Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Cybercriminal Tactics. Show all posts

LockBit Ransomware: Covertly Evolving Towards Next-Gen Threats Amid Takedown Efforts

 

In a significant development, law enforcement dismantled the infrastructure of LockBit ransomware earlier this week, uncovering the clandestine work on a next-generation file encryption malware. Referred to as LockBit-NG-Dev, this emerging threat, likely the precursor to LockBit 4.0, was revealed through a collaborative effort between the UK's National Crime Agency and cybersecurity firm Trend Micro. 

In a departure from its predecessors built in C/C++, LockBit-NG-Dev is a work-in-progress developed in .NET, compiled with CoreRT, and packed with MPRESS. This strategic shift was brought to light as Trend Micro analyzed a sample of the latest LockBit variant capable of operating across multiple systems, indicating a more sophisticated approach to infection. 

Despite lacking some features present in previous versions, such as self-propagation on compromised networks and printing ransom notes on victims' printers, LockBit-NG-Dev appears to be in its final development stages, providing the most anticipated functionalities. Trend Micro's technical analysis reveals the encryptor's support for three encryption modes (using AES+RSA) – "fast," "intermittent," and "full." It includes a custom file or directory exclusion and the ability to randomize file naming to complicate restoration efforts. 

Notably, the malware features a self-delete mechanism that overwrites LockBit's own file contents with null bytes. The discovery of LockBit-NG-Dev is a significant setback for LockBit operators, following law enforcement's Operation Cronos. Even if the gang still controls backup servers, the exposure of the new encryptor's source code poses a formidable challenge for the cybercriminal business. Restoring operations becomes a daunting task when security researchers have knowledge of the encrypting malware's source code. 

This revelation emphasizes the ongoing battle between law enforcement and cybercriminals, underscoring the need for continued vigilance and collaboration to address evolving threats in the ransomware landscape. 

In conclusion, the revelation of LockBit ransomware secretly building a next-gen encryptor serves as a stark reminder of the persistent and adaptive nature of cyber threats. As organizations and cybersecurity professionals work to stay ahead of evolving ransomware tactics, the need for proactive defenses, continuous threat intelligence sharing, and a collective, global response has never been more critical. LockBit's covert evolution reinforces the urgency of fortifying cybersecurity measures to protect against the ever-changing landscape of sophisticated cyber threats.

Malware Developer Claims Ability to Reactivate Expired Google Authentication Cookies

 

The Lumma information-stealer malware, known as 'LummaC2,' is reportedly touting a novel functionality that claims to enable cybercriminals to revive expired Google cookies, potentially allowing them to take control of Google accounts. Session cookies, specialized web cookies facilitating automatic login during a browsing session, typically have a limited lifespan for security reasons. This measure prevents misuse in case the cookies are stolen, as possessing them grants access to the account.

The discovery of this feature came to light when Alon Gal from Hudson Rock identified a forum post by the malware's developers on November 14. The post announced an update boasting the "ability to restore dead cookies using a key from restore files (applies only to Google cookies)." Intriguingly, this capability was restricted to subscribers of Lumma's highest-tier "Corporate" plan, priced at $1,000 per month.

The forum post specified that each key could be utilized twice, allowing for a single instance of cookie restoration. While seemingly limiting, this still poses a significant threat, particularly for organizations adhering to robust security practices.

The introduction of this purported feature in recent Lumma releases is awaiting validation by security experts and Google. The uncertainty surrounds whether the functionality performs as claimed. It's noteworthy that another malware, Rhadamanthys, announced a similar capability in a recent update, hinting at a potential security vulnerability exploited by these malicious actors.

Efforts to obtain a comment from Google regarding the possibility of a session cookie vulnerability have been met with silence. Lumma's developers released an update shortly after being contacted by BleepingComputer, positioning it as an additional fix to circumvent new restrictions imposed by Google to hinder cookie restoration.

Despite attempts to glean insights directly from Lumma's operators, they remained tight-lipped about the workings of the feature. When confronted with Rhadamanthys' similar functionality, Lumma's representative asserted that their competitors had imitated the feature without understanding its intricacies.

If the claims about information-stealers restoring expired Google cookies are accurate, users may be powerless to safeguard their accounts until Google issues a fix. Precautions advised include steering clear of torrent files and executables from dubious sources, as well as being cautious with Google Search results.

