Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/4/2018
06:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Backdoors Up 44%, Ransomware Up 43% from 2017

Nearly one in three computers was hit with a malware attack this year, and ransomware and backdoors continue to pose a risk.

Backdoor and ransomware detections increased 44% and 43%, respectively, in 2018, the same year nearly 30% of computers faced at least one malicious threat online, researchers report.

The Kaspersky Security Bulletin 2018 found malware should be among everyone's top concerns as we head into the new year. Kaspersky Labs handled 346,000 new malicious files each day in the first 10 months of 2018 and detected 21,643,946 unique malicious objects this year.

Backdoor detections made up 3.7% of all new malicious files analyzed by Kaspersky Lab researchers in the first 10 months of 2018, increasing from 2.27 million to 3.26 million year over year. Ransomware (Trojan-ransom) detections made up 3.5%, up from 2.2 million detections to 3.13 million.

Trojans made up half of all new malicious files analyzed. Researchers point to banking malware and malicious programs for ATMs and point-of-sale terminals, as a threat to watch. This year, Kaspersky tools blocked attempts to deploy one or more money-stealing programs on 830,135 devices.

While sophisticated APT groups are largley focused on corporate data theft, Kaspersky Lab researchers say the bulk of cybercrime is focused on financial theft. "Cybercriminals do this in any way they can," researchers say, as indicated by phishing campaigns centered around sporting events and holidays.

The spike in backdoors and ransomware incidate cybercriminals are showing interest in all the different ways they can attack users and make money at their expense, they explain. "This involves both the reuse of already existing efficient malware, as well as the development of new malware."

Of the 10 malware families most frequently deployed against banking users, the Zbot Trojan was the most common at 26.3% of attacks, and the Nymaim Trojan took second place with 19.8% of infections, followed by the SpyEye backdoor at 14.7%. Overall, seven of the top 10 banking malware families were Trojans and three were classified as backdoor, researchers found.

Crypto-ransomware proved a consistent threat as researchers observed 39,842 modifications of encryptors and 11 new families. Detections hit a high point in November 2017, when they hit 15,462 for the month. More than 220,000 corporate users and 27,000 small and midsize business users were hit with encryptors. September 2018 was the most active month, with 132,047 instances seen.

WannaCry was the most widespread ransomware family, at 29.3% of infections, followed by a "generic verdict" — the term researchers used for new and unknown samples — at 11.4%. Gandcrab ransomware fell in third place at 6.67%, followed by Cryakl (4.59%) and PolyRansom/Virlock (2.86%) in fourth and fifth place, respectively.

Most-Targeted Applications and Systems
This year will be remembered for the large number of targeted attacks leveraging zero-day exploits, researchers say.

Notable incidents included CVE-2018-4878 and CVE-2018-5002, which exploited Adobe Flash at the end of its life cycle. Acrobat Reader bug CVE-2018-4990 was abused for the first time in a long time. We also saw vulnerabilities in Windows script engine VBSscript: CVE-2018-8174 and CVE-2018-8373, and several flaws in the win32k.sys driver used by cybercriminals to escalate privileges in Windows and bypass a sandbox (CVE-2018-8120, CVE-2018-8453, CVE-2018-8589).

That said, the researchers have noticed attacks on certain popular tools decrease.

"As in the previous year, the share of users attacked by exploits for vulnerabilities in Adobe Flash Player and Internet Explorer has decreased, even though some new zero-day publicly exploited vulnerabilities have been found in both products," researchers point out. Further, the share of exploits for Android fell 9 percentage points to 18%, a sign that security is improving.

However, they add, there was a "significant increase" in the number of people attacked with Microsoft exploits — four times the average in 2017. This drove the share of Office exploits from 17.6% to 55%, driven by mass spam email campaigns spreading malicious documents with exploits for the CVE-2017-11882 and CVE-2018-0802 vulnerabilities.

"Exploits for these vulnerabilities have gained popularity among cybercriminals due to their stability and ease of use — all that's required to create an exploit is to modify the exploit builder script published on a public resource," they explain in the report.

Researchers anticipate attackers will continue to use Office documents as they've proven a reliable attack vector over the past couple of years. While other enterprise applications are popular, they're typically used in different scenarios. Cybercriminals prefer to use them in more targeted attacks.

As they ready themselves for 2019, Kaspersky Lab researchers advise organizations to audit their systems and determine how data is stored and handled, how an attacker could compromise their systems, and which actions could mitigate the effects of an attack. 

"This includes deploying appropriate technology at all layers across the company, developing an incident response plan, and ensuring that they implement an ongoing staff awareness program," they explain. "So often, people are the means by which corporate systems are compromised."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20907
PUBLISHED: 2020-07-13
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
CVE-2020-14174
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5....
CVE-2019-20901
PUBLISHED: 2020-07-13
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
CVE-2019-20898
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
CVE-2019-20899
PUBLISHED: 2020-07-13
The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.