Top insights from our Annual Global Threat Intelligence Report
13 May 2021
Q&A with Jon Heimerl
What’s the most interesting finding you took away from this year’s Report?
It’s really interesting to see how cybercriminals have honed their focus on the top three industries over the past year. Attacks on finance, manufacturing and healthcare accounted for 62% of attacks during 2020. If you consider that in 2019, the top three industries accounted for 51% of all attacks and 46% of all attacks in 2018, it’s clear that threat actors are intentionally focusing on targets they’ve decided are more valuable. And these three industries are the ones they have in their line of sight.
Why did finance become the most attacked industry? And why did attack volumes jump by 50%?
Finance has long been an attractive target for hostile actors. They focus on gaining access to systems to steal financial and identity data, potentially modify data, and commit direct theft. Finance has been the first or second most attacked industry in eight of the nine years NTT has been developing the Global Threat Intelligence Report (GTIR).
COVID-19 certainly helped change the game for finance. Bank lobbies closed and financial organizations experienced less foot traffic. Many industries which consume capital were depressed as global economies struggled to cope with the effects of the pandemic. In response, financial institutions redirected traffic to mobile applications and online banking, including customer and vendor portals. These experienced increased use as customers relied more on digital services. Hostile threat actors quickly capitalized on this increased reliance on web-enabled apps. Their intensified focus on these apps is demonstrated by the increase in web-application and application-specific attacks.
Overall, did attack volumes skyrocket due to COVID-19?
Interestingly, NTT didn’t observe this effect. While it’s true that attack volumes did increase slightly from 2019, the change wasn’t significant. Additionally, it’s impossible to say whether this slight increase was due to expected growth in attacks; new zero-days or other vulnerabilities; exploit kits or other tactics or procedures; or could be directly attributable to COVID-19.
NTT did, however, observe a shift in existing attacks towards COVID-19 related issues. For instance, while phishing attacks may not have increased dramatically from year to year, a significant number of phishing attacks during 2020 can be directly attributed to lures (subjects) using the COVID-19 virus, outbreaks, conspiracies and vaccines. No such lures existed in 2019.
XMRig was the most detected malware this year. What is XMRig, and how did it become so prevalent?
XMRig is a coinminer, a type of program that uses hardware resources to generate cryptocurrencies, such as Bitcoin, Monero or Ethereum. Attackers can compromise an organization's resources and install coinminers, which may lead to a degradation in reliability as the coinminer uses system resources. XMRig mines the Monero cryptocurrency. XMRig is particularly important as malicious usage of coinminers surged, representing a staggering 41% of malware detected in 2020. XMRig was the most common variant at nearly 82% of all coinminer activity.
Last year, attackers targeted content management suites (CMSs) – but this year, no CMS was in the global top 10? What happened? Are attackers no longer targeting CMSs?
CMSs are still meaningful since they can influence access to the corporate website. It’s true that no CMS was named as targeted in the top 10 most attacked technology globally. But some industries did have CMS suites in their top 10, and most had CMS suites in their top 15, including WordPress, Drupal, NoneCMS and Joomla!
But those numbers themselves are a little misleading. The single most attacked technology globally was ThinkPHP, which was targeted in 30% of all attacks, and the NoneCMS, which was targeted in 2020, uses ThinkPHP.