Taking Stock of the Changing Threat Landscape, Circa 2018

As any commander knows, a battle can turn on the quality of the information available about the adversary.

It’s true in war and it’s also true in the security world, where businesses are locked in an ongoing battle to defend their data against savvy adversaries capable of launching increasingly potent attacks. That’s why enterprise managers thirsting for the best intelligence available about this fast-changing threat landscape can glean important new insights with the release of Symantec’s 2018 Internet Security Threat Report.

This annual compilation is a massive effort, pulling together a variety of data sources from across Symantec’s vast Global Intelligence Network. And as in years’ past, it makes for sobering reading. I’m hardly going out on the line predicting that 2018 is likely to set new records for cyber attacks. But it’s up to CSOs and CISOs to prepare their organizations for attackers coming their way from any number of directions.

Let’s take a closer look at the highlights from the report:

Explosive Increase in Cryptojacking

Cryptojacking has been around for a while. But it exploded toward the end of 2017 as sophisticated cyber criminals seized on this technique to attack their targets. The sharp growth measured on a percentage basis - an 8,500% increase year-to-year - reflected the fact that we’re starting from a relatively small base. It also attested to the fact that attackers were reading the headlines about the exponential growth in the price of virtual currencies. Up until late last year, it wasn’t worth their time. Every business needs to prepare accordingly because as long as the price of cryptocurrencies remain high, cryptojacking is here to stay.  Coin miners can slow devices, overheat batteries, and if enough of your processing power is being stolen, make devices unusable. For organizations, coin miners can put corporate servers at risk of shutdown and inflate cloud CPU usage, imposing unexpected and higher costs.

This crime can be trivial to implement, because a basic attack is browser-based. This low barrier to entry means that criminals don’t even need to try and download malware to a victim’s Mac or PC. Instead, the attacks require a couple lines of code inserted into a popular website and cyber criminals can harness stolen processing power and cloud CPU usage from consumers and enterprises. After an attacker inserts a single line of code into a legitimate website, anyone browsing that site will be unknowingly mining cryptocurrency for someone the entire time they are connected.

The search for more processing power to mine more coins and hence make more money is leading to another kind of trouble: file-based cryptojacking. When you consider the profitability of cryptojacking through a browser versus a server, there's no contest. Cyber criminals can make a lot more money if they infiltrate a company’s servers. If you fail to protect yourself from those attacks, you’re paying for someone else’s mining operation.

A couple of related points:

• Browser-based cryptojacking attacks are platform-agnostic - and Macintosh computers are not immune. Indeed, attacks against the Mac OS rose 80% in the last year, most of that from coin-mining attacks.
• The ISTR also noted a 600% increase in IoT attacks in the last year as cyber criminals sought to exploit the poor security of these devices. I can't say that all the attacks were linked to cryptojacking or cryptocurrency mining, but it certainly was a factor as cyber criminals sought to profit by controlling devices to help them mine en masse.

Attackers Stick with Single Method to Infect Victims

Even as cyber criminals become more sophisticated, the ISTR reveals that they still prefer to bank on familiar tactics that have worked so well in the past. Indeed, 71% of targeted attacks groups still use spear phishing emails to infect their victims. It may be the oldest trick in the book but it’s cheap, it’s easy and it’s highly effective. It also continues to frustrate the best efforts of CSOs and CISOs to secure their organizations. The fact remains that people still remain too easy to fool.

Some other revealing aspects of attacker behavior:

• Sophisticated and organized targeted groups are on the rise, growing by 16 percent last year.
• The use of Zero-Day attacks continues to fall out of favor. Only 27% of the 140 targeted attack groups that Symantec tracked have been known to use Zero-Day vulnerabilities at any point in the past.
• While we’ve long talked about what type of destruction might be possible with cyber attacks, we’ve moved beyond the theoretical, with more than 10% of all attacks being designed to disrupt.

 Implanted Malware Targets the Software Supply Chain

Symantec identified a 200% increase in the number of attackers trying to get past defenses by injecting malware implants into the software supply chain. Another way to interpret this: There was one attack every month last year, compared to four attacks annually in the prior years. Perhaps the most notable example of how this works was in the Petya outbreak in which attackers used accounting software as their point of entry. Once inside an organization Petya then deployed a variety of methods to spread laterally across corporate networks, spreading its malicious payload.

Ransomware is Now a Business

Hoping to make an easy score, cyber criminals swarmed into the ransomware market in 2016. But by 2017, the ransomware market had undergone what in financial parlance would be described as a correction. Falling ransom demands signaled that attackers had overpriced their product, losing “customers.”  As they saw less profit, many cyber criminals shifted their focus to coin mining and banking Trojans, hoping for more lucrative returns.

But while ransomware rates might be flattening out, don’t interpret that as a signal that ransomware is on the verge of disappearing. Indeed, the number of ransomware variants still increased by 46 percent. In other words, criminal groups are innovating less but they are still very productive. Symantec surveyed end-users around the globe and found that about 1 in 10 had been attacked by ransomware. The devastating Wannacry attack that hit the National Health Service in the UK serving as the most prominent example of the havoc ransomware can wreak.

Mobile Malware Continues to Surge

Mobile malware continues its steady climb and can no longer be ignored.  The number of new mobile malware threats continued to grow, a 54% increase from the year before.  Symantec blocked 38,000 malicious mobile applications each day in 2017. And despite the efforts to fix vulnerabilities in mobile operating systems, having patches available do not been mobile users are protected.  For example, we discovered that only 20% of Android devices run the newest version of the OS. Just 2.3% are on the latest minor release. This remains a huge and vexing issue. If users can't get the latest release version of the OS on their phones, the availability of patches is of little use.

Meanwhile, mobile users face myriad privacy risks from so-called “grayware.” These are apps that are not malicious but can still prove troublesome. Symantec found that 63 percent of grayware apps leak the device’s phone number. With grayware increasing by 20% in 2017, this is a problem organizations will continue to reckon with this year.

Want to learn more?

This is just a taste of the main findings from ISTR 23. To find out more about these and other areas of the cyber security threat landscape, download ISTR 23 now.

You can also join Symantec threat experts in your region as they review the findings:

Register here for the Americas webinar

Register here for the EMEA webinar

Register here for the APJ webinar