The Internet Security Threat Report notes that from the sudden spread of WannaCry and Petya/NotPetya, to the swift growth in coinminers, 2017 provided us with another reminder that digital security threats can come from new and unexpected sources.
With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so.
Coin-mining attacks explode
Cyber criminals who have been firmly focused on ransomware for revenue generation are now starting to explore other opportunities. During the past year, the astronomical rise in cryptocurrency values inspired many cyber criminals to shift to coin mining as an alternative revenue source.
This coin mining gold rush resulted in an 8,500% increase in detections of coinminers on endpoint computers in 2017. With a low barrier to entry—requiring only a couple of lines of code to operate—cyber criminals are using coinminers to steal computer processing power and cloud CPU usage from consumers and enterprises to mine cryptocurrency. While the immediate impact of coin mining is typically performance related—slowing down devices, overheating batteries and, in some cases, rendering devices unusable—there are broader implications, particularly for organizations.
Corporate networks are at risk of shutdown from coinminers aggressively propagated across their environment. There may also be financial implications for organizations who find themselves billed for cloud CPU usage by coinminers. As malicious coin mining evolves, IoT devices will continue to be ripe targets for exploitation. Symantec™ already found a 600% increase in overall IoT attacks in 2017, which means that cyber criminals could exploit the connected nature of these devices to mine en masse.
Spike in software supply chain attacks
Despite the EternalBlue exploit wreaking havoc in 2017, the reality is that vulnerabilities are becoming increasingly difficult for attackers to identify and exploit. In response to this, Symantec is now seeing an increase in attackers injecting malware implants into the supply chain to infiltrate unsuspecting organizations, with a 200% increase in these attacks—one every month of 2017 as compared to four attacks annually in years prior.
Hijacking software updates provides attackers with an entry point for compromising well-protected targets, or to target a specific region or sector. The Petya/NotPetya (Ransom.Petya) outbreak was the most notable example: after using Ukrainian accounting software as the point of entry, Petya/NotPetya used a variety of methods to spread across corporate networks to deploy the attackers’ malicious payload.
Ransomware business experiences market correction
When viewed as a business, it’s clear that ransomware profitability in 2016 led to a crowded market with overpriced ransom demands. In 2017, the ransomware “market” made a correction with fewer ransomware families and lower ransom demands—signalling that ransomware has become a commodity.
Many cyber criminals may have shifted their focus to coin mining as an alternative way to cash in while cryptocurrency values are high. Some online banking threats have also experienced a renaissance as established ransomware groups have attempted to diversify. Last year, the average ransom demand dropped to $522, less than half the average of the year prior.
And while the number of ransomware variants increased by 46%, indicating the established criminal groups are still quite productive, the number of ransomware families dropped, suggesting they are innovating less and may have shifted their focus to new, higher value targets.
Drop in zero days can’t halt the rise in targeted attacks
Symantec has found that overall targeted attack activity is up by 10% in 2017, motivated primarily (90%) by intelligence gathering. However, a not insignificant 10% of attack groups engage in some form of disruptive activity.
The “Living off the Land” trend continues with attack groups opting for tried-and-trusted means to infiltrate target organisations. Spear phishing is the number one infection vector employed by 71% of organised groups in 2017. The use of zero days continues to fall out of favor. In fact, only 27% of the 140 targeted attack groups that Symantec tracks have been known to use zero-day vulnerabilities at any point in the past.
Mobile malware continues to surge
Threats in the mobile space continue to grow year-over-year. The number of new mobile malware variants increased by 54% in 2017, as compared to 2016. And last year, there were an average of 24,000 malicious mobile applications blocked each day.
While threats are on the increase, the problem is exacerbated by the continued use of older operating systems. In particular, on Android™, only 20% of devices are running the newest major version and only 2.3% are on the latest minor release.
Mobile users also face privacy risks from grayware, apps that aren’t completely malicious but can be troublesome. Symantec found that 63% of grayware apps leak the device’s phone number. With grayware increasing by 20% in 2017, this isn’t a problem that’s going away.