• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
        • – FTC Safeguards Rule Compliance 2023
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is Secure Access Service Edge (SASE)
      • What is Security Service Edge (SSE)
      • What is a Cloud Access Security Broker (CASB)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
      • Free Trial Help and Tips
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Research

Cisco Umbrella discovers evolving, complex cyberthreats in first half of 2020

Author avatar of Austin McBrideAustin McBride
August 18, 2020 • 6 minute read
View blog >

With economies on lifelines and work being done by teleconference calls, it may seem sometimes like the whole world is on hiatus. But the reality is that cyberattackers aren’t sleeping. Their tactics and targets may be shifting and changing, but the threats are not going away.

Key Highlights

In the first half of 2020, Cisco Umbrella identified the following threat trends:

  • an evolution in repurposing trojans and droppers for new forms of malware delivery
  • an increase in obfuscation and the use of macros and other fileless* malware to evade traditional antivirus (A/V) defenses
  • a rise in threats to managed service providers (MSPs)
  • loads of phishing tactics with COVID-19 related themes (which comes as no surprise – learn more about this in our earlier blog post).

Cisco Umbrella global network

Before we dig into the data, it’s helpful to remind ourselves how the Cisco global network views the threat landscape. Our 32+ customer facing data centers process 220+ billion domain naming service (DNS) requests daily. This gives us a unique perspective on global DNS traffic. This analysis is based on aggregated DNS query logs paired with scrubbed and anonymized customer demographic information.

Cisco Umbrella protects against more than 7 million malicious domains and IPs, while discovering over 60,000 new malicious destinations (domains, IPs, and URLs) on a daily basis. Each node of attack infrastructure is an opportunity to identify and neutralize before it can be used for new attacks. Cisco believes it’s better to predict and prevent cyberattacks.

  • Umbrella discovers evolving cyberthreats in first half of 2020 - Cisco Umbrella Blog 2019 top threats chart
    2019
  • Umbrella discovers evolving cyberthreats in first half of 2020 - Cisco Umbrella Blog 2020 top threats chart
    2020

Phishing moved into second place behind malware in the first half of 2020

Looking at our entire customer base in the first half of 2020: 91% of them saw a domain linked to malware, 83% of them saw a domain linked to phishing, 67% of them saw a domain linked to cryptomining, and 60% of them saw a domain linked to trojans. Last year, trojans were the second most active at 59% and phishing was in the fourth spot at 46% impacted. One of the reasons for the shift this year was due to the COVID-19 pandemic and the huge increase in malicious phishing sites preying on peoples’ fears around the virus.

Top attacks impacting Umbrella customers:

Umbrella discovers evolving cyberthreats in first half of 2020 - Cisco Umbrella Blog top attacks impacting our customers

Looking at the top attacks we’ve seen so far in 2020, it’s not surprising that cryptomining takes the top spot. Cryptomining was also the #1 attack last year by query volume. We saw more cryptomining in 2019 than in 2020, but the reduction in crypto query volume in 2020 wasn’t enough to drop cryptomining from the #1 spot.

However, it is important to note that cryptomining is inherently chattier than these other attacks, so its strong lead over these other top attacks is not as pronounced as it appears in terms of DNS query volume.

Trend #1: A new form of malware delivery

We’re seeing an evolution in repurposing trojans and droppers for new forms of malware delivery. Emotet comes in at #2. It started as a successful banking trojan, but quickly evolved into an even more successful delivery vehicle for malware dropping. Attackers are clearly sticking with what works. With its sophisticated modular architecture, worm-like propagation, and casting a wide net to impact the maximum number of victims – Emotet has become a workhorse for delivering numerous types of malware.

Ursnif/Gozi is another example of a trojan/dropper that is evolving its use cases. This attack type is being spread as a standalone version and as a dropper for other malware. It leverages email thread hijacking and abuse of trusted services such as Google Drive. Its targeted approach to the choice of delivery method depending on potential victims has made it popular in a wide variety of attacks.

Trend #2: Complexity, macros and fileless malware on the rise

Perhaps one of the biggest trends we have continued to see in the first half of 2020 has been the rise of more complex, multi-staged attacks. These attacks use new delivery mechanisms such as macros and other legitimate application functionality to evade A/V detection, obfuscation of data exfiltration (e.g., steganography), and coordination through command-and-control (C2) infrastructure.

