Evolution and Escalation: Two Key Cyber Threat Trends
2.5.2017 securityweek CyberCrime
Existing threats escalated and new threats emerged in a turbulent 2016. Ransomware spiked, IoT-based DDoS threatened the internet, political subversion and sabotage grew, and hackers moved towards non-malware based attacks -- or 'living off the land'. These and more threats are highlighted in Symantec's new Internet Security Threat Report (ISTR).
Ransomware continued its rise throughout 2016. "The number of new ransomware families uncovered during 2016 more than tripled to 101 and Symantec logged a 36 percent increase in ransomware infections." The ransom demands also escalated, "with the average ransom demand in 2016 rising to $1,077, up from $294 a year earlier," notes the report (PDF).
In fact, the threat is now so severe that earlier this week, F-Secure security advisor Sean Sullivan warned governments need to find some way of curtailing the use of bitcoins for ransom payments. "If the U.S. pursues all the forms of potentially illegal payments, ransomware's growth could be abated. Otherwise, we expect to see the new ransomware families we discovered in 2017 at least double." He explained to SecurityWeek, "My point is about Bitcoin exchanges and brokers that trade euros/pounds/dollars for Bitcoin – like a bank... Regulations don't need to require identification – they only need to limit easy access to accounts by victims. That adds overhead, and that decreases profits for the cybercriminals."
The cyber threat from insecure internet of things (IoT) devices has been a talking point for several years. That threat became fact in 2016 with the emergence of the Mirai botnet. Mirai comprises hundreds of thousands of compromised IoT devices, such as routers and security cameras, that can be used to target massive DDoS attacks. In October, it was used against DNS company Dyn, and disrupted many of the world's leading websites, including Netflix, Twitter, and PayPal. In September, Mirai delivered the largest ever DDoS against French hosting company OVH, peaking at 1 Tbps.
"With Gartner predicting that there will be more than 20 billion IoT devices in the world by 2020, it's important that security problems be addressed or campaigns like Mirai could be seen on an even larger scale," warns Symantec.
The emergence of cyber-based political subversion was one of the more startling developments over the year. Cyberattacks against the Democratic Party and the subsequent leak of information are believed to have been an attempt to influence the 2016 US presidential election. "With the US Intelligence Community attributing the attacks to Russia and concluding the campaign would have been judged a success," warns Symantec, "it is likely these tactics will be reused in efforts to influence politics and sow discord in other countries."
This is already happening, with both France and Germany warning that Russian actors might attempt to influence their own elections. In the UK, GCHQ has written to the major political parties with advice on how to protect their networks -- although there has been no public suggestion of interference in the Brexit referendum of 2016.
"The ongoing conflict in Ukraine, the US election, and the Olympics were all affected by campaigns designed to steal and leak data in order to influence public opinion, create an atmosphere of distrust, and possibly influence political outcomes," notes Symantec.
The potential for cyber-based political sabotage has been evident since the Stuxnet attacks against the Iranian nuclear program in 2010. It was also evident in Shamoon disk wiping attacks on Saudi oil company Aramco in 2012. Shamoon has now reappeared with further attacks against multiple Saudi organizations, while a similar disk wiping trojan (KillDisk) was used against power facilities in the Ukraine. This brings the threat of destructive attacks against western critical infrastructures very much to the fore.
'Living off the land' is the term used by Symantec to describe the growing practice of hackers avoiding the use of malware in their attacks. Other companies use the term 'fileless', while Carbon Black has used the term 'non-malware attacks'. "Zero-day vulnerabilities have become less important and some adversaries are no longer as reliant on malware, increasingly 'living off the land' -- making use of the resources to hand including legitimate administrative and penetration testing tools to carry out attacks," notes Symantec.
The purpose of the fileless attack is to deposit no or minimal files onto the compromised network. With no new file to detect, it becomes harder for anti-virus defenses to detect the presence of an intruder. The approach comes in two distinct varieties, both starting with breaching the network without using malware. Spear-phishing is the preferred method, since it can gain legitimate access credentials that won't raise a red-flag when used. Sometimes, this is all that is needed; for example, if the attack is specifically seeking access to the target's emails.
At other times, the phishing email will carry an MS Office document carrying weaponized macros. If the target can be pursuaded to open the document and allow macros to run, the macro might load a script into something like PowerShell. Symantec notes that a version of this method was used to spread Shamoon.
"If the file was opened, a macro ran a PowerShell script that provided remote access and performed basic reconnaissance of the compromised computer. If a computer was of interest, they then installed malware (Backdoor.Mhretriev).
"From there, the attackers used a cornucopia of legitimate administrative and penetration testing tools to traverse the target's network and identify computers for infection." If the purpose of the attack is destructive or ransom, then malware can be dropped to trigger immediately -- in theory the malware could be detected, but it may be too late for the defenders to do anything.
If the purpose of the attack is to exfiltrate data, then 'living off the land' can complete the task without ever depositing any malware.
Two fundamental developments in cyber threats come from the Symantec ISTR: evolution and escalation. Attackers are continually refining their methods -- as shown in living off the land and harnessing the IoT for DDoS attacks. Escalation is best seen in the purpose of the attacks. In traditional attacks, there has been a distinct growth in attacks against banks and financial systems (such as SWIFT), where previously the majority of attacks were against bank customers. It can also be seen in the size of DDoS attacks now possible, and in the physical sabotage attacks and the attempts to influence public opinion in entire geopolitical regions. "New sophistication and innovation are the nature of the threat landscape, but this year Symantec has identified seismic shifts in motivation and focus," said Kevin Haley, director at Symantec Security Response.