As Organizations Move to Cloud Environments and Embrace Digital Transformation, Adversaries are Quickly Adapting According to Breach Investigations and Threat Intelligence Analysis
CHICAGO - April 22, 2020 - Trustwave today released the 2020 Trustwave Global Security Report, which reveals the top security threats, breaches by industry and cybercrime trends from 2019.
"Our 2019 findings depict organizations under tremendous pressure contending with adversaries who are methodical in selecting their targets and masterful at finding new pathways into environments as the attack surface widens," said Arthur Wong, chief executive officer at Trustwave. "We continue to see the global threat landscape evolve through novel malware delivery, inventive social engineering and the ways malicious behaviors are concealed. How fast threats are detected and eliminated is the top cybersecurity priority in every industry."
The report is based on the analysis of a trillion logged security and compromise events, hundreds of hands-on data-breach and forensic investigations, penetration tests and red teaming exercises, network vulnerability scans and internal research.
Key findings from the 2020 Trustwave Global Security Report include:
- Attacks on cloud services more than double -- Corporate environments continue to lead all environments targeted by cybercriminals at 54%, down slightly by 2%, followed by e-commerce at 22%, down 5% compared to 2018. Cloud services saw the biggest increase and are now the third most targeted environment, accounting for 20% of investigated incidents, up significantly from 7% the previous year.
- Social engineering reigns supreme as the method of compromise -- Social engineering remained the top method of compromise in 2019. Half of all incidents investigated by Trustwave analysts were the result of phishing or other social engineering tactics, up from 33% in 2018.
- Ransomware overtakes payment card data in breach incidents -- For the first time, ransomware incidents overtook payment card data when comparing the types of information most targeted by cybercriminals. The quick monetary return of encrypting specific computer files or entire systems and demanding payment accounted for 18% of breach incidents observed in 2019, up from 4% in 2018. By comparison, ransomware's share was slightly higher than the combined percentage of incidents involving card-not-present and track data, at 17%.
- Malware-laden spam drops to nearly zero -- Findings show a large decrease in the volume of spam email hitting organizations, from 45.3% in 2018 to 28.3% in 2019, due to several large spamming operations reducing activities or vanishing altogether. Of the spam analyzed in 2019 by Trustwave, only 0.2% contained malware, down from 6% the previous year. This decrease, although positive, supports findings that cybercriminals are shifting tactics, opting for more targeted and personal email attacks known as Business Email Compromise (BEC). In 2019, Trustwave saw the average volume of BEC messages captured at the gateway rise to 60 messages per day, up from 20 messages per day the previous year.
- Malware capabilities and delivery evolve -- Downloaders, at 24.9%, made a significant jump to become the largest single category of malware encountered, up from 13% in 2018. The increase can be attributed to an uptick in "malware-as-a-service" bots such as Emotet. Criminals often use downloaders and droppers in multi-stage attacks to install additional malware varieties.
- Database information disclosure vulnerabilities increase -- The number of vulnerabilities patched in five of the most common database products was 202, up from 148 in 2019. Of those patched, 118 allowed denial-of-service (DoS) attacks, followed by information disclosure at 28, up from 15 in 2018.
- Cryptojacking nearly vanishes from web-based attacks -- The 1,250% surge of cryptojacking malware observed in 2018, used to place JavaScript coin miners on websites or to infect carrier-grade routers, all but vanished in 2019 after the cryptomining service Coinhive shut down. To make up for lost revenue, cybercriminals stepped up social engineering efforts, sending fake update messages for browsers, operating systems and other software to trick users into installing malware.
- Internal detection crucial for reducing threat response time -- The median time from intrusion to detection for threats detected internally dropped to just two days, down from 11 days in 2018. For threats detected externally by a third party, however, the median time from intrusion to detection rose significantly to 86 days, up from 55 days just a year earlier.
- Windows and remote code execution favored -- Sixty-nine percent of malware investigated by Trustwave targeted the Windows operating system, followed by cross-platform malware at 23% and Unix at 8%. Of the exploited vulnerabilities observed, the top two, at 61% when combined, allowed remote code execution. Surprisingly, 67% of exploits used against service providers involved CVE-2014-0780, which gives remote attackers the ability to read administrative passwords in app files and execute arbitrary code via unspecified web requests.
- Magecart gains prominence -- Attacks from Magecart, a loose affiliation of cybercriminal groups who target e-commerce sites, often through the Magento platform, accounted for nearly 6% of overall Trustwave investigations in 2019, up from zero instances four years ago. Retail and hospitality have been hardest hit as cybercriminals pivot from targeting point-of-sale (POS) terminals, due to the implementation of Europay, MasterCard and Visa (EMV) chip technology, to targeting online storefronts.
- Asia Pacific and retail top data breach incidents -- For a second consecutive year, the Asia-Pacific region led in the number of data compromises investigated, accounting for 37% of instances, up 2% from 2018 and 7% from 2017. North America followed at 33%, rising slightly by 3% from 2018; Europe, the Middle East and Africa came in third at 25%, and Latin America & Caribbean (LAC) at 4%. The retail sector led the number of incidents at 24%, jumping 6% compared to 2018. The financial industry came in second at 14% and hospitality third at 13%, up 3% since 2018.
Data Sources
Trustwave experts gathered and analyzed real-world data from hundreds of breach investigations that the company conducted in 2019 across 16 countries. This data was added to the analysis of a trillion logged security and compromise events across a global network of Trustwave Security Operations Centers, along with deep analysis of tens of billions of email messages; tens of millions of customer web pages; thousands of penetration tests across databases, networks and applications; and telemetry from both native and partner technologies distributed across the globe.
To download a complimentary copy of the 2020 Trustwave Global Security Report, visit: https://www.trustwave.com/en-us/resources/library/documents/2020-trustwave-global-security-report/.
About Trustwave
As a recognized global cyber defender that stops cyber threats all day, every day – we enable our clients to conduct their business securely.
Trustwave detects threats that others can’t see, enabling us to respond quickly and protect our clients from the devastating impact of cyberattacks. We leverage our world-class team of security consultants, threat hunters and researchers, and our market-leading security operations platform to relentlessly identify and isolate threats with the right telemetry at the right time for the right response.
Trustwave is a leader in managed detection and response (MDR), managed security services (MSS), consulting and professional services, database security, and email security. Our elite Trustwave SpiderLabs team provides award-winning threat research and intelligence, which is infused into Trustwave services and products to fortify cyber resilience in the age of advanced threats.