As ransomware operators were attacking state and municipal networks alongside hospitals and schools, a global pandemic response to COVID-19 necessitated a move to remote work for a significant portion of the economy. Many security teams were forced to suspend wide-ranging analyses around the adoption of remote work policies and instead focus on a supply chair attack from a trusted platform.

This report aims to reveal top trends that will shape the cybersecurity industry in 2020.

Mandiant’s 2019 edition of their threat intel report. Focusing on significant trends in attack TTPs over the past calendar year.

FireEye Threat Intelligence assesses with high confidence that APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control. Activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely statesponsored activity. This is remarkable because explicit financially motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests these two motivations were balanced concurrently from 2014 onward.

FireEye has been detecting and responding to cyber attacks every day for over 15 years. The release of M-Trends® 2020 marks 11 years of providing the cyber security community with insights gained from the frontlines of those attacks.

The goal of this initiative was to identify trends impacting cyber security decisions, the top cyber security priorities for 2020 and beyond, the focus of risk mitigation strategies, and to highlight the overall beliefs and perceptions held by senior executives regarding the state of the cyber threat landscape and how the cyber security industry, governments and regulatory agencies are responding to their needs.

Since 2017, risk experts have consistently ranked large-scale cyber attacks and data fraud among the top five mostly likely risks around the world. Despite growing anxieties about cyber threats, cyber resilience strategies and investments continue to lag. Globally, the time taken to discover a data breach has considerably lowered since 2017, but organizations in the Asia-Pacific region took four months longer than the global median. Internet users are growing 10 times faster than global population, exponentially increasing the surface area of attack. For example, in 2018, the total cost of cyber crimes grew by a third compared to 2016, to $600 billion, but investments in cyber security only increased 10 percent over the same period.

From the report, “In the cyber security industry, we’re so frequently working around-the-clock for days at a time that we often forget when one year ends and another begins. It’s a shame, too, because the end of the year is a very important time. It provides a moment to reflect on what we observed and experienced over the past 12 months, and to consider how best to address the challenges we have been facing. Perhaps more critical to our line of work, it offers an opportunity to note what developed into a trend, and what might develop into a trend as we move into the next year and beyond.”

In late February 2017, FireEye as a Service (FaaS) identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of similar tools, tactics, and procedures (TTPs), we have high confidence that this campaign is associated with the financially motivated threat group tracked by FireEye as FIN7.

FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool (RAT) that has been used for nearly a decade for key logging, screen and video capture, file transfers, password theft, system administration, traffic relaying, and more.

In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE 2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents. At least one observed phishing lure delivered a Cobalt Strike payload. As of the writing of this blog post, FireEye had not observed post-exploitation activity by the threat actors, so we cannot assess the goal of the campaign. We have previously observed APT19 steal data from law and investment firms for competitive economic purposes. This purpose of this blog post is to inform law firms and investment firms of this phishing campaign and provide technical indicators that their IT personnel can use for proactive hunting and detection.

This blog post offers insight into the New ICS Attack Framework “Triton”

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.

FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands. FireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch to address the vulnerability and security guidance, which can be found here.

This blog post takes a look at APT29 Domain Fronting with Tor.

Read about the threat outlook for aerospace and defense sectors as threat groups seek to gain military and economic advantages.

This blog post takes a look at Metamorfo and how it is impacting Brazilian users, specifically, to install banking trojans.

Gain insights into the nature and rationales of cyber threats international organizations and nonprofits face.

In this report they look at incidents that occurred between October 2016 and September 2017.

In 2013, ISMG and FireEye teamed up to survey security leaders about advanced threats and breach response. Among the findings: Only 20 percent of respondents rated their incident response programs “very effective,” and they were most concerned about their abilities to detect and contain APT/malware quickly and completely.

This blog post discusses APT32 and it’s targetting of global corporations for destruction.