McAfee: the six cyber vulnerabilities to avoid in 2021
2021 will be a difficult year worldwide in terms of cybersecurity, says McAfee. The California-based corporation says the global work-from-home mandate and attacks on public and private sector organisations (like the SUNBURST infiltration of the SolarWinds Orion platform) will continue to be a concern over the next 12 months.
The growth of the IoT has compounded the problem, as the ever-increasing use of connected devices presents greater opportunities for digital breaches. Mobile users, says McAfee, will need to be vigilant about fraudulent mobile payment messages in the form of phishing or smishing messages.
Corporate crime
As leading security experts scramble to clean up the compromised SolarWinds Orion IT platform, which was used to distribute a malicious software backdoor to dozens of customers, including several high-profile U.S. government agencies, the imminent threat of cyber espionage is only just being realised.
McAfee experts believe the incident represents a “shift in tactics” and opens the door to nefarious governments using new weapons for cyber-espionage.
“Just as the use of nuclear weapons at the end of WWII changed military strategy for the next 75 years, the use of a supply chain attack has changed the way we need to consider defence against cyber-attacks,” says McAfee’s senior vice president, Steve Grobman.
But what does that mean for our global, digital networks which are growing daily and are now more essential to global economies than ever before? Governments and espionage are as old as time, but the targeting of private companies with such ferocious and stealthy tactics means private data and intellectual property is at serious risk.
Grobman says such large-scale attacks are dangerous because they use trusted software to “infiltrate victim organisations with the backdoor and allow the attacker to take any number of secondary steps.”
This, he points out, could involve stealing data, destroying data, holding critical systems for ransom, orchestrating system malfunctions that result in kinetic damage, or simply implanting additional malicious content throughout the organisation to stay in control even after the initial threat appears to have passed.
“It enables U.S. adversaries to steal all manner of information, from inter-governmental communications to national secrets. Attackers can, in turn, leverage this information to influence or impact U.S. policy through malicious leaks,” adds Grobman. “Every breached agency may have different secondary cyber backdoors planted, meaning that there is no single recipe to evict the intrusion across the federal government.”
Home networks
McAfee saw cybercriminals increase their focus on the home attack surface with a surge in various phishing message schemes across communications channels. The number of malicious phishing links McAfee blocked grew over 21% from March to November 2020, at an average of over 400 links per home.
McAfee’s report revealed that its Secure Home Platform device monitoring has registered a 22% increase in the number of connected home devices globally since COVID-19 hit in March 2020, and a 60% increase in the US. Over 70% of the traffic from these devices originated from smartphones, laptops, other PCs and TVs, and over 29% from IoT devices such as streaming devices, gaming consoles, wearables and smart lights.
Grobman says, “This type of attack poses a threat to individuals and their families, given that in today’s highly interconnected homes a breach of consumer electronics companies can result in attackers using their access to smart appliances such as TVs, virtual assistants and smart phones to steal their information or act as a gateway to attack businesses while users are working remotely from home.”
Suhail Ansari, McAfee’s CTO of the San Francisco Bay area, points out that the home environment “contrasts with a corporate office environment filled with devices hardened by enterprise-grade security measures.”
He adds, “We now work with consumer-grade networking equipment configured by us and lacking the central management, regular software updates and security monitoring of the enterprise.”
Cloud control
Attacks on cloud platforms and users will evolve into a highly polarised state where they are either “mechanised and widespread” or “sophisticated and precisely handcrafted”, predicts Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research.
This is mainly because the pandemic has hastened the speed of the corporate IT transition to the cloud, thus accelerating the potential for new corporate cloud-related attack schemes. With increased cloud adoption and the large number of enterprises working from home, not only is there a growing number of cloud users but also a lot more data both in motion and being transacted.
Data taken from 30mn McAfee MVISION Cloud users worldwide shows a 50% increase in enterprise cloud use across all industries in the first quarter of 2020. The analysis reveals an upsurge across all cloud categories: use of collaboration services such as Microsoft O365 rose by 123%, use of business services such as Salesforce rose by 61%, and the largest growth was in collaboration services such as Cisco Webex (+600%), Zoom (+350%), Microsoft Teams (+300%) and Slack (+200%), says McAfee.
During the same period, McAfee witnessed a surge in attacks on cloud accounts, an estimated 630% increase overall, with variations in the sectors that were targeted. Transportation led vertical industries with a 1,350% increase in cloud attacks, followed by education (+1,114%), government (+773%), manufacturing (+679%), financial services (+571%) and energy and utilities (+472%).
“The increasing proportion of unmanaged devices accessing the enterprise cloud has effectively made home networks an extension of the enterprise infrastructure. We expect that widespread attacks will start weaponizing AI for better efficacy against thousands of heterogenous home networks,” says Sandeep Chandana, Principal Data Scientist at Skyhigh Networks.
“While the volume of sensitive data in motion increases and enterprise cloud postures mature, we also predict that the attackers will be forced to handcraft highly targeted exploits for specific enterprises, users and applications,” he adds.
Phishing and smsishing
As m-commerce gains momentum, users reliant on mobile payments will become an increasingly large target for cybercriminals through exploitative phishing and smsishing messages that seek to defraud users through malicious payment URLs.
A 2020 Worldpay Global Payments Report estimates that 41% of payments today are made on mobile devices, and this number looks set to increase by 2023. Another 2020 study by Allied Market Research found that the global mobile payment market was valued at $1.48tn in 2019 and is projected to reach $12.06tn by 2027, growing at a compound annual growth rate of 30.1% from 2020 to 2027.
Criminals have also shifted from PC browsers and credit cards to mobile payments. According to research by RSA’s Fraud and Risk Intelligence team, 72% of cyber fraud activity involved the mobile channel in the fourth quarter of 2019. The researchers observed that this represented “the highest percentage of fraud involving mobile apps in nearly two years and underscores a broader shift away from fraud involving web browsers on PCs.”
Ansari predicts there will be “an increase in ‘receive’-based mobile payment exploits, since they provide a quick mechanism for fraudsters that combines phishing or smsishing messages with payment URLs.”
He adds, “This could take shape in schemes where fraudsters set up a fake call center using a product return and servicing scam, where the actors send a link via email or SMS, offering a refund via a mobile payment app. But the user is unaware that they are agreeing to pay versus receiving a refund.”
QR code abuse
QR codes have emerged as a convenient input mechanism to make mobile transactions more efficient. However, McAfee predicts hackers will increasingly use these QR code schemes and broaden them using social engineering techniques.
Particularly in the age of the pandemic, QR codes have proven useful in limiting direct contact between businesses and consumers in every setting from restaurants to personal care salons to fitness studios.
A September 2020 survey by MobileIron also found that 86% of respondents scanned a QR code over the previous year and over half (54%) reported an increase in the use of such codes since the pandemic began. Two-thirds (67%) said the technology made life easier in a touchless world.
However, the MobileIron report also found that fewer than one-third (31%) realise that a QR code can make a payment, cause a user to follow someone on social media (22%), or start a phone call (21%). A quarter of respondents admit scanning a QR code that did something unexpected (such as take them to a suspicious website), and 16% admitted they were unsure if a QR code did what it was intended to do.
Dattatraya Kulkarni, a software engineer for Microsoft, says, "Although the QR codes themselves are a secure mechanism, we expect them to be misused by bad actors in 2021 and beyond."
He explains, “The lack of user knowledge on how QR codes work makes them a useful tool for cybercriminals. They have been used in the past in phishing schemes to avoid anti-phishing solutions’ attempts to identify malicious URLs within email messages. They can also be used on webpages or social media.”
In such schemes, says Kulkarni, victims scan fraudulent QR codes and are taken to malicious websites that ask them for login details, personal information, usernames and passwords, and payment information, which the criminals then steal. The sites can also be used to download malicious programs onto a user’s device.
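The smsishing schemes Ansari describes and the QR code schemes Kulkarni describes turn on the same gap: the user acts on a payload (a payment URL in a text message, or the text hidden inside a QR code) without first seeing what action it would trigger. The Python sketch below is an added example, not code from McAfee or from its report. It takes an already-decoded payload, classifies it by URI scheme into the action a device would take (open a website, place a call, send an SMS, make a payment, join a Wi-Fi network) and lists reasons to pause before proceeding, which is the preview step a scanning app or message filter would show a user. The scheme-to-action table, the payment schemes in it and the sample payloads are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Action a scanning app would take, mapped to the URI schemes that trigger it.
# This table is an assumption for the example; payment schemes in particular
# vary by region and app, so the two listed are illustrative, not exhaustive.
ACTION_SCHEMES = {
    "open_website": {"http", "https"},
    "start_call": {"tel"},
    "send_sms": {"sms", "smsto"},
    "send_email": {"mailto"},
    "make_payment": {"upi", "bitcoin"},  # assumed examples of payment schemes
    "join_wifi": {"wifi"},
}

# Actions that move money, cost money or reach a third party the moment the
# handler runs, so the preview should demand explicit confirmation first.
CONFIRM_FIRST = {"make_payment", "start_call", "send_sms", "unknown_scheme"}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Preview:
    action: str     # what the device would do if the payload were acted on
    target: str     # host for websites, otherwise the raw scheme-specific part
    warnings: list  # human-readable reasons to pause before proceeding


def classify_payload(payload: str) -> Preview:
    """Say what a QR or SMS payload would do, plus any red flags, without acting on it."""
    text = payload.strip()
    scheme, sep, rest = text.partition(":")
    if not sep:
        # No URI scheme at all: a table number, a serial, free text.
        return Preview("plain_text", text, [])

    scheme = scheme.lower()
    action = next((a for a, s in ACTION_SCHEMES.items() if scheme in s), "unknown_scheme")
    warnings = []

    if action == "open_website":
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
        if scheme == "http":
            warnings.append("unencrypted http")
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("punycode hostname")  # possible look-alike domain
        if IPV4.match(host):
            warnings.append("raw IP address host")
        if parts.username or parts.password:
            # 'bank.example@evil.example' reads as the bank but goes elsewhere
            warnings.append("credentials embedded in URL")
        if len(text) > 200:
            warnings.append("unusually long URL")
        target = host
    else:
        target = rest

    if action in CONFIRM_FIRST:
        warnings.append("requires explicit confirmation: " + action.replace("_", " "))
    return Preview(action, target, warnings)


# Constructed sample payloads, as a scanner or SMS filter might receive them.
SAMPLE_PAYLOADS = [
    "Table 12",
    "https://www.example.com/menu",
    "http://192.168.0.10/login",
    "https://login.example@203.0.113.5/verify",
    "tel:+15550100",
    "upi://pay?pa=merchant@bank&am=499",
    "WIFI:S:Cafe;T:WPA;P:secret;;",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        pv = classify_payload(p)
        print(f"{p!r:45} -> {pv.action:14} {pv.target!r} {pv.warnings}")
```

The point of the preview is the one the MobileIron figures above make: most people do not know a code can pay, call or follow on their behalf, so the safe default is to show the action and the destination and require a deliberate tap before the handler runs. Scheme-based classification does not judge whether a destination is trustworthy; it only makes the action visible.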
Social networks to channel attack vectors
McAfee predicts increasingly sophisticated cyber enemies will target, engage and compromise corporate victims through social networks as an attack vector. The security company has observed more complex threat actors using social networks such as LinkedIn, WhatsApp, Facebook and Twitter to engage with corporate employees, develop relationships and then compromise them.
Individual employees engage with social networks in a capacity that straddles both their professional and personal lives. Additionally, user activity on social network platforms is not monitored or controlled in the same way as enterprise security controls over corporate-issued devices.
Samani explains, “Through these victims, they compromise the broader enterprises that employ them. McAfee predicts such actors will seek to broaden the use of this attack vector in 2021 and beyond for a variety of reasons.”
He points out that malicious actors have used social network platforms in broad-scoped schemes to perpetrate relatively low-level criminal scams. However, he notes, “prominent actors such as APT34, Charming Kitten, Threat Group-2889 (among others) have been identified using these platforms for higher-value, more targeted campaigns on the strength of the medium's capacity for enabling customised content for specific types of victims.”
Operation North Star is an example of this type of attack. Discovered by McAfee late last year, the campaign showed how weak social media privacy controls are, and how easily fake LinkedIn user accounts and job descriptions could be created and used to lure and attack defence sector employees.
Samani concludes, “Just as individuals and organisations engage potential consumer customers on social platforms by gathering information, developing specialised content and conducting targeted interactions with customers, malicious actors can similarly use these platform attributes to target high value employees with a deeper level of engagement.”