
Attacks/Breaches

5/29/2018
10:30 AM
Derek Manky
Commentary

New Threats, Old Threats: Everywhere a Threat

First-quarter data shows cryptojacking on the rise -- but don't count out some "classic" threats just yet.

In 1918, magician Harry Houdini made an elephant vanish in front of an astounded live audience at the New York Hippodrome. In 1904, British magician and inventor Nevil Maskelyne became the first hacker after disrupting Guglielmo Marconi's demonstration of wireless technology in hopes of making Marconi's proofs of "secure and private communication" seem imprudent.

What do these famous illusionists have to do with the cyber threat landscape a century later? Well, cybercriminals like to make themselves vanish. Modern illusion techniques are about obfuscation and evasion, and bad actors are switching tactics at an alarming rate today in an attempt to evade security and law enforcement. Their digital footprints are, like Houdini’s elephant, ephemeral.

A good cybersecurity strategy needs to do the opposite of a magician: make cyber threats visible and prevent critical network resources from vanishing. Knowledge of the latest threats provides the power to defeat them. Here are some of the key findings from Fortinet's recent Threat Landscape Report for the first quarter of 2018.

Cryptojacking
We covered the explosion of cryptojacking (aka cryptomining) attacks across the threat landscape in our last report. In this type of attack, malware hijacks the victim's computer to mine cryptocurrency. Things have gotten even more jacked up from there. The prevalence of cryptomining malware has more than doubled quarter over quarter, from 13% to 28%. This malware is also evolving, making it more difficult to prevent and detect.

Cryptojacking was especially prevalent in the Middle East, Latin America, and Africa last quarter. Cryptomining malware is also showing incredible diversity for such a relatively new threat. Cybercriminals are creating stealthier fileless malware to inject infected code into browsers with less detection. Miners are also targeting multiple operating systems and a variety of cryptocurrencies, including Bitcoin and Monero. They are also fine-tuning and adopting delivery and propagation techniques from other threats based on what was successful or unsuccessful in order to improve future success rates.

In short, criminals follow the money and are quick to leverage new opportunities to achieve that goal. They've clearly discovered that hijacking systems for mining cryptocurrencies is a profitable venture, so we can expect continued investment and innovation in this business model.

Botnets
Whereas exploit and malware trends usually show the pre-compromise side of attacks, botnets give a post-compromise view. Once infected, systems often communicate with remote malicious hosts, and detecting such traffic in a corporate environment indicates something went wrong. That makes this data set valuable from a "learning from our mistakes" perspective.

We found that 58% of botnet infections last only one day, while about 5% last more than a week. Measuring how long botnet infections persist, based on the number of consecutive days in which continued communications are detected, reveals that cyber hygiene involves more than just patching. It's also about cleanup. Forty-two percent of organizations did not clean up infections for anywhere from one to nine or more days, while 6% took more than a week.

We've all learned by now that infections will inevitably occur at some point, even in the most hardened networks. But detecting and remediating those infections quickly to eradicate threats from the environment — and to prevent reinfection — is the sign of successful cybersecurity programs.

Gone but Not Forgotten
The Andromeda botnet, also known as Win32/Gamarue, is an HTTP-based modular botnet that's been infecting computers since it appeared in 2011. Andromeda continues to show up prominently across our sensors, despite a major law enforcement takedown operation in the fourth quarter of last year. It remains among the top three botnets for the first quarter of 2018 in both volume and prevalence. At first glance, this seems to suggest the takedown operation targeted at Andromeda wasn't very successful. However, further analysis reveals it reflects lax security hygiene.

We compared organizations that are still infected with the Andromeda botnet, which is no longer circulating in the wild, with those that are not, to see whether the former were suffering from other threats as well. They were. Firms exhibiting Andromeda infections in the first quarter had nearly three times the number of active botnets in their environment. It's likely, then, that Andromeda infections can be used as a proxy for poor security hygiene and/or sluggish incident response practices.
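The two measurements above, infection persistence as a run of consecutive days with detected C2 communication and the count of active botnet families per organization, can be computed from per-day detection records. The following is an added example, not Fortinet's code or data; the organization names, botnet labels other than Andromeda, and the detection days are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample (not Fortinet data): for each (org, botnet family), the
# January 2018 days on which C2 traffic from that family was observed.
SAMPLE_DETECTIONS = {
    ("orgA", "Andromeda"): [3, 4, 5, 6, 7, 8, 9, 10],  # eight straight days
    ("orgA", "BotnetB"): [5],
    ("orgA", "BotnetC"): [6, 7],
    ("orgB", "BotnetB"): [10, 20],  # two separate one-day infections
    ("orgC", "BotnetC"): [15, 16, 17],
}

def infection_runs(days):
    """Lengths of runs of consecutive detection days; a gap ends one infection."""
    runs, last = [], None
    for d in sorted(days):
        if last is not None and d == last + timedelta(days=1):
            runs[-1] += 1   # still talking to C2 the next day: same infection
        else:
            runs.append(1)  # first day seen, or re-infection after a gap
        last = d
    return runs

def persistence_summary(detections):
    """Share of infections lasting one day and more than a week (the report's two buckets)."""
    lengths = [n for days in detections.values()
               for n in infection_runs(date(2018, 1, d) for d in days)]
    total = len(lengths)
    return {"infections": total,
            "one_day_share": sum(n == 1 for n in lengths) / total,
            "over_week_share": sum(n > 7 for n in lengths) / total}

def active_botnets_per_org(detections):
    """Distinct botnet families per org; an org still beaconing to a dead family
    such as Andromeda with many other families active is a hygiene laggard."""
    counts = defaultdict(int)
    for org, _family in detections:
        counts[org] += 1
    return dict(counts)
```

On the constructed sample, half of the six infections last one day and one lasts more than a week; orgA, the Andromeda holdout, has three active families against one for each of the others.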

Destructive and Designer Attacks
The impact of destructive malware remains high, particularly as criminals combine it with designer attacks. For these more-targeted attacks, criminals conduct significant reconnaissance on an organization before launching an attack, which helps them increase their success rates. Once inside the network, attackers move laterally before triggering the most destructive part of their planned attack. The Olympic Destroyer malware and the more recent SamSam ransomware are examples of cybercriminals combining a designer attack with a destructive payload for maximum impact.

This combination of targeted design and destructive intent, exemplified by these malware events, is worrying. As strange as it sounds, the stealthy command-and-control objectives of most malware over the last decade have caused many firms to let their guard down. Detection and response became the key challenge. With worms and destructive malware back in the forefront, it's time to get that guard back up.

Keep Your Eyes Open
From cryptojacking to botnets to malware, cybercriminals keep evolving their attack methods to increase their success rates. But forewarned is forearmed. While Houdini taught us not to believe everything we see, the data from this report tells us that the more we can see, the more easily we can defeat it. The data reminds us not to be lulled into complacency by what's gone before or to forget about the basics, such as good cyber hygiene. In this dynamically changing environment, IT security teams stand a much better chance of defeating the latest cyber schemes when they know what to look for.

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ...