Caught in the Net: Unraveling the Tangle of Old and New Threats

Looking back at the most significant issues of 2018, we saw shifting cybercriminal strategies and lingering security threats. Enterprises faced a multitude of challenges, but careful study of these issues can present opportunities for improvement.
  • Messaging Threats
  • Ransomware
  • Critical Vulnerabilities
  • IoT Attacks
  • Trend Micro Research
  • Threat Landscape
  • PDF Download

A blend of old and new cybersecurity issues inundated enterprises in 2018. Researchers discovered that nearly all running computers had serious hardware flaws, the ransomware problem persisted, unauthorized cryptocurrency mining spread and diversified, and vulnerable connected devices in homes were hit with effective new attacks. Also, in reaction to a broadening landscape of operating systems and devices, cybercriminals shifted from exploit kit-based attacks to an old but still effectual tactic: social engineering. Exploit kits and automated methods were efficient when a large number of users were using vulnerable software, but in 2018 many threat actors were trying to exploit human vulnerabilities instead. 

Our annual security roundup examines these and other important security issues, providing valuable insight for enterprises and users to help them be aware of and prepared for critical threats.

. . .

Messaging threats

As a means for important communications to and from an enterprise’s network, business email makes for an attractive platform for cybercriminals. Consequently, phishing and other social engineering schemes are among the top concerns for cybersecurity professionals, as unwanted emails designed and worded professionally can easily fool a recipient who regularly fields similar emails.  

In 2018, we saw an increase in the use of various forms of messaging threats. Most notably, we observed an 82-percent increase in blocked access to phishing URLs by unique client IP address compared to the previous year. Phishing traditionally arrives via email since email-based threats are much more platform-agnostic than other types of attacks that rely, for instance, on specific exploits.

2017
11,340,408
2018
20,617,181

Year-on-year comparison of blocked access to phishing URLs by unique client IP address (e.g., one machine that accessed a link three times was counted as one)

Recently, apart from emails, there have also been phishing attacks that use chat, SMS, and other communication modes. The increase in numbers as well as different versions of phishing attacks shows how cybercriminals are adapting to a changing landscape. More connected devices and a widening range of operating systems mean that exploiting one particular operating system will not be as profitable for cybercriminals as in the past. Consequently, they are turning to an old but still usually effective attack.

28%
2017-2018

Another form of messaging attacks that picked up pace in 2018 was business email compromise (BEC). In a typical BEC attack, an attacker initiates or intercepts communications to con an enterprise employee who has the power to release or transfer funds.

  • CEO
  • Managing Director/Director
  • President
  • General Manager/Manager
  • Chairman
  • Others

Top positions being spoofed

While the overall number of these BEC attacks was low, a successful attempt could result in high financial losses for the target company. By contrast, phishing attacks were widely launched against a number of possible victims because duping even a low percentage of users would be profitable for attackers.

. . .

Ransomware

Overall ransomware-related threats decreased by 91 percent from 2017 to 2018, and the number of discovered ransomware families also dropped over the same period. This steep and steady decline continued the trajectory we noted in our midyear roundup report. It could be attributed to improved ransomware solutions, growing awareness of the threat, and to a certain extent, the realization that negotiating with attackers would prove futile.

2017
631,128,278
2018
55,470,005

Ransomware-related threats

2017
327
2018
222

New ransomware families

Nevertheless, since the profit that attackers stood to gain outweighed the effort involved in launching attacks, we continued to see ransomware being used. Our detections for WannaCry, the family that caused the infamous ransomware outbreak of May 2017, were at a stable number (616,399) and overshadowed those for all other ransomware families by a wide margin.

Cryptocurrency mining, for its part, reached a new peak in 2018 at over 1.3 million detections — a 237-percent growth from the previous year. 

1,350,951
2018
400,873
2017

Cryptocurrency mining detections

Apart from the rise in detections, we also observed a “gold rush” in cryptocurrency-mining attack methods throughout the year: penetrating ad platforms, popup ads, a malicious browser extension, mobile phones, botnets, bundling with legitimate software, exploit kits, and repurposed ransomware

819%
in fileless threats
Aug 2017 - Dec 2018

There was also an upsurge in one of the attack methods used to evade traditional blacklisting techniques: fileless threats. These particular threats attempt to evade conventional solutions and can usually be detected only via other means such as traffic monitoring, behavioral indicators, or sandboxing.

. . .

Critical vulnerabilities

The year in security began with the groundbreaking disclosure of Meltdown and Spectre, processor-level vulnerabilities that relied on flaws in the speculative execution of CPU instructions. These new classes of flaws affected different microprocessors and spawned new CPU attacks as well as a slew of mitigation troubles. And even by the end of the year, there was no straightforward solution for these micro-architectural weaknesses.

Another unfortunate first in 2018 was the discovery of a critical vulnerability in the open-source cloud orchestration software Kubernetes. Fortunately, this particular flaw was quickly patched.

