McAfee Labs Threats Report reveals 605% increase in COVID-19-themed attack detections


McAfee Corp. (Nasdaq: MCFE), the device-to-cloud cybersecurity company, today released its McAfee Labs Threats Report: November 2020, examining cybercriminal activity related to malware and the evolution of cyber threats in Q2 2020. During this period, McAfee saw an average of 419 new threats per minute as overall new malware samples grew by 11.5%. A significant proliferation in malicious Donoff Microsoft Office documents attacks propelled new PowerShell malware up 117%, and the global impact of COVID-19 prompted cybercriminals to adjust their cybercrime campaigns to lure victims with pandemic themes and exploit the realities of a workforce working from home.

“The second quarter of 2020 saw continued developments in innovative threat categories such as PowerShell malware and the quick adaptation by cybercriminals to target organisations through employees working from remote environments,” said Raj Samani, McAfee fellow and chief scientist. “What began as a trickle of phishing campaigns and the occasional malicious app quickly turned into a deluge of malicious URLs, attacks on cloud users and capable threat actors leveraging the world’s thirst for more information on COVID-19 as an entry mechanism into systems across the globe.”

Each quarter, McAfee assesses the state of the cyber threat landscape based on in-depth research, investigative analysis, and threat data gathered by the McAfee Global Threat Intelligence cloud from over a billion sensors across multiple threat vectors around the world.


COVID-19-Themed Threat Campaigns

After a first quarter that saw the world plunge into pandemic, the second quarter saw enterprises continue to adapt to unprecedented numbers of employees working from home and the cybersecurity challenges this new normal demands. In response, McAfee launched the McAfee COVID-19 Threats Dashboard to help CISOs and security teams understand how bad actors have retargeted increasingly sophisticated techniques toward businesses, governments, schools, and a workforce coping with COVID-19 restrictions and the potential vulnerabilities of remote device and bandwidth security. Over the course of Q2, McAfee’s global network of over a billion sensors observed a 605% increase in COVID-19-related attack detections compared to Q1.


Donoff & PowerShell Malware

Donoff Microsoft Office documents act as TrojanDownloaders by leveraging the Windows Command shell to launch PowerShell and proceed to download and execute malicious files. Donoff played a critical role in driving the 689% surge in PowerShell malware in Q1 2020. In Q2, the acceleration of Donoff-related malware growth slowed but remained robust, driving up PowerShell malware by 117% and helping to drive a 103% increase in overall new Microsoft Office malware. This activity should be viewed within the context of the overall continued growth trend in PowerShell threats. In 2019, total samples of PowerShell malware grew 1,902%.


Attacks on Cloud Users

McAfee observed nearly 7.5 million external attacks on cloud user accounts. This is based on the aggregation and anonymisation of cloud usage data from more than 30 million McAfee MVISION cloud users worldwide during the second quarter of 2020. This data set represents companies in all major industries across the globe, including financial services, healthcare, public sector, education, retail, technology, manufacturing, energy, utilities, legal, real estate, transportation, and business services.


Q2 2020 Threat Activity

  • Malware overall. McAfee Labs observed 419 new threats per minute in Q2 2020, an increase of almost 12% over the previous quarter. Ransomware growth remained steady compare to the first quarter of 2020.
  • Coinminer malware. After growing 26% in Q1, new Coinmining malware increased 25% over the previous quarter sustained by the popularity of new Coinmining applications.
  • Mobile malware. After a 71% increase in new mobile malware samples in Q1, Q2 saw the category slow 15% despite a surge in Android Mobby Adware.
  • Internet of Things. New IoT malware increased only 7% in Q2, but the space saw significant activity by Gafgyt and Mirai threats, both of which drove growth in new Linux malware by 22% during the period.
  • Regional cyber activity. McAfee counted 561 publicly disclosed security incidents in the second quarter of 2020, an increase of 22% from Q1. Disclosed incidents targeting North America decreased 30% over the previous quarter. These incidents decreased 47% in the United States, but increased 25% in Canada and 29% in the United Kingdom.
  • Attack vector. Overall, Malware led among reported attack vectors accounting for 35% of publicly reported incidents in Q2. Account Hijacking and Targeted Attacks accounted for 17% and 9% respectively.
  • Sector activity. Disclosed incidents detected in the second quarter of 2020 targeting Science and Technology increased 91% over the previous quarter. Incidents in Manufacturing increased 10%, but Public Sector events decreased by 14%.



Nigel Hawthorn, data privacy expert for cloud security at McAfee commented:

“The fact that there have been nearly 7.5 million attacks on users via cloud services in the second quarter of this year highlights how criminals have been quick to pivot attack methods to take advantage of the pandemic. The move to widespread remote working has required many industries to adopt new cloud services to maintain staff productivity, communication and collaboration. When managed correctly, however, the cloud is the most secure place to do business and an incredible driver of business growth, innovation and resiliency. Incorporating cloud into strong data governance policies and regular staff training are the keys to making this a reality.

“Given the surges in the malware we are tracking, IT needs to be able to quickly identify, prioritise and respond to these targeted attacks – across both device and cloud. Technology can play a key role in helping security professionals understand whether their organisation is at risk, what specific threats they are susceptible to, and how they can pre-empt an attack. Combining these insights with a proactive approach will significantly enhance cybersecurity effectiveness against today’s rapidly evolving threat landscape. This must go hand-in-hand with a shared responsibility security model. Cloud security requires a layered defence; from service providers to enterprises and individual users, everyone is accountable in some way and must play their part to protect data against cybercriminals.”