ICYMI, @PwC_UK’s 2020 #threatintel Year in Retrospect report is out now! All team contributed but h/t to @KystleM_Reid! :fire: You can check it out here: pwc.to/2ZPx7fo In this thread, I will summarise some of what I thought were key findings: 🧵👇 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this.🙏 2/n
In 2020, 86% of the incidents that PwC’s Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n
Malware delivery systems play a central role. From #Emotet & #Qakbot (leading to Egregor, Prolock, DoppelPaymer) to #Trickbot & #Bazar (leading to Ryuk). Shoutout to We don’t work together, but h/t to @wanna_VanTa & @x04steve the Ryuk smashers! Go read their work too🔥 4/n
Ransomware destroys companies & lives. It devastates hospitals, harms schools. It profits off others’ disgrace (& abuses their RDP conns & VPN creds). Small-medium orgs, critical infra, charities, need more help. 5/n
#CobaltStrike EVERYWHERE. Most crime & ransomware chains deploy CobaltStrike to burrow deeper into networks (e.g. #Nefilim, #Qakbot), but APTs also (e.g. Scarlet Ioke, Red Lich). It’s so versatile and widely used that efforts detecting CobaltStrike are well spent, imo. 6/n
#BEC: do NOT underestimate it. It’s costly to orgs & ruins individuals' lives. Domain spoofing, vendor email compromise, phishing kits... Now, BEC groups also use commodity malware. It's a threat. @iHeartMalware’s & @AgariInc's work on BEC live rent-free in my head. 7/n
We continue to observe a growing trend of #espionage motivated #APT's also performing financially-motivated activity - moonlighting (e.g. Red Kelpie; Yellow Geryon; Green Havildar’s subset Gorgon Group/Aggah) or to support national strategic goals (e.g. Black Artemis). 8/n
While not new, hacker-for-hire ops also blur lines b/w espionage & economic gain, targeting orgs & individuals. Several have been exposed this year, including Orange Abtu, #DeathStalker, #CostaRicto. Also great reports by @citizenlab, @Securelist, @BlackBerry on these 🔥 9/n
Re:COVID-19, PwC's #threatintel team did not observe significant lapses in threat actors’ operations - but both #APT's & cyber criminals used COVID-19-themed lures. Several threat actors (e.g. #WellMess; Yellow Garuda; Black Artemis) targeted vaccine & treatment research. 10/n
#APT's & cyber criminals used COVID-19 themes for #phishing: from WHO-branded lures (e.g. Red Orthrus) to impersonating WHO (e.g. Black Banshee) / attempting to cred phish WHO staff (Yellow Garuda); from COVID numbers reports (Trickbot), to spoofing financial aid schemes. 11/n
Of course, we see continued alignment b/w #cyberthreats & geopolitical events. Areas fraught with conflict/tension (India-China border, Nagorno-Karabakh, Iran, Hong Kong, Tibet) & minorities (like in Xinjang, or China-based Catholics) are in the crosshairs of #APT campaigns. 12/n
Our #threatintel Year in Retrospect report's “Intelligence gathering” section (pwc.to/2ZPx7fo) details cyber-enabled military/industrial espionage & civilian surveillance by threat actors based in DPRK, China, Russia, Iran, Turkey, Pakistan, India, Vietnam & more. 13/n
Some of my favourite insights:
- continued tool-sharing among China-based #APT's (#RoyalRoad, #ShadowPad, #PlugX);
- Yellow Nix stepping up its game + quickly moving to exploit newly-released vulnerabilities POCs;
- role of private intelligence companies in espionage ops. 14/n
Information operations also continue unabated (many great reports this year, incl. by @Graphika_NYC) – incl. Iran- & Russia-based threat actors sowing unrest ahead of the November 2020 US election, & threat actors pushing COVID-19 vaccine disinformation targeting Europe. 15/n
#Supplychain compromise has been relevant for years. Many forms of compromise: digital trust (certificates); trusted infra (websites/web apps); software (trojanising files, malicious plugins, fake apps like #AppleJeus); 3rd party compromise.
VPNs & web apps – ever more relevant in a remote work environment. #APT's including Red Kelpie, Yellow Nix, Blue Kitsune, + ransomware groups (e.g. Cl0p, Nefilim), have been exploiting VPN vulnerabilities & web infrastructure like OWA & Microsoft Exchange. 17/n
Rise of the defenders: In all this, in 2020, several public entities went more public on #threatintel attribution. The European Council imposed its 1st round of sanctions re cyber threats. The private sector took legal action. And let’s not forget the Emotet disruption! 18/n
So, what to expect in #threatintel in 2021? @KrystleM_Reid wrote a brilliant blog post on this: pwc.to/2ZPx7fo I only have 2 adds:
1) Orgs, PWEASE review assets & prioritise patches as per your threat model…
2) Thank you, #cyber defenders. You’re my heroes. 🔥💕19/19

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with The Banshee Queen 👑

The Banshee Queen 👑 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!