In 1918, magician Harry Houdini made an elephant vanish in front of an astounded live audience at the New York Hippodrome. In 1904, British magician and inventor Nevil Maskelyne became the first hacker after disrupting Guglielmo Marconi's demonstration of wireless technology in hopes of making Marconi's proofs of "secure and private communication" seem imprudent.
What do these famous illusionists have to do with the cyber threat landscape a century later? Well, cybercriminals like to make themselves vanish. Modern illusion techniques are about obfuscation and evasion, and bad actors are switching tactics at an alarming rate today in an attempt to evade security and law enforcement. Their digital footprints are, like Houdini’s elephant, ephemeral.
A good cybersecurity strategy needs to do the opposite of a magician: make cyber threats visible and prevent critical network resources from vanishing. Knowledge of the latest threats provides the power to defeat them. Here are some of the key findings from Fortinet's Threat Landscape Report recent report for the first quarter of 2018.
We covered the explosion of cryptojacking (aka cryptomining) attacks across the threat landscape in our last report. In this type of attack, malware hijacks the victim's computer to mine cryptocurrency. Things have gotten even more jacked up from there. The prevalence of cryptomining malware has more than doubled quarter over quarter, from 13% to 28%. This malware is also evolving, making it more difficult to prevent and detect.
Cryptojacking was especially prevalent in the Middle East, Latin America, and Africa last quarter. Cryptomining malware is also showing incredible diversity for such a relatively new threat. Cybercriminals are creating stealthier fileless malware to inject infected code into browsers with less detection. Miners are also targeting multiple operating systems and a variety of cryptocurrencies, including Bitcoin and Monero. They are also fine-tuning and adopting delivery and propagation techniques from other threats based on what was successful or unsuccessful in order to improve future success rates.
In short, criminals follow the money and are quick to leverage new opportunities to achieve that goal. They've clearly discovered that hijacking systems for mining cryptocurrencies is a profitable venture, so we can expect continued investment and innovation in this business model.
Whereas exploit and malware trends usually show the pre-compromise side of attacks, botnets give a post-compromise view. Once infected, systems often communicate with remote malicious hosts, and detecting such traffic in a corporate environment indicates something went wrong. That makes this data set valuable from a "learning from our mistakes" perspective.
We found that while 58% of botnet infections only last one day, and about 5% last more than a week. Measuring how long botnet infections persist based on the number of consecutive days in which continued communications are detected reveals that cyber hygiene involves more than just patching. It's also about cleanup. Forty-two percent of organizations did not clean up infections for one to nine or more days, while 6% took more than a week.
We've all learned by now that infections will inevitably occur at some point, even in the most hardened networks. But detecting and remediating those infections quickly to eradicate threats from the environment — and to prevent reinfection — is the sign of successful cybersecurity programs.
Gone but Not Forgotten
The Andromeda botnet, also known as Win32/Gamarue, is an HTTP-based modular botnet that's been infecting computers since it appeared in 2011. Andromeda continues to show up prominently across our sensors, despite a major law enforcement takedown operation in the fourth quarter of last year. It remains among the top three botnets for the first quarter of 2018 in both volume and prevalence. At first glance, this seems to suggest the takedown operation targeted at Andromeda wasn't very successful. However, further analysis reveals it reflects lax security hygiene.
We compared organizations that are still infected with the Andromeda botnet, which is no longer circulating in the wild, to see if they were suffering from other threats as well. They were. Firms exhibiting Andromeda infections in the first quarter had nearly three times the number of active botnets in their environment. It's likely, then, that Andromeda infections can be used as a proxy for poor security hygiene and/or sluggish incident response practices.
Destructive and Designer Attacks
The impact of destructive malware remains high, particularly as criminals combine it with designer attacks. For these more-targeted attacks, criminals conduct significant reconnaissance on an organization before launching an attack, which helps them to increase their success rates. Afterward, once they permeate the network, attackers move laterally across the network before triggering the most destructive part of their planned attack. The Olympic Destroyer malware and the more recent SamSam ransomware are examples of cybercriminals combining a designer attack with a destructive payload for maximum impact.
This combination of design specification and destructive tendencies exemplified by the malware events are worrying. As strange as it sounds, the stealthy command-and-control objectives of most malware over the last decade have caused many firms to let their guard down. Detection and response became the key challenge. With worms and destructive malware back in the forefront, it's time to get that guard back up.
Keep Your Eyes Open
From cryptojacking to botnets to malware, cybercriminals keep evolving their attack methods to increase their success rates. But forewarned is forearmed. While Houdini taught us not to believe everything we see, the data from this report tells us that the more we can see, the more easily we can defeat it. The data reminds us not to be lulled into complacency by what's gone before or to forget about the basics, such as good cyber hygiene. In this dynamically changing environment, IT security teams stand a much better chance of defeating the latest cyber schemes when they know what to look for.