From the front lines of incident response engagements to managed security services, IBM Security X-Force observes attack trends firsthand, yielding insights into the cyber threat landscape. Every year, X-Force collates billions of data points to assess cybersecurity threats to our customers.

This report — the X-Force Threat Intelligence Index 2021 — represents our latest edition of that yearly assessment. It covers data and findings from January to December 2020 and is meant to assist organizations in understanding current threats and how they evolve, assess risk and prioritize cybersecurity efforts. Research found Linux-related malware threats rising rapidly, threat actors actively spoofing top technology brands and shifting tactics emerging in response to the evolving COVID-19 situation.

This year’s report includes data from multiple IBM teams, including X-Force Threat Intelligence, X-Force Incident Response, X-Force Red, IBM Managed Security Services and IBM Trusteer, as well as IBM collaborators, such as Quad9 and Intezer. The following are some of the top findings from this data.

Cyber Criminals Take a Page From the Hybrid Cloud Playbook

Linux operating systems power 90% of the cloud workload, providing the backbone of cloud and hybrid cloud infrastructures. With cloud services enabling organizations with greater flexibility, efficiency and strategic value for their data, the demand for cloud computing is growing every year. Cyber criminals are taking note and recognize that cloud environments present opportunities for them as well. In particular, they are investing more time and effort into creating malware tailored to cloud environments.

X-Force collaborator Intezer identified that Linux-based malware grew 40% year-over-year from 2019 to 2020, with 500% growth from 2010 to 2020. In addition, cyber criminals are investing heavily in creating new Linux cryptomining malware, suggesting that these criminals aim to exploit cloud computing’s processing power to maliciously obtain cryptocurrency. X-Force has observed ransomware strains such as RansomEXX and SFile turning up with Linux versions, and Intezer has observed top threat actors — including ITG14, ITG05 and ITG11 — creating Linux versions of their traditional malware.

Figure 1: New Linux malware families discovered per year, 2010-2020 (Source: Intezer)

In addition to Linux malware variants, X-Force analysts have observed threat actors — including big-game-hunting ransomware actors such as Sodinokibi — exploiting cloud services such as MEGA or pCloud to store and leak victim data.

While cyber criminals’ focus on the cloud is concerning, X-Force threat intelligence recognizes that awareness is key. By staying alert to these new threats, tracking new forms of Linux malware, writing rules to detect them and employing a range of defense-in-depth strategies to secure cloud computing environments, X-Force is helping organizations continue to realize the benefits of the cloud even while cyber criminals focus more effort in this area.

Threat Actors Capitalize on Consumer Trust to Spoof Brands

Spoofing popular brands seems to never go out of style. Cyber criminals in 2020 continually sought to exploit consumer trust in well-known brands by creating malicious domains and fake websites mimicking trusted companies. Similar to last year’s Threat Intelligence Index that covered 2019 trends, Google, YouTube, Facebook, Amazon, Apple and WhatsApp all made the top 10 list, underscoring the popularity of technology and social media domains for actors seeking to plant malware on websites and user devices, steal user credentials or collect payment card information.

In addition, tools that have become critical to communication and collaboration during the 2020 pandemic made it into this year’s top ten: Dropbox, PayPal and Microsoft also made the list, probably due to the increased reliance on these services during stay-at-home orders.

Interestingly, Adidas also made the top ten spoofed brands this year, ending up seventh on our list. The majority of Adidas website spoofing occurred in January 2020 and capitalized on the release of a new Adidas Superstar sneaker and the Yeezy sneakers by Kanye West. Many of the spoofed websites would have been convincing to the average sneaker shopper. Yeezy was one of Adidas’ top-selling sneakers, and attackers appear to have taken notice that emerging news from top brands has the potential to facilitate money-making scams.

Figure 2: Image of spoofed Adidas Yeezy sneaker website (Source: X-Force)

Attackers’ Targets and Tactics Shifted With COVID-19 Response Efforts

As the COVID-19 pandemic continues to affect countries, organizations and individuals around the world, attackers continue to adjust their strategy to capitalize on the trend, gain critical information and disrupt networks and supply chains involved in the response for financial or national gain.

IBM’s tracking of COVID-19-related spam reveals a massive increase in such campaigns in March and April 2020 — constituting an over 6000% increase at its highest point, according to our data analysis. In this early campaign, attackers capitalized on worldwide interest in information about the breaking pandemic, spoofing emails from official health resources and government assistance programs. This trend stabilized around June 2020 as the world began settling into a ‘new normal.’

Since June 2020, COVID-19-related spam has hovered around 1% of all spam X-Force sees, and we anticipate that this trend is likely to continue well into 2021.

Figure 3: COVID-19-related spam trends as a percent of all spam (Source: X-Force)

In addition, threat actors reacted to COVID-19 by directing threat activity toward pharmaceutical companies, health care organizations, supply chains for personal protective equipment (PPE), and the development of COVID-19 vaccines and their cold-chain distribution. In June 2020, X-Force discovered a global spear-phishing campaign targeted at more than 100 high-ranking executives involved in a German government task force charged with obtaining PPE during the pandemic. In October, X-Force uncovered a highly targeted campaign against the COVID-19 vaccine cold chain, probably perpetrated by a nation-state actor seeking information or an opportunity to disrupt vaccine distribution.

Call to Action: Embed Threat Intelligence Into Your Business

The X-Force Threat Intelligence Index 2021 reveals new changes to the cyber threat landscape worldwide. Threat actors’ attack types, techniques and strategies are changing, and adjusting your organization’s security strategy to address these changes can make all the difference for your security posture this year. In particular, some of the top defense mechanisms X-Force recommends reviewing and assessing are:

  • Have an incident response plan for ransomware and ensure it includes cloud assets and data. X-Force data shows that ransomware is the top attack type for 2021, and attackers are increasingly stealing and leaking sensitive company data in addition to encrypting it. Have a response plan that addresses these techniques. We recommend that the plan include safely storing and updating backups and recovering from those backups, as well as encrypting sensitive data so it is unreadable if stolen.
  • Use Quad9 to sidestep spoofed domains. Quad9 is a free tool that quickly detects and blocks malicious domains, keeping your organization safe from attacks that might deploy malware or steal user credentials. X-Force findings show that threat actors actively created new, malicious domains mimicking top brands or pretending to be an official source for COVID-19 information or government relief funds. Blocking communication with malicious and suspicious websites can help mitigate the threat of phishing and fraud.
  • Employ defense-in-depth tactics to defend against new malware. Threat actors are developing new malware strains every day — including malware targeting Linux systems and updates to more traditional malware that include anti-detection techniques. Employing a range of tools that can identify malware in addition to techniques used by threat actors immediately before and after malware is deployed can assist your organization in staying on top of these latest threats. Security Event and Incident Management tools, Endpoint Detection tools, cloud workload monitoring and email security tools can assist in building this layered approach.
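The brand-spoofing findings above and the Quad9 recommendation both come down to spotting registered domains that imitate a trusted name. The following is an added illustration, not X-Force or Quad9 code: it scores DNS query names against the ten most-spoofed brands the report lists, treating only the brand’s own registrable domain as legitimate. The substitution table, the 0.85 threshold and the sample query names are constructed for this example.

```python
# Flag DNS query names that look like spoofs of the report's top-ten brands
# (added illustration, not X-Force/Quad9 code; SUBS, threshold, samples assumed).
from difflib import SequenceMatcher
BRANDS = ["google", "youtube", "facebook", "amazon", "apple", "whatsapp",
          "dropbox", "paypal", "microsoft", "adidas"]
# Digit/letter swaps commonly seen in look-alike labels (assumed list).
SUBS = [("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s"),
        ("7", "t"), ("rn", "m"), ("vv", "w")]

def normalize(label):
    """Undo common substitutions and drop hyphens before comparing."""
    for fake, real in SUBS:
        label = label.replace(fake, real)
    return label.replace("-", "")

def lookalike_score(label, brand):
    """Similarity of one DNS label to a brand name, in [0, 1]."""
    norm = normalize(label)
    if norm == brand:
        return 1.0
    if brand in norm:  # brand padded with extra words, e.g. adidas-yeezy-shop
        return 0.95
    return SequenceMatcher(None, norm, brand).ratio()

def classify(fqdn, threshold=0.85):
    """Return ('legit' | 'lookalike' | 'clean', brand) for one query name.
    Assumes a one-label public suffix; real use needs the Public Suffix List."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return ("clean", None)
    if labels[-2] in BRANDS:  # the brand's own registrable domain
        return ("legit", labels[-2])
    best_brand, best = None, 0.0
    for label in labels[:-1]:  # every label except the TLD
        for brand in BRANDS:
            score = lookalike_score(label, brand)
            if score > best:
                best_brand, best = brand, score
    return ("lookalike", best_brand) if best >= threshold else ("clean", None)

# Constructed query names as a resolver might log them.
SAMPLE_QNAMES = ["mail.google.com", "g00gle-account-verify.com",
                 "adidas-yeezy-release.com", "paypal.secure-login.net",
                 "example.org", "micros0ft-login.com"]

def lookalikes(qnames):
    """Return {qname: brand} for every query flagged as a look-alike."""
    verdicts = {q: classify(q) for q in qnames}
    return {q: brand for q, (v, brand) in verdicts.items() if v == "lookalike"}
```

Hits from `lookalikes()` are candidates for blocking or analyst review, not a verdict on their own; a brand name inside a subdomain of an unrelated registered domain (as in the PayPal sample) is the pattern worth the most attention.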

Throughout the year, IBM X-Force researchers also provide ongoing research and analysis in the form of blogs, white papers, webinars and podcasts, highlighting our insight into advanced threat actors, new malware and new attack methods. In addition, we provide a large body of current, cutting-edge analysis to subscription clients on our Premier Threat Intelligence platform.

Download the Report

If you have experienced a cyber incident and would like immediate assistance from IBM Security X-Force incident response, please call our hotline at 1-888-241-9812 (US) or +001-312-212-8034 (global). Learn more about X-Force’s threat intelligence and incident response services.
