More than half of attacks last year leveraged fileless or "malware-free" techniques, as hackers increasingly turn to stolen credentials in their efforts to breach corporate networks. The telecommunications industry also saw increased attacks from threat actors such as those from China and North Korea, which targeted the sector for its intellectual property and competitive intelligence.
Malware-free tactics accounted for 51% of attacks in 2019, compared to 40% just the year before, though this figure was significantly driven by a sharp increase of such attacks targeting North America. Some 74% of attacks in the region were malware-free while such techniques accounted for 25% of attacks targeting Indo-Pacific, according to CrowdStrike's Global Threat Report 2020.
The annual report's assessment of the threat landscape is based on its analysis of data collected from more than 3 trillion events per week across 176 countries, consultations from its intelligence team that tracks 131 adversaries including nation-state and hacktivist actors as well as Falcon OverWatch threat hunters, and findings from its investigations of incident responses in 2019.
The increasing popularity of malware-free attacks underscored the need for organisations not to rely solely on antivirus tools, said CrowdStrike. The security vendor defined malware-free attacks as those in which files or file fragments are not written to disk. These could be attacks where codes executed from memory or where stolen credentials are tapped to enable remote logins. It added that malware-free attacks typically require various detection techniques to identify and intercept, such as behavioural detection and human threat hunting.
The 2020 threat report also saw more incidents of ransomware and ransom demands from cybercriminals who, increasingly, conducted data exfiltration, which enabled them to exploit sensitive data that was proprietary information or potentially embarrassing for victims.
In addition, nation-state adversaries last year targeted a range of industries, but were especially interested in the telecommunications sector, which saw increased attack frequency from nations such as China and North Korea, noted CrowdStrike. State actors from China, in particular, were keen to target the industry in a bid to steal intellectual property and competitive intelligence, said the US security vendor.
Furthermore, China's state actors have continued to focus on supply chain compromises, "demonstrating the nation-state's continued use of this tactic to identify and infect multiple victims", CrowdStrike said. The vendor added that these hackers also targeted other US industries that are deemed critical to China's strategic interests, including clean energy, healthcare, biotechnology, and pharmaceuticals. It said such attacks were likely to continue.
The report also pointed to North Korea's interest in cryptocurrency exchanges, which it suggested facilitated espionage-focused efforts that were aimed at gathering data on users or cryptocurrency operations and systems. CrowdStrike added that North Korea might be looking to develop its own cryptocurrency to further circumvent trade sanctions.
However, cyber adversaries took longer to break into and move laterally within a network, requiring nine hours to do so, compared to 4 hours and 37 minutes in 2018. This longer "breakout time", as CrowdStrike coined, was reflective of a significant increase in cybercriminal attacks, which the security vendor said typically had longer breakout times compared to attacks launched by nation-state adversaries.
It further stressed the need for organisations to focus on increasing their speed in identifying and addressing attacks, as nation-state activities last year did not show major changes in breakout times.
After detecting a breach, businesses in the city-state take 37 hours on average to investigate and contain the attack, compared to the 31 hours companies across the globe take to do likewise.
With cybercriminals taking less and less time to break into corporate systems, enterprises will have to tap artificial intelligence and machine learning tools to bolster their ability to defend against attacks and beef up their network resilience.
Three out of the nine exploit kits active today are using fileless attacks to infect victims.
These attacks cost the average organization millions and SMBs are the worst affected.
Mining for Monero is the campaign's ultimate goal.