Threat Landscape 2018


In 2018, there was a noticeable reduction in malware attacks. This was a result of improved software security systems and the development of effective antivirus technologies. The marked reduction in ransomware, which had been pervasive in past years, is proof of the improvement in organizational software security. On the other hand, email spam has resurfaced as an infection vector. Furthermore, there are new trends in the cyber-attack landscape, with crypto-jacking being a prime example. Crypto-jacking refers to a cyber-attack in which the attacker secretly uses a victim's device to mine cryptocurrency. With the increased popularity of blockchain technology, crypto-jacking has quickly overtaken some of the dominant traditional cyber threats.

Threat landscape 2017

The threat landscape provided by the ENISA threat intelligence team focused on developments and uncovered trends using the data collected by their devices (“ENISA Threat Landscape Report 2017 — ENISA”, 2018). The types of attacks witnessed in that year included information gathering, fraud, malicious code, reputation block, intrusion attempt, and availability, among others. Figure 1 shows a graphical depiction of the trends in the attacks gathered by the intelligence team.

Figure 1: Trends in cyber security attacks

From the figure, we can observe that information gathering attacks increased the most compared to the previous years. This could be a result of the growing number of interconnected devices and the development of Internet of Things technology. Ransomware, which had been increasing rapidly on an annual basis, increased by only 37% in 2017. Although this is still an increase, the rate of growth is decreasing due to the loud nature of the attack, which makes it easily discoverable by the end user.

An industry-specific analysis of threats revealed that the threats varied significantly with the industry type. The biotechnology industry experienced the highest increase in security threats, probably due to the nature of its operations and an information storage approach that makes it vulnerable to information gathering. Figure 2 shows the year-over-year change in alerts.

Figure 2: Year over year change in alerts

Threat analysis 2018

Fortinet, a company that specializes in network security, released its annual report on the threat landscape under three categories: exploits, malware, and botnets (“Threat Landscape Report Q3 2018”, 2018). The company obtains its data from millions of devices it deploys across the Internet. The numbers released by the company are shown in Figure 3 below.

Figure 3: Exploits, malware, and botnets statistics

2018 saw an increase in the use of crypto-mining malware to attack users who relied on blockchain technology. Although crypto-jacking led the pack, scammers and bad actors still practiced ransomware development, and the use of spyware was still noticeable. A detailed analysis of the major techniques used in 2018 is presented below.

Crypto-jacking

The emergence and growth of crypto mining made it vulnerable to criminals who specialized in blockchain fraud. Cybercriminals have capitalized on the lucrative nature of crypto mining. Bitcoin, digital wallets and other cryptocurrencies have been the main targets of modern-day cybercriminals. Cybercriminals have also managed to distribute malicious coin miners on a large scale with the intention of gaining the most processing power from their victims’ devices (“2.4 million Instances of Crypto-Jacking Malware in First Half of 2018”, 2018). They have managed to do this through the use of exploits, supply chain attacks, malspam, and malicious APKs. The criminals targeted mobile phone users through the use of malicious APKs. Even though both the iOS and Android platforms were targeted, Android was the most vulnerable platform for this attack type.

Malware

There was a shift in the trend of malware use by attackers. Rankings done by Fortinet revealed that there was a shift from the traditional attack vector towards the experimental development attack. The malware types were ranked based on their prevalence in either the business or the consumer context.

Figure 4: Prevalence of malware by sector

An analysis of Figure 4 indicates that spyware still ranked first in the business sector while adware took the lead in the consumer sector. The report also indicated a quick rise in the ranks by riskware, which is malware used by crypto miners. This change is in line with the assertion made by the ENISA intelligence team that cybercriminals are moving from other cyber-attack methods to crypto-jacking.

Scams

Scammers have evolved from making fake calls from support centers to attacking crypto wallets. Initially, scammers would set up fake accounts on Twitter and other social media platforms and redirect a victim’s search results to scam centers. Threat actors have found it much easier to empty a victim’s wallet than to create fake tech support accounts on social media sites. The tech support scams have also exploited vulnerable business practices. Crypto-jacking perpetrators, for example, targeted Bitcoin transactions, which lacked fraud protection features.

Predictions of possible exploits and vulnerabilities

A total of three vulnerabilities initiated processor attacks in 2018. Intel processors experienced the Meltdown vulnerability, whereas Spectre was used to infect all types of processors. The Adobe Flash exploit was also announced during the year, and it is speculated that North Koreans emailed the exploit to their southern neighbors. The exploits and vulnerabilities predicted for use in future attacks are presented next. First are Foreshadow and Foreshadow-NG. These are new breeds of attacks speculated to be attacking Intel’s SGX technology. Although there is no confirmation of active attacks at the moment, these exploits are on cyber security experts’ radar as imminent tools that can be deployed by attackers to cripple Intel’s access protection systems. Second is NetSpectre, a unique version of Spectre that has been identified as the next major threat. Researchers speculate that NetSpectre can make a network-based side-channel attack possible.

Advanced persistent threat malware in communications

An advanced persistent threat (APT) is a prolonged cyber-attack in which cybercriminals gain access to a network and remain undetected for a long period (Daly, 2009). Most of these intruders are in it for information gathering rather than for illegal revenue collection. To gain access to a network, an intruder has to use advanced methods such as social engineering and spear phishing. The intruders hide their presence in the network through complex evasion techniques such as rewriting malicious code to avoid detection.

Email spear phishing

This is the method favored by intruders to gain illegal access to organizations. It is defined as “highly targeted phishing aimed at specific individuals or groups within an organization.” Analogous to spearfishing, this method targets a specific user’s data. An example of email spear phishing is an attack targeting a user’s specific identity instead of general information like generic titles. Intruders prefer the tactic because it gets high-profile, vulnerable targets to open the email baits. The attacks often use email attachments, which appear to be valid documents because most companies rely on email messaging as a way of sharing information (Wang et al., 2012).

Tools used for a spear phishing attack

Email

Intruders usually lure the target into downloading an email file attachment that seems to be harmless or into clicking a link that leads the target to a site with exploits or malware. The exploit-carrying attachment introduces malware to the target machine, after which the malicious software waits to receive commands from a remote user (Wang et al., 2012). The malware will open a decoy document to conceal its malicious activity on the host computer (Wang et al., 2012).

Attachments

File types such as PDF, Excel and Word files account for most spear phishing emails. Executable files, however, do not fall in this list because they are easily detected and eliminated by security software installed on the target computer. Monitoring reveals that malicious file attachments form the main vectors for targeted emails, whereas the rest use malicious links and web exploits. In the corporate and government sectors, people share files such as memos and resumes mainly because downloading files from the Internet poses the most security risk (Halevi & Memon, 2015). However, the corporate and government sectors are not off the hook, since intruders target the emails to install malware. Figure 5 illustrates the percentage of intruder targets for email phishing. We can observe that the corporate and government sectors are the most targeted.

Figure 5: Intruder targets for email phishing

The corporate and government sectors account for the largest percentages because a phishing email attachment can easily be overlooked due to the large number of computer users in the respective sectors (Halevi & Memon, 2015). The APT campaigns have been made more effective through the availability of organizational information, which provides the intruders with a vulnerable target to exploit.
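The Attachments section notes that document types carry most spear phishing payloads while executables are caught by security software. The following added example (not part of the original essay) shows a mail-gateway style triage that identifies each attachment by its leading bytes instead of trusting the file name; the function names, verdict labels and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading "magic" bytes for the document types named above, plus PE executables.
MAGIC = {
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",   # legacy Word/Excel (.doc, .xls)
    b"PK\x03\x04": "zip",         # modern Word/Excel (.docx, .xlsx) are ZIP containers
    b"MZ": "exe",
}
# Content type each file extension is expected to have.
EXPECTED = {"pdf": "pdf", "doc": "ole", "xls": "ole",
            "docx": "zip", "xlsx": "zip", "exe": "exe"}

def detect(payload: bytes) -> str:
    """Classify a payload by its first bytes."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return "unknown"

def triage(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (filename, detected_type, verdict) for every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        kind = detect(part.get_payload(decode=True) or b"")
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if kind == "exe":
            verdict = "block"        # executable content, whatever the name says
        elif EXPECTED.get(ext) != kind:
            verdict = "quarantine"   # name and content disagree, or type unknown
        else:
            verdict = "sandbox"      # genuine document: scan before delivery
        results.append((name, kind, verdict))
    return results

def sample_message() -> bytes:
    """Constructed sample: a PDF, a PE file named like a PDF, and a mislabelled .doc."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "hr@example.com", "user@example.com", "Resume"
    msg.set_content("Please see attached.")
    for data, name in [(b"%PDF-1.4\n%constructed", "resume.pdf"),
                       (b"MZ\x90\x00constructed", "memo.pdf"),
                       (b"plain text", "notes.doc")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for row in triage(sample_message()):
        print(row)
```

Documents that pass the name-versus-content check are routed to inspection, not delivered as trusted, because a well-formed PDF or Office file can still carry an exploit.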

References

Aki, J. (2018). 2.4 million Instances of Crypto-Jacking Malware in First Half of 2018. Retrieved from https://blockonomi.com/crypto-jacking-malware/

Daly, M. K. (2009). Advanced persistent threat. Usenix, Nov, 4(4), 2013-2016.

ENISA (2018). ENISA Threat Landscape Report 2017. Retrieved from https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017

Fortinet (2018). Threat Landscape Report Q3 2018. Retrieved from https://www.fortinet.com/fortiguard/threat-intelligence/threat-landscape.html

Halevi, T., Memon, N., & Nov, O. (2015). Spear-phishing in the wild: A real-world study of personality, phishing self-efficacy, and vulnerability to spear-phishing attacks.

Wang, J., Herath, T., Chen, R., Vishwanath, A., & Rao, H. R. (2012). Research article phishing susceptibility: An investigation into the processing of a targeted spear-phishing email. IEEE transactions on professional communication, 55(4), 345-362.

September 04, 2023