Threat Intelligence Blog

Posted February 20, 2020

On  January 16, 2020, LookingGlass hosted a webinar on trends observed in the 2019 cyber threat landscape. Much of the activity seen in 2019 was a continuation of observed 2018 threat activity. Certain attack vectors noticeably increased in that adversaries are using known attack vectors more aggressively and frequently. Some notable events in 2019 included the release of files related to the 9/11 attacks by threat actor “The Dark Overlord,” copious amounts of credit card information added to the Joker’s Stash carding forum, and elevated levels of ransomware attacks on government offices, schools, and healthcare providers.

With the continual evolution of technology and its impact on the cyber landscape, LookingGlass anticipates that threat actors will also evolve, improving on their current tactics, techniques, and procedures to leverage attacks against their targets. In light of this, it is critical to remain vigilant and utilize healthy cybersecurity hygiene to minimize the chances of falling victim to a cyber-attack.

What are the top cyber security trends of 2020 to keep an eye out for?

LookingGlass predicts the 2020 cyber threat landscape will observe varying levels of activity. While no one can be certain which events will occur at the start of any given year, in LookingGlass’ estimation, the following six categories of threats and activities observed at the end of 2019 are likely to persist in 2020:

Phishing and business email compromise (BEC) lures

LookingGlass anticipates there will be a continuation of phishing and BEC lures from 2019 into 2020. While phishing and BEC share a common theme of a third party attempting to trick victims into providing sensitive and financial information, one of the main differences between phishing and BEC is that phishing emails utilize spoofed email addresses and domain names to distribute lures. In contrast, BEC scams get delivered through a compromised email address, typically that of a business executive, which is a tactic that can make unsuspecting users fall for the scam. In September 2019, the Internet Crime Complaint Center (IC3) reported that BEC scams totaled over $26 billion lost between June 2016 to July 2019. Figure 1 is a graph created by IC3 depicting reported losses from November 2017 to June 2019 due to BEC scams. The volume of activity for 2019 consisted of varying levels of reported losses and will likely continue to increase in 2020.


Figure 1: IC3 graph illustrating reported losses from November 2017 to June 2019

Threat actors can utilize tactics such as social engineering to distribute lures that are both appealing and sophisticated to unsuspecting end users. This can be an advantageous tactic during holidays and popular events. One example is tax season in the United States. Threat actors will distribute tax-themed phishing and BEC lures to potential targets in an effort to trick them into providing sensitive personal and financial information. Because taxpayers anticipate receiving electronic communications about their taxes from their employer, threat actors can take advantage of this and incorporate social engineering in the lures with the hope that victims will fall for the attack. The persistence of phishing and BEC lures not only showcase the need for end-users to understand the risks associated with these types of attacks, but also the methods in which threat actors distribute these threats.


Ransomware is expected to persist in 2020 with ransomware operators expanding their pool of targets and deploying attacks that are both advanced and costly. As observed in 2018 and 2019, ransomware targets included healthcare providers, local and state governments, and schools. Just recently, currency exchange service Travelex was the victim of the Sodinokibi ransomware (also known as Revil ransomware). BleepingComputer reported the Sodinokibi group claimed to encrypt Travelex’s entire network, copied more than 5GB of personal data, and deleted backup files to prevent system restoration. The ransom note demanded a payment of $3 million paid within seven days, or the actors would publish the stolen data. Not only does this unfortunate event highlight that ransomware is no going away any time soon, but it also showcases the detrimental impact that ransomware attacks have on a business. Figure 2 displays a sample of the Sodinokibi ransom note, obtained by LookingGlass research.


Figure 2: Sodinokibi/Revil ransom note

One reason as to why ransomware operators target government offices, schools, and healthcare providers is primarily due to the value of data stored on computer filesystems. Threat actors can deploy advanced ransomware that can cripple a target’s entire computer system making it especially difficult to restore files and applications. Ransomware-as-a-service plays a part in these infections as ransomware operators urge victims to either pay a specified ransom amount or communicate with the operators via email or messaging application to negotiate the ransom payment. This latter option is likely because of the rising prices of cryptocurrency. Some strains of ransomware threaten to release sensitive information obtained from the infections if victims do not pay the ransom within a specific timeframe. As ransomware attacks continue into 2020 with both advanced and costly capabilities as well as an expansion of targets, end-users must adopt strong security practices, such as making frequent backups of critical information and avoid interacting with suspicious emails and websites.

Dark Web’s “as-a-service” economy

The dark web’s “as-a-service” economy is expected to continue in 2020. The dark web contains marketplaces for threat actors to buy and sell data-rich information, such as compromised accounts credentials, credit card information, personally identifiable information (PII), and protected health information (PHI). The dark web also includes the sale of software builds for malware, access to botnet infrastructure, and customizable off-the-shelf tools.  Figure 3 displays the login page for the Joker’s Stash carding forum.


Figure 3: Joker’s Stash login page

The dark web is becoming decentralized. Marketplace forums are not the only place where actors can obtain harmful software and compromised sensitive information. Instant messaging applications and social media platforms have provided a place for cybercriminals to buy and sell tools and data. The use of cryptocurrency as a method of payment in the dark web not only enables threat actors to purchase stolen information and sell off-the-shelf tools but also allows actors to make smooth transactions and preserve anonymity. These marketplace platforms allow cybercriminals to make a profit off their victims by selling stolen information to buyers who will pay money for valuable data obtained through nefarious means. With the selling of readily available malware source code and customizable off-the-shelf tools, less-technical cybercriminals can purchase destructive software, modify it, and distribute it to victims to carry out criminal activity.

If you feel like your organization could be threatened by cyber criminal’s acting within the darkweb, see our dark web monitoring services.

Increasing CVEs (Common Vulnerabilities and Exposures)

LookingGlass anticipates seeing increased CVE volume in 2020. In May 2019, security experts warned the public about CVE-2019-0708, also known as BlueKeep. BlueKeep is a remote code execution vulnerability that exploits the Remote Desktop Protocol (RDP) in older Microsoft systems. If an attacker were to use this vulnerability, the attacker could connect to the victim’s system using RDP to distribute specially crafted requests. If successful, the attacker could create, edit, and delete files or install applications on the affected system. After BlueKeep was used in a cryptocurrency mining campaign in November 2019, security researchers awaited when BlueKeep would be used in another attack. Microsoft urged users to patch Windows machines, as BlueKeep has a worming ability that can move laterally and infect other vulnerable machines or systems.

Our January glimpse into the current 2020 landscape has included not only the disclosure of several vulnerabilities but also Microsoft’s announcement of the Windows 7 end of life; Microsoft will no longer support operating system updates for Windows 7 and recommends Windows users to upgrade to Windows 10 (Figure 4).


Figure 4: Microsoft discontinues support for Windows 7

Windows users that choose to continue using Windows 7 are vulnerable to malware targeting the operating system. Microsoft’s discontinuation of Windows 7 highlights the fact that threat actors attempt to find flaws in software applications and operating systems and potentially use those flaws to exploit unsuspecting victims. It is critical for end users to apply patches and security updates to their devices in a timely manner.

Information Technology, Operational Technology, and the Internet of Things

LookingGlass predicts there will be an increase in security concerns surrounding information technology (IT), operational technology (OT), and the internet of things (IoT). These three areas of technology shape everyday operations for both professional and personal end users. The combination of IT and OT security best practices and procedures can aid in increasing IoT security. As smart devices have made an impact on technological advancement over the past several years, the same must be said for IoT security, especially when it comes to privacy.

In 2019, researchers expressed concern over the security and privacy of IoT connected devices. One such example included security flaws with Ring doorbell in which an adversary could spy on an individual’s video and audio footage if they were on a shared Wi-Fi network. Although Ring patched the vulnerability, this event highlights a potential attack vector in which an adversary could compromise targets. In terms of IoT botnet activity in 2019, security researchers observed a spike in the Mirai IoT botnet targeting enterprise-level hardware, demonstrating a growing concern for the security of IoT connected devices.

As previously mentioned, threat actors will attempt to exploit flaws and vulnerabilities in software. With devices ranging from smart phones, doorbells, refrigerators, and thermostats, we must ensure the security of the devices is robust. Establishing secure infrastructure and policy guidelines on corporate devices and BYOD (bring your own device) is key to lessening the chances of falling victim to any cyber-attack.

Weaponization of information

LookingGlass notes that numerous national and international events are set to occur in 2020, including the 2020 Summer Olympics in Tokyo, Japan and the United States presidential election. The United Kingdom’s exit from the European Union (Brexit) is also scheduled to take place in 2020 at the end of January. Due to these global and political events, we can expect to see misinformation campaigns, bot accounts, and rouge advertisements distributed through social media. Some social media platforms have taken action to restrict fake bot accounts and rogue advertisements from spreading misinformation. However, we cannot be sure how effective this will be in terms of politics and national and global events, specifically with the events occurring in 2020. We assess there will be a surge of bot accounts and false advertisements as adversaries look to develop ways to cause disorder and promote disinformation campaigns.

For more trends and insights like these, contact us directly to learn more.


Additional Posts

Defend your Global Attack Surface

Your organization has become a vast ecosystem of suppliers, investors, partners, and business ...

Government Agencies Need to Improve Their Digital Defenses in 2020

New year, not so new story: Government agencies are under fire from criminal hackers. But this ...