In today’s modern environment, great reliance is placed on technology in the way we do our record keeping, administration, banking, financial transactions, communication, etc. What we don’t pay much attention to, often to our own risk and detriment, is how secure we really are as opposed to how secure we think we are.
In the February 2019 Symantec ISTR (Internet Security Threat Report), the incidents and variety of threats are made strikingly clear and business owners, fund administrators and people in general would do well in familiarising themselves with the numerous methodologies and platforms used by cyber-criminals to get a hold of you.
According to the Symantec Report, there are several types of cyber threats and what follows is a quick summary extracted from the report:
The Symantec data shows that 4,818 unique websites were compromised with formjacking code every month in 2018. With data from a single credit card being sold for up to $45 on underground markets, just 10 credit cards stolen from compromised websites could result in a yield of up to $2.2 million for cyber criminals each month. The appeal of formjacking for cyber criminals is clear.
Cryptojacking - where cyber criminals surreptitiously run coinminers on victims’ devices without their knowledge and use their central processing unit (CPU) power to mine cryptocurrencies - was the story of the final quarter of 2017 and continued to be one of the dominant features in the cyber security landscape in 2018.
Cryptojacking activity peaked between December 2017 and February 2018, with Symantec blocking around 8 million cryptojacking events per month in that period. During 2018, we blocked more than four times as many cryptojacking events as in 2017 - almost 69 million cryptojacking events in the 12-month period, compared to just over 16 million in 2017. However, cryptojacking activity did fall during the year, dropping by 52 percent between January and December 2018. Despite this downward trend, we still blocked more than 3.5 million cryptojacking events in December 2018.
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. This is exactly what happened to Liberty Life on the 16th of June 2018 when they fell victim to a ransomware attack, with the personal data of millions of the insurance company’s customers potentially at stake. An external party claimed to have seized data from Liberty and also alerted them to alleged potential vulnerabilities in their systems and wanted to get compensation for this.
Up until 2017, consumers were the hardest hit by ransomware, accounting for the majority of infections. In 2017, the balance tipped towards enterprises, with the majority of infections occurring in businesses. In 2018, that shift accelerated and enterprises accounted for 81 percent of all ransomware infections. While overall ransomware infections were down, enterprise infections were up by 12 percent in 2018.
SUPPLY CHAIN ATTACKS
Supply chain attacks, exploit third-party services and software like for example Microsoft Office to compromise a final target. This also includes hijacking software updates and injecting malicious code into legitimate software to gain access to the target.
This trend of “living off the land” shows no sign of abating - in fact, there was a significant increase in certain activity in 2018. PowerShell usage is now a staple of both cyber-crime and targeted attacks reflected by a massive 1,000 percent increase in malicious PowerShell scripts blocked in 2018 on the endpoint.
In 2018, Microsoft Office files accounted for almost half (48 percent) of all malicious email attachments, jumping up from just 5 percent in 2017. Cyber-crime groups, such as Mealybug and Necurs, continued to use macros in Office files as their preferred method to propagate malicious payloads in 2018, but also experimented with malicious XML files and Office files with DDE payloads.
Targeted attacks (aimed at seriously disrupting a company’s operations) continued to pose a significant threat to organisations during 2018, with new groups emerging and existing groups continuing to refine their tools and tactics. The larger, more active attack groups appeared to step up their activity during 2018. The 20 most active groups tracked by Symantec targeted an average of 55 organisations over the past three years, up from 42 between 2015 and 2017.
During 2018, Symantec exposed four previously unknown targeted attack groups, bringing the number of targeted attack groups first exposed by Symantec since 2009 to 32. While Symantec exposed four new groups in both 2017 and 2018, there was a big shift in the way these groups were uncovered. Two out of the four new groups exposed during 2018 were uncovered through their use of “living off the land” tools. Indeed, one of those two groups (Gallmaker) doesn’t use any malware in its attacks, relying exclusively on “living off the land” and publicly available hacking tools.
CLOUD DATABASE ATTACKS
Poorly secured cloud databases continued to be a weak point for organisations. In 2018, S3 buckets emerged as an Achilles heel for organisations, with more than 70 million records stolen or leaked as a result of poor configuration. This was on the heels of a spate of ransomware attacks against open databases such as MongoDB in 2017, which saw attackers wipe their contents and seek payment in order to restore them. Attackers didn’t stop there—also targeting container deployment systems such Kubernetes, server-less applications and other publicly exposed API services. There’s a common theme across these incidents — poor configuration.
INTERNET OF THINGS (IOT) ATTACKS
While worms and bots continued to account for the vast majority of Internet of Things (IoT) attacks, in 2018 we saw a new breed of threat emerge as targeted attack actors displayed an interest in IoT as an infection vector.
The overall volume of IoT attacks remained high in 2018 and consistent (-0.2 percent) compared to 2017. Routers and connected cameras were the most infected devices and accounted for 75 and 15 percent of the attacks respectively.
It’s unsurprising that routers were the most targeted devices given their accessibility from the internet. They’re also attractive as they provide an effective jumping-off point for attackers. The notorious Mirai distributed denial of service (DDoS) worm remained an active threat and, with 16 percent of the attacks, was the third most common IoT threat in 2018. Mirai is constantly evolving and variants use up to 16 different exploits, persistently adding new exploits to increase the success rate for infection, as devices often remain unpatched. The worm also expanded its target scope by going after unpatched Linux servers. Another noticeable trend was the increase in attacks against industrial control systems (ICS). The Thrip group went after satellites, and Triton attacked industrial safety systems, leaving them vulnerable to sabotage or extortion attacks. Any computing device is a potential target.
The emergence of VPNFilter in 2018 represented an evolution of IoT threats. VPNFilter was the first widespread persistent IoT threat, with its ability to survive a reboot making it very difficult to remove. With an array of potent payloads at its disposal, such as man in the middle (MitM) attacks, data exfiltration, credential theft, and interception of SCADA communications, VPNFilter was a departure from traditional IoT threat activity such as DDoS and coin mining. It also includes a destructive capability which can “brick,” or wipe a device at the attackers’ command, should they wish to destroy evidence. VPNFilter is the work of a skilled and well-resourced threat actor and demonstrates how IoT devices are now facing attack from many fronts.
In 2018, employees of small organisations were more likely to be hit by email threats—including spam, phishing, and email malware—than those in large organisations. We also found that spam levels continued to increase in 2018, as they have done every year since 2015, with 55 percent of emails received in 2018 being categorised as spam. Meanwhile, the email malware rate remained stable, while phishing levels declined, dropping from 1 in 2,995 emails in 2017, to 1 in 3,207 emails in 2018. The phishing rate has declined every year for the last four years.
We also saw fewer URLs used in malicious emails as attackers refocused on using malicious email attachments as a primary infection vector. The use of malicious URLs in emails had jumped to 12.3 percent in 2017, but it dropped back to 7.8 percent in 2018. Symantec telemetry shows that Microsoft Office users are the most at risk of falling victim to email-based malware, with Office files accounting for 48 percent of malicious email attachments, jumping from 5 percent in 2017.
Malware is defines as software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system. These include things like Adware, Bots, Bugs, Ransomware, Rootkit, Spyware, Trojans, Worms, etc.
Emotet continued to aggressively expand its market share in 2018, accounting for 16 percent of financial Trojans, up from 4 percent in 2017. Emotet was also being used to spread Qakbot, which was in 7th place in the financial Trojans list, accounting for 1.8 percent of detections. Both of these threats present further serious challenges for organisations due to their self-propagating functionality.
Use of malicious PowerShell scripts increased by 1,000 percent in 2018, as attackers continued the movement towards living off the land techniques. A common attack scenario uses Office macros to call a PowerShell script, which in turn downloads the malicious payload. Office macro downloaders accounted for the majority of downloader detections, while VBS.Downloader and JS.Downloader threats declined.
In 2018, 1 in 10 URLs analysed were identified as being malicious, up from 1 in 16 in 2017. Additionally, despite a drop off in exploit kit activity, overall web attacks on endpoints increased by 56 percent in 2018. By December, Symantec was blocking more than 1.3 million unique web attacks on endpoint machines every day.
Formjacking was one of the biggest cyber security trends of the year, with an average of 4,800 websites compromised with formjacking code every month in 2018.
Spam is the electronic sending of mass unsolicited messages. The most common medium for spam is email, but it is not uncommon for spammers to use instant messages, texting, blogs, web forums, search engines, and social media. While spam is not actually a type of malware, it is very common for malware to spread through spamming. This happens when computers that are infected with viruses, worms, or other malware are used to distribute spam messages containing more malware. Users can prevent getting spammed by avoiding unfamiliar emails and keeping their email addresses as private as possible.
While the overall number of mobile malware infections fell during 2018, there was a rapid increase in the number of ransomware infections on mobile devices, up by a third when compared to 2017.
The U.S. was the worst affected by mobile ransomware, accounting for 63 percent of infections. It was followed by China (13 percent) and Germany (10 percent).
Managing mobile device security continues to present a challenge for organisations. During 2018, one in 36 devices used in organisations were classed as high risk. This included devices that were rooted or jailbroken, along with devices that had a high degree of certainty that malware had been installed.
Download the full February 2019 Symantec ISTR (Internet Security Threat Report)