Security is an industry obsessed with measurements. And as 2018 ends, it is naturally time to take stock of the year that was: the threats that have changed the face of cybersecurity, the evolution of attacks and, more importantly, the lessons for 2019.
SophosLabs researchers evaluate the changes in the threat landscape every year, uncovering trends and seeking to understand their impact on the cybersecurity market moving forward. Here's what we found in the SophosLabs 2019 Threat Report.
Attackers are getting personal
The attack vectors used by cybercriminals are evolving. Over the past five years, we've witnessed a barrage of 'spray and pray' automated attacks. Attackers have built up a repertoire of automation, increasingly using artificial intelligence and machine learning, to hit their targets quickly and at scale. Automation has taken various forms, from the weaponisation of Word documents to phishing emails (as we've seen in Australia with fake AGL and Medicare emails making the rounds).
With automated attacks, once a business realises an email contains something malicious, it can take steps to block it. This usually means tightening defences such as spam filters and improving internal security practices. As a result of increased awareness and the predictable nature of automated attacks, cybercriminals are moving towards highly targeted, manual attack methods, which will be a key trend shaping the security industry into 2019.
An example of this is the SamSam ransomware, for which two men were recently indicted. Instead of using mass spamming techniques, the SamSam orchestrators (SamSammers) identified networks with a security hole, such as a remote access portal with a guessable password. Once on a network, the attackers escalate their own privileges and spread a payload laterally across the network: a sleeper cell that lies in wait until they are ready to begin encrypting. This manual attack method has earned its operators a whopping US$6.5 million in three years.
“Living off the land” is the new law of the land
Most malware continues to be designed to run exclusively on Windows computers (this is not news). What is interesting is how cybercriminals are abusing legitimate administration tools built into the Windows operating system (OS), such as PowerShell, WMI and Windows Script Host, to evade detection and bring a new wave of attacks to victims.
Living off the land is a simple strategy, and it's hard to detect because the tools involved are the ones administrators use every day. In recent years, protections such as disabling macros inside documents or opening attachments in preview mode have blunted the most common way of launching them. Criminals are fighting back, however, with lures that persuade users to enable content and so let the attack run.
As a result, the scope of what one might consider a dangerous file has expanded over the past two years to encompass a wide range of Windows file types, not all of which are executables. When used in conjunction with malicious email messages, these files are often encased in compressed formats such as .zip archives, and may also be password protected so that automated scanners cannot inspect their contents.
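The following is an added example (not Sophos code) of the attachment triage a mail gateway or incident responder would apply in light of the paragraphs above: it treats script-host inputs, native executables and macro-enabled Office formats as dangerous, walks into nested zips, and flags password-protected entries whose contents it cannot scan. The extension list, the sample archive and the helper that marks an entry as encrypted are all constructed for illustration.

```python
"""Triage of a mail attachment: flag Windows file types that can run code, even when
they arrive inside a zip. Added example, not Sophos code; the extension list is
illustrative, not exhaustive."""
import io
import zipfile

# Script-host inputs, native executables and macro-enabled Office formats.
DANGEROUS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
             ".exe", ".scr", ".com", ".pif", ".cpl", ".msi", ".bat", ".cmd", ".lnk",
             ".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}

def extensions(name):
    """All dotted suffixes of the base name, lowercased: 'Invoice.pdf.js' -> ['.pdf', '.js']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:] if p]

def classify_name(name):
    """Reason string if the file name alone is dangerous, else None."""
    suffixes = extensions(name)
    if not suffixes or suffixes[-1] not in DANGEROUS:
        return None
    reason = "dangerous extension " + suffixes[-1]
    if len(suffixes) > 1:  # 'invoice.pdf.js' hides the real type behind .pdf
        reason += " (extension chain " + "".join(suffixes) + ")"
    return reason

def triage_zip(data, depth=0, max_depth=3):
    """Walk an in-memory zip, recursing into nested zips; returns (entry, reason) tuples."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a readable zip")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag bit 0
            if encrypted:  # the name is still visible, the content is not
                findings.append((name, "password-protected entry, content cannot be scanned"))
            reason = classify_name(name)
            if reason:
                findings.append((name, reason))
            if extensions(name)[-1:] == [".zip"] and not encrypted:
                if depth >= max_depth:
                    findings.append((name, "nested archive deeper than %d levels" % max_depth))
                else:
                    for inner, why in triage_zip(zf.read(info), depth + 1, max_depth):
                        findings.append((name + "/" + inner, why))
    return findings

def triage_attachment(filename, data):
    """Entry point for one attachment: check its name, then its contents if it is a zip."""
    findings = []
    reason = classify_name(filename)
    if reason:
        findings.append((filename, reason))
    if extensions(filename)[-1:] == [".zip"]:
        for entry, why in triage_zip(data):
            findings.append((filename + "/" + entry, why))
    return findings

def mark_encrypted(zip_bytes, name):
    """Sample-building helper: set the 'encrypted' flag (general-purpose bit 0) on one
    entry's local and central-directory headers. zipfile cannot write encrypted zips,
    so this mimics how a password-protected entry looks to a scanner; data is untouched."""
    buf, target = bytearray(zip_bytes), name.encode()
    pos = buf.find(b"PK")
    while pos >= 0:
        sig = bytes(buf[pos:pos + 4])
        if sig == b"PK\x03\x04":    # local header: flags @6, name length @26, name @30
            flag_off, nlen_off, name_off = 6, 26, 30
        elif sig == b"PK\x01\x02":  # central directory: flags @8, name length @28, name @46
            flag_off, nlen_off, name_off = 8, 28, 46
        else:
            pos = buf.find(b"PK", pos + 2)
            continue
        nlen = int.from_bytes(buf[pos + nlen_off:pos + nlen_off + 2], "little")
        if buf[pos + name_off:pos + name_off + nlen] == target:
            buf[pos + flag_off] |= 0x01
        pos = buf.find(b"PK", pos + 4)
    return bytes(buf)

def build_sample():
    """Constructed attachment (not a real sample): a double-extension JScript file, a harmless
    text file, a nested zip holding a macro document, and a 'password-protected' spreadsheet."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("report.docm", b"not a real document")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_2018.pdf.js", b"var sh = new ActiveXObject('WScript.Shell');")
        z.writestr("readme.txt", b"harmless")
        z.writestr("archive.zip", inner.getvalue())
        z.writestr("statement.xlsm", b"placeholder bytes")
    return mark_encrypted(outer.getvalue(), "statement.xlsm")
```

Running `triage_attachment("Invoice.zip", build_sample())` reports the `.pdf.js` double extension, the `.docm` inside the nested archive and the unscannable `.xlsm`, while `readme.txt` produces nothing. The design choice worth noting is that a password-protected entry is reported as a finding in its own right: a scanner that silently skips what it cannot open is exactly what the attacker is counting on.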
Mobile and IoT malware is not slowing down
As internet users transition from desktop computers and laptops to mobile and the Internet of Things (IoT), so too are cybercriminals. We're seeing that users of mobile devices are increasingly subject to malicious activity that pushes malware apps to their phones, tablets and other devices running Android and iOS. The favoured tactic of cybercriminals is to sneak malicious apps past the review processes of Google's Play Store and Apple's App Store. Other popular tactics include:
1. Cryptominers – Cryptominers can be hidden as a function inside another innocent-looking app, making it difficult for users to notice their device’s processor straining under the load.
2. Advertising click fraud – Like cryptomining, this is embedded inside apps, which simulate users clicking ads to generate revenue. The negative for users is the same (battery and processor drain), while advertisers are charged for useless clicks and the cost of online advertising is driven up.
3. Supply chain compromise – Earlier this year, SophosLabs researchers discovered a legitimate app supplied as part of the stock firmware of a small phone maker that had been ‘Trojanised’ in the supply chain, before anyone purchased the device.
Similarly, as IoT becomes more embedded in our daily lives, cybercriminals are unleashing new ways to hijack and compromise these devices.
A popular method among attackers is to hijack IoT devices to use as nodes in massive botnets. These botnets are then leveraged in distributed denial-of-service (DDoS) attacks, as well as for cryptomining and network infiltration activities. Attacks such as these are difficult to detect as it’s rarely apparent that the device is affected—until something has gone wrong on the network.
Over the last two years there has been significant growth in the volume of attacks targeting IoT devices. It’s highly likely that the IoT target list will continue to expand to include database servers, commercial-grade routers and internet-connected CCTV systems.
What should Australian businesses remember?
Of the malicious cyber incidents reported under the Notifiable Data Breaches (NDB) scheme between 1 July and 30 September 2018, the tactics were varied—spanning phishing, brute-force attack, compromised or stolen credentials, malware, hacking and ransomware.
The Office of the Australian Information Commissioner's NDB quarterly statistics reports are consistent with what Sophos is seeing. Phishing is getting worse, brute-force attacks are stable, and even with the SamSammers behind bars, copycats will rise up and fill the gap.
Ransomware has dipped: it accounted for just three per cent of cyber incidents reported under the NDB scheme in this period. Cybercriminals now have a broad enough repertoire of other attacks that ransomware is less necessary. Ransomware is noisy, overtly threatening and most people are trained not to pay, making it a last resort.
But this doesn't mean ransomware is going away. Over the last year, many of the worst manual ransomware attacks started when the attacker discovered that an administrator had opened a hole in the firewall exposing a Windows computer's Remote Desktop (RDP) service to the internet. Closing these easy loopholes goes a long way to preventing ransomware attacks.
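The SamSam intrusions described earlier (a remote access portal with a guessable password) and the exposed-RDP loophole in the paragraph above leave the same trail in the Windows Security log: a burst of failed RemoteInteractive logons (Event ID 4625, Logon Type 10) from one address, followed by a success (4624). The detection below is an added example, not Sophos code. The log records are constructed, the window and threshold are assumptions to tune for your environment, and "external" is defined simply as anything outside the RFC 1918 and loopback ranges.

```python
"""Detect RDP password guessing and internet-reachable RDP from Windows Security
events. Added example, not Sophos code. Records are constructed tuples of
(iso_timestamp, event_id, logon_type, account, source_ip); logon type 10 is
RemoteInteractive, i.e. RDP."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 20                   # assumed failures per source within WINDOW
# Assumption: RFC 1918 and loopback are 'internal'; everything else is the internet.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def detect(events):
    """events: records sorted by time. Returns a list of alert dicts, in the order raised."""
    alerts = []
    failures = defaultdict(list)   # source_ip -> [(timestamp, account)] inside WINDOW
    exposed, flagged = set(), set()
    for ts_str, event_id, logon_type, account, src in events:
        if logon_type != 10:       # this rule only looks at RDP logons
            continue
        ts = datetime.fromisoformat(ts_str)
        # Any RDP logon attempt from the internet, failed or not, proves the port is reachable.
        if is_external(src) and src not in exposed:
            exposed.add(src)
            alerts.append({"rule": "rdp_reachable_from_internet", "source": src,
                           "first_seen": ts.isoformat()})
        if event_id == 4625:
            window = failures[src]
            window.append((ts, account))
            while window and ts - window[0][0] > WINDOW:   # expire old failures
                window.pop(0)
            if len(window) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                accounts = sorted({a for _, a in window})
                alerts.append({"rule": "rdp_password_guessing", "source": src,
                               "external": is_external(src), "failures": len(window),
                               "pattern": "spray across %d accounts" % len(accounts)
                               if len(accounts) > 1 else "single account " + accounts[0],
                               "first": window[0][0].isoformat(), "last": ts.isoformat()})
        elif event_id == 4624 and src in flagged:
            # The guess worked: this is the foothold the manual attack starts from.
            alerts.append({"rule": "rdp_logon_after_guessing", "source": src,
                           "account": account, "time": ts.isoformat()})
    return alerts

def build_sample():
    """Constructed events, not real logs."""
    base = datetime(2018, 11, 12, 2, 14, 0)
    ev = []
    # 25 failed RDP logons against 'administrator' from one internet address, 15 s apart
    for i in range(25):
        ev.append(((base + timedelta(seconds=15 * i)).isoformat(), 4625, 10,
                   "administrator", "203.0.113.45"))
    # the guessed password finally works
    ev.append(((base + timedelta(minutes=7)).isoformat(), 4624, 10,
               "administrator", "203.0.113.45"))
    # a user mistyping twice from the LAN: below threshold, no alert
    ev.append(((base + timedelta(hours=6)).isoformat(), 4625, 10, "jsmith", "10.0.0.5"))
    ev.append(((base + timedelta(hours=6, seconds=20)).isoformat(), 4625, 10, "jsmith", "10.0.0.5"))
    # network logon (type 3) noise from outside is not an RDP signal for this rule
    ev.append(((base + timedelta(hours=7)).isoformat(), 4625, 3, "guest", "198.51.100.9"))
    ev.sort()
    return ev

if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

On the constructed sample this raises three alerts in order: the port is reachable from the internet at the first attempt, password guessing is flagged at the 20th failure, and the successful logon from the same source is reported as the foothold. The first of these is the one to act on even when no guessing follows, because it is the direct evidence of the firewall hole the paragraph above describes.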
Malicious spam is a primary vector of malware with email messages most commonly the source of bad links and attachments. At the very least, organisations need to be aware that malware may leverage files that aren’t typically considered dangerous, like Office documents, to start the infection process. Educate employees about the risk of email, how to spot a bad link and the importance of validating files before opening them.
Practice the security fundamentals such as using a password manager and never reusing passwords. Change the default administrator passwords on things like home routers, modems and network-attached storage servers, and add a passcode or unlock pattern to phones. For administrators, it's vital to keep up to date with operating system patches and app or software updates, since unpatched flaws so frequently provide criminals with their means of attack.
And finally, use multi-factor authentication for everything you can use it for. Multi-factor authentication is an amazingly effective tool for preventing the abuse of stolen credentials. For organisations not using it now, you should be.
For 2019, my best advice? Stay mindful and practice reflexive distrust of unknown files, messages or links.