Analysing Advanced Persistent Threats 2023: Tactics, Targets, and Trends

 

The term "Advanced Persistent Threat" (APT) denotes a highly specialised category of cyber adversaries within the field of cybersecurity. These entities distinguish themselves through advanced skill sets and substantial access to resources, often employing sophisticated tools and techniques. APTs typically exhibit state sponsorship, indicating either direct or indirect government support or intricate ties to organized crime syndicates. 

This connection to state actors or criminal groups grants them a level of persistence and capability that far exceeds that of conventional cybercriminals. In 2023, the cybersecurity landscape has witnessed the persistent activity of several Advanced Persistent Threat (APT) groups, with attributions largely pointing to nation-states, notably Iran and China. These sophisticated entities operate at the forefront of cyber capabilities, employing advanced tactics, techniques, and procedures. Their activities extend beyond conventional cybercriminal motives, often involving strategic objectives tied to geopolitical influence, military espionage, or the compromise of critical infrastructure. As the year unfolds, the vigilance of cybersecurity experts remains crucial in monitoring and responding to the evolving tactics employed by these APT groups, reflecting the ongoing challenge of safeguarding against state-sponsored cyber threats.  

Here’s a summary of some of the most active and prominent APT Groups as of 2023:  

1) APT39  

APT39, believed to be associated with Iran, has emerged as a notable player in the cyber threat landscape in 2023. This advanced persistent threat group strategically directs its efforts towards the Middle East, with a specific focus on key sectors such as telecommunications, travel, and information technology firms. APT39 employs a sophisticated arsenal of cyber tools, including the use of SEAWEED and CACHEMONEY backdoors, along with spearphishing techniques for initial compromise. 

2) APT35 

APT35, believed to be affiliated with Iran, has solidified its position as a significant threat in 2023, honing its focus on military, diplomatic, and government personnel across the U.S., Western Europe, and the Middle East. Employing a sophisticated toolkit that includes malware such as ASPXSHELLSV and BROKEYOLK, the group employs a multifaceted approach, leveraging spearphishing and password spray attacks to infiltrate target networks. APT35's strategic interests span various sectors, encompassing U.S. and Middle Eastern military, diplomatic and government personnel, as well as organizations in the media, energy, defense industrial base (DIB), and the engineering, business services, and telecommunications sectors.  

3) APT41 

APT41, believed to be linked to China, continues to pose a significant cyber threat in 2023, targeting a diverse range of sectors including healthcare, telecommunications, high-tech, education, and news/media. Renowned for employing an extensive arsenal of malware and spear-phishing tactics with attachments, APT41 demonstrates a multifaceted approach, engaging in both state-sponsored espionage and financially motivated activities. Researchers have identified APT41 as a Chinese state-sponsored espionage group that has also ventured into financially motivated operations. Active since at least 2012, the group has been observed targeting industries such as healthcare, telecom, technology, and video games across 14 countries. APT41's activities overlap, at least partially, with other known threat groups, including BARIUM and Winnti Group, underscoring the complexity and interconnected nature of cyber threats associated with this sophisticated actor.  

4) APT40 

APT40, associated with China, maintains a strategic focus on countries crucial to China's Belt and Road Initiative, with a particular emphasis on the maritime, defense, aviation, and technology sectors. Notably active in 2023, APT40 employs a diverse range of techniques for initial compromise, showcasing their sophisticated capabilities. These methods include web server exploitation, phishing campaigns delivering both publicly available and custom backdoors, and strategic web compromises. APT40's modus operandi involves the utilization of compromised credentials to access connected systems and conduct reconnaissance. The group further employs Remote Desktop Protocol (RDP), Secure Shell (SSH), legitimate software within victim environments, an array of native Windows capabilities, publicly available tools, and custom scripts to facilitate internal reconnaissance. This comprehensive approach highlights APT40's adaptability and underscores the persistent and evolving nature of cyber threats in the geopolitical landscape. 

5) APT31 

Focused on government entities, international financial organizations, aerospace, and defense sectors, among others, APT31, also known as Zirconium or Judgment Panda, stands out as a formidable Advanced Persistent Threat group with a clear mission likely aligned with gathering intelligence on behalf of the Chinese government. Operating in 2023, APT31 exhibits a strategic approach, concentrating on exploiting vulnerabilities in applications like Java and Adobe Flash to achieve its objectives. Similar to other nation-state actors, the group's primary focus is on acquiring data relevant to the People's Republic of China (PRC) and its strategic and geopolitical ambitions. The group's activities underscore the ongoing challenge of safeguarding sensitive information against sophisticated state-sponsored cyber threats. 

