Coin mining, ransomware, targeted attacks, mobile security, and attacks leveraging the software supply chain. These are just some of the topics that made headlines in infosec in 2017 and which are covered in ISTR 23, your comprehensive guide to the cyber security threat landscape, which is available to download now.
The biggest trend in 2017 was the explosion in cryptocurrency coin mining. Interest in this area was such that detections of coinminers on endpoint computers surged by 8,500 percent in 2017.
A coinminer is a file or script that is used to mine cryptocurrencies such as Monero. Cyber criminals started trying to make money this way primarily because there was a huge rise in the value of cryptocurrencies in the last quarter of 2017, making this type of cyber crime extremely profitable.
Cyber criminals use coinminers to steal victims’ computer processing power and cloud CPU usage to mine cryptocurrencies. The barrier to entry for coin mining is pretty low—potentially only requiring a couple of lines of code to operate—and coin mining can allow criminals to fly under the radar in a way that is not possible with other types of cyber crime. Victims may not even realize a coinminer is slurping their computer’s power as the only impact may be a slowdown of their device that they could easily attribute to something else. However, coin mining on a device could potentially cause batteries to overheat and devices to become unusable. Coin mining also has implications for organizations. Self-propagating coinminers may require corporate networks to be shut down. Coin mining in the cloud also has financial implications for organizations that are being billed based on CPU usage.
While malicious coinminers appear thus far to be primarily targeting computers, and mobile phones to some extent, cyber criminals may increasingly target IoT devices as coin mining evolves. We observed a 600 percent increase in overall attacks on IoT devices in 2017, showing that while they didn’t make headlines like they did thanks to the Mirai botnet in 2016, they are still very much a target for cyber criminals.
Ransomware made headlines in 2017 thanks to the WannaCry ransomware (Ransom.WannaCry) and Petya/NotPetya (Ransom.Petya), which was a destructive wiper that masqueraded as ransomware. However, these were not “typical” ransomware attacks, and both appear to have been the work of targeted attack groups, rather than typical cyber criminals. They were part of a new trend we have observed where ransomware is being used by targeted attack groups as a decoy, to cause disruption or, in the case of WannaCry, to try to generate revenue.
The “traditional” cyber crime ransomware market made a “correction” in 2017, with fewer new ransomware families and lower ransom demands. Ransomware’s profitability in 2016 led to a crowded market and overpricing of ransom demands, but in 2017 cyber criminals seemed to find the sweet spot that victims are willing to pay. The average ransom demand in 2017 was $522, less than half of the average of 2016.
Ransomware variants increased by 46 percent in 2017, which indicates that established cyber crime groups are still quite active, but there was a drop in the number of new families discovered. This may indicate less innovation on behalf of cyber criminals, and may be a sign that their focus is currently elsewhere. Some online banking threats experienced a renaissance in 2017 as ransomware groups sought to diversify, while many cyber criminals may also have focused on coin mining while cryptocurrency values were high.
In this year’s ISTR we also examined the tools, tactics, and motivations of targeted attack groups. There are currently 140 targeted attack groups actively tracked by Symantec. We found that overall targeted attack activity increased by 10 percent in 2017, and the primary motive of 90 percent of groups was intelligence gathering. However, one in ten groups was also engaged in some kind of disruptive activity.
Analysis also showed that the use of “living off the land” tools and techniques is still favored by many attack groups. The use of zero days continues to fall out of favor for many groups, with only 27 percent of the targeted attack groups known to Symantec having ever used zero days.
Somewhat related to this is another trend we observed in 2017: an increase in software update supply chain attacks. This attack type sees attackers inject malware implants into the supply chain to infect unsuspecting victims. This type of attack was the initial infection vector for the Petya/NotPetya malware, which used a Trojanized update for a Ukrainian accounting software package to gain a foothold on corporate networks, before eventually spreading worldwide using the EternalBlue exploit and other methods. There was an average of one supply chain attack every month in 2017, compared to four attacks annually in previous years. These types of attacks allow attackers to infiltrate well-protected networks by exploiting weaker links in their software supply chain.
Threats on the mobile threat landscape continued to grow in 2017. New mobile malware variants increased by 54 percent, and an average of 24,000 malicious mobile applications were blocked every single day. The threat from grayware increased in 2017 as well. Grayware encompasses apps that aren’t entirely malicious but can be troublesome, and this type of threat increased by 20 percent compared to 2016.
The challenge of ensuring mobile security is also exacerbated by the high percentage of devices, particularly Android devices, running outdated mobile operating systems. Only 20 percent of mobile devices are running the latest major release of Android, meaning 80 percent of devices are missing out on protections contained in that update.
Want to learn more?
This is just a taste of the main findings from ISTR 23. To find out more about these and other areas of the cyber security threat landscape, download ISTR 23 now.