Most vulnerabilities are found and then responsibly disclosed by security researchers and vendors so that they cannot be used in any widespread attacks. But disclosing a vulnerability to the public also means alerting threat actors to it, so creating a fix before information is released is vital. Threat actors actively abuse vulnerabilities to create operational exploits.

Recently, no widespread zero-day exploit attacks were identified, unlike in the past, when two or three major zero-day attacks would define a year. Rather, the attacks that were discovered in 2018 were of limited scope. Cybercriminals were also abusing vulnerabilities that had already been patched, banking on the assumption that many users did not speedily apply the available fixes, if at all. 

*Hover to flip to the attack date

*Tap to flip to the attack date

Drupal vulnerability used to deliver cryptocurrency miners

CVE-2018-7602
PATCH DATE:
April 25, 2018

ATTACK DATE:
5 hours after release of patch

Apache CouchDB vulnerabilities used to deliver cryptocurrency miners

CVE-2017-12635,
CVE-2017-12636
PATCH DATE:
Nov. 14, 2017

ATTACK DATE:
Feb. 15, 2018
3 months later

Oracle WebLogic WLS-WSAT vulnerability used for cryptocurrency mining

CVE-2017-10271
PATCH DATE:
Oct. 16, 2017

ATTACK DATE:
Feb. 26, 2018
4 months later

Vulnerability that allows permanent rooting of Android phones used in AndroRat

CVE-2015-1805
PATCH DATE:
March 16, 2016

ATTACK DATE:
Feb. 13, 2018
23 months later

Notable attacks in 2018 involving exploits for known and patched vulnerabilities

Of the vulnerabilities found in 2018, a considerable percentage was for software used in industrial control systems (ICSs). And most of those vulnerabilities were in human-machine interface (HMI) software for ICSs and supervisory control and data acquisition (SCADA) environments. The HMI is the main hub for monitoring, managing, and implementing the states of different processes in facilities. Exploiting a critical HMI vulnerability could allow an attacker to affect the functionality of the physical components of an enterprise facility. 

. . .

IoT attacks

Router-based attacks continued unabated despite the repercussions faced by the creators of Mirai and Satori. In 2018, we found that recycled Mirai code was still being used against routers. And VPNFilter, another form of router malware, was updated with added capabilities, such as reconnaissance and persistence components, that led to the abuse of routers beyond distributed denial of service (DDoS). We also found routers being used in cryptocurrency mining and pharming attacks, which continued the trend of increased functionalities we noted in our midyear roundup report.

There were two examples of attack incidents in 2018:


  1. Cryptojacking

    Attackers exploited a patched security flaw in MikroTik routers in Brazil and injected malicious Coinhive script to mine Monero.


  2. Malicious redirection

    The exploit kit Novidade could change router Domain Name System (DNS) settings so that an unsuspecting user could be redirected to fake pages controlled by the attacker.

As more smart devices are getting connected to the internet of things (IoT), more home owners are effectively becoming “smart home network administrators.” As such, they must take on the responsibility of making sure that their routers do not become an entry point for attackers. Since routers function as the main hub for managing connections to and from the different devices that need the internet, it is critical that they are secured.

. . .

Trend Micro Research


Machine Learning Solutions

  • Ahead of the Curve: A Deeper Understanding of Network Threats Through Machine Learning
  • Adversarial Sample Generation: Making Machine Learning Systems Robust for Security
  • Uncovering Unknown Threats With Human-Readable Machine Learning

Connected Hospitals, Energy Providers, Water Companies

  • Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries
  • The Fragility of Industrial IoT’s Data Backbone
  • Securing Connected Hospitals: A Research on Exposed Medical Systems and Supply Chain Risks

Cybercriminal Investigations and Takedowns

  • The Rise and Fall of Scan4You
  • The Evolution of Cybercrime and Cyberdefense

. . .

Threat Landscape

48387151118

Overall threats blocked in 2018

Threat components blocked 1H 2018 2H 2018 2018 total
Email threats 16,997,711,547 24,521,948,297 41,519,659,844
Malicious files 2,956,153,112 2,867,738,653 5,823,891,765
Malicious URLs 534,534,550 509,064,959 1,043,599,509
Overall threats 20,488,399,209 27,898,751,909 48,387,151,118

Half-year comparison of blocked email, file, and URL threats


Year WannaCry family Other ransomware families
2017 321,814 244,716
2018 616,399 126,518

Year-on-year comparison of WannaCry detections versus other ransomware detections combined


Monthly comparison of fileless threat detections


  •  
  • 147%
  • 33%
  • 35%
  • 38%
  • 94%
  • 27%

Year-on-year comparison of vulnerabilities of selected software vendors

For more insight into the most important cybersecurity issues of 2018, download our annual security roundup.

. . .

DOWNLOAD FULL REPORT

. . .
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.