Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/29/2018
10:30 AM
Derek Manky
Derek Manky
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

New Threats, Old Threats: Everywhere a Threat

First-quarter data shows cryptojacking on the rise -- but don't count out some "classic" threats just yet.

In 1918, magician Harry Houdini made an elephant vanish in front of an astounded live audience at the New York Hippodrome. In 1904, British magician and inventor Nevil Maskelyne became the first hacker after disrupting Guglielmo Marconi's demonstration of wireless technology in hopes of making Marconi's proofs of "secure and private communication" seem imprudent.

What do these famous illusionists have to do with the cyber threat landscape a century later? Well, cybercriminals like to make themselves vanish. Modern illusion techniques are about obfuscation and evasion, and bad actors are switching tactics at an alarming rate today in an attempt to evade security and law enforcement. Their digital footprints are, like Houdini’s elephant, ephemeral.

A good cybersecurity strategy needs to do the opposite of a magician: make cyber threats visible and prevent critical network resources from vanishing. Knowledge of the latest threats provides the power to defeat them. Here are some of the key findings from Fortinet's Threat Landscape Report recent report for the first quarter of 2018.

Cryptojacking
We covered the explosion of cryptojacking (aka cryptomining) attacks across the threat landscape in our last report. In this type of attack, malware hijacks the victim's computer to mine cryptocurrency. Things have gotten even more jacked up from there. The prevalence of cryptomining malware has more than doubled quarter over quarter, from 13% to 28%. This malware is also evolving, making it more difficult to prevent and detect.

Cryptojacking was especially prevalent in the Middle East, Latin America, and Africa last quarter. Cryptomining malware is also showing incredible diversity for such a relatively new threat. Cybercriminals are creating stealthier fileless malware to inject infected code into browsers with less detection. Miners are also targeting multiple operating systems and a variety of cryptocurrencies, including Bitcoin and Monero. They are also fine-tuning and adopting delivery and propagation techniques from other threats based on what was successful or unsuccessful in order to improve future success rates.

In short, criminals follow the money and are quick to leverage new opportunities to achieve that goal. They've clearly discovered that hijacking systems for mining cryptocurrencies is a profitable venture, so we can expect continued investment and innovation in this business model.

Botnets
Whereas exploit and malware trends usually show the pre-compromise side of attacks, botnets give a post-compromise view. Once infected, systems often communicate with remote malicious hosts, and detecting such traffic in a corporate environment indicates something went wrong. That makes this data set valuable from a "learning from our mistakes" perspective.

We found that while 58% of botnet infections only last one day, and about 5% last more than a week. Measuring how long botnet infections persist based on the number of consecutive days in which continued communications are detected reveals that cyber hygiene involves more than just patching. It's also about cleanup. Forty-two percent of organizations did not clean up infections for one to nine or more days, while 6% took more than a week.

We've all learned by now that infections will inevitably occur at some point, even in the most hardened networks. But detecting and remediating those infections quickly to eradicate threats from the environment — and to prevent reinfection — is the sign of successful cybersecurity programs.

Gone but Not Forgotten
The Andromeda botnet, also known as Win32/Gamarue, is an HTTP-based modular botnet that's been infecting computers since it appeared in 2011. Andromeda continues to show up prominently across our sensors, despite a major law enforcement takedown operation in the fourth quarter of last year. It remains among the top three botnets for the first quarter of 2018 in both volume and prevalence. At first glance, this seems to suggest the takedown operation targeted at Andromeda wasn't very successful. However, further analysis reveals it reflects lax security hygiene.

We compared organizations that are still infected with the Andromeda botnet, which is no longer circulating in the wild, to see if they were suffering from other threats as well. They were. Firms exhibiting Andromeda infections in the first quarter had nearly three times the number of active botnets in their environment. It's likely, then, that Andromeda infections can be used as a proxy for poor security hygiene and/or sluggish incident response practices.

Destructive and Designer Attacks
The impact of destructive malware remains high, particularly as criminals combine it with designer attacks. For these more-targeted attacks, criminals conduct significant reconnaissance on an organization before launching an attack, which helps them to increase their success rates. Afterward, once they permeate the network, attackers move laterally across the network before triggering the most destructive part of their planned attack. The Olympic Destroyer malware and the more recent SamSam ransomware are examples of cybercriminals combining a designer attack with a destructive payload for maximum impact.

This combination of design specification and destructive tendencies exemplified by the malware events are worrying. As strange as it sounds, the stealthy command-and-control objectives of most malware over the last decade have caused many firms to let their guard down. Detection and response became the key challenge. With worms and destructive malware back in the forefront, it's time to get that guard back up.

Keep Your Eyes Open
From cryptojacking to botnets to malware, cybercriminals keep evolving their attack methods to increase their success rates. But forewarned is forearmed. While Houdini taught us not to believe everything we see, the data from this report tells us that the more we can see, the more easily we can defeat it. The data reminds us not to be lulled into complacency by what's gone before or to forget about the basics, such as good cyber hygiene. In this dynamically changing environment, IT security teams stand a much better chance of defeating the latest cyber schemes when they know what to look for.

Related Content:

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19698
PUBLISHED: 2019-12-10
marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.