From the front lines of incident response engagements to managed security services, IBM Security X-Force observes attack trends firsthand, yielding insights into the cyber threat landscape. Every year, X-Force collates billions of data points to assess cybersecurity threats to our customers.

This report — the X-Force Threat Intelligence Index 2021 — represents our latest edition of that yearly assessment. It covers data and findings from January to December 2020 and is meant to assist organizations in understanding current threats and how they evolve, assess risk and prioritize cybersecurity efforts. Research found Linux-related malware threats rising rapidly, threat actors actively spoofing top technology brands and shifting tactics emerging in response to the evolving COVID-19 situation.

This year’s report includes data from multiple IBM teams, including X-Force Threat Intelligence, X-Force Incident Response, X-Force Red, IBM Managed Security Services and IBM Trusteer, as well as IBM collaborators, such as Quad9 and Intezer. The following are some of the top findings from this data.

Cyber Criminals Take a Page From the Hybrid Cloud Playbook

Linux operating systems power 90% of the cloud workload, providing the backbone of cloud and hybrid cloud infrastructures. With cloud services enabling organizations with greater flexibility, efficiency and strategic value for their data, the demand for cloud computing is growing every year. Cyber criminals are taking note and recognize that cloud environments present opportunities for them as well. In particular, they are investing more time and effort into creating malware tailored to cloud environments.

X-Force collaborator Intezer identified that Linux-based malware grew 40% year-over-year from 2019 to 2020, with 500% growth from 2010 to 2020. In addition, cyber criminals are investing heavily in creating new Linux cryptomining malware, suggesting that these criminals aim to exploit cloud computing’s processing power to maliciously obtain cryptocurrency. X-Force has observed ransomware strains such as RansomEXX and SFile turning up with Linux versions, and Intezer has observed top threat actors — including ITG14, ITG05 and ITG11 — creating Linux versions of their traditional malware.

Figure 1: New Linux malware families discovered per year, 2010-2020 (Source: Intezer)

In addition to Linux malware variants, X-Force analysts have observed threat actors — including big-game-hunting ransomware actors such as Sodinokibi — exploiting cloud services such as MEGA or pCloud to store and leak victim data.

While cybercriminals’ focus on the cloud is concerning, X-Force threat intelligence recognizes that awareness is key. By staying alert to these new threats, tracking new forms of Linux malware, writing rules to detect them and employing a range of defense-in-depth strategies to secure cloud computing environments, X-Force is helping organizations continue to realize the benefits of the cloud even while cyber criminals focus more effort in this area.

Threat Actors Capitalize on Consumer Trust to Spoof Brands

Spoofing popular brands seems to never go out of style. Cyber criminals in 2020 continually sought to exploit consumer trust in well-known brands by creating malicious domains and fake websites mimicking trusted companies. Similar to last year’s Threat Intelligence Index that covered 2019 trends, Google, YouTube, Facebook, Amazon, Apple and WhatsApp all made the top 10 list, underscoring the popularity of technology and social media domains for actors seeking to plant malware on websites and user devices, steal user credentials or collect payment card information.

In addition, tools that have become critical to communication and collaboration during the 2020 pandemic made it into this year’s top ten: Dropbox, PayPal and Microsoft also made the list, probably due to the increased reliance on these services during stay-at-home orders.

Interestingly, Adidas also made the top ten spoofed brands this year, ending up seventh on our list. The majority of Adidas website spoofing occurred in January 2020 and capitalized on the release of a new Adidas Superstar sneaker and the Yeezy sneakers by Kanye West. Many of the spoofed websites would have been convincing to the average sneaker shopper. Yeezy was one of Adidas’ top-selling sneakers, and attackers appear to have taken notice that emerging news from top brands has the potential to facilitate money-making scams.

Figure 2: Image of spoofed Adidas Yeezy sneaker website (Source: X-Force)
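As an added, defender-side illustration of the brand-spoofing pattern described above (example code written for this page, not X-Force's or Quad9's tooling): a small Python scanner that flags DNS queries for domains that embed or closely mimic the ten brands named in this section. The brand allow-list, the look-alike character table and the resolver log lines are all constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Brands the report names among 2020's top-10 spoofed, with the registrable domain each uses
# (constructed allow-list; a real deployment needs a fuller list and a public-suffix library).
BRANDS = {
    "google": "google.com", "youtube": "youtube.com", "facebook": "facebook.com",
    "amazon": "amazon.com", "apple": "apple.com", "whatsapp": "whatsapp.com",
    "dropbox": "dropbox.com", "paypal": "paypal.com", "microsoft": "microsoft.com",
    "adidas": "adidas.com",
}
LEGIT = set(BRANDS.values())
# Look-alike characters commonly swapped into a brand name, folded away before matching.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(text: str) -> str:
    return text.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def classify(host: str):
    """Return (brand, reason) when host looks like it impersonates a listed brand, else None."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in LEGIT:
        return None  # the brand's own domain, or a subdomain of it
    second = normalize(labels[-2] if len(labels) >= 2 else labels[0])
    for brand in BRANDS:
        if second == brand:
            return brand, "brand name as second-level label via look-alike characters or other TLD"
        if brand in normalize(host):
            return brand, "brand name embedded in an unrelated domain"
        similarity = SequenceMatcher(None, second, brand).ratio()
        if similarity >= 0.85:  # near miss such as a dropped or doubled letter
            return brand, f"typo-squat of brand name (similarity {similarity:.2f})"
    return None

def scan_dns_log(lines):
    """Yield (host, brand, reason) for suspicious queries in 'q=<name>' resolver log lines."""
    for line in lines:
        m = re.search(r"\bq=([A-Za-z0-9.-]+)", line)
        if m and (hit := classify(m.group(1))):
            yield (m.group(1).lower(), *hit)

# Constructed sample resolver log (not real data), shaped after the patterns the report describes.
SAMPLE_LOG = """\
2020-03-12T09:14:02Z client=10.0.0.5 q=mail.google.com
2020-03-12T09:14:05Z client=10.0.0.5 q=paypa1-secure-login.com
2020-03-12T09:14:09Z client=10.0.0.7 q=arnazon.com
2020-03-12T09:14:11Z client=10.0.0.7 q=adidas-yeezy-release.net
2020-03-12T09:14:15Z client=10.0.0.9 q=microsft.com
2020-03-12T09:14:20Z client=10.0.0.9 q=cdn.example.org""".splitlines()
```

A hit is a lead for review, not a verdict: legitimate names that happen to contain a brand word will match the embedded-name rule, so pair this with an allow-list or a resolver that already carries curated blocklists.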

Attackers’ Targets and Tactics Shifted With COVID-19 Response Efforts

As the COVID-19 pandemic continues to affect countries, organizations and individuals around the world, attackers continue to adjust their strategy to capitalize on the trend, gain critical information and disrupt networks and supply chains involved in the response for financial or national gain.

IBM’s tracking of COVID-19-related spam reveals a massive increase in such campaigns in March and April 2020 — constituting an over 6000% increase at its highest point, according to our data analysis. In this early campaign, attackers capitalized on worldwide interest in information about the breaking pandemic, spoofing emails from official health resources and government assistance programs. This trend stabilized around June 2020 as the world began settling into a ‘new normal.’

Since June 2020, COVID-19-related spam has hovered around 1% of all spam X-Force sees, and we anticipate that this trend is likely to continue well into 2021.

Figure 3: COVID-19-related spam trends as a percent of all spam (Source: X-Force)

In addition, threat actors reacted to COVID-19 by directing threat activity toward pharmaceutical companies, health care organizations, supply chains for personal protective equipment (PPE), COVID-19 vaccine development and its cold chain distribution. In June 2020, X-Force discovered a global spear-phishing campaign targeted at more than 100 high-ranking executives involved in a German government task force charged with obtaining PPE during the pandemic. In October, X-Force uncovered a highly targeted campaign against the COVID-19 vaccine cold chain, probably perpetrated by a nation-state actor seeking information or an opportunity to disrupt vaccine distribution.

Call to Action: Embed Threat Intelligence Into Your Business

The X-Force Threat Intelligence Index 2021 reveals new changes to the cyber threat landscape worldwide. Threat actors’ attack types, techniques and strategies are changing, and adjusting your organization’s security strategy to address these changes can make all the difference for your security posture this year. In particular, some of the top defense mechanisms X-Force recommends reviewing and assessing are:

  • Have an incident response plan for ransomware and ensure it includes cloud assets and data. X-Force data shows that ransomware is the top attack type for 2021, and attackers are increasingly stealing and leaking sensitive company data in addition to encrypting it. Have a response plan that addresses these techniques. We recommend that the plan includes safely storing and updating backups and recovering from those backups, as well as encrypting sensitive data so it is unreadable if stolen.
  • Use Quad9 to sidestep spoofed domains. Quad9 is a free tool that quickly detects and blocks malicious domains, keeping your organization safe from attacks that might deploy malware or steal user credentials. X-Force findings show that threat actors actively created new, malicious domains mimicking top brands or pretending to be an official source for COVID-19 information or government relief funds. Blocking communication with malicious and suspicious websites can help mitigate the threat of phishing and fraud.
  • Employ defense-in-depth tactics to defend against new malware. Threat actors are developing new malware strains every day — including malware targeting Linux systems and updates to more traditional malware that include anti-detection techniques. Employing a range of tools that can identify malware in addition to techniques used by threat actors immediately before and after malware is deployed can assist your organization in staying on top of these latest threats. Security Event and Incident Management tools, Endpoint Detection tools, cloud workload monitoring and email security tools can assist in building this layered approach.

Throughout the year, IBM X-Force researchers also provide ongoing research and analysis in the form of blogs, white papers, webinars and podcasts, highlighting our insight into advanced threat actors, new malware and new attack methods. In addition, we provide a large body of current, cutting-edge analysis to subscription clients on our Premier Threat Intelligence platform.

If you have experienced a cyber incident and would like immediate assistance from IBM Security X-Force incident response, please call our hotline at 1-888-241-9812 (US) or +001-312-212-8034 (global). Learn more about X-Force’s threat intelligence and incident response services.