6) APT30 

APT30, believed to be associated with China, distinguishes itself through its noteworthy focus on long-term operations and the infiltration of air-gapped networks, specifically targeting members of the Association of Southeast Asian Nations (ASEAN). Employing malware such as SHIPSHAPE and SPACESHIP, this threat actor utilizes spear-phishing techniques to target government and private sector agencies in the South China Sea region. Notably, APT30's objectives appear to lean towards data theft rather than financial gain, as they have not been observed targeting victims or data that can be readily monetized, such as credit card information or bank credentials. Instead, the group's tools demonstrate functionality tailored for identifying and stealing documents, with a particular interest in those stored on air-gapped networks. APT30 employs decoy documents on topics related to Southeast Asia, India, border areas, and broader security and diplomatic issues, indicating a strategic approach to lure in and compromise their intended targets in the geopolitical landscape. 

7) APT27 

APT27 believed to be operating from China, is a formidable threat actor specializing in global intellectual property theft across diverse industries. Employing sophisticated malware such as PANDORA and SOGU, the group frequently relies on spear-phishing techniques for initial compromise. APT27 demonstrates versatility in deploying a wide array of tools and tactics for its cyberespionage missions. Notably, between 2015 and 2017, the group executed watering hole attacks through the compromise of nearly 100 legitimate websites to infiltrate victims' networks. Targeting sectors including government, information technology, research, business services, high tech, energy, aerospace, travel, automotive, and electronics, APT27 operates across regions such as North America, South-East Asia, Western Asia, Eastern Asia, South America, and the Middle East. The group's motives encompass cyberespionage, data theft, and ransom, employing a diverse range of malware including Sogu, Ghost, ASPXSpy, ZxShell RAT, HyperBro, PlugX RAT, Windows Credential Editor, and FoundCore. 

8) APT26 

APT26, suspected to have origins in China, specializes in targeting the aerospace, defense, and energy sectors. Recognized for its strategic web compromises and deployment of custom backdoors, this threat actor's primary objective is intellectual property theft, with a specific focus on data and projects that provide a competitive edge to targeted organizations within their respective fields. The group's tactics involve the utilization of associated malware such as SOGU, HTRAN, POSTSIZE, TWOCHAINS, and BEACON. APT26 employs strategic web compromises as a common attack vector to gain access to target networks, complementing their approach with custom backdoors deployed once they penetrate a victim's environment.  

9) APT25 

APT25, also recognized as Uncool, Vixen Panda, Ke3chang, Sushi Roll, and Tor, is a cyber threat group with suspected ties to China. The group strategically targets the defense industrial base, media, financial services, and transportation sectors in both the U.S. and Europe. APT25's primary objective is data theft, and its operations are marked by the deployment of associated malware such as LINGBO, PLAYWORK, MADWOFL, MIRAGE, TOUGHROW, TOYSNAKE, and SABERTOOTH. Historically, the group has relied on spear-phishing techniques in its operations, incorporating malicious attachments and hyperlinks in deceptive messages. APT25 actors typically refrain from using zero-day exploits but may leverage them once they become public knowledge. The group's consistent focus on targeted sectors and methods underscores its persistence and intent to pilfer sensitive information from key industries in the U.S. and Europe. 

10) APT24 

APT24, also known as PittyTiger and suspected to have origins in China, conducts targeted operations across a diverse array of sectors, including government, healthcare, construction, mining, nonprofit, and telecommunications industries. The group has historically targeted organizations in countries such as the U.S. and Taiwan. APT24 is distinguished by its use of the RAR archive utility to encrypt and compress stolen data before exfiltration from the network. Notably, the stolen data primarily consists of politically significant documents, indicating the group's intention to monitor the positions of various nation-states on issues relevant to China's ongoing territorial or sovereignty disputes. Associated malware utilized by APT24 includes PITTYTIGER, ENFAL, and TAIDOOR. The group employs phishing emails with themes related to military, renewable energy, or business strategy as lures, and its cyber operations primarily focus on intellectual property theft, targeting data and projects that contribute to an organization's competitiveness within its field. 

11) APT23 

APT23, suspected to have ties to China, directs its cyber operations towards the media and government sectors in the U.S. and the Philippines, with a distinct focus on data theft of political and military significance. Unlike other threat groups, APT23's objectives lean towards traditional espionage rather than intellectual property theft. The stolen information suggests a strategic interest in political and military data, implying that APT23 may be involved in supporting more traditional espionage operations. The associated malware used by APT23 is identified as NONGMIN. The group employs spear-phishing messages, including education-related phishing lures, as attack vectors to compromise victim networks. While APT23 actors are not known for utilizing zero-day exploits, they have demonstrated the capability to leverage these exploits once they become public knowledge. 

12) APT22 

Also known as Barista and suspected to be linked to China, APT22 focuses its cyber operations on political, military, and economic entities in East Asia, Europe, and the U.S., with a primary objective of data theft and surveillance. Operating since at least early 2014, APT22 is believed to have a nexus to China and has targeted a diverse range of public and private sector entities, including dissidents. The group utilizes associated malware such as PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, and LOGJAM. APT22 employs strategic web compromises as a key attack vector, allowing for the passive exploitation of targets of interest. Additionally, threat actors associated with APT22 identify vulnerable public-facing web servers on victim networks, uploading webshells to gain access to the victim's network. This comprehensive approach underscores APT22's persistent and multifaceted tactics in carrying out intrusions and surveillance activities on a global scale. 

13) APT43 

Linked to North Korea, APT43 has targeted South Korea, the U.S., Japan, and Europe across various sectors, including government, education/research/think tanks, business services, and manufacturing. Employing spear-phishing and fake websites, the group utilizes the LATEOP backdoor and other malicious tools to gather information. A distinctive aspect of APT43's operations involves stealing and laundering cryptocurrency to purchase operational infrastructure, aligning with North Korea's ideology of self-reliance, thereby reducing fiscal strain on the central government. APT43 employs sophisticated tactics, creating numerous convincing personas for social engineering, masquerading as key individuals in areas like diplomacy and defense. Additionally, the group leverages stolen personally identifiable information (PII) to create accounts and register domains, establishing cover identities for acquiring operational tooling and infrastructure. 

14) Storm-0978 (DEV-0978/RomCom) 

Storm-0978, also known as RomCom, is a Russian-based cybercriminal group identified by Microsoft. Specializing in ransomware, extortion-only operations, and credential-stealing attacks, this group operates, develops, and distributes the RomCom backdoor, and its latest campaign, detected in June 2023, exploited CVE-2023-36884 to deliver a backdoor with similarities to RomCom. Storm-0978's targeted operations have had a significant impact on government and military organizations primarily in Ukraine, with additional targets in Europe and North America linked to Ukrainian affairs. The group is recognized for its tactic of targeting organizations with trojanized versions of popular legitimate software, leading to the installation of RomCom. Notably, ransomware attacks attributed to Storm-0978 have affected industries such as telecommunications and finance, highlighting the group's broad impact and the evolving nature of cyber threats in the geopolitical landscape. 

15) Camaro Dragon 

A Chinese state-sponsored hacking group named 'Camaro Dragon' has recently shifted its focus to infecting residential TP-Link routers with a custom malware called 'Horse Shell.' European foreign affairs organizations are the specific targets of this cyber campaign. The attackers utilize a malicious firmware exclusively designed for TP-Link routers, enabling them to launch attacks appearing to originate from residential networks rather than directly targeting sensitive networks. Check Point, the cybersecurity firm that uncovered this campaign, clarifies that homeowners with infected routers are unwitting contributors rather than specific targets. The infection is attributed to self-propagating malware spread via USB drives. Checkpoint identified updated versions of the malware toolset, including WispRider and HopperTick, with similar capabilities for spreading through USB drives. These tools are associated with other tools employed by the same threat actor, such as the Go-based backdoor TinyNote and a malicious router firmware implant named HorseShell. The shared infrastructure and operational objectives among these tools provide further evidence of Camaro Dragon's extensive and coordinated cyber activities. 

In conclusion, the cybersecurity landscape of 2023 has been defined by a substantial surge in Advanced Persistent Threat (APT) activities, reflecting a sophisticated and dynamic threat environment. This analysis has delved into the intricate and evolving nature of these threats, emphasizing the persistent and increasingly sophisticated endeavours of emerging and established APT groups. These actors, distinguished by high skill levels and substantial resources, often operate with state sponsorship or connections to organized crime, enabling them to execute complex and prolonged cyber campaigns. 

Throughout the year, APTs have prominently featured, executing meticulously planned operations focused on long-term infiltration and espionage. Their objectives extend beyond financial gain, encompassing geopolitical influence, military espionage, and critical infrastructure disruption, posing a significant threat to global stability and security. 

Key regions such as the Asia-Pacific (APAC), South America, Russia, and the Middle East have witnessed diverse APT activities, showcasing unique tactics and targeting various sectors. Notable incidents, including compromising secure USB drives, deploying remote access Trojans (RATs), and sophisticated spear-phishing campaigns, underscore the adaptability of APT groups. The emergence of new actors alongside well-established groups, utilizing platforms like Discord and exploiting zero-day vulnerabilities, highlights the need for enhanced cyber defenses and international cooperation. 

Incidents like the Sandworm attack and exploitation of Atlassian Confluence flaws exemplify the diverse and evolving nature of APT threats, emphasizing their technical prowess and strategic focus on critical sectors and infrastructure. In response, a comprehensive and adaptive approach involving robust security measures, intelligence sharing, and strategic collaboration is essential to effectively mitigate the multifaceted risks posed by these highly skilled adversaries in the ever-evolving cyber threat landscape.

Metaverse Opens Up New World of Cybercrime, Says Interpol

 

Global police agency, Interpol says that it is preparing for the risks that online immersive environments, the “metaverse" could create in form of new kinds of cybercrime while bolstering the already existing forms of cybercrime. 
 
Countries that are a member of Interpol have since been raising concerns on how to prepare for potential metaverse crime. Interpol's executive director for technology and innovation, Madan Oberoi told Reuters that, “some of the crimes may be new to this medium, some of the existing crimes will be enabled by the medium and taken to a new level." 
 
According to Oberoi, augmented reality and virtual reality could affect how phishing and scams operate. Additionally, he stated that concerns over child safety were also present.  
 
Virtual reality, as per Oberoi could aid crime in the physical world, “If terror group wants to attack a physical space they may use this space to plan and simulate and launch their exercises before attacking” he added.  
 
Earlier this October, Europol, the European Union’s law enforcement agency stated in a report that threat groups in the future may use virtual worlds for propaganda, recruitment, and training. The report added that users may as well create virtual worlds with “extremist rules.” 
 
According to Europol, if the metaverse environment detects users' interactions on a blockchain, “this might make it possible to follow everything someone does based on one interaction with them- providing valuable information for stalkers or extortionists.” 
 
Since 2021, Metaverse has been a tech buzzword, with company giants and investors claiming that the virtual world environments will advance in popularity, marking a new stage in the internet’s development. Marking its shift towards the idea, Facebook, in October 2021 announced renaming the giant to “Meta.” 
 
But thus far, there are few indications that this vision will come true. As the stock price of Meta fell on Thursday, investors expressed skepticism about making bets in the metaverse. 
 
Sales of blockchain-based assets, that represent virtual land and other digital possessions have also witnessed a plunge after a period of frenetic growth last year.

Attackers Revive 20-Year-Old Tactic in Microsoft 365 Phishing Attacks

 

A classic phishing tactic using mislabeled files is being used to deceive Microsoft 365 users into revealing their credentials. Malicious actors are dusting off Right-to-Left Override (RLO) attacks to fool victims into running files with altered extensions, as per cybersecurity researchers at Vade. Victims are requested to enter their Microsoft 365 login details when they open the files. 

In the previous two weeks, Vade's threat analysis team has discovered more than 200 RLO attacks targeting Microsoft 365 users. The technique of assault was: 

Within the Unicode encoding system, the RLO character [U+202e] is a special non-printing character. The symbol was created to support languages like Arabic and Hebrew, which are written and read from right to left. 

The special character, which can be found in the Windows and Linux character maps, can be used to mask the file type. The executable file abc[U+202e]txt.exe, for example, will display in Windows as abcexe.txt, misleading people to believe it is a.txt file. 

The threat has been present for more than a decade, and CVE-2009-3376 was first identified in 2008 in Mozilla Foundation and Unicode technical reports. 

