Attacks/Breaches

5/29/2018
10:30 AM
Derek Manky
Derek Manky
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

New Threats, Old Threats: Everywhere a Threat

First-quarter data shows cryptojacking on the rise -- but don't count out some "classic" threats just yet.

In 1918, magician Harry Houdini made an elephant vanish in front of an astounded live audience at the New York Hippodrome. In 1904, British magician and inventor Nevil Maskelyne became the first hacker after disrupting Guglielmo Marconi's demonstration of wireless technology in hopes of making Marconi's proofs of "secure and private communication" seem imprudent.

What do these famous illusionists have to do with the cyber threat landscape a century later? Well, cybercriminals like to make themselves vanish. Modern illusion techniques are about obfuscation and evasion, and bad actors are switching tactics at an alarming rate today in an attempt to evade security and law enforcement. Their digital footprints are, like Houdini’s elephant, ephemeral.

A good cybersecurity strategy needs to do the opposite of a magician: make cyber threats visible and prevent critical network resources from vanishing. Knowledge of the latest threats provides the power to defeat them. Here are some of the key findings from Fortinet's Threat Landscape Report recent report for the first quarter of 2018.

Cryptojacking
We covered the explosion of cryptojacking (aka cryptomining) attacks across the threat landscape in our last report. In this type of attack, malware hijacks the victim's computer to mine cryptocurrency. Things have gotten even more jacked up from there. The prevalence of cryptomining malware has more than doubled quarter over quarter, from 13% to 28%. This malware is also evolving, making it more difficult to prevent and detect.

Cryptojacking was especially prevalent in the Middle East, Latin America, and Africa last quarter. Cryptomining malware is also showing incredible diversity for such a relatively new threat. Cybercriminals are creating stealthier fileless malware to inject infected code into browsers with less detection. Miners are also targeting multiple operating systems and a variety of cryptocurrencies, including Bitcoin and Monero. They are also fine-tuning and adopting delivery and propagation techniques from other threats based on what was successful or unsuccessful in order to improve future success rates.

In short, criminals follow the money and are quick to leverage new opportunities to achieve that goal. They've clearly discovered that hijacking systems for mining cryptocurrencies is a profitable venture, so we can expect continued investment and innovation in this business model.

Botnets
Whereas exploit and malware trends usually show the pre-compromise side of attacks, botnets give a post-compromise view. Once infected, systems often communicate with remote malicious hosts, and detecting such traffic in a corporate environment indicates something went wrong. That makes this data set valuable from a "learning from our mistakes" perspective.

We found that while 58% of botnet infections only last one day, and about 5% last more than a week. Measuring how long botnet infections persist based on the number of consecutive days in which continued communications are detected reveals that cyber hygiene involves more than just patching. It's also about cleanup. Forty-two percent of organizations did not clean up infections for one to nine or more days, while 6% took more than a week.

We've all learned by now that infections will inevitably occur at some point, even in the most hardened networks. But detecting and remediating those infections quickly to eradicate threats from the environment — and to prevent reinfection — is the sign of successful cybersecurity programs.

Gone but Not Forgotten
The Andromeda botnet, also known as Win32/Gamarue, is an HTTP-based modular botnet that's been infecting computers since it appeared in 2011. Andromeda continues to show up prominently across our sensors, despite a major law enforcement takedown operation in the fourth quarter of last year. It remains among the top three botnets for the first quarter of 2018 in both volume and prevalence. At first glance, this seems to suggest the takedown operation targeted at Andromeda wasn't very successful. However, further analysis reveals it reflects lax security hygiene.

We compared organizations that are still infected with the Andromeda botnet, which is no longer circulating in the wild, to see if they were suffering from other threats as well. They were. Firms exhibiting Andromeda infections in the first quarter had nearly three times the number of active botnets in their environment. It's likely, then, that Andromeda infections can be used as a proxy for poor security hygiene and/or sluggish incident response practices.

Destructive and Designer Attacks
The impact of destructive malware remains high, particularly as criminals combine it with designer attacks. For these more-targeted attacks, criminals conduct significant reconnaissance on an organization before launching an attack, which helps them to increase their success rates. Afterward, once they permeate the network, attackers move laterally across the network before triggering the most destructive part of their planned attack. The Olympic Destroyer malware and the more recent SamSam ransomware are examples of cybercriminals combining a designer attack with a destructive payload for maximum impact.

This combination of design specification and destructive tendencies exemplified by the malware events are worrying. As strange as it sounds, the stealthy command-and-control objectives of most malware over the last decade have caused many firms to let their guard down. Detection and response became the key challenge. With worms and destructive malware back in the forefront, it's time to get that guard back up.

Keep Your Eyes Open
From cryptojacking to botnets to malware, cybercriminals keep evolving their attack methods to increase their success rates. But forewarned is forearmed. While Houdini taught us not to believe everything we see, the data from this report tells us that the more we can see, the more easily we can defeat it. The data reminds us not to be lulled into complacency by what's gone before or to forget about the basics, such as good cyber hygiene. In this dynamically changing environment, IT security teams stand a much better chance of defeating the latest cyber schemes when they know what to look for.

Related Content:

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11763
PUBLISHED: 2018-09-25
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
CVE-2018-14634
PUBLISHED: 2018-09-25
An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerabl...
CVE-2018-1664
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization headers exposes login credentials in browser cache. ...
CVE-2018-1669
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote atta...
CVE-2018-1539
PUBLISHED: 2018-09-25
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 could allow remote attackers to bypass authentication via a direct request or forced browsing to a page other than URL intended. IBM X-Force ID: 142561.