
Attacks/Breaches

3/22/2018
06:50 AM

Supply Chain Cyberattacks Surged 200% in 2017

Symantec's annual Internet Security Threat Report also shows that zero-day exploits fizzled and cryptocurrency mining exploded.

Major software update compromises occurred at least once a month last year as attackers adopted this more stealthy and efficient way to reach their targets – compared to just three such attacks per year previously.

That 200% increase in such supply chain attacks only accounts for breaches in 2017 that were reported publicly, so the actual rate of these attacks could be even higher, according to new cyber threat data from Symantec's annual "Internet Security Threat Report," published today.

These are attacks where hackers hijack the software update process and replace it with malicious code; the most high-profile of these incidents last year was NotPetya, where Russian hackers compromised a Ukrainian accounting vendor's software as a way to spread malware to its targets.

"All of a sudden this is a huge issue," says Kevin Haley, director of Symantec Security Response. "This is something organizations really need to be concerned about. It's not just some one-offs."

Supply chain attacks were one of the main trends cited by Crowdstrike in its annual threat report as well. In addition to NotPetya, there were attacks on Avast's CCleaner and the HandBrake media player software for Apple Mac machines, notes Adam Meyers, vice president of intelligence at Crowdstrike. Attackers can target victims via plugins and other software updates, he says.

"It used to be that we talked about the hardware supply chain" being at risk, Meyers says. "Now you get updates via an app store that will validate as much as possible" but still can be corrupted or abuse permissions, he says.

It's tough to defend against supply chain attacks because patching software with the latest releases is a security best practice. "You can't stop" patching, but organizations should start looking at their supply chain vendors and be sure they are protecting them, Symantec's Haley says.

Behavior monitoring is another way to track any suspicious activity with an application update, but app vendors also need controls to catch any unauthorized changes in their update systems and processes, Symantec advises.
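The control Symantec describes above, catching a hijacked update before it is applied, can be illustrated with a small client-side integrity check. The code below is an added example, not from the report or the article: the vendor publishes a manifest of expected SHA-256 digests, authenticates it with a key the update server never holds, and the client refuses any artifact whose digest does not match. The manifest format, the artifact names, the key and the sample payloads are all constructed for the example, and HMAC-SHA256 stands in for the public-key signature (for instance Ed25519 made on an offline signing host) that a real release pipeline would use.

```python
import hashlib
import hmac
import json

# Added example, not from the Symantec report or the article. Assumptions:
# the release manifest is a JSON object mapping artifact names to SHA-256 hex
# digests, and it is authenticated with HMAC-SHA256 under a key that only the
# build/signing host knows (a stand-in for a public-key signature).


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an update artifact."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> bytes:
    """Vendor side: canonical JSON listing the expected digest of every artifact."""
    entries = {name: sha256_hex(blob) for name, blob in artifacts.items()}
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def authenticate_manifest(manifest: bytes, key: bytes) -> str:
    """Vendor side: authenticator over the manifest bytes (HMAC as a signature stand-in)."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify_update(name: str, artifact: bytes, manifest: bytes, tag: str, key: bytes) -> str:
    """Client side: return "ok", or the reason the update is refused."""
    # 1. Nothing in the manifest is trusted until the manifest itself authenticates.
    expected_tag = authenticate_manifest(manifest, key)
    if not hmac.compare_digest(expected_tag, tag):
        return "manifest-not-authentic"
    entries = json.loads(manifest)
    # 2. An artifact the manifest never listed is refused outright.
    if name not in entries:
        return "unknown-artifact"
    # 3. The artifact's digest must equal the pinned value, compared in constant time.
    if not hmac.compare_digest(entries[name], sha256_hex(artifact)):
        return "digest-mismatch"
    return "ok"


# Constructed sample data: a genuine build, the manifest published for it,
# and the tampered variants a hijacked update channel could deliver.
KEY = b"constructed-demo-key-do-not-reuse"
GENUINE = b"\x7fELF..." + b"agent 2.4.1 genuine payload (constructed)"
MANIFEST = build_manifest({"agent-2.4.1.bin": GENUINE})
TAG = authenticate_manifest(MANIFEST, KEY)


def demo() -> dict:
    """Run the check over the genuine artifact and three hijack scenarios."""
    trojaned = GENUINE + b"<injected loader>"
    # An attacker who controls only the update server can rewrite the manifest,
    # but cannot produce a valid authenticator for it without the signing key.
    forged_manifest = build_manifest({"agent-2.4.1.bin": trojaned})
    return {
        "genuine": verify_update("agent-2.4.1.bin", GENUINE, MANIFEST, TAG, KEY),
        "trojaned artifact": verify_update("agent-2.4.1.bin", trojaned, MANIFEST, TAG, KEY),
        "replaced manifest": verify_update("agent-2.4.1.bin", trojaned, forged_manifest, TAG, KEY),
        "unlisted artifact": verify_update("helper.dll", GENUINE, MANIFEST, TAG, KEY),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:>18}: {result}")
```

The point of the separation is that the update server, the component compromised in the incidents the article lists, holds neither the signing key nor the authority to add artifacts: swapping the binary, rewriting the manifest, or shipping an extra file all fail the check, and each refusal reason is distinct so it can be logged and alerted on.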

The spike in supply chain attacks coincided last year with a drop in zero-day attacks detected by Symantec. It's getting harder to find – and less appealing to burn – expensive zero-day vulnerabilities in an attack. Just under 30% of the 140 cyber threat groups Symantec tracks that wage targeted attacks have ever used a 0day in an attack. It's all part of the trend of sophisticated attackers employing legitimate tools and applications on their victims' networks to stay camouflaged for the long haul.

Targeted cyberattacks increased by 10% last year, with some 90% of the attacks purely for intelligence-gathering, including spying, information-stealing, and surveillance. Most of the attackers here are nation-state sponsored groups. About 10% of targeted attack groups wage disruptive attacks on their victims. Another 9% are doing so for financial gain, and spear phishing is the main initial attack vector (71%) in all targeted attacks.

Symantec has discovered an average of three new targeted attack groups per year, it says, and the most active ones hit an average of 42 organizations in the past three years. Researchers at Symantec identified 29 new such groups this past year. "And those are only the ones we know about," Haley says.

The US unsurprisingly is the most attacked, with nearly 30% of all targeted attack incidents.

Destructive targeted attacks that cause disruption or destroy data are on the rise, however. Like 0days, they often call unwanted attention to the attackers, so waging one is a calculated risk for a threat group. Just 6% of the targeted attack groups Symantec watches deploy destructive malware, but that number could rise.

"'Success' breeds imitation. Those attacks can be looked at as a success. We expect to see more" attacks inspired by known destructive attacks, Haley says.

One of the more infamous such attacks was by North Korea's Lazarus Group against Sony Pictures in 2014. The hackers dumped emails, unreleased movies, and wiped hard drives as part of the noisy and destructive hack purportedly in response to a film considered disparaging to Kim Jong-un.

Cryptocurrency Mining Cashes In

One of the most dramatic shifts in security threats Symantec studied in 2017 was the eye-popping 34,000% (yes, that's three zeroes) increase in cryptocurrency mining attack attempts. These so-called cryptojacking attacks infect victim computers in order to use their processing power (and electricity) to mine virtual currency in massive quantities. In December 2017 alone, the security firm blocked more than 8 million of these attacks, and in the fourth quarter of 2017, Symantec endpoint technology saw an 8,500% increase in detections of cryptojacking malware.

Cybercriminals – and nation-states such as North Korea – dropped ransomware for the most part in exchange for the more lucrative and easier-to-deploy cryptojacking attacks. While the wave now is riding the exchange rate for virtual currency, Haley doesn't expect these attacks to decline any time soon.

The attack rates are holding at highs so far this year, he says. "They are not going away."

As the average price for ransomware attacks dropped, attackers jumped ship to cryptojacking. "We think there is some movement from ransomware to" cryptojacking because it's easier money, he says. "With ransomware, there were way too many competitors in the market and they were overpricing their product. Only so many victims were willing to pay to get their files back: they were not going to pay $1,000," for instance, he says.

The average ransom demand in 2017 declined by about 50%, to $522, but the number of ransomware variants actually rose by 46%. So ransomware isn't dead.

The challenge with cryptomining versus ransomware is the visibility and pain of the attack: ransomware was an in-your-face, work-stopping event. Cryptocoin mining can be less obvious, and some organizations don't consider it a form of hacking. The malware, though, can ultimately drag down machine performance, overheat batteries, sap electricity, and even break components and cause an enterprise network shutdown. There's also the risk of being billed for the attackers' use of CPUs via your cloud provider, Symantec notes in its report.

Haley says enterprises are prime targets for cryptocurrency attacks, even if the currency value declines. "Enterprises have more processing power, so if I want to maximize my earnings, that's where I can go to get even more powerful systems," he says. Employees, too, may abuse their corporate networks to mine coins.

Meantime, Symantec saw mobile malware variants increase by 54% last year over 2016. Its products blocked some 24,000 malicious mobile apps per day. Android devices continue to be the biggest security problem for enterprises and consumers, as only 20% of Android users have devices with the most up-to-date software.

Another hotspot to watch out for: Internet of Things (IoT) threats. Symantec said attacks on IoT rose 600% last year.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...