From the front lines of incident response engagements to managed security services, IBM Security X-Force observes attack trends firsthand, yielding insights into the cyber threat landscape. Every year, X-Force collates billions of data points to assess cybersecurity threats to our customers.

This report — the X-Force Threat Intelligence Index 2021 — represents our latest edition of that yearly assessment. It covers data and findings from January to December 2020 and is meant to help organizations understand current threats and how they evolve, assess risk and prioritize cybersecurity efforts. Research found Linux-related malware threats rising rapidly, threat actors actively spoofing top technology brands and new tactics emerging in response to the evolving COVID-19 situation.

This year’s report includes data from multiple IBM teams, including X-Force Threat Intelligence, X-Force Incident Response, X-Force Red, IBM Managed Security Services and IBM Trusteer, as well as IBM collaborators, such as Quad9 and Intezer. The following are some of the top findings from this data.

Cyber Criminals Take a Page From the Hybrid Cloud Playbook

Linux operating systems power 90% of the cloud workload, providing the backbone of cloud and hybrid cloud infrastructures. With cloud services enabling organizations with greater flexibility, efficiency and strategic value for their data, the demand for cloud computing is growing every year. Cyber criminals are taking note and recognize that cloud environments present opportunities for them as well. In particular, they are investing more time and effort into creating malware tailored to cloud environments.

X-Force collaborator Intezer found that the number of new Linux malware families grew 40% from 2019 to 2020, with 500% growth from 2010 to 2020. Cyber criminals are also investing heavily in new Linux cryptomining malware, suggesting that they aim to hijack cloud computing's processing power to mine cryptocurrency for themselves. X-Force has observed ransomware strains such as RansomEXX and SFile turning up with Linux versions, and Intezer has observed top threat actors (including ITG14, ITG05 and ITG11) porting their traditional malware to Linux.

Figure 1: New Linux malware families discovered per year, 2010-2020 (Source: Intezer)

In addition to Linux malware variants, X-Force analysts have observed threat actors, including big-game-hunting ransomware operations such as Sodinokibi, abusing legitimate cloud storage services such as MEGA or pCloud to stage and leak stolen victim data.

While cybercriminals’ focus on the cloud is concerning, X-Force threat intelligence recognizes that awareness is key. By staying alert to these new threats, tracking new forms of Linux malware, writing rules to detect them and employing a range of defense-in-depth strategies to secure cloud computing environments, X-Force is helping organizations continue to realize the benefits of the cloud even while cyber criminals focus more effort in this area.

Threat Actors Capitalize on Consumer Trust to Spoof Brands

Spoofing popular brands never seems to go out of style. Cyber criminals in 2020 continually sought to exploit consumer trust in well-known brands by registering malicious domains and building fake websites that mimic trusted companies. As in last year's Threat Intelligence Index, which covered 2019 trends, Google, YouTube, Facebook, Amazon, Apple and WhatsApp all made the top 10 list, underscoring the popularity of technology and social media domains for actors seeking to plant malware on websites and user devices, steal user credentials or collect payment card information.

In addition, tools that became critical to communication and collaboration during the 2020 pandemic made it into this year's top 10: Dropbox, PayPal and Microsoft also made the list, probably because of the increased reliance on these services during stay-at-home orders.

Interestingly, Adidas also made the top 10 spoofed brands this year, ending up seventh on our list. The majority of Adidas website spoofing occurred in January 2020 and capitalized on the release of a new Adidas Superstar sneaker and the Yeezy sneakers by Kanye West. Many of the spoofed websites would have been convincing to the average sneaker shopper. Yeezy was one of Adidas' top-selling sneakers, and attackers appear to have noticed that news from top brands can be turned into money-making scams within days.

Figure 2: Image of spoofed Adidas Yeezy sneaker website (Source: X-Force)
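The brand-spoofing pattern above (lookalike registrations of Google, PayPal, Adidas and the rest) is the kind of thing a blue team can triage in bulk from newly registered domain feeds. The following is an added example for this article, not X-Force tooling: it takes the page's top-spoofed brand list and classifies candidate names by the most common tricks, namely homoglyph substitution (paypa1, rnicrosoft), typos and transpositions (goolge), brand tokens embedded in a longer label (adidas-yeezy-release), a brand name hidden in a subdomain, and punycode labels that need manual review. The sample domains are constructed under .example, and the code assumes a one-label public suffix; a real deployment would use the Public Suffix List and an allowlist of the domains each brand actually owns.

```python
"""Triage candidate domains against the report's most-spoofed brands.

Added example for this article, not X-Force tooling. BRANDS comes from the
page; SAMPLE_DOMAINS are constructed; the one-label public suffix assumption
is for the demo only.
"""

BRANDS = ["google", "youtube", "facebook", "amazon", "apple", "whatsapp",
          "dropbox", "paypal", "microsoft", "adidas"]

# Single-character substitutions that make a label read like the brand.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"}
# Multi-character confusables: "rn" looks like "m", "vv" like "w" in many fonts.
MULTI = [("rn", "m"), ("vv", "w")]

# Constructed sample of "newly registered" names; none are real observations.
SAMPLE_DOMAINS = [
    "paypal.example",
    "paypa1.example",
    "rnicrosoft.example",
    "goolge.example",
    "adidas-yeezy-release.example",
    "amaz0n-prime-rewards.example",
    "microsoft.login-verify.example",
    "xn--pple-43d.example",
    "weather.example",
]


def normalise(label: str) -> str:
    """Fold homoglyphs so 'paypa1' and 'rnicrosoft' compare as 'paypal' and 'microsoft'."""
    label = "".join(HOMOGLYPHS.get(c, c) for c in label.lower())
    for src, dst in MULTI:
        label = label.replace(src, dst)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions (goolge -> google = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain: str):
    """Return (subdomain labels, registrable label). Assumes a one-label public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], labels[0]
    return labels[:-2], labels[-2]


def classify(domain: str, brands=BRANDS, max_distance: int = 1):
    """Return (verdict, matched brand or None); the most specific signal wins."""
    subs, label = split_domain(domain)
    if label in brands:
        return ("legitimate", label)          # demo assumption: the brand owns brand.<tld>
    if label.startswith("xn--"):
        return ("idn-review", None)           # punycode: decode and inspect by hand
    for sub in subs:
        if normalise(sub) in brands:
            return ("brand-in-subdomain", normalise(sub))
    norm = normalise(label)
    for brand in brands:
        if norm == brand:
            return ("homoglyph", brand)
    for brand in brands:
        if brand in norm:
            return ("brand-embedded", brand)
    nearest = min(brands, key=lambda b: osa_distance(norm, b))
    if osa_distance(norm, nearest) <= max_distance:
        return ("typosquat", nearest)
    return ("unrelated", None)


def triage(domains=SAMPLE_DOMAINS):
    """Classify each domain and keep only the ones worth a block or a second look."""
    out = []
    for d in domains:
        verdict, brand = classify(d)
        if verdict not in ("legitimate", "unrelated"):
            out.append((d, verdict, brand))
    return out


if __name__ == "__main__":
    for domain, verdict, brand in triage():
        print(f"{domain:35} {verdict:20} {brand or ''}")
```

The substring and distance checks are deliberately loose: "apple" is one edit from "ample" and a substring of "pineapple", so short brand names need a higher bar (a longer max_distance only for long brands, or a whitelist of common words) before anything is blocked automatically rather than queued for review.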

Attackers’ Targets and Tactics Shifted With COVID-19 Response Efforts

As the COVID-19 pandemic continues to affect countries, organizations and individuals around the world, attackers continue to adjust their strategy to capitalize on the trend, gain critical information and disrupt networks and supply chains involved in the response for financial or national gain.

IBM’s tracking of COVID-19-related spam shows a massive surge in such campaigns in March and April 2020, peaking at a more than 6,000% increase according to our data analysis. In this early wave, attackers capitalized on worldwide interest in information about the breaking pandemic, spoofing emails from official health resources and government assistance programs. The trend stabilized around June 2020 as the world began settling into a ‘new normal.’

Since June 2020, COVID-19-related spam has hovered around 1% of all spam X-Force sees, and we anticipate that this trend is likely to continue well into 2021.

Figure 3: COVID-19-related spam trends as a percent of all spam (Source: X-Force)

In addition, threat actors reacted to COVID-19 by directing activity toward pharmaceutical companies, health care organizations, supply chains for personal protective equipment (PPE), COVID-19 vaccine development and vaccine cold chain distribution. In June 2020, X-Force discovered a global spear-phishing campaign targeting more than 100 high-ranking executives involved in a German government task force charged with obtaining PPE during the pandemic. In October, X-Force uncovered a highly targeted campaign against the COVID-19 vaccine cold chain, probably perpetrated by a nation-state actor seeking information or an opportunity to disrupt vaccine distribution.

Call to Action: Embed Threat Intelligence Into Your Business

The X-Force Threat Intelligence Index 2021 reveals new changes to the cyber threat landscape worldwide. Threat actors’ attack types, techniques and strategies are changing, and adjusting your organization’s security strategy to address these changes can make all the difference for your security posture this year. In particular, some of the top defense mechanisms X-Force recommends reviewing and assessing are:

  • Have an incident response plan for ransomware and ensure it covers cloud assets and data. X-Force data shows that ransomware was the top attack type in 2020, and attackers increasingly steal and leak sensitive company data in addition to encrypting it. The plan should address both techniques: store and update backups safely (isolated from the production network, so an intruder with domain credentials cannot reach them), test recovery from those backups, and encrypt sensitive data at rest so it is unreadable if stolen.
  • Use Quad9 to sidestep spoofed domains. Quad9 is a free recursive DNS resolver (9.9.9.9) that blocks resolution of known malicious domains, helping keep your organization safe from attacks that deploy malware or steal user credentials. X-Force findings show that threat actors actively created new malicious domains mimicking top brands or posing as official sources of COVID-19 information or government relief funds. Blocking communication with malicious and suspicious domains at the resolver helps mitigate phishing and fraud, but it only covers names already on the blocklist, so it complements rather than replaces email filtering and user-facing phishing controls.
  • Employ defense-in-depth tactics to defend against new malware. Threat actors are developing new malware strains every day, including malware targeting Linux systems and updates to more traditional malware that add anti-detection techniques. Employing a range of tools that can identify malware, as well as the techniques threat actors use immediately before and after malware is deployed, can help your organization stay on top of these latest threats. Security information and event management (SIEM) tools, endpoint detection and response (EDR) tools, cloud workload monitoring and email security tools all contribute to this layered approach.
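If you roll out Quad9 as the recommendation above suggests, you will want a way to confirm that a suspicious domain is actually being blocked rather than simply failing to resolve. The following is an added example for this article, not Quad9 or X-Force tooling. It uses only the Python standard library to send the same A query to Quad9's filtered resolver (9.9.9.9) and its unfiltered one (9.9.9.10, which Quad9 documents as having no blocklist), and compares the two: Quad9 answers NXDOMAIN for blocked names, so "NXDOMAIN on 9.9.9.9 but a normal answer on 9.9.9.10" is the blocked signal, while NXDOMAIN from both means the name does not exist. The resolver addresses and the NXDOMAIN behaviour are Quad9's published facts; the packet parsing is deliberately minimal (header only) because the verdict needs only the response code and answer count.

```python
"""Check whether Quad9 blocks a domain by comparing its filtered resolver
(9.9.9.9) with its unfiltered one (9.9.9.10).

Added example for this article, not Quad9 or X-Force tooling. Standard
library only: a minimal DNS-over-UDP client that reads just the header.
"""
import random
import socket
import struct

QUAD9_FILTERED = "9.9.9.9"
QUAD9_UNFILTERED = "9.9.9.10"   # Quad9's documented no-blocklist, no-DNSSEC resolver
NOERROR, NXDOMAIN = 0, 3       # RCODE values from RFC 1035


def build_query(name: str, qid: int) -> bytes:
    """Standard A/IN query with the recursion-desired bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, qid: int) -> dict:
    """Return rcode, answer count and TC bit; raise on a short packet or ID mismatch."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("DNS ID mismatch (spoofed or stale reply)")
    return {"rcode": flags & 0x000F, "answers": an, "truncated": bool(flags & 0x0200)}


def query(resolver: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query to `resolver` and parse the header of the reply."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data, qid)


def verdict(filtered: dict, unfiltered: dict) -> str:
    """Combine the two resolvers' answers. Blocked = NXDOMAIN only on the filtered side."""
    if (filtered["rcode"] == NXDOMAIN and unfiltered["rcode"] == NOERROR
            and unfiltered["answers"] > 0):
        return "blocked-by-quad9"
    if filtered["rcode"] == NXDOMAIN and unfiltered["rcode"] == NXDOMAIN:
        return "nonexistent"
    if filtered["rcode"] == NOERROR:
        return "resolves"
    return f"inconclusive (rcode {filtered['rcode']}/{unfiltered['rcode']})"


def check(name: str) -> str:
    """Live check: requires outbound UDP/53 to Quad9."""
    return verdict(query(QUAD9_FILTERED, name), query(QUAD9_UNFILTERED, name))


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:] or ["example.com"]:
        print(name, check(name))
```

Run it as `python quad9_check.py suspicious-domain.example` from a host that can reach both resolvers. Because the verdict relies on the unfiltered resolver resolving the name, a domain whose authoritative servers are down will show as "nonexistent" or "inconclusive", not "blocked"; only a clean NOERROR on 9.9.9.10 alongside NXDOMAIN on 9.9.9.9 is attributed to the blocklist.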

Throughout the year, IBM X-Force researchers also provide ongoing research and analysis in the form of blogs, white papers, webinars and podcasts, highlighting our insight into advanced threat actors, new malware and new attack methods. In addition, we provide a large body of current, cutting-edge analysis to subscription clients on our Premier Threat Intelligence platform.

Download the Report

If you have experienced a cyber incident and would like immediate assistance from IBM Security X-Force incident response, please call our hotline at 1-888-241-9812 (US) or +001-312-212-8034 (global). Learn more about X-Force’s threat intelligence and incident response services.
