Fast Facts February 2021

Monthly data-driven threat landscape updates
© 2021 Trend Micro Inc.

Contents

• Introduction
• Disclaimer
• SPN
  – Total Threats: Blocked, Queries
  – Ransomware Threats: Blocked, Protection Layers
• ERS
  – Spam Attachments
  – BEC: Overall and CEO Fraud, BEC Impersonation, BEC Intent
• FRS
  – Families: Updates & Top 5, Segments, Industries
  – Malware Campaigns: Updates & Top 5, Segments, Industries
  – Ransomware: Updates & Top 5, New Families, Segments, Industries
  – Banking Malware: Updates & Top 5, Segments, Industries
  – Macro Malware: Updates & Top 5, Segments, Industries
  – PoS Malware: Updates & Top 5, Segments, Industries
• WRS
  – C&C Server Malware: Updates & Top 5
  – Botnet Connections, C&C Servers
• MARS
  – Android Malware: Updates & Top 5
• ZDI
  – Vulnerabilities: Per Vendor, Zero-day, ICS, ICS Zero-day
• SHN
  – Events, Devices, and Routers: All Events, Devices, and Routers; Top 5 Bidirectional Events; Key Events and Outbound/Inbound Groups
  – Outbound Events: Possible Outbound Attacks (Events), Devices, and Routers; Top 5 Outbound Attacks (Events); Top Possible Outbound Attacks by Device Type
  – Inbound Events: Possible Inbound Attacks (Events), Devices, and Routers; Top 5 Possible Inbound Attacks (Events); Top Possible Inbound Attacks by Device Type
• Appendix
  – What is SPN, MARS, SHN, and IoTRS?
  – What is MARS?
  – What is SHN?
  – What is IoTRS?
  – What is BEC?
  – What is ZDI?
  – What is a Botnet? What is a C&C Server?

Introduction

• In the state of a prolonged worldwide health pandemic, threat detections have remained in the billions for January and February, with threat actors still using the virus outbreak as a lure against users' systems.

– Trend Micro™ Smart Protection Network™ (SPN) blocked a total of 6.2 billion threats in February.
– Malware families accounted for a total of 1.1 million unique detections.
– EMOTET is no longer the top malware family in the January and February malware detections.
– RAMNIT is back at the top of the banking malware ranking, taking over the position from EMOTET.
– EMOTET, RYUK, and TRICKBOT remain the three most active campaigns, but EMOTET campaign detections fell 43.0% from January to February.
– Overall BEC attempts increased by 28.3%.
– New BEC datasets show the distribution of impersonation types and intents.
– Trend Micro Smart Home Network (SHN) shows significant increases of 429.9% and 394.9% in the devices and routers, respectively, associated with possible inbound attacks.
– See the rest of this presentation for more of our data.

Disclaimer

• Trend Micro Research is sharing monthly threat landscape updates based on Trend Micro™ Smart Protection Network™ (SPN) security infrastructure data gathered through the Email Reputation Service (ERS), File Reputation Service (FRS), and Web Reputation Service (WRS). In addition to the SPN sensors, data also come from Trend Micro researchers, the Zero Day Initiative (ZDI) team, the PH Threat Hunting team, the Mobile App Reputation Service (MARS) team, Smart Home Network (SHN), and the IoT Reputation Service (IoTRS).

– The cutoff date for the monthly data is the end of each month. For this report, the cutoff was February 28, 2021. The numbers are exact counts (i.e., not rounded to whole numbers or to the nearest thousand).
– The data in this report is a snapshot of the data gathered from the sensors and parameters Trend Micro core technology experts used during the report's creation. Readers should be aware that the figures may change retrospectively because of future enhancements applied to the sensors and parameters. Corresponding explanations will accompany any changes in succeeding reports.
– These detection numbers come from the coverage of the SPN sensors distributed globally, which is not exhaustive. Regional rankings and figures are therefore subject to the distribution bias that follows from market share.

SPN (Smart Protection Network): Total Threats

Total Threats - Blocked

Trend Micro blocked 6.2 billion threats in February, a 3.8% decrease from January's 6.4 billion.

Total Threats - Blocked

While ERS still accounts for most of the blocked threats, WRS and FRS were the only layers that increased, by 25.4% and 10.3% respectively.

Total Threats - Blocked

As of February, the total number of threats blocked in 2021 is 12.7 billion.

Total Threats - Blocked (Continued)

Total Threats - Queries

The total number of queries in February decreased by 3.9% from January.

Total Threats - Queries

WRS URL queries are the largest source of SPN queries, at more than 60%. FRS is second and ERS last.

Total Threats - Queries

As of February, the total number of threat queries in 2021 is 861.4 billion.

Total Threats – Queries (Continued)

Ransomware Threats

The number of annual ransomware detections from 2016 to 2019 ranged from 55 million to over 1 billion. As of February, the total number of ransomware detections in 2021 is 3.0 million.

Ransomware Threats

The number of ransomware threats blocked in February is 1.5 million, a 0.8% decrease from January. WRS accounts for most of the ransomware threats blocked.

ERS (Email Reputation Service): Spam Attachments and BEC

File Types Used as Spam Attachments

Rank  Feb-21              Jan-21
1     .PDF    662,787     .PDF    1,430,887
2     .DOC     42,706     .DOC       28,462
3     .HTM     24,884     .EXE       27,509
4     .XLS     21,128     .XLS       24,659
5     .EXE     20,558     .HTML      19,301

The total count of detections for file types used in spam attachments decreased by 47.6% from January to February. .PDF held on to the top spot among file types used in spam despite its 53.7% decrease.

Business Email Compromise (BEC)

While CEO fraud attempts increased by 9.1%, overall BEC attempts grew by 28.6% from January to February.

BEC incident submission - Impersonation

Datasets for both spoofed and targeted positions are not available at present due to a process issue. From January 2021, we have started monitoring impersonation and intent datasets from case submissions.

BEC incident submission – Intent

FRS (File Reputation Service): Malware Families, Campaigns, and Ransomware

Malware Family

Rank  Feb-21               Jan-21
1     WCRY       12,524    WCRY       15,923
2     COINMINER   9,476    COINMINER  11,610
3     DOWNAD      6,691    VIRUX       7,217
4     DLOADER     6,445    DLOADER     7,178
5     NEMUCOD     6,210    DOWNAD      7,026

Malware family detections decreased by 13.9% from January to February. As EMOTET dropped, WCRY is back in its usual position as the top detected malware family.

Malware Family – Segments

The consumer segment has remained the segment with the most malware detections in January and February, followed by the enterprise segment.

Malware Family – Segments

Enterprise (ENT)
Rank  Feb-21               Jan-21
1     WCRY       12,067    WCRY       15,407
2     VIRUX       5,358    VIRUX       6,752
3     VIRUX       5,135    COINMINER   6,689
4     DOWNAD      4,599    DOWNAD      4,996
5     EQUATED     3,322    EQUATED     4,618

Consumer (Cons)
Rank  Feb-21               Jan-21
1     NEMUCOD     5,543    NEMUCOD     5,526
2     COINMINER   3,699    COINMINER   4,273
3     DLOADER     3,554    DLOADER     4,150
4     DRIDEX      2,419    LOCKY       2,567
5     POWLOAD     2,387    POWLOAD     2,544

SMB
Rank  Feb-21               Jan-21
1     COINMINER     640    EMOTET      1,003
2     DOWNAD        498    COINMINER     644
3     SALITY        324    DOWNAD        463
4     EMOTET        304    POWLOAD       385
5     WCRY          290    DLOADER       381

Others
Rank  Feb-21               Jan-21
1     ADLOAD         77    LOCKY          64
2     DLOADER        67    DLOADER        50
3     DRIDEX         40    POWLOAD        41
4     LOCKY          36    Mackeeper      37
5     POWLOAD        27    DRIDEX         29

In February, WCRY continued to be the top malware family for the enterprise segment, while EMOTET dropped to fourth for SMB and out of the top 5 for the consumer segment.

Malware – Industries

Rank  Feb-21                          Jan-21
1     Manufacturing         29,933    Manufacturing       76,467
2     Healthcare            28,531    Healthcare          37,359
3     Government            24,739    Government          25,949
4     Banking               18,553    Education           22,583
5     Education             17,908    Banking             21,488
6     Technology            13,188    Technology          16,060
7     Telecommunications    10,019    Telecommunications  13,336
8     Materials              8,654    Financial            7,752
9     Financial              6,272    Food and beverage    6,166
10    Food and beverage      5,976    Transportation       6,017

The manufacturing industry remains at the top with the most malware detections in February, despite a 60.9% decrease from January. The healthcare industry holds the second spot in 2021.

Malware Campaigns

EMOTET, RYUK, and TRICKBOT are the three malware families with the most active campaigns. However, EMOTET shows a significant decrease of 43.0% from January to February.

Malware Campaigns – Segments

EMOTET shows a significant decrease from January to February in the enterprise, SMB, and consumer segments; its small increase in the Others segment is negligible.

Malware Campaigns – Industries

Rank  Feb-21                      Jan-21
1     Government          224     Manufacturing       183
2     Manufacturing       148     Government          175
3     Healthcare          114     Healthcare          131
4     Telecommunications  106     Financial           122
5     Food and beverage    71     Telecommunications  112
6     Education            30     Real estate          97
7     Technology           27     Food and beverage    84
8     Comm and Media       16     Technology           70
9     Banking              12     Education            59
10    Transportation       12     Transportation       35

Government has taken the top spot from manufacturing with the highest number of malware campaign detections, followed by the manufacturing and healthcare industries in second and third, respectively.

Ransomware Family

Rank  Feb-21              Jan-21
1     WCRY      12,524    WCRY      15,923
2     LOCKY      1,384    LOCKY      1,423
3     CERBER       732    NEFILIM      498
4     GANDCRAB     245    CERBER       435
5     RYUK         229    GANDCRAB     211

Ransomware family detections decreased by 11.6% from January to February. WCRY still holds the top spot among ransomware families.

New Ransomware Families

Feb-21 (8)        Jan-21 (13)
IZICRYPT          AMJIXIUS
CRYNG             SOPHCRYPT
HDLOCKER          SHARPCRYPTER
SICKRANSOM        CICADA
LUCIFER           CRYSIS.TIBGGH
BUTWO             BLUECRAB
FLAMINGO          JUDGE
CNHCRYPT          MIJNAL
                  NAMASTE
                  GUNSHOT
                  GARYTEST
                  MOLOCH
                  PSIXTIN

We discovered eight new ransomware families in February, a 38.5% decrease from thirteen in January.

Ransomware Family – Segments

The enterprise segment continues to have the most detections. Detections for the consumer segment in February show a slight increase despite the overall decrease in ransomware family detections.

Ransomware Family – Segments

Enterprise (ENT)
Rank  Feb-21              Jan-21
1     WCRY      12,037    WCRY      15,407
2     CERBER       224    NEFILIM      498
3     RYUK         223    LOCKY        223
4     LOCKY        205    CERBER       194
5     GANDCRAB     181    DARKSIDE     176

Consumer (Cons)
Rank  Feb-21              Jan-21
1     LOCKY      1,149    LOCKY      1,183
2     CERBER       496    CERBER       231
3     WCRY         195    WCRY         181
4     GANDCRAB      60    GANDCRAB      65
5     CRYPWALL      33    CRYPWALL      26

SMB
Rank  Feb-21              Jan-21
1     WCRY         290    WCRY         335
2     SODINOKIBI   152    SODINOKIBI    77
3     AVADDON       31    AKO           27
4     LOCKY         26    PHOBOS        17
5     AKO           16    GANDCRAB      15

Others
Rank  Feb-21              Jan-21
1     LOCKY          4    LOCKY          3
2     WCRY           2    CRYPWALL       1
3     GANDCRAB       1    CRYPTLOCK      1
4     -                   -
5     -                   -

WCRY remains the top-ranked family for both the enterprise and SMB segments in January and February. LOCKY is the most detected family for the consumer segment.

Ransomware Family – Industries

Rank  Feb-21                        Jan-21
1     Banking             4,970     Banking             6,395
2     Government          1,699     Government          2,081
3     Manufacturing         765     Manufacturing         914
4     Food and beverage     665     Healthcare            848
5     Healthcare            664     Real estate           735
6     Education             258     Food and beverage     727
7     Technology            204     Education             370
8     Financial             201     Telecommunications    295
9     Telecommunications    153     Financial             290
10    Retail                143     Technology            270

The total number of ransomware detections decreased by 11.6% from January to February. The banking industry holds the top position in both months, a notable shift in the 2021 ransomware industry ranking.

FRS (File Reputation Service): Banking, Macro, and PoS Malware Types

Banking Malware

Rank  Feb-21             Jan-21
1     RAMNIT    2,251    EMOTET    4,518
2     FAREIT    1,259    RAMNIT    2,789
3     ZBOT      1,159    BEBLOH    1,159
4     BEBLOH    1,084    DRIDEX    1,150
5     EMOTET    1,054    ZBOT        915

In February, banking malware detections decreased by 24.4% from January. RAMNIT is back in first place, while EMOTET dropped to fifth.

Banking Malware – Segments

For both January and February, the enterprise segment had the most banking malware detections, followed by the consumer and SMB segments.

Banking Malware – Segments

Enterprise (ENT)
Rank  Feb-21             Jan-21
1     RAMNIT    1,511    RAMNIT    1,902
2     DORKBOT     837    EMOTET    1,821
3     EMOTET      773    DORKBOT     782
4     FAREIT      744    QAKBOT      443
5     ZBOT        692    ZBOT        415

Consumer (Cons)
Rank  Feb-21             Jan-21
1     BEBLOH    1,072    EMOTET    1,689
2     RAMNIT      649    BEBLOH    1,151
3     URSNIF      554    DRIDEX      948
4     ZBOT        445    RAMNIT      766
5     FAREIT      431    URSNIF      575

SMB
Rank  Feb-21             Jan-21
1     QAKBOT      105    EMOTET    1,000
2     RAMNIT       91    QAKBOT      132
3     FAREIT       81    RAMNIT      120
4     EMOTET       81    LOKI         85
5     LOKI         54    FAREIT       75

Others
Rank  Feb-21             Jan-21
1     EMOTET        4    EMOTET        8
2     TRICKBOT      3    DRIDEX        6
3     FAREIT        3    LOKI          3
4     LOKI          2    FAREIT        3
5     ZBOT          1    URSNIF        2

In February, RAMNIT is the most detected banking malware for the enterprise segment. QAKBOT has taken the top spot from EMOTET for SMB, and BEBLOH has taken it from EMOTET for the consumer segment.

Banking Malware – Industries

Rank  Feb-21                      Jan-21
1     Government          794     Government          748
2     Manufacturing       420     Manufacturing       597
3     Food and beverage   341     Healthcare          365
4     Healthcare          268     Education           358
5     Telecommunications  258     Food and beverage   327
6     Education           230     Telecommunications  301
7     Technology          218     Financial           280
8     Banking              92     Real estate         253
9     Oil and Gas          45     Technology          233
10    Transportation       45     Transportation      142

The total number of banking malware detections decreased by 24.4% from January to February. Government remains the top industry, followed by manufacturing.

Macro Malware

Rank  Feb-21             Jan-21
1     POWLOAD   3,326    EMOTET    3,241
2     DRIDEX    2,948    POWLOAD   3,084
3     DLOADR    1,984    DLOADR    2,808
4     EMOTET    1,531    LOCKY     1,749
5     LOCKY     1,523    DRIDEX    1,594

The total number of macro malware detections in February decreased by 2.4% from January, and EMOTET dropped to fourth with a significant decrease.

Macro Malware – Segments

In February, the consumer segment had the most macro malware detections, followed by the enterprise and SMB segments.

Macro Malware – Segments

Enterprise (ENT)
Rank  Feb-21             Jan-21
1     POWLOAD   1,287    EMOTET    1,136
2     DLOADR      592    POWLOAD     783
3     EMOTET      460    DLOADR      547
4     MARKER      364    THUS        497
5     DRIDEX      359    LAROUX      386

Consumer (Cons)
Rank  Feb-21             Jan-21
1     DRIDEX    2,350    DLOADR    2,010
2     POWLOAD   1,806    POWLOAD   1,921
3     DLOADR    1,256    EMOTET    1,495
4     LOCKY     1,190    LOCKY     1,408
5     DLOADER     845    DRIDEX    1,184

SMB
Rank  Feb-21             Jan-21
1     EMOTET      223    EMOTET      602
2     POWLOAD     210    POWLOAD     344
3     DRIDEX      199    DLOADR      215
4     DLOADR       97    DRIDEX       79
5     DLOADER      42    DLOADER      62

Others
Rank  Feb-21             Jan-21
1     DRIDEX       40    LOCKY        61
2     DLOADR       39    DLOADR       36
3     LOCKY        32    POWLOAD      36
4     POWLOAD      23    DRIDEX       28
5     DLOADER      16    DLOADER       9

EMOTET is no longer the most detected macro malware family in the enterprise segment in February; POWLOAD has taken that spot. EMOTET is still at the top in SMB, but the detection counts there are small.

Macro Malware – Industries

Rank  Feb-21                      Jan-21
1     Manufacturing       654     Manufacturing       895
2     Government          338     Government          440
3     Food and beverage   227     Transportation      290
4     Telecommunications  207     Food and beverage   225
5     Healthcare          167     Healthcare          200
6     Transportation      156     Technology          174
7     Education           156     Financial           156
8     Technology          145     Telecommunications  123
9     Retail               70     Real estate         121
10    Comm and Media       57     Education           106

The manufacturing industry remains the top industry for macro malware detections in February, followed by government, food and beverage, telecommunications, and healthcare.

PoS Malware

Rank  Feb-21              Jan-21
1     ALINAOS       15    ALINAOS     10
2     UDPOS          8    UDPOS        8
3     LOCKPOS        8    LOCKPOS      6
4     GRATEFULPOS    5    RAWPOS       5
5     RAWPOS         3    POSNEWT      5

In February, the total number of PoS malware detections increased by 6.5%. ALINAOS keeps the top spot as the most detected PoS malware family. Detections are few compared with other malware types.

PoS Malware – Segments

In February, the enterprise segment accounts for most PoS malware detections, followed by the consumer segment; there were no detections in the SMB and Others segments. Detections are few compared with other malware types.

PoS Malware – Segments

Enterprise (ENT)
Rank  Feb-21              Jan-21
1     ALINAOS       15    ALINAOS     10
2     LOCKPOS        8    UDPOS        8
3     GRATEFULPOS    5    LOCKPOS      6
4     UDPOS          4    RAWPOS       5
5     RAWPOS         3    POSNEWT      5

Consumer (Cons)
Rank  Feb-21              Jan-21
1     UDPOS          4    -
2     TINYPOS        1    -
3     -                   -
4     -                   -
5     -                   -

SMB
Rank  Feb-21              Jan-21
1     -                   PWNPOS       1
2     -                   -
3     -                   -
4     -                   -
5     -                   -

Others
Rank  Feb-21              Jan-21
1     -                   POCARDL      1
2     -                   -
3     -                   -
4     -                   -
5     -                   -

ALINAOS is the most detected PoS malware family in the enterprise segment in February, and there are few detections in the other segments.

PoS Malware – Industries

Rank  Feb-21                   Jan-21
1     Food and beverage   9    Food and beverage   12
2     -                        Real estate         12
3     -                        -
4     -                        -
5     -                        -
6     -                        -
7     -                        -
8     -                        -
9     -                        -
10    -                        -

The total number of PoS malware detections increased by 6.5% from January to February. In February, food and beverage was the only industry observed, because of the small number of detections.

WRS (Web Reputation Service): Botnets, C&C Servers

C&C Server Malware

Rank  Feb-21               Jan-21
1     emotet     1,007     emotet       934
2     infosteal    341     feodo        329
3     feodo        177     infosteal    301
4     trojan       143     ursnif       151
5     trickbot     122     cerber       127

The total number of C&C server related malware detections decreased by 1.5% from January to February. EMOTET is still the top malware in this category.

Botnet Connections & C&C Servers

The number of C&C servers we detected has increased by 32.4% from January to February. Meanwhile, the number of botnet connections we detected has reduced by 31.9%.

MARS (Mobile App Reputation Service): Android Malware

Android Malware

Rank  Feb-21                   Jan-21
1     XLoader      312,998     XLoader      445,339
2     FakeSpy       39,101     XLoaderPack   82,014
3     FakeChrome    31,715     FakeSpy       64,791
4     XLoaderPack   29,661     FakeChrome    61,198
5     SendPay       27,755     FakeCrome     37,322

The total number of Android malware detections decreased by 34.4% from January to February. XLoader continues to hold the top spot, while FakeSpy is back in second despite its decrease.

ZDI (Zero Day Initiative): Vulnerabilities by Vendor, Zero-Day, Non-Zero-Day, and ICS

Vulnerabilities Per Vendor

The total number of vulnerabilities reported through the ZDI increased by 14.6% from January to February, while there was a slight 6.6% decrease for the Others group. Among the key vendors, both Adobe and Apple show a significant increase in reported vulnerabilities in February.

Zero-Day and ICS-related Vulnerabilities

In February, ICS vulnerabilities showed no significant movement, going only from 54 to 53, and no ICS zero-day vulnerabilities were reported in either month. On the other hand, zero-day (non-ICS) vulnerabilities increased from 2 to 7.

SHN (Smart Home Network): Events, Devices, and Routers

All Events, Devices, and Routers

SHN observed an 11.5% decrease in events from January to February, alongside a 1.2% increase in devices and a 2.2% increase in routers.

Top 5 Bidirectional Events

Feb-21
Rank  Event                                                   Share
1     NETBIOS SMB username brute force attempt                47.5%
2     RDP Brute Force Login                                   18.4%
3     Cryptocurrency mining rules                             12.1%
      (MISC Bitcoin or LiteCoin Mining Activity; MISC Bitcoin/LiteCoin/Dogecoin Mining Activity -2;
       MISC BitMonero Mining Activity; MISC Cryptocurrency Monero Mining Activity -1)
4     TELNET Default Password Login 1 ~26                      9.4%
5     NETBIOS SMB Auth failure                                 3.1%

Jan-21
Rank  Event                                                   Share
1     NETBIOS SMB Auth failure                                49.4%
2     TELNET Default Password Login 1 ~26                     15.7%
3     NETBIOS SMB username brute force attempt                13.5%
4     RDP Brute Force Login                                    7.3%
5     Cryptocurrency mining rules                              4.9%
      (MISC Bitcoin or LiteCoin Mining Activity; MISC Bitcoin/LiteCoin/Dogecoin Mining Activity -2;
       MISC BitMonero Mining Activity; MISC Cryptocurrency Monero Mining Activity -1)

In February, events from the "NETBIOS SMB username brute force attempt" rule have taken the top spot among bidirectional events (inbound and outbound combined), with "RDP Brute Force Login" moving up to second. "TELNET Default Password Login 1 ~26" events dropped to fourth.

Key Events and Outbound/Inbound Groups

The total combined detections for the key events and the outbound and inbound categories decreased by 11.5% in February. The "telnet default password" group shows a slight decrease of 9.4%, while the "cryptocurrency mining" group increased by 14.7%.

Possible Outbound Attacks (Events), Devices, and Routers

The count of possible outbound attacks (events) in February decreased by 40.5% from January, while the counts of devices and routers involved rose by 13.9% and 17.2%, respectively.

Top 5 Outbound Attacks (Events)

Feb-21
Rank  Event                                                                           Share
1     NETBIOS SMB username brute force attempt                                        47.7%
2     SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure -1  19.8%
3     SSH Brute Force Login                                                            5.6%
4     WEB ACME mini_httpd Arbitrary File Read -1 (CVE-2018-18778)                      4.7%
5     FTP Brute Force Login -2.1021                                                    3.8%

Jan-21
Rank  Event                                                                           Share
1     SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure     25.7%
2     NETBIOS SMB username brute force attempt                                        18.0%
3     NETBIOS SMB Auth failure                                                        14.3%
4     SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure -1  13.6%
5     SSH Brute Force Login                                                            7.8%

In February, the "NETBIOS SMB username brute force attempt" rule has taken the top spot, followed by the "SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure" rule in second. "SSH Brute Force Login" is back in third after being overtaken by "NETBIOS SMB Auth failure" in January.

Top Possible Outbound Attacks by Device Type

Feb-21
Rank  Device Type              Outbound Attacks    Devices    Average
1     Desktop/Laptop                 8,816,229     13,903        634
2     Smartphone                     1,995,595      6,243        320
3     Unknown                        1,009,129      1,163        868
4     NAS                              378,236        285      1,327
5     Tablet                           363,315      1,223        297
6     Printer                          199,744        147      1,359
7     Wireless Access Point            156,564        682        230
8     IP Network Camera                 77,322        821         94
9     Android Device                    70,989        704        101
10    Game Console                      25,155        318         79

Jan-21
Rank  Device Type              Outbound Attacks    Devices    Average
1     Desktop/Laptop                14,318,993     10,057      1,424
2     Smartphone                     2,608,126      6,334        412
3     Unknown                        1,666,139      1,437      1,159
4     Tablet                           921,742      1,026        898
5     NAS                              829,424        365      2,272
6     IP Network Camera                535,635        932        575
7     Printer                          405,909        235      1,727
8     Game Console                     361,477        335      1,079
9     Wireless Access Point            177,337        784        226
10    Apple iOS Device                 110,927        133        834

Average is outbound attack events per device. The desktop/laptop type continues to have the highest number of possible outbound attack events, at more than 8.8 million, followed by the smartphone type.

Possible Inbound Attacks (Events), Devices, and Routers

In February, the count of possible inbound attacks (events) decreased by 38.9%, while the counts of devices and routers involved rose sharply, by 429.9% and 394.9% respectively.

Top 5 Possible Inbound Attacks (Events)

Feb-21
Rank  Event                                                                           Share
1     NETBIOS SMB username brute force attempt                                        60.7%
2     RDP Brute Force Login                                                           26.1%
3     NETBIOS SMB Auth failure                                                         4.2%
4     SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure -1   2.0%
5     WEB Remote Command Execution via Shell Script -1.h                               1.3%

Jan-21
Rank  Event                                                                           Share
1     NETBIOS SMB Auth failure                                                        65.0%
2     NETBIOS SMB username brute force attempt                                        17.0%
3     RDP Brute Force Login                                                            9.6%
4     SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure      1.4%
5     WEB Remote Command Execution via Shell Script -1.h                               1.2%

For possible inbound attacks (events) in February, the "NETBIOS SMB username brute force attempt" rule has taken the top spot with over half of the detections, and "RDP Brute Force Login" has moved up to second.

Top Possible Inbound Attacks by Device Type

Feb-21
Rank  Device Type          Inbound Attacks    Devices    Average
1     NAS                       73,844,416      9,336      7,910
2     Desktop/Laptop            47,784,055     33,125      1,443
3     Smartphone                32,912,430     44,535        739
4     Unknown                   13,975,316     17,565        796
5     Tablet                     6,250,545      6,172      1,013
6     Android Device             1,145,678      3,614        317
7     Game Console                 961,892      3,284        293
8     IP Network Camera            752,229      4,343        173
9     Miscellaneous                684,662      1,899        361
10    SmartTV                      268,445      1,594        168

Jan-21
Rank  Device Type          Inbound Attacks    Devices    Average
1     NAS                      138,752,051     12,424     11,168
2     Desktop/Laptop            76,992,424     43,168      1,784
3     Smartphone                44,249,580     57,564        769
4     Unknown                   19,096,679     20,943        912
5     Tablet                     7,818,003      6,805      1,149
6     Android Device             1,462,775      5,168        283
7     IP Network Camera          1,308,599      5,388        243
8     SmartTV                      887,784      1,504        590
9     Game Console                 868,518      2,990        290
10    Miscellaneous                688,392      2,210        311

Average is inbound attack events per device. Network-attached storage (NAS) devices have the highest number of possible inbound attack events, followed by desktops/laptops, with smartphones third.

Appendix

What is SPN, MARS, SHN, and IoTRS?

The Trend Micro™ Smart Protection Network™ is a global network of threat intelligence sensors with continually updated email, web, and file reputation databases in the cloud. This up-to-the-second threat intelligence allows us to identify and block threats in real time. The Trend Micro reputation services check widely-used threat vectors to block spam/phishing, compromised websites, malicious files, compromised devices, and malicious mobile apps. They are:
• Email Reputation Service (ERS)
• Web Reputation Service (WRS)
• File Reputation Service (FRS)
• Mobile App Reputation Service (MARS)
• IoT Reputation Service (IoTRS)

SPN scale (figures are approximate):
• 250M+ sensors
• 2.5T+ threat queries yearly
• 65B+ threats blocked yearly
• 500K+ commercial customers worldwide

What is MARS?

The Mobile App Reputation Service (MARS) is a cloud-based service that scans and analyzes the threat risk of apps. It correlates web queries with SPN, dissects app code and private data access, and also activates the app to analyze its actual behavior.

Apps that exhibit , , premium service abuse or rooting behavior are detected as malicious so users can delete them. Apps that try and steal personal information from the device are also categorized as dangerous.

What is SHN?

Trend Micro Smart Home Network™ (SHN) is an embedded network security solution designed to protect against cyberattacks and provide network access management for all connected devices in a home network. It has been widely adopted by leading home router vendors and deployed in more than two million households worldwide.

In February 2021:
• 3,101,264: Active routers as of February 28, 2021
  – Active routers are the routers with the SHN solution enabled that can be monitored by SHN.
  – These active routers are called "SHN routers."
• 2,711,086: Daily average active routers as of February 27, 2021
  – Active routers (SHN routers) are the routers with the SHN solution enabled that can be monitored by SHN.
  – The daily average is calculated from the last 5 days.
• 37,416,344: Daily average active devices as of February 27, 2021
  – Active devices detected by those SHN routers: these are the -capable devices connected to the SHN routers (for example, smartphones or IoT devices in homes with an active router).
  – The daily average is calculated from the last 5 days.

What does "source of possible attacks" mean?
SHN looks at the IP addresses of active routers to determine the source of an event or possible attack. If a router that supports the SHN solution and has security features enabled triggers a security event, we confirm which direction the attack is coming from and further check what attack source triggered the security event. After that, we confirm the real focus of the attack.

What is SHN?

What are events and possible attacks?
"Events" are when SHN rules are triggered for greynet applications, which are not necessarily malicious and may oftentimes include potentially unwanted programs such as adware or other grayware. Some events are simply strong indicators that an attack may happen. For example, the event "TELNET Default Password Login" is an indication that someone is systematically using default passwords to try to access the router; it is not yet an attack. Some events cannot be clearly defined as malicious: cryptocurrency mining is not considered an attack because some individuals choose to actively mine cryptocurrency.

"Possible attacks" are high-risk events that are closely related to threat activity. For example, one of the top possible attacks is the Microsoft Windows SMB attack linked to the infamous MS17-010, the EternalBlue exploit connected to the WannaCry ransomware attack.

What are inbound and outbound possible attacks?
Once a packet triggers one of our DPI Intrusion Prevention System (IPS) rules, we extract the following information from the feedback data:
• Event role: whether the home device is the server or the client
• Packet flow: whether the direction is from home to internet (outbound) or from internet to home (inbound)
• Rule ID and name: we reference our signature DB to know the attack's characteristics and determine its severity. We also consider whether the packet's source or the packet's destination is the attacker.
Given the above conditions, we can judge whether this event (possible attack) was an outbound or an inbound possible attack. In other words, "possible attacks" are separated into inbound and outbound attacks.
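The decision the two columns above describe (is the hit a plain event or a possible attack, and if an attack, is the attacker on the home side or the internet side) as an added example, not Trend Micro's SHN code. The rule catalogue, the field names on a hit, and the sample hits are assumptions; the summary mirrors the per-rule share the Top 5 tables report.

```python
"""Classify home-network IPS hits into SHN-style "events" and inbound /
outbound "possible attacks" and summarise them the way the SHN tables do
(share of detections per rule).  Added example, not Trend Micro code; the
rule catalogue, field names and sample hits are assumptions."""

from collections import Counter
from dataclasses import dataclass

# Assumed signature DB. attacker_role says which side of the session the
# attacker sits on when the rule fires: brute-force and exploit requests
# come from the client, so attacker_role is "client". Rules flagged
# possible_attack=False stay plain events, as the appendix treats mining
# and default-password probing.
RULE_DB = {
    "NETBIOS SMB username brute force attempt":
        {"severity": "high", "possible_attack": True, "attacker_role": "client"},
    "RDP Brute Force Login":
        {"severity": "high", "possible_attack": True, "attacker_role": "client"},
    "SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure":
        {"severity": "critical", "possible_attack": True, "attacker_role": "client"},
    "TELNET Default Password Login 1 ~26":
        {"severity": "medium", "possible_attack": False, "attacker_role": "client"},
    "MISC Cryptocurrency Monero Mining Activity":
        {"severity": "low", "possible_attack": False, "attacker_role": None},
}


@dataclass(frozen=True)
class IpsHit:
    rule: str
    home_role: str   # role of the home device in the session: "server" or "client"
    flow: str        # direction of the packet that fired: "home_to_internet" or "internet_to_home"


def classify(hit):
    """Return ('event' | 'inbound_attack' | 'outbound_attack', packet_from_attacker)."""
    meta = RULE_DB.get(hit.rule)
    if meta is None or not meta["possible_attack"]:
        return "event", None
    # The attacker is on the home side when the home device plays the attacker's role.
    attacker_is_home = hit.home_role == meta["attacker_role"]
    # The packet source is the home side when the flow is home_to_internet;
    # combine with the attacker's side to tell whether the attacker sent it.
    source_is_home = hit.flow == "home_to_internet"
    packet_from_attacker = source_is_home == attacker_is_home
    kind = "outbound_attack" if attacker_is_home else "inbound_attack"
    return kind, packet_from_attacker


def summarize(hits):
    """Counts per class, plus each rule's percentage share within inbound and outbound attacks."""
    totals = Counter()
    per_rule = {"inbound_attack": Counter(), "outbound_attack": Counter()}
    for hit in hits:
        kind, _ = classify(hit)
        totals[kind] += 1
        if kind in per_rule:
            per_rule[kind][hit.rule] += 1
    shares = {
        kind: {rule: round(100.0 * n / sum(c.values()), 1) for rule, n in c.most_common()}
        for kind, c in per_rule.items() if c
    }
    return dict(totals), shares


# Constructed sample: a home NAS being brute-forced from the internet,
# a home PC probing the internet for SMBv1, a default-password probe and
# a mining event (the last two are events, not attacks).
SAMPLE_HITS = [
    IpsHit("NETBIOS SMB username brute force attempt", "server", "internet_to_home"),
    IpsHit("NETBIOS SMB username brute force attempt", "server", "internet_to_home"),
    IpsHit("RDP Brute Force Login", "server", "internet_to_home"),
    IpsHit("SMB Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure",
           "client", "home_to_internet"),
    IpsHit("TELNET Default Password Login 1 ~26", "server", "internet_to_home"),
    IpsHit("MISC Cryptocurrency Monero Mining Activity", "client", "home_to_internet"),
]

if __name__ == "__main__":
    totals, shares = summarize(SAMPLE_HITS)
    print(totals)
    print(shares)
```

The attacker's side is derived from the rule (who sends a brute-force or exploit request) and the home device's role, not from the packet direction alone: a response packet flowing internet-to-home during an outbound brute force would otherwise be misread as an inbound attack.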

What is IoTRS?

IoT Reputation Service (IoTRS) analyzes billions of transactions every day collected from tens of millions of sensors and devices all over the world. They include home routers, industrial IoT devices, and consumer and commercial IoT devices such as DVRs and networked security cameras.

With big data analytics and machine learning, a bulk list of insecure IoT connections is generated and queried in real time to help protect against malicious or compromised IoT devices. This approach ensures people and organizations are protected against the botnet-like activity we saw with the Mirai and Persirai botnets and the similar attacks we will likely see from and against IoT devices.

What is BEC?

In a typical business email compromise (BEC), a scammer impersonates a high-ranking executive and tricks an employee (usually one connected to the finance department) into transferring funds to the scammer's account. There are 5 types of BEC:
• The Bogus Invoice Scheme: Attackers pretend to be suppliers requesting fund transfers for payments to an account owned by the fraudsters.
• CEO Fraud: Attackers pose as the company CEO or another executive and send an email to employees in finance, requesting that they transfer money to an account the attackers control.
• Account Compromise: An executive's or employee's email account is hacked and used to request invoice payments from vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
• Attorney Impersonation: Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters.
• Data Theft: Employees in HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives.
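The impersonation and intent cues that separate these five types, applied to a message's headers and body, as an added example that is not Trend Micro's BEC detector. The executive directory, the trusted supplier domains, the intent keyword lists and the sample message are all constructed assumptions; the lookalike-domain check is a plain edit-distance comparison.

```python
"""Triage a message for the BEC patterns listed above (CEO fraud, bogus
invoice, attorney impersonation, data theft, account compromise) from header
and body cues: display-name impersonation of an executive, lookalike sender
domains, Reply-To redirection, and payment / data-request wording.
Added example, not Trend Micro's detector; the executive directory, trusted
domains, keyword lists and sample message are constructed assumptions."""

import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed protected organisation
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed directory: display name -> real mailbox
TRUSTED_SUPPLIERS = {"acme-parts.com"}              # assumed vendors whose invoices are expected

INTENT_KEYWORDS = {   # assumed wording per BEC type
    "ceo_fraud": ("wire transfer", "urgent payment", "gift cards", "are you at your desk"),
    "bogus_invoice": ("updated bank details", "new account number", "remit payment"),
    "attorney_impersonation": ("legal matter", "settlement", "attorney", "law firm"),
    "data_theft": ("w-2", "payroll list", "employee records", "personal information"),
}


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, trusted):
    """True when domain is within two edits of a trusted domain but is not that domain."""
    return any(domain != t and edit_distance(domain, t) <= 2 for t in trusted)


def bec_type(impersonation, reply_redirect, intents):
    """Map the observed cues onto the BEC categories above (None if nothing matches)."""
    if impersonation == "executive_display_name" and "ceo_fraud" in intents:
        return "CEO Fraud"
    if impersonation == "lookalike_domain" and "bogus_invoice" in intents:
        return "Bogus Invoice Scheme"
    if impersonation and "attorney_impersonation" in intents:
        return "Attorney Impersonation"
    if "data_theft" in intents:
        return "Data Theft"
    if impersonation is None and reply_redirect and intents:
        return "Account Compromise"   # genuine sender address, but replies are diverted
    return None


def triage(raw):
    """Return impersonation kind, matched intents, the supporting signals and the BEC type."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply.rsplit("@", 1)[-1].lower() if reply else from_domain
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()

    signals, impersonation = [], None
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        impersonation = "executive_display_name"
        signals.append("display name matches an executive but the address does not")
    elif lookalike(from_domain, {ORG_DOMAIN} | TRUSTED_SUPPLIERS):
        impersonation = "lookalike_domain"
        signals.append("sender domain %s resembles a trusted domain" % from_domain)
    reply_redirect = reply_domain != from_domain
    if reply_redirect:
        signals.append("Reply-To domain %s differs from sender domain %s" % (reply_domain, from_domain))
    intents = [k for k, words in INTENT_KEYWORDS.items() if any(w in text for w in words)]
    for k in intents:
        signals.append("body matches %s wording" % k)
    return {"impersonation": impersonation, "intents": intents, "signals": signals,
            "bec_type": bec_type(impersonation, reply_redirect, intents)}


# Constructed sample: display-name spoof of the CEO from a lookalike domain,
# replies diverted to a free-mail account, asking for an urgent wire transfer.
SAMPLE_CEO_FRAUD = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@freemail.example
To: bob@example.com
Subject: Urgent
Content-Type: text/plain; charset=us-ascii

Bob, are you at your desk? I need a wire transfer processed before noon.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_CEO_FRAUD))
```

The display-name check is the one that matters most for CEO fraud: mail clients show the name, not the address, so a message whose name matches a real executive but whose address does not should be flagged before any wording is considered.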

What is ZDI?

The Zero Day Initiative (ZDI) is the world's largest vendor-agnostic bug bounty program. Interested researchers provide the ZDI with exclusive information about previously unpatched vulnerabilities they have discovered. The ZDI's internal researchers and analysts then validate the issue in our security labs and make a monetary offer to the researcher.

• Zero-Day vulnerabilities: Zero-days are vulnerabilities in a system or device that have been disclosed but are not yet patched. Because they were discovered before security researchers and software developers became aware of them, and before a patch could be issued, zero-day vulnerabilities pose a higher risk to users.

• ICS or SCADA vulnerabilities: Industrial Control Systems (ICS) run the world's various critical infrastructure sectors and are inherently attractive to different threat actors. Threat actors can use vulnerabilities to access ICS and gather information such as a facility's layout, critical thresholds, or device settings for use in later attacks.

• Vendor vulnerabilities: Vulnerabilities in top vendors have the potential to affect millions across the globe. Since popular software and applications are installed on many devices and used by many people, a high rate of vulnerabilities is risky.

What is a Botnet? What is a C&C Server?

What is a botnet?
A botnet (short for bot network) is a network of hijacked computers and devices infected with bot malware and remotely controlled by an attacker. In the past, botnets were popularly used to execute DDoS attacks, but more recent botnet operations have been observed mining bitcoins, intercepting data in transit, sending logs that contain sensitive user information to the botnet master, and consuming the user's machine resources.

What is a C&C server?
A command-and-control (C&C) server is a computer controlled by an attacker or cybercriminal, used to send commands to systems compromised by malware and to receive stolen data from a target network. Many campaigns have been found using cloud-based services, such as webmail and file-sharing services, as C&C servers to blend in with normal traffic and avoid detection.

• Number of Botnet Connections is the number of unique endpoints that query or connect to a C&C server; these are not necessarily blocked, as that depends on the product setting.
• Number of Botnet C&C Servers is the number of unique active C&C servers that endpoints query or connect to.
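The two metric definitions above, and the "C&C Server Malware" ranking, computed from raw C&C telemetry as an added example; this is not Trend Micro's WRS pipeline. The CSV layout, the field meanings and the records are constructed. The point it makes explicit is that an endpoint counts once however many times it beacons and whether or not the product blocked it, so raw hits, unique endpoints and unique servers can move in different directions in the same month.

```python
"""Compute the two WRS botnet metrics defined above from raw C&C telemetry:
Botnet Connections = unique endpoints that queried or connected to a C&C
server (blocked or merely logged), and Botnet C&C Servers = unique active C&C
servers those endpoints reached. Also counts hits per malware tag, the basis
of the "C&C Server Malware" ranking. Added example, not Trend Micro's
pipeline; the CSV layout and the records are constructed."""

from collections import Counter, defaultdict

# Constructed telemetry: month, endpoint id, C&C host, malware tag, product action.
SAMPLE_LOG = """\
2021-01,ep-001,cc1.example,emotet,blocked
2021-01,ep-001,cc1.example,emotet,blocked
2021-01,ep-002,cc1.example,emotet,logged
2021-01,ep-003,cc2.example,feodo,blocked
2021-02,ep-001,cc1.example,emotet,blocked
2021-02,ep-004,cc3.example,trickbot,logged
2021-02,ep-004,cc4.example,trickbot,blocked
"""


def parse(log):
    """Yield (month, endpoint, server, family, action) tuples, skipping blank lines."""
    for line in log.splitlines():
        if line.strip():
            yield tuple(field.strip() for field in line.split(","))


def botnet_metrics(log):
    """Per month: unique endpoints, unique C&C servers, raw hits and hits per family."""
    endpoints, servers = defaultdict(set), defaultdict(set)
    hits, families = Counter(), defaultdict(Counter)
    for month, endpoint, server, family, _action in parse(log):
        endpoints[month].add(endpoint)   # an endpoint counts once, blocked or not
        servers[month].add(server)       # a server counts once however many endpoints reach it
        hits[month] += 1
        families[month][family] += 1
    return {m: {"connections": len(endpoints[m]), "cc_servers": len(servers[m]),
                "hits": hits[m], "families": dict(families[m])} for m in sorted(hits)}


def pct_change(old, new):
    """Month-over-month change as the report states it, rounded to one decimal."""
    return round(100.0 * (new - old) / old, 1) if old else None


def month_over_month(log, prev, cur):
    """Percentage change between two months for each scalar metric."""
    m = botnet_metrics(log)
    return {k: pct_change(m[prev][k], m[cur][k]) for k in ("connections", "cc_servers", "hits")}


if __name__ == "__main__":
    print(botnet_metrics(SAMPLE_LOG))
    print(month_over_month(SAMPLE_LOG, "2021-01", "2021-02"))
```

On the constructed records, unique endpoints fall from three to two while unique C&C servers rise from two to three, the same shape as the February figures on the Botnet Connections & C&C Servers slide.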

Unknown threats detected and stopped over time by Trend Micro. Created with real data by artist Brendan Dawes.