CrowdStrike’s 2020 Threat Report: Spammers finetune email thread hijacking

In its 2020 Global Threat Report, CrowdStrike found that bad actors are disabling endpoint protection and compromising WordPress sites to steal data and credentials. Companies should implement two-factor authentication and make sure existing security products are configured correctly to strengthen defenses.

During an interview at RSA 2020, Michael Sentonas, CTO of CrowdStrike, said that he often talks with CISOs at small- to medium-sized companies who are skeptical that hackers would target their companies.

“I ask them, ‘What’s your unique business differentiator and what would happen If you lost your customer data?'” he said. “That helps them understand what is at stake.”

Sentonas also said that fines triggered by Europe’s General Data Protection Rule (GDPR) are changing the business attitude toward security.

“People who may have been dismissive of cybersecurity previously are now on board,” he said.

CrowdStrike’s eport includes a threat landscape overview, ransomware threat assessment, e-crime trends and activity, and an update on intrusions from Iran, North Korea, China, Russia and other countries.

SEE: Cybersecurity: Let’s get tactical (free PDF)

“As an industry, we have to make sure that the noise doesn’t become such a regular thing that people don’t start to tune out,” Sentonas said.

Here is a recap of the most common tactics bad actors used in 2019 to steal or ransom data as well as some advice on how to avoid these breaches.

Hackers’ favorite tips, tricks, and processes in 2019

Crowdstrike saw the most activity around these strategies in 2019.  

Terminating security products

Perpetrators frequently tried to terminate endpoint protection products or security information and event management (SIEM) alert forwarders. Ransomware operators most often used two publicly available utilities to do this: PCHunter and ProcessHacker. These powerful utilities not only view and terminate processes, but also directly interface with the Windows kernel itself.  

DNS tunneling

Although this is not a new tactic, several bad actors used it in 2019, CrowdStrike Intelligence reported. The use of the DNS protocol for command-and-control (C2) communications is useful when other common internet protocols are disabled or closely inspected.

Use of compromised sites hosting WordPress

In Q3 2019,  bad actors started using compromised websites hosting individual WordPress instances to deliver malware, including REvil, MUMMY SPIDER’s Emotet, and QakBot. These sites also have been linked to credential harvesting operations. On Sept. 25, 2019, CrowdStrike Intelligence identified several malicious phishing pages impersonating a Microsoft Office 365 landing page.  

Email thread hijacking 

In October 2019, criminals launched multiple Emotet spam campaigns conducted by MUMMY SPIDER to hijack email threads. After a victim’s email content has been stolen, MUMMY SPIDER identifies a thread based on the subject line and crafts a reply. This tactic increases the likelihood that a recipient will open a malicious attachment (or click a link) because the sender looks familiar, and the subject line matches a prior conversation thread that they had with that person.  

How to improve your security

Based on conversations with clients and observations of security lapses, CrowdStrike offers this advice for closing security holes and implementing best practices.

Use what you have

CrowdStrike often found that hackers succeeded when security controls were not properly configured or not fully deployed across the environment. The proliferation of “big game hunting” has made it more likely that criminals will take advantage of this weakness. Smart organizations will spend the time needed to maximize the protection they gain from existing security controls.

Protect identities

CrowdStrike recommends implementing two-factor authentication (2FA) for all users because attackers are good at accessing and using valid credentials. Two-factor authentication makes it much more difficult for adversaries to do this. In addition to 2FA, a robust privilege access management process will limit the damage adversaries can do if they get in, and reduce the likelihood of lateral movement.

Accept the 1-10-60 rule challenge

Companies need a mature security process that can prevent, detect, and respond to threats quickly. CrowdStrike recommends the “1-10-60 rule” to combat cyberthreats:
    ●  Detect intrusions in under one minute.
    ●  Investigate and understand threats in under 10 minutes. 

    ●  Contain and eliminate the adversary from the environment in under 60 minutes. 


Enlist users in the fight

The theme of RSA 2020 was the human element and many speakers said it was time to stop blaming the end user as the biggest security risk. CrowdStrike also recognizes that the end user remains a critical link in the security chain. Companies should develop job-specific training to help employees understand how to identify and avoid phishing and social engineering.

Also see