Skip to content

Threat Intel Report Q1 2020

A comprehensive approach

Anticipate threats


Proactively harden your directory infrastructure

Uncover vulnerabilities and weak configurations to maintain strong security boundaries

AD admins, blue teams, and auditors

Detect attacks


Detect attacks in real time with our AD-specific threat intelligence

Make AD an integral part of your security practice with SIEM and SOAR integrations

Enable your threat hunters with AD-native investigation capabilities

SOC analysts and threat hunters

Respond to breaches


Replay attacks and hunt for patient zero

Remediate at machine-speed through our orchestration playbooks

Detect persistence mechanisms and kick them out for good

Incident responders

The features we are proud of

Cutting-edge security technology

Harden, detect, respond
All your practices extended to your most vital IT asset: Active Directory

True real-time
Live exposure visualization, immediate attack alerts

Step-by-step recommendations
A follow-the-guide approach for AD admins new to security

Intelligence-driven, AD-native
Beyond compliance, detect AD-specific attack patterns

Seamless end-to-end user experience

No agents, no privileges
An instant-on application with hardly a footprint on operations

Dashboard-oriented UX
To simplify decision-making
and prioritization

Simple, no-nonsense architecture
Using standard protocols and proven technologies

Native integrations with your other practices
Turbo-charge your SIEM, SOAR, and IAM solutions

Top 5 attack trends

Q1 2020

Attacks from China on the rise

Phishing tactics using coronavirus crisis

Ransomware attacks still escalating

MacOS now a new attack vector

Active Directory used for lateral movement and privilege escalation

Attacks from China on the rise

  • Chinese non-state cybercriminals are transforming from small organizations into well-organized criminal groups targeting international organizations
  • Asia is the focus of attack, and advanced ransomware targeting Active Directory for fast movement is the main attack vector
  • 800+ million people have internet access in China: as that number increases, more criminal groups are engaging in cybercriminal activities to increase revenues
  • Cybercriminal activities from China are growing at 30% annually
  • According to dark web marketplaces, stolen data provided by Chinese actors is growing 23% every year
  • Chinese cybercriminal activity exceeds $15 billion USD; a recent Chinese study provided figures on the Chinese cybercriminal underground
  • An estimated 400,000 people are working for cybercriminal groups in China
  • Dark web marketplaces are not easily accessible for Chinese cybergroups because the government still blocks access to Tor and anonymous internet access; so the dark web is only used to sell services (e.g. malware customization) or stolen data
  • Many of the Chinese cybergroups are using “classic” forums (e.g. Weibo or Baidu) and “language codes” to exchange information between groups:

Devices, computers,
or servers

Chicken meat: 鸡肉

Stolen accounts
or passwords

Letters/envelopes: 字母 / 信封


Fishing boxes: 钓鱼箱

Stolen financial data
or credit cards

Tracking material: 追踪材料

Phishing tactics using coronavirus crisis

New cyberattacks exploit your fears with phishing emails designed to steal money, get personal information, and infect computers

This email is not from the CDC. It’s a phishing attack designed to harvest usernames and passwords from people who click the link. The link looks like it will take you to a website about coronavirus. It will not.

You land on a fake Microsoft Outlook login page created to steal usernames and passwords. Criminals control this fake Outlook page.

Once they capture your login credentials, they can use them to access your email account and look for anything valuable.

An email will ask to open a document to explain about coronavirus “care.” Another email will ask you for Bitcoin.

Ransomware attacks
still escalating

  • Malware threat rate and numbers detection are in line with those from Q4 2019
  • Malware automation and industrialization are increasing (estimated to grow 13% over Q4 2019)
  • New ransomware-as-a-service platforms are spreading: better service offers and more advanced technical capabilities

MacOS now a new attack vector

  • Adwares infection by OS for 2019 and Q1 2020:
    • Windows OS: 24 million
    • MacOS: 30 million
  • Average number of threats by OS for 2019 and Q1 2020:
    • Windows OS: 6 threats per endpoint
    • MacOS: 11 threats per endpoint
  • Rise of MacOS threats: increase of 400% in 2019 and Q1 2020 compared to 2018!

AD used for lateral movement and privilege escalation

  • Threat sophistication increased, with many more attacks using exploits, credential stealing tools, or multi-step attacks
  • Mass infections targeting large organizations increased — AD usage is now a “by design” behavior: embedded Mimikatz increased 42% during Q1 2020 compared to Q3/Q4 2019
  • Emotet & Trickbot trojans are still increasing: the top 5 infections during Q1 2020 were using Emotet or Trickbot
  • MacOS integrated in Active Directory appears to be a good, new attack vector to infect whole organizations

The rise of ransomware-as-a-service

  • Definition: “ransomware-as-a-service” is abbreviated as RaaS. This is a form of software-as-a-service (SaaS) used by underground vendors to threaten actors by providing them a ransomware platform tool.
  • RaaS borrows from the SaaS model. This subscription-based model enables even the novice cybercriminal to launch ransomware attacks without much difficulty.
  • You can find various RaaS packages on the market that reduce the need for significant technical knowledge of how to create ransomware. This malicious model allows anyone to become an “affiliate” of an established RaaS package or service.

RaaS example: Sodinokibi

Sodinokini attack methods include:

> Active exploitation of a vulnerability in Oracle WebLogic, officially named CVE-2019-2725
> Malicious spam or phishing campaigns with links or attachments
> Malvertising campaigns that lead to the RIG exploit kit, an avenue that GandCrab has used before
> Compomised or infiltrated managed service providers (MSPs) to push the ransomeware en masse; this is done by accessing networks via a remote desktop protocol (RDP), then using the MSP console to deploy the ransomware
> Evading detection through the "Heaven’s gate" technique used to execute 64-bit code on a 32-bit process, which allows malware to run

Sodinokibi ransomware business detections in 2019

Other examples


RaaS business model


RaaS factory: creation of a RaaS offer and publication on dark web


Beginner goes to the RaaS platform and asks for a ransomware kit


The RaaS factory automatically creates a ransomware code with an affiliate number + step-by-step information for how to launch a ransomware campaign, etc.


Beginner uses the RaaS to deploy, infect organizations, and demand ransom


Once the organization pays the ransom, 50% of the money goes to the beginner, 50% of the money goes to the RaaS factory

Q1 2020 attack examples

Our solutions

Provide field-tested products
with a seamless end-to-end user experience

Break the dynamics of most modern threats to enterprises by preventing attacks from spreading internally

A technical expertise recognized and awarded worldwide

Comments are closed.

Download pdf

Want more insights?

Contact us