Umbrella discovers evolving cyberthreats in first half of 2020 - Cisco Umbrella Blog sample attack chain


For example, the above attack chain illustrates how malspam delivers an innocent-looking document that uses a macro or PowerShell (functionality embedded into the application used to open the file). This then leads to a payload/dropper that disables security controls, establishes persistence, and downloads additional malware. When all of the targeted data is exfiltrated, TrickBot is downloaded and launched. TrickBot processes take control of the domain controller via SMB Exploit which leads to network compromise. The last step in the infection chain is ransomware, which encrypts all affected components.

A variant on the data exfiltration step may be to use steganography. Steganography is the art of concealing information inside pictures. Attackers have used this technique specifically during this pandemic phase to exfiltrate data using steganography and is part of legitimate traffic.

Similarly, in the phase where the file employs some fileless automation such as Macros 4.0, VBA or PowerShell, the attack can make use of the legitimate software automation to obfuscate and then deobfuscate commands. Following is an example for a Macros 4.0 exploit using a Binary Interchangeable File Format (BIFF), which hides an embedded Microsoft Excel file.

Umbrella discovers evolving cyberthreats in first half of 2020 - Cisco Umbrella Blog macros exploit using BIFF


The download happens from the attackers’ infrastructure, which apparently is a series of compromised WordPress sites. Attackers are constantly running a parallel campaign throughout the year in targeting small/medium businesses WordPress sites and adding it to their compromised kitty of domains. These domains are loaded within the Excel files, so that when de-obfuscation happens, it ends up downloading the actual .exe malware from compromised WordPress domains.

Trend #3: A new favorite target – managed service providers (MSPs)

Threat Traffic by Industry Vertical:

  • 2019
  • 2020

The distribution of threat traffic by vertical has changed slightly from its distribution in 2019. Managed service providers at 28.47% has overtaken financial services at 23.49% for the top spot of most impacted vertical. Higher education traffic has fallen considerably in its share of the pie from the #2 spot to #5. This considerable drop in higher education threat traffic is most likely the result of students not being present in person for classes.

Trend #4: COVID click bait drives increase in phishing

The COVID-19 pandemic has a lot of people on edge. Many of us are paying closer attention to emails and article headlines offering up COVID-19 stats in our area or where to go to get free testing. Malicious actors have taken advantage of our interest in the topic and set up numerous sites to phish for credentials and drop malware.

The largest jump in malicious COVID-19 query traffic in North America was 6.3X and occurred from the beginning of February through the end of June.

The largest jump in malicious COVID-19 query traffic outside of North America was 13.2X in the period from the beginning of March through the end of May.

2020 – the year that keeps on giving

The first half of 2020 has been eventful with the rise of COVID-19 and the widespread move to remote work for much of the global workforce. The landscape has changed — more considerably for some sectors than others — but the bottom line is that malicious actors are still working hard to infiltrate your environment. A “little” pandemic will slow them down, but not stop them.

Thanks to Shyam Sundar Ramaswami for contributing the malware sample analysis.

About Cisco Umbrella

Cisco Umbrella delivers the most secure, reliable, and fastest internet experience to more than 100 million business and consumer users daily. Umbrella unifies firewall, secure web gateway, DNS-layer security cloud access security broker (CASB), and threat intelligence solutions into a single cloud service to help businesses of all sizes secure their network. As more organizations embrace direct internet access, Umbrella makes it easy to extend protection to roaming users and branch offices.

Leveraging insights from Cisco Talos, one of the world’s largest commercial threat intelligence teams with more than 300 researchers, Umbrella uncovers and blocks a broad spectrum of malicious domains, IPs, URLs, and files that are being used in attacks. We also feed huge volumes of global internet activity into a combination of statistical and machine learning models to identify new attacks being staged on the internet. Learn more about how we identify attacks with threat intelligence in this blog post from Chris Riviere.

In a recent test, Cisco Umbrella took the #1 spot in security efficacy against today’s threats. AV-TEST performed a review of Cisco cloud security solutions alongside comparable offerings from other vendors.

Learn more about how AV-TEST put our security to the test (and how we won). Read the report here.

* Fileless malware uses existing legitimate applications and system functionality to infiltrate a computer, leaving no signature and thereby evading traditional antivirus defenses. It typically functions by using legitimate tools for malicious purposes, such as LOLBins, and can include Microsoft Office Macros, PowerShell, among others.

Suggested Blogs

  • Cloud Application Security – Risks, Questions, Insights, and Solutions July 1, 2021 3 minute read
  • New research shows consumers want cybersecurity from service providers July 7, 2020 4 minute read
  • Discovering pandemic-themed phishing cyberattacks with threat intelligence April 28, 2020 6 minute read

Share this blog

FacebookTweetLinkedIn

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella