Threat Intelligence

12/4/2018 06:00 PM
Backdoors Up 44%, Ransomware Up 43% from 2017

Nearly one in three computers was hit with a malware attack this year, and ransomware and backdoors continue to pose a risk.

Backdoor and ransomware detections increased 44% and 43%, respectively, in 2018, the same year nearly 30% of computers faced at least one malicious threat online, researchers report.

The Kaspersky Security Bulletin 2018 found malware should be among everyone's top concerns as we head into the new year. Kaspersky Labs handled 346,000 new malicious files each day in the first 10 months of 2018 and detected 21,643,946 unique malicious objects this year.

Backdoor detections made up 3.7% of all new malicious files analyzed by Kaspersky Lab researchers in the first 10 months of 2018, increasing from 2.27 million to 3.26 million year over year. Ransomware (Trojan-ransom) detections made up 3.5%, up from 2.2 million detections to 3.13 million.

Trojans made up half of all new malicious files analyzed. Researchers point to banking malware and malicious programs targeting ATMs and point-of-sale terminals as a threat to watch. This year, Kaspersky tools blocked attempts to deploy one or more money-stealing programs on 830,135 devices.

While sophisticated APT groups are largely focused on corporate data theft, Kaspersky Lab researchers say the bulk of cybercrime is focused on financial theft. "Cybercriminals do this in any way they can," researchers say, as indicated by phishing campaigns centered around sporting events and holidays.

The spike in backdoors and ransomware indicates that cybercriminals are showing interest in all the different ways they can attack users and make money at their expense, they explain. "This involves both the reuse of already existing efficient malware, as well as the development of new malware."

Of the 10 malware families most frequently deployed against banking users, the Zbot Trojan was the most common at 26.3% of attacks, and the Nymaim Trojan took second place with 19.8% of infections, followed by the SpyEye backdoor at 14.7%. Overall, seven of the top 10 banking malware families were Trojans and three were classified as backdoor, researchers found.

Crypto-ransomware proved a consistent threat as researchers observed 39,842 modifications of encryptors and 11 new families. Detections peaked in November 2017 at 15,462 for the month. More than 220,000 corporate users and 27,000 small and midsize business users were hit with encryptors. September 2018 was the most active month, with 132,047 instances seen.

WannaCry was the most widespread ransomware family, at 29.3% of infections, followed by a "generic verdict" — the term researchers used for new and unknown samples — at 11.4%. Gandcrab ransomware fell in third place at 6.67%, followed by Cryakl (4.59%) and PolyRansom/Virlock (2.86%) in fourth and fifth place, respectively.

Most-Targeted Applications and Systems
This year will be remembered for the large number of targeted attacks leveraging zero-day exploits, researchers say.

Notable incidents included CVE-2018-4878 and CVE-2018-5002, which exploited Adobe Flash at the end of its life cycle. Acrobat Reader bug CVE-2018-4990 was abused for the first time in a long time. We also saw vulnerabilities in the Windows script engine VBScript, CVE-2018-8174 and CVE-2018-8373, and several flaws in the win32k.sys driver used by cybercriminals to escalate privileges in Windows and bypass a sandbox (CVE-2018-8120, CVE-2018-8453, CVE-2018-8589).

That said, the researchers have noticed attacks on certain popular tools decrease.

"As in the previous year, the share of users attacked by exploits for vulnerabilities in Adobe Flash Player and Internet Explorer has decreased, even though some new zero-day publicly exploited vulnerabilities have been found in both products," researchers point out. Further, the share of exploits for Android fell 9 percentage points to 18%, a sign that security is improving.

However, they add, there was a "significant increase" in the number of people attacked with Microsoft exploits — four times the average in 2017. This drove the share of Office exploits from 17.6% to 55%, driven by mass spam email campaigns spreading malicious documents with exploits for the CVE-2017-11882 and CVE-2018-0802 vulnerabilities.

"Exploits for these vulnerabilities have gained popularity among cybercriminals due to their stability and ease of use — all that's required to create an exploit is to modify the exploit builder script published on a public resource," they explain in the report.

Researchers anticipate attackers will continue to use Office documents as they've proven a reliable attack vector over the past couple of years. While other enterprise applications are popular, they're typically used in different scenarios. Cybercriminals prefer to use them in more targeted attacks.

As they ready themselves for 2019, Kaspersky Lab researchers advise organizations to audit their systems and determine how data is stored and handled, how an attacker could compromise their systems, and which actions could mitigate the effects of an attack.

"This includes deploying appropriate technology at all layers across the company, developing an incident response plan, and ensuring that they implement an ongoing staff awareness program," they explain. "So often, people are the means by which corporate systems are compromised."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...