Caught in the Net: Unraveling the Tangle of Old and New Threats
Caught in the Net: Unraveling the Tangle of Old and New Threats
Looking back at the most significant issues of 2018, we saw shifting cybercriminal strategies and lingering security threats. Enterprises faced a multitude of challenges, but careful study of these issues can present opportunities for improvement.
A blend of old and new cybersecurity issues inundated enterprises in 2018. Researchers discovered that nearly all running computers had serious hardware flaws, the ransomware problem persisted, unauthorized cryptocurrency mining spread and diversified, and vulnerable connected devices in homes were hit with effective new attacks. Also, in reaction to a broadening landscape of operating systems and devices, cybercriminals shifted from exploit kit-based attacks to an old but still effectual tactic: social engineering. Exploit kits and automated methods were efficient when a large number of users were using vulnerable software, but in 2018 many threat actors were trying to exploit human vulnerabilities instead.
Our annual security roundup examines these and other important security issues, providing valuable insight for enterprises and users to help them be aware of and prepared for critical threats.
. . .
As a means for important communications to and from an enterprise’s network, business email makes for an attractive platform for cybercriminals. Consequently, phishing and other social engineering schemes are among the top concerns for cybersecurity professionals, as unwanted emails designed and worded professionally can easily fool a recipient who regularly fields similar emails.
In 2018, we saw an increase in the use of various forms of messaging threats. Most notably, we observed an 82-percent increase in blocked access to phishing URLs by unique client IP address compared to the previous year. Phishing traditionally arrives via email since email-based threats are much more platform-agnostic than other types of attacks that rely, for instance, on specific exploits.
Year-on-year comparison of blocked access to phishing URLs by unique client IP address (e.g., one machine that accessed a link three times was counted as one)
Recently, apart from emails, there have also been phishing attacks that use chat, SMS, and other communication modes. The increase in numbers as well as different versions of phishing attacks shows how cybercriminals are adapting to a changing landscape. More connected devices and a widening range of operating systems mean that exploiting one particular operating system will not be as profitable for cybercriminals as in the past. Consequently, they are turning to an old but still usually effective attack.
Another form of messaging attacks that picked up pace in 2018 was business email compromise (BEC). In a typical BEC attack, an attacker initiates or intercepts communications to con an enterprise employee who has the power to release or transfer funds.
Top positions being spoofed
While the overall number of these BEC attacks was low, a successful attempt could result in high financial losses for the target company. By contrast, phishing attacks were widely launched against a number of possible victims because duping even a low percentage of users would be profitable for attackers.
. . .
Overall ransomware-related threats decreased by 91 percent from 2017 to 2018, and the number of discovered ransomware families also dropped over the same period. This steep and steady decline continued the trajectory we noted in our midyear roundup report. It could be attributed to improved ransomware solutions, growing awareness of the threat, and to a certain extent, the realization that negotiating with attackers would prove futile.
New ransomware families
Nevertheless, since the profit that attackers stood to gain outweighed the effort involved in launching attacks, we continued to see ransomware being used. Our detections for WannaCry, the family that caused the infamous ransomware outbreak of May 2017, were at a stable number (616,399) and overshadowed those for all other ransomware families by a wide margin.
Cryptocurrency mining, for its part, reached a new peak in 2018 at over 1.3 million detections — a 237-percent growth from the previous year.
There was also an upsurge in one of the attack methods used to evade traditional blacklisting techniques: fileless threats. These particular threats attempt to evade conventional solutions and can usually be detected only via other means such as traffic monitoring, behavioral indicators, or sandboxing.
. . .
The year in security began with the groundbreaking disclosure of Meltdown and Spectre, processor-level vulnerabilities that relied on flaws in the speculative execution of CPU instructions. These new classes of flaws affected different microprocessors and spawned new CPU attacks as well as a slew of mitigation troubles. And even by the end of the year, there was no straightforward solution for these micro-architectural weaknesses.
Another unfortunate first in 2018 was the discovery of a critical vulnerability in the open-source cloud orchestration software Kubernetes. Fortunately, this particular flaw was quickly patched.
Most vulnerabilities are found and then responsibly disclosed by security researchers and vendors so that they cannot be used in any widespread attacks. But disclosing a vulnerability to the public also means alerting threat actors to it, so creating a fix before information is released is vital. Threat actors actively abuse vulnerabilities to create operational exploits.
Recently, no widespread zero-day exploit attacks were identified, unlike in the past, when two or three major zero-day attacks would define a year. Rather, the attacks that were discovered in 2018 were of limited scope. Cybercriminals were also abusing vulnerabilities that had already been patched, banking on the assumption that many users did not speedily apply the available fixes, if at all.
*Hover to flip to the attack date
*Tap to flip to the attack date
Drupal vulnerability used to deliver cryptocurrency miners
April 25, 2018
5 hours after release of patch
Apache CouchDB vulnerabilities used to deliver cryptocurrency miners
Nov. 14, 2017
Feb. 15, 2018
3 months later
Oracle WebLogic WLS-WSAT vulnerability used for cryptocurrency mining
Oct. 16, 2017
Feb. 26, 2018
4 months later
Vulnerability that allows permanent rooting of Android phones used in AndroRat
March 16, 2016
Feb. 13, 2018
23 months later
Notable attacks in 2018 involving exploits for known and patched vulnerabilities
Of the vulnerabilities found in 2018, a considerable percentage was for software used in industrial control systems (ICSs). And most of those vulnerabilities were in human-machine interface (HMI) software for ICSs and supervisory control and data acquisition (SCADA) environments. The HMI is the main hub for monitoring, managing, and implementing the states of different processes in facilities. Exploiting a critical HMI vulnerability could allow an attacker to affect the functionality of the physical components of an enterprise facility.
. . .
Router-based attacks continued unabated despite the repercussions faced by the creators of Mirai and Satori. In 2018, we found that recycled Mirai code was still being used against routers. And VPNFilter, another form of router malware, was updated with added capabilities, such as reconnaissance and persistence components, that led to the abuse of routers beyond distributed denial of service (DDoS). We also found routers being used in cryptocurrency mining and pharming attacks, which continued the trend of increased functionalities we noted in our midyear roundup report.
There were two examples of attack incidents in 2018:
Attackers exploited a patched security flaw in MikroTik routers in Brazil and injected malicious Coinhive script to mine Monero.
The exploit kit Novidade could change router Domain Name System (DNS) settings so that an unsuspecting user could be redirected to fake pages controlled by the attacker.
As more smart devices are getting connected to the internet of things (IoT), more home owners are effectively becoming “smart home network administrators.” As such, they must take on the responsibility of making sure that their routers do not become an entry point for attackers. Since routers function as the main hub for managing connections to and from the different devices that need the internet, it is critical that they are secured.
. . .
Trend Micro Research
Machine Learning Solutions
Ahead of the Curve: A Deeper Understanding of Network Threats Through Machine Learning
Adversarial Sample Generation: Making Machine Learning Systems Robust for Security
Uncovering Unknown Threats With Human-Readable Machine Learning
Connected Hospitals, Energy Providers, Water Companies
Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries
The Fragility of Industrial IoT’s Data Backbone
Securing Connected Hospitals: A Research on Exposed Medical Systems and Supply Chain Risks
Cybercriminal Investigations and Takedowns
The Rise and Fall of Scan4You
The Evolution of Cybercrime and Cyberdefense
. . .
Overall threats blocked in 2018
Threat components blocked
Half-year comparison of blocked email, file, and URL threats
Other ransomware families
Year-on-year comparison of WannaCry detections versus other ransomware detections combined
Monthly comparison of fileless threat detections
Year-on-year comparison of vulnerabilities of selected software vendors