Evidence paints a moving picture of cyber attacks: 2018 figures in brief
Like most areas of commerce today, cyber security has its fair share of marketing hype. It’s difficult sometimes to discern the kernels of truth amid the flood of cyber defense information hitting our inboxes daily. So, therefore, it makes a refreshing change for a report to appear that presents empirical information regarding the cyber security threat landscape in some detail.
Such a report is the Internet Security Threat Report that covers the year passed across the entire picture of digital threats. It covers the types and nature of the risks that all organizations face daily, with a minimum of exaggeration and hyperbole that these documents typically contain. To read the report in its entirety, it’s available for free download, but for the pages of TechHQ, we’re covering just a few of the key findings as we see them applying to our readers.
The report looks at the various forms that cyber criminals’ actions take, and while the academic divisions between phrases like malware, virus, ransomware and so forth are a matter of definition, the report condenses down the threat landscape into discrete areas for an agnostic view.
Each month the company found over 4,800 sites being compromised in this way but managed to block 308,000+ such attempts last year. It found that many incursions were via third-party plug-ins to sites, such as – in the case of the Ticketmaster hack – a chatbot on the site that was designed to help rather than steal from customers. And while high-profile cases such as Ticketmaster’s made the headlines, the use of a third-party reflects a trend throughout 2018 of attacks on the various elements of a company’s supply chain.
The rise in the number of formjacking incidents may be down to the well-known slide in the value of various cryptocurrencies; specifically, Monero, a near-anonymous currency that can be mined by very modest computing power. Cyber criminals’ motive is often money (political influence, less so), so 2018 saw a fall from 69 million cryptojacking attempts in 2017 to 16 million last year.
Cryptojacking is when illicit code, usually distributed by a website, installs a simple mining algorithm that takes over much of (or more cleverly, just a small part of) the infected machine’s CPU.
The code then works away quietly, using the computer to contribute to the criminals’ mining activities. Such activity is difficult to detect on most networks, as it masquerades as guileless traffic. Despite this, and the fact that due to the cryptocurrencies’ fall in value, Symantec still blocked 3.5 million cryptojacking events in December 2018 alone.
The nature of Monero mining is that many (virtual) hands make light work, so although the exchange price for that currency may have dropped significantly, given enough successful breaches, there are still significant rewards.
Unlike crytpocurrency mining, which runs quietly in the background on PCs and various other endpoints with no sign other than sluggish performance (hardly a rare occurrence in most users’ day-to-day experience), ransomware is very obvious once a compromise has taken place.
The infected machine usually locks up, and the malware encrypts the hard drive making the device unusable. In some instances, paying the ransom (by anonymous cryptocurrency) will unlock the infected computer – but not always.
There are new techniques that involve behavioral analysis routines aided by machine learning algorithms that have helped reduce the number of instances overall, but one alarming trend for Tech HQ readers is that gangs are increasingly and explicitly targeting business users, not everyday consumers.
As a single example of this, Symantec has found that the number of Dharma/Crysis infection attempts on businesses more than tripled in 2018 to over 4,900 per month in 2018, up from 1,473 a month the year previously. Perhaps this trend is not surprising, as business-critical data stored on endpoints will not only be of more value to companies than to targeted “civilians”, but also larger organizations tend to present a bigger attack target, meaning the lateral movement of malware can lead to quite a large group of available targets.
The last few years have seen a trend – one that shows no signs of abating – of “living off the land.” That is, using the off-the-shelf tools and applications that are built into many computers already. That’s particularly true on Windows PCs, where PowerShell and Office are standard and almost-standard, respectively. Malware is increasingly making use of these conduits to deploy payloads into infection targets, and there are fewer so-called zero-day attacks.
Zero-day exploits that use new code instances have fallen, from comprising 27 to 24 percent of all attacks seen by Symantec from 2017 to 2018, the company’s report shows. Nevertheless, Symantec is aware that malicious attempts utilizing PowerShell only make up less than one percent of that app’s usage, such is its widespread nature. Symantec’s systems managed to stop, on average, 115,000 such attacks per month last year, so in combination with Microsoft Office-borne attacks means that the very tools most people use every day are a highly attractive incursion vector for attackers.
IN BRIEF CONCLUSION
The fullness of the report (available for free download here) also gives significant insight into attacks on cloud instances (especially S3 buckets on AWS) as well as the increase in attacks on increasingly common IoT devices – with routers and internet-ready cameras of particular concern. Of significance for data security officers is the rise, furthermore, of mobile malware, which propagates on the BYOD devices that are literally walked across every organization’s threshold by staff, each day.
Space alone does not permit us to detail these emerging and alarming targets, and the prevalence of attacks on them. We urge interested readers to digest the report in full, for more information.
Its Global Intelligence Network gives Symantec analysts unrivaled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in malicious code activity of every type. It’s technologies that those that have informed this report – and is therefore very much a tale from the front line. Learn more about the company’s significant strengths in cyber security provision here.
16 February 2024
15 February 2024