"While Right-to-Left Override (RLO) attack is an old technique to trick users into executing a file with a disguised extension, this spoofing method is back with new purposes," noted researchers. 

RLO spoofing was previously a common technique for hiding malware in attachments. According to Vade researchers, the approach is currently being used to phish Microsoft 365 business users in order to gain access to a company's data. The team encountered one RLO attack in which an email was delivered with what seemed to be a voicemail.mp3 attachment. 

Researchers stated, "This kind of scam preys on the curiosity of the recipient, who is not expecting a voicemail, and who maybe intrigued enough to click the phishing link in the body of the email or the attachment, which is often an html file."
  
"Most likely attackers are taking advantage of the COVID-19 pandemic, with the expansion of remote working," hypothesized the analysts, who also noted that "RLO spoofing attachments is more convincing with the lack of interpersonal communication due to teleworking."

Zix: Attackers Increasingly Adopting New Techniques to Target Users

 

Cybercriminals are continuously expanding their toolkit by experimenting with new strategies and approaches in order to improve their effectiveness against both technological and human adversaries. 

According to research released by Zix, attackers are increasingly adopting new tactics to target users. The research covered several examples and also examined numerous consistent attack techniques and patterns that tend to affect organizations across the globe. 

“Cybercrime is exploding in 2021 and if there is anything that could be learned over the past year, it is that threat hunters are essential,” stated Troy Gill, Manager of Research at Zix. 

“Companies cannot wait for potential threats to emerge but must proactively identify security incidents that may go undetected by automated security tools. As we enter into the back half of the year, we will continue to see phishing, Business Email Compromise (BEC) and ransomware attackers become more sophisticated and bad actors asking for higher bounties to release data they have compromised.” 

The most common techniques employed by attackers: 

-Customized phishing attacks are on the upswing: Between Q1 and Q2, phishing assaults increased in frequency and sophistication, with campaigns becoming particularly tailored to specific users through the use of CAPTCHAs and web certificate data. Many websites, such as Spotify and DocuSign, were utilized to attract consumers. 

-New attack trends have surfaced: Email threats have grown in the first half of 2021, with 2.9 billion emails quarantined through June. URL and text-based cyberattacks increased steadily in the first half of the year, whereas email-based attacks dropped in the first five months before spiking in June.  

-BEC (business email compromise) attacks have become the most extensively employed technique: Businesses were determined to be the most susceptible and sought after by attackers, according to the research. Hackers have been seen eavesdropping in on discussions from inside a hacked account before delivering more personalized messages in an attempt to extract financial data or passwords.

Malwarebytes Report Confirms the Change in Tactics of Cybercriminals During Covid-19

 

Malwarebytes, an American security firm announced the findings of its annual ‘State of Malware’ report, this report explored the working methodology of employees and cybercriminals. Work from home was the new normal during the Covid-19 pandemic wherein many companies altered their working methodology and started working remotely.

The notable change was in the working methodology of the threat actors, they were more focused on gathering intelligence, and exploiting and preying upon fears with targeted and sophisticated assaults. Last year, threat actors targeted many high-profile firms and popular personalities which included hacking the accounts of famous personalities such as Barack Obama, Jeff Bezos, and Elon Musk; attacking FireEye and SolarWinds via supply chain and the Marriott hotel which recorded theft of the records of 5.2 million guests.

Marcin Kleczynski, CEO of Malwarebytes stated, “this past year has taught us that cybercriminals are increasingly formidable, planning long-term, strategic, and focused attacks that are sometimes years in the making. 2020 continued to show us that no company is immune, and there is no such thing as ‘safe enough’.”

“The COVID-19 pandemic compounded this with new challenges in securing remote workforces, making it essential that we quickly become more adaptable and learn how to better protect workers in any environment. While our total detections are down this year, we must remain vigilant. The threats we are seeing are more refined and damaging than ever before”, he further added.

Last year, Malwarebytes observed an overall drop of 24 percent of Windows detections across businesses and an 11 percent drop for clients. In total, there was a 12 percent drop in Windows detections across the board. However, Mac detections for businesses surged to 31 percent, 2020 also witnessed the growth of Android malware called FakeAdsBlock, which produced an alarming number of non-stop ads, accounting for 80,654 detections.

HiddenAds was discovered to be the most common mobile adware application, this trojan attacks users with ads, and nearly 704,418 malicious activities were reported with an increase of nearly 150 percent year-over-year.