Proofpoint’s 2020 Cyber Threat Predictions for the Middle East

During 2019, there were many trends within the threat landscape that help paint a picture of what we can expect in 2020. These include the results of widespread RAT and downloader distribution, significant evolution in impostor attacks, and increasingly sophisticated attacks on cloud applications.

Notably, the email will remain the initial threat vector of choice for most actors, driving credential phishing campaigns; targeted attacks with malware to establish a beachhead within organizations; and for widespread distribution of banking Trojans, downloaders, backdoors, and more. However, cloud-based email systems like Microsoft Office 365 and GSuite will themselves also be key targets for threat actors, providing platforms for future attacks and lateral movement within targeted organizations.

As cybercriminals are increasingly shifting their focus from targeting infrastructure to targeting people, in 2020 it is vital that organizations in the Middle East, as well as across the globe, recognize the human factor threat as any organization, regardless of its geography, is a target of those threat actors. Aligned with this, Proofpoint gathered the below top predictions for CIOs to watch out in 2020:

Despite its near absence as a primary payload in malicious emails, ransomware continued to make headlines throughout 2019, largely in so-called “big game hunting attacks.” We expect these types of attacks – in which threat actors focus on high-ransom attacks on servers and endpoints in mission-critical environments that are most likely to pay to decrypt their files for rapid recovery – to continue in 2020. Additionally, organizations will increasingly find that once they are victims of ransomware, they have already been compromised with a versatile malware strain that creates potential future vulnerabilities and exposes data and intellectual property.

Complex infection chains
While most users have largely been conditioned to avoid attachments from unknown senders, the increasing prevalence of cloud applications and storage means that we are all conditioned to click through links to view, share, and interact with a variety of content. Threat actors will continue to capitalize on this in 2020, both because of its effectiveness in social engineering and because URLs can be used to mask increasingly complex infection chains that make detection more difficult than a simply linked payload. Whereas URLs frequently linked to an executable for a malicious document in the past, 2020 will see increases in the use of URL shorteners, traffic distribution systems, and other hops to hide final payloads from defenders and automated systems.

Abusing legitimate services
Threat actors will expand their abuse of legitimate services for hosting and distributing malicious email campaigns, malware, and phishing kits. Similarly, the widespread abuse of other legitimate cloud-based hosting services for malware delivery will continue, capitalizing on our conditioning to click through links for shared content and the inability for most organizations to blacklist services like Dropbox and Box.
Finally, we predict malvertising activity associated with the Keitaro traffic distribution system (TDS) will expand and continue in 2020 based on its traffic statistics and the difficulty in blacklisting IPs associated with this type of service.

Brute force attacks get smarter
As organizations continue to adopt cloud-based productivity and collaboration software, these platforms become increasingly attractive targets for threat actors.
While traditional brute force attacks on these and other cloud services will continue in 2020, we expect these attacks to become increasingly advanced.
Additionally, while adoption of multifactor authentication is helping to mitigate risks associated with cloud attacks, vendors and organizations alike are finding that robust implementation carries its own challenges, driving organizations to look at biometrics and other potential solutions to secure their infrastructure, whether owned or purchased as a service.

Supply chains expose vertical and horizontal partners
Supply chain vulnerabilities took center stage with the breaches of major retailers in 2013 and 2014. While threat actors have continued to exploit the supply chain for everything from credit card theft to business email compromise (BEC), we expect this tactic to become even more sophisticated in 2020.
We also anticipate organizations will begin looking more closely at the wide range of suppliers with which they engage. Knowing who these suppliers are and requiring specific types of email security in vendor contracts will be critical to limiting threat actors’ ability to hop from one supplier to another until they compromise intended targets. Furthermore, this will also drive further adoption of DMARC as information security teams come together with procurement teams to demand standards-based approaches to vendor security.

Training takes center stage
While automated systems can prevent many threats from reaching inboxes, users remain the final line of defence, especially as threat actors turn to voice and SMS phishing and multi-channel attacks. As a result, training is a critical component of security but scarce resources demand that organizations be increasingly selective about the training they provide for their users. To effectively train employees on cybersecurity and ensure those trainings capture the main key-learnings, organizations must offer localized content into different languages taking into consideration the diverse cultural background of the workforce especially in countries such as the United Arab Emirates. In 2020, we expect that training priorities will be driven by threat intelligence and the types of threats organizations are actually experiencing. Additionally, there will be wider adoption of in-client email reporting mechanisms including automation to avoid overwhelming IT resources. Finally, given the challenge in detecting the attacks with automated systems, we also expect that organizations will focus training on internal phishing and email account compromise.