Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:05 AM
Connect Directly

Enterprise Malware Detections Up 79% as Attackers Refocus

A new report on the state of malware shows a spike in B2B malware, with former banking Trojans Emotet and TrickBot topping the list.

Enterprise threats ramped up toward the end of 2018 as cybercriminals shifted their strategies to hit business victims with unpatched, insecure networks – and found plenty of targets.

That's one of the key findings from Malwarebytes Labs' "State of Malware Report 2019," which analyzes threats from January through November 2018 and compares them with the same period from 2017. After cryptomining exploded near the end of 2017, the next year began with attackers broadening their strategies to hit Mac and Android devices and use browser-based threats.

But cryptomining began to slow down by the second quarter of 2018, researchers report, and a new set of attacks took its place. Former banking Trojans Emotet and TrickBot evolved into droppers with several modules for spam production, network propagation, and data skimming. New malware variants targeted the enterprise, hunting sensitive data they could sell for profit.

Criminals have historically gone after consumers, says Malwarebytes CEO Marcin Kleczynski, but the past year has shown they've found value in targeting the enterprise. One corporate login can grant them access to troves of far more valuable information, and it's not hard to get.

A Pivot Toward the Enterprise
Most attackers don't plan to hit specific companies, Kleczynski points out. They start by casting a wide net, conducting online research to see who's most vulnerable, then pursuing them. Business malware detections rose 79% over the last year, report Malwarebytes researchers, who link the rise to an increase in backdoors, miners, spyware, and information stealers.

While 2017 can be considered the year of global outbreaks – WannaCry and NotPetya made sure of it – 2018 was the "year of the mega breach." Attackers hit major corporations, including Facebook, Marriott, Exactis, MyHeritage, and Quora, affecting hundreds of millions of customers and driving the numbers of compromised records up 133% compared with 2017.

Companies may worry about becoming the next Marriott, Kleczynski says, but most of the attacks Malwarebytes sees aren't the big ones. Many businesses are affected with popular strains of malware like Emotet, which he explains is "going around like the flu." Trojan detections were up 132%, a rise led by the prevalence of the Emotet, which, like other info-stealing malware, uses exploits to move across corporate networks and brute-forces credentials.

Backdoors increased 173% among enterprise victims, spyware was up 142%, and RiskwareTool rose by 126%, researchers report. They attribute the rise in spyware to similar variants and families of Emotet and TrickBot being identified as spyware in the wild – a sign attackers have focused on information stealing and creating footholds in corporate networks, they explain.

Common attack vectors like spam "work so well" on business victims, Kleczynski says. "At the end of the day, it's still very common to spread an attack like Emotet," he adds, just by getting more people to click on a malicious email. It doesn't help that company websites and platforms like LinkedIn expose useful information (full names, job titles) that help make attacks targeted.

Emotet and Trickbot topped the threats of 2018 and found success in malspam, a technique that disguises the threats as a legitimate email. What made their attacks successful was how they spread.For Emotet, this meant infected attachments and embedded URLs, with social engineering tactics designed to make targets believe messages come from trusted sources.

While businesses saw more malware detections, consumers saw fewer. In 2017, there were 775,327,346 consumer detections, Malwarebytes reports. The most recent year brought about 25 million fewer instances and a 3% decline – "a healthy decrease," percentages aside.

"Always, at the end of the day, [it's] around money and the value of some of these assets," Kleczynski says of cyberattackers eyeing enterprise data. "I would claim that credit card and Social Security and passport numbers aren't as valuable as they were 10 years ago."

Ransomware: It's Complicated
Toward the end of 2017, security experts predicted the cryptomining crazy would continue. Indeed, 2018 brought the decline of ransomware and rise of cryptominers, following a spike in Bitcoin value at the end of 2017. Criminals seeking financial gain jumped on the trend, hitting Mac, Windows, and Android devices with software- and browser-based cryptomining attacks.

However, cryptomining only increased 7% last year as the second half of 2018 brought its decline. It's still one of the major malware trends of 2018, but the drop in cryptocurrency value has slowed it down. "Bitcoin losing more than 80% of its value over the last year has led cybercriminals to pivot," Kleczynski explains.

As the trend lagged, cybercriminals shifted their ransomware techniques from malvertising exploits and ransomware payloads to manual, targeted ransomware attacks. While it's not the wide-ranging threat it was in 2017, it's still a threat to keep in mind. Trends show an increase in focused, sophisticated attacks geared toward the enterprise and lack of interest in consumers.

Businesses, unlike individuals, have the potential funds to pay a ransom and several pressing reasons to get back up and running after a ransomware attack. Delays caused by ransomware can be incredibly expensive, researchers say, especially when the victim has a wealth of infected endpoints and no backup plan in place. Incident response is costlier than paying up.

SamSam, which hit the city of Atlanta and medical organizations across the US in 2018, was revamped to charge victims a more moderate price compared with recovery methods that businesses would otherwise have to pay. The change led to operators making more overall. GandCrab, the top ransomware variants of Q2 2018, adopted the Magnitude exploit kit, which plagued network admins and home users with its unusual malware-loading method.

High Risk Meets Few Resources
Kleczynski says many companies have stepped up their security game despite struggling with a lack of resources. Despite attacks over the past decade, he says, the pressure on security teams to request sufficient resources from their organizations is still relevant. In the education and state/local government sectors, for example, budgets are a significant concern.

"It's interesting to see companies doing what they can with as little as they have," he says.

Security-focused conversations are also making their way to the board, where execs are concerned about being hit with the next major breach. "I think the weight of the topic is significant," he adds. It's especially difficult for companies with small security teams, which struggle to cover every aspect of security with few people. Open source software, free tools, and outsourcing have helped drive security efforts, Kleczynski adds.

Read the report here.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.