Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/4/2018
06:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Backdoors Up 44%, Ransomware Up 43% from 2017

Nearly one in three computers was hit with a malware attack this year, and ransomware and backdoors continue to pose a risk.

Backdoor and ransomware detections increased 44% and 43%, respectively, in 2018, the same year nearly 30% of computers faced at least one malicious threat online, researchers report.

The Kaspersky Security Bulletin 2018 found malware should be among everyone's top concerns as we head into the new year. Kaspersky Labs handled 346,000 new malicious files each day in the first 10 months of 2018 and detected 21,643,946 unique malicious objects this year.

Backdoor detections made up 3.7% of all new malicious files analyzed by Kaspersky Lab researchers in the first 10 months of 2018, increasing from 2.27 million to 3.26 million year over year. Ransomware (Trojan-ransom) detections made up 3.5%, up from 2.2 million detections to 3.13 million.

Trojans made up half of all new malicious files analyzed. Researchers point to banking malware and malicious programs for ATMs and point-of-sale terminals, as a threat to watch. This year, Kaspersky tools blocked attempts to deploy one or more money-stealing programs on 830,135 devices.

While sophisticated APT groups are largley focused on corporate data theft, Kaspersky Lab researchers say the bulk of cybercrime is focused on financial theft. "Cybercriminals do this in any way they can," researchers say, as indicated by phishing campaigns centered around sporting events and holidays.

The spike in backdoors and ransomware incidate cybercriminals are showing interest in all the different ways they can attack users and make money at their expense, they explain. "This involves both the reuse of already existing efficient malware, as well as the development of new malware."

Of the 10 malware families most frequently deployed against banking users, the Zbot Trojan was the most common at 26.3% of attacks, and the Nymaim Trojan took second place with 19.8% of infections, followed by the SpyEye backdoor at 14.7%. Overall, seven of the top 10 banking malware families were Trojans and three were classified as backdoor, researchers found.

Crypto-ransomware proved a consistent threat as researchers observed 39,842 modifications of encryptors and 11 new families. Detections hit a high point in November 2017, when they hit 15,462 for the month. More than 220,000 corporate users and 27,000 small and midsize business users were hit with encryptors. September 2018 was the most active month, with 132,047 instances seen.

WannaCry was the most widespread ransomware family, at 29.3% of infections, followed by a "generic verdict" — the term researchers used for new and unknown samples — at 11.4%. Gandcrab ransomware fell in third place at 6.67%, followed by Cryakl (4.59%) and PolyRansom/Virlock (2.86%) in fourth and fifth place, respectively.

Most-Targeted Applications and Systems
This year will be remembered for the large number of targeted attacks leveraging zero-day exploits, researchers say.

Notable incidents included CVE-2018-4878 and CVE-2018-5002, which exploited Adobe Flash at the end of its life cycle. Acrobat Reader bug CVE-2018-4990 was abused for the first time in a long time. We also saw vulnerabilities in Windows script engine VBSscript: CVE-2018-8174 and CVE-2018-8373, and several flaws in the win32k.sys driver used by cybercriminals to escalate privileges in Windows and bypass a sandbox (CVE-2018-8120, CVE-2018-8453, CVE-2018-8589).

That said, the researchers have noticed attacks on certain popular tools decrease.

"As in the previous year, the share of users attacked by exploits for vulnerabilities in Adobe Flash Player and Internet Explorer has decreased, even though some new zero-day publicly exploited vulnerabilities have been found in both products," researchers point out. Further, the share of exploits for Android fell 9 percentage points to 18%, a sign that security is improving.

However, they add, there was a "significant increase" in the number of people attacked with Microsoft exploits — four times the average in 2017. This drove the share of Office exploits from 17.6% to 55%, driven by mass spam email campaigns spreading malicious documents with exploits for the CVE-2017-11882 and CVE-2018-0802 vulnerabilities.

"Exploits for these vulnerabilities have gained popularity among cybercriminals due to their stability and ease of use — all that's required to create an exploit is to modify the exploit builder script published on a public resource," they explain in the report.

Researchers anticipate attackers will continue to use Office documents as they've proven a reliable attack vector over the past couple of years. While other enterprise applications are popular, they're typically used in different scenarios. Cybercriminals prefer to use them in more targeted attacks.

As they ready themselves for 2019, Kaspersky Lab researchers advise organizations to audit their systems and determine how data is stored and handled, how an attacker could compromise their systems, and which actions could mitigate the effects of an attack. 

"This includes deploying appropriate technology at all layers across the company, developing an incident response plan, and ensuring that they implement an ongoing staff awareness program," they explain. "So often, people are the means by which corporate systems are compromised."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17545
PUBLISHED: 2019-10-14
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
CVE-2019-17546
PUBLISHED: 2019-10-14
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
CVE-2019-17547
PUBLISHED: 2019-10-14
In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c has a use-after-free.
CVE-2019-17501
PUBLISHED: 2019-10-14
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
CVE-2019-17539
PUBLISHED: 2019-10-14
In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer.