Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Derek Manky
Derek Manky
Connect Directly
E-Mail vvv

New Threats, Old Threats: Everywhere a Threat

First-quarter data shows cryptojacking on the rise -- but don't count out some "classic" threats just yet.

In 1918, magician Harry Houdini made an elephant vanish in front of an astounded live audience at the New York Hippodrome. In 1904, British magician and inventor Nevil Maskelyne became the first hacker after disrupting Guglielmo Marconi's demonstration of wireless technology in hopes of making Marconi's proofs of "secure and private communication" seem imprudent.

What do these famous illusionists have to do with the cyber threat landscape a century later? Well, cybercriminals like to make themselves vanish. Modern illusion techniques are about obfuscation and evasion, and bad actors are switching tactics at an alarming rate today in an attempt to evade security and law enforcement. Their digital footprints are, like Houdini’s elephant, ephemeral.

A good cybersecurity strategy needs to do the opposite of a magician: make cyber threats visible and prevent critical network resources from vanishing. Knowledge of the latest threats provides the power to defeat them. Here are some of the key findings from Fortinet's Threat Landscape Report recent report for the first quarter of 2018.

We covered the explosion of cryptojacking (aka cryptomining) attacks across the threat landscape in our last report. In this type of attack, malware hijacks the victim's computer to mine cryptocurrency. Things have gotten even more jacked up from there. The prevalence of cryptomining malware has more than doubled quarter over quarter, from 13% to 28%. This malware is also evolving, making it more difficult to prevent and detect.

Cryptojacking was especially prevalent in the Middle East, Latin America, and Africa last quarter. Cryptomining malware is also showing incredible diversity for such a relatively new threat. Cybercriminals are creating stealthier fileless malware to inject infected code into browsers with less detection. Miners are also targeting multiple operating systems and a variety of cryptocurrencies, including Bitcoin and Monero. They are also fine-tuning and adopting delivery and propagation techniques from other threats based on what was successful or unsuccessful in order to improve future success rates.

In short, criminals follow the money and are quick to leverage new opportunities to achieve that goal. They've clearly discovered that hijacking systems for mining cryptocurrencies is a profitable venture, so we can expect continued investment and innovation in this business model.

Whereas exploit and malware trends usually show the pre-compromise side of attacks, botnets give a post-compromise view. Once infected, systems often communicate with remote malicious hosts, and detecting such traffic in a corporate environment indicates something went wrong. That makes this data set valuable from a "learning from our mistakes" perspective.

We found that while 58% of botnet infections only last one day, and about 5% last more than a week. Measuring how long botnet infections persist based on the number of consecutive days in which continued communications are detected reveals that cyber hygiene involves more than just patching. It's also about cleanup. Forty-two percent of organizations did not clean up infections for one to nine or more days, while 6% took more than a week.

We've all learned by now that infections will inevitably occur at some point, even in the most hardened networks. But detecting and remediating those infections quickly to eradicate threats from the environment — and to prevent reinfection — is the sign of successful cybersecurity programs.

Gone but Not Forgotten
The Andromeda botnet, also known as Win32/Gamarue, is an HTTP-based modular botnet that's been infecting computers since it appeared in 2011. Andromeda continues to show up prominently across our sensors, despite a major law enforcement takedown operation in the fourth quarter of last year. It remains among the top three botnets for the first quarter of 2018 in both volume and prevalence. At first glance, this seems to suggest the takedown operation targeted at Andromeda wasn't very successful. However, further analysis reveals it reflects lax security hygiene.

We compared organizations that are still infected with the Andromeda botnet, which is no longer circulating in the wild, to see if they were suffering from other threats as well. They were. Firms exhibiting Andromeda infections in the first quarter had nearly three times the number of active botnets in their environment. It's likely, then, that Andromeda infections can be used as a proxy for poor security hygiene and/or sluggish incident response practices.

Destructive and Designer Attacks
The impact of destructive malware remains high, particularly as criminals combine it with designer attacks. For these more-targeted attacks, criminals conduct significant reconnaissance on an organization before launching an attack, which helps them to increase their success rates. Afterward, once they permeate the network, attackers move laterally across the network before triggering the most destructive part of their planned attack. The Olympic Destroyer malware and the more recent SamSam ransomware are examples of cybercriminals combining a designer attack with a destructive payload for maximum impact.

This combination of design specification and destructive tendencies exemplified by the malware events are worrying. As strange as it sounds, the stealthy command-and-control objectives of most malware over the last decade have caused many firms to let their guard down. Detection and response became the key challenge. With worms and destructive malware back in the forefront, it's time to get that guard back up.

Keep Your Eyes Open
From cryptojacking to botnets to malware, cybercriminals keep evolving their attack methods to increase their success rates. But forewarned is forearmed. While Houdini taught us not to believe everything we see, the data from this report tells us that the more we can see, the more easily we can defeat it. The data reminds us not to be lulled into complacency by what's gone before or to forget about the basics, such as good cyber hygiene. In this dynamically changing environment, IT security teams stand a much better chance of defeating the latest cyber schemes when they know what to look for.

Related Content:

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.