Evasive Threats, Pervasive Effects

2019 Midyear Security Roundup

. . .


The first six months of 2019 saw organizations dealing with a broad range of incoming threats and, more urgently, tackling threats that had already gained a foothold in their systems. Malware that “lived off the land,” or took advantage of legitimate and whitelisted tools to carry out malicious actions, was prevalent. Ransomware, an old threat, refocused on particular targets. Phishing, another perennial peril, used new platforms to ensnare victims. And the number of disclosed high-impact vulnerabilities drew concern and underscored the need for a better understanding of the real-world risks faced by enterprise systems.

Our midyear security roundup highlights these and other threats that made their mark in the first half of 2019, and provides security insights to help users and organizations determine the right solutions and defense strategies against them.

. . .




Notable incidents

In the first half of 2019, cybercriminals were more selective about their ransomware targets, concentrating mainly on multinationals, enterprises, and even government organizations. Their modus operandi involved sending employees tailored phishing emails, exploiting security gaps to gain access into the network, and then moving laterally within the network.

The LockerGoga ransomware, for example, hit a Norwegian manufacturing company and halted production in several of its plants in March, eventually resulting in over US$55 million in financial losses. And the city of Baltimore, Maryland, had incurred US$5.3 million in recovery costs after its systems were infected with the RobbinHood ransomware in May.

Some municipal organizations were evidently pressured into simply paying the ransoms in hopes of quickly restoring the affected systems used for their public services. Notably, three municipalities in Florida were struck by separate ransomware attacks over the course of several weeks: Riviera Beach, by an unidentified ransomware variant, and Lake City and Key Biscayne, both by the notorious Ryuk ransomware.

  • Riviera Beach
    US$600,000May 29

  • Lake City
    US$460,000June 10

  • Key Biscayne
    No reported paymentJune 23

These high-profile attacks and high-value payouts were in line with the steep increase in our overall ransomware detections from the second half of 2018 to the first half of 2019, although the number of new ransomware families declined.

77% Overall ransomware detections compared to the second half of 2018
55% New ransomware families compared to the second half of 2018

Complex routines

We also observed destructive routines beyond file encryption. Some ransomware variants, including the examples below, were designed with notable features that decreased the chances of victims recovering files and systems.

  • Ryuk
    - Arrives via spam

    - Can render infected systems unbootable
  • LockerGoga
    - Arrives via compromised credentials

    - Modifies the passwords of infected systems’ user accounts, prevents infected systems from being rebooted
  • RobbinHood
    - Arrives via unsecure remote desktops or trojans

    - Encrypts each file with a unique key
  • BitPaymer
    - Arrives via compromised accounts and emails containing Dridex

    - Abuses PsExec tool
  • MegaCortex
    - Arrives via compromised controllers

    - Disables certain processes
  • Nozelesn
    - Arrives via spam

    - Its trojan downloader, Nymaim, uses fileless techniques to load the ransomware.

Our data showed that various ransomware families were active in the first half of the year. But the infamous WannaCry remained the most detected ransomware family, with numbers that far exceeded those of the other ransomware families combined.

Monthly comparison between detections of WannaCry and combined detections of the other ransomware families in the first half of 2019

. . .


Threats that
‘live off the land’

Threats that ‘live off the land’

Fileless events

1H 2019

Half-year comparison of fileless events blocked

As we predicted, threat actors had been increasingly “living off the land,” or abusing legitimate system administration and penetration testing tools to hide their malicious activities. Their so-called fileless threats are not as visible as traditional malware since these typically do not write to disk, are usually executed in a system’s memory, reside in the registry, or misuse normally whitelisted tools like PowerShell, PsExec, or Windows Management Instrumentation.

Here are a few notable threats we detected that used fileless techniques:

These threats had something in common: PowerShell abuse. While it is a convenient tool for system administrators, PowerShell can be used by cybercriminals to launch payloads without having to write or run a file in an affected system’s local memory.

Macro Malware

Macro malware slightly decreased from the latter half of 2018. Most of our detections for macro-based threats were due to Powload, mainly in spam emails. Powload has evolved over the years: diversifying the payloads it delivers, employing steganography, and even using region-specific brands or vocabulary. We also saw other families of macro malware being used in spam campaigns that delivered information stealers like Trickbot and used for cyberespionage.

Half-year comparison of detections of non-Powload-related macro malware and Powload-related macro malware

Exploit kits

Our data showed that blocked access to exploit kit-related sites slightly rose from the second half of 2018, although the number for the first half of 2019 was still a far cry from when exploit kits were at their peak. Exploits kits take every opportunity they can, using old but still viable vulnerabilities and different payloads, which they adapt to their specific needs.

Half-year comparison of instances of blocked access to URLs hosting exploit kits

One notable exploit kit from the first half of 2019 was Greenflash Sundown, which was used by the ShadowGate campaign through an upgraded version capable of living off the land, that is, using an updated PowerShell loader to filelessly execute the payload. ShadowGate’s last notable activity was in April 2018, when it used Greenflash Sundown to spread cryptocurrency-mining malware in East Asia.

. . .


Messaging threats

Messaging threats

Phishing scams

Phishing activities dipped in the first half of 2019. Our data showed an 18% drop in the number of times we blocked a phishing site from being accessed by a unique client IP address. Several factors could be responsible for this decline, including a rise in user awareness about phishing scams. But interestingly, within the same time frame, we noted a steep 76% increase in the number of blocked unique phishing URLs that spoofed Microsoft Office 365, specifically Outlook.

Taking further their abuse of people’s trust in known brands and tools, cybercriminals also used multiplatform social engineering threats for phishing.

  • Android photo apps were used in a phishing scheme aimed at stealing images.

  • A phishing campaign used the watering hole technique to steal user credentials.

  • Phishers abused a browser extension called SingleFile to disguise fraudulent login pages.

Compromising schemes

Business email compromise (BEC) is a simple but increasingly costly scam that enterprises must be wary of. BEC scammers use various social engineering techniques, typically impersonating CEOs and other executives, to trick unwitting employees into transferring funds to their accounts.

52% BEC attempts compared to the second half of 2018
CEO Most spoofed position

BEC has been part of the threat landscape for years, and scammers have been developing new ways to take advantage of their victims. Consequently, they have also been compromising personal and vendor email accounts and spoofing lawyer email accounts. There have also been instances that support our prediction that BEC scammers would target employees farther down the company hierarchy.

Sextortion, a messaging threat focused on personal and reputational damage, had also been on the rise. Our data showed that sextortion schemes via spam more than quadrupled from the second half of 2018 to the first half of 2019, which matched the trajectory we predicted last year. This was unsurprising given that sextortion made up the majority of extortion-related complaints received by the FBI in 2018.

Because of the personal and sensitive nature of sextortion scams, victims are likely to be coerced into acquiescing to sextortionists’ demands. One specific example in April found malicious actors attempting to extort money from Italian-speaking users by threatening them with the release of compromising videos.

Half-year comparison of detections of sextortion-related spam emails

. . .




Hardware-level flaws

The disclosure of Meltdown and Spectre at the start of 2018 opened up a new class of challenges in the mitigation and patching of vulnerabilities. In the first half of 2019, more hardware-level vulnerabilities were uncovered.

In February, researchers revealed a proof of concept showing how hackers could misuse enclaves designed to protect and access data in Intel’s Software Guard Extensions (SGX), a set of instructions found in Intel’s Core and Xeon processors.

In May, researchers disclosed several microarchitectural data sampling vulnerabilities in modern Intel processors. Their impact was demonstrated through the side-channel attacks ZombieLoad, Fallout, and Rogue In-Flight Data Load (RIDL), with methods similar to those of Meltdown and Spectre. These side-channel attacks could enable hackers to execute code or exfiltrate data.

High-impact bugs

Risky vulnerabilities prevailed in the threat landscape of the first half of 2019. The majority of the vulnerabilities reported through our Zero Day Initiative (ZDI) program were rated high in severity, a sign of their pervasive impact.





Here are a few of the notable vulnerabilities seen in the first half of 2019 and the dangers they pose to enterprises:

Aka BlueKeep, a critical vulnerability in remote desktop services

Can give malware extreme propagation capabilities

A vulnerability in Windows 10’s Task Scheduler

Can allow hackers to access protected files

A vulnerability in runC, a runtime component used for container platforms

Can give hackers full control of the host running an affected container

A vulnerability in Kubernetes’ command-line interface for running commands and managing resources

Can push users into downloading malicious container images

A vulnerability in the workflow automation tool StackStorm

Can expose servers to unauthorized access

. . .


IoT and IIoT Attacks

IoT and IIoT Attacks

Botnet and worm wars

Just as we predicted, botnets and worms had been fighting for control of exposed devices connected to the internet of things (IoT). The various contenders trying to edge out and literally erase the competition — including Bashlite as well as Mirai variants like Omni, Hakai, and Yowai — had this routine in common: scanning for competitors on infected IoT devices, deleting the other malware, and embedding their own payloads.

Strikes on critical infrastructures

The industrial internet of things (IIoT) has transformed how industrial facilities and critical infrastructures run, providing an unmatched boost in efficiency and visibility into enterprise operations. However, the convergence of operational technology (OT) and information technology (IT) has also brought new security risks and resulted in broader attack surfaces.

According to a survey published in March, 50% of surveyed organizations already experienced an attack on their critical infrastructures in the past two years. And in 2019, malicious actors seemed to be assessing IIoT targets. The Xenotime hacking group, believed to be behind the Triton aka Trisis malware, was seen probing the industrial control systems (ICSs) of power grids in the U.S. and Asia-Pacific region. The malware scanned for and listed its targets’ remote login portals and vulnerabilities in their networks.

. . .



Overall threats blocked in the first half of 2019

Email, file, and URL threats blocked decreased slightly in the second quarter of the year: Quarterly comparison of blocked email, file, and URL threats and of email, file, and URL reputation queries in the first half of 2019

Quarterly comparison of malicious Android apps blocked in the first half of 2019

Quarterly comparison of Android app queries in the first half of 2019

PDF barely overtook XLS as the most common file type in spam email attachments: Distribution of file types used as attachments in spam emails in the first half of 2019

Midway through, 2019 has seen many persistent and stealthy threats, ready to find and exploit vulnerabilities in processes, people, and technologies. There is no easy answer for comprehensive defense — enterprises and users have to find a multilayered approach that can address their specific security gaps. Protection is needed for gateways, networks, servers and endpoints. For enterprises that face malware using sophisticated techniques, solutions that combine human expertise and security technologies are needed to better detect, correlate, respond to, and remediate threats.

Our full midyear security roundup, “Evasive Threats, Pervasive Effects,” gives deeper insight into the most noteworthy threats of the first half of 2019 and their corresponding solutions.


. . .


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.