Eight new malware samples were recorded every second during the final three months of 2017. The use of fileless attacks, primarily via PowerShell, grew, and there was a surge in cryptocurrency-hijacking malware. These were the primary threats outlined in the latest McAfee Labs Threats Report, covering Q4 2017.
The growth of cryptomining malware coincided with the surge in Bitcoin value, which peaked at just under $20,000 on Dec. 22. With dedicated mining hardware costing upwards of $5,000 per machine, criminals chose instead to steal users’ CPU time via malware. It demonstrates how criminals always follow the money and choose the least expensive method of acquiring it that offers the greatest chance of avoiding detection.
Since December, Bitcoin’s value has fallen to $9,000. Criminals’ focus is likewise shifting away from Bitcoin, with Ethereum and Monero becoming popular. Last week, Microsoft discovered a major campaign focused on stealing Electroneum. “We currently see discussions in underground forums that suggest moving from Bitcoin to Litecoin because the latter is a safer model with less chance of exposure,” comments Raj Samani, chief scientist and McAfee fellow with the Advanced Threat Research Team.
Adapting to changing market conditions
The speed with which criminals adapt to the latest market conditions is also seen in the way they maximize their asymmetric advantage. “Adversaries,” writes Samani, “have the luxury of access to research done by the technical community, and can download and use open-source tools to support their campaigns, while the defenders’ level of insight into cybercriminal activities is considerably more limited, and identifying evolving tactics often must take place after malicious campaigns have begun.”
Examples of attackers making use of legitimate research include Fancy Bear (APT28) leveraging a Microsoft Office Dynamic Data Exchange technique in November 2017 that had been made public just a few weeks earlier. The hackers used it in a phishing campaign that cited the New York City terror attacks. A second example comes from the December Gold Dragon attacks on organizations involved with the Winter Olympics. In this case the attackers employed steganography, “and a new tool released days before the attack.”
Contrast in the speed of attack and defence tactics
The speed with which attackers change tactics and adopt new techniques is in sharp contrast to the delays inherent in defending against new vulnerabilities, with Equifax’s failure, lasting more than two months, to apply the Apache Struts patch across all of its systems being a prime example.
Healthcare organizations remained a significant target throughout 2017, with a 210% increase in publicly disclosed incidents, year on year, although figures declined 78% in Q4. McAfee’s research conclusion is that many of the incidents were caused by failures to comply with security best practices or to address vulnerabilities in medical software.
Botnets are a continuing problem. In Q4 2017, just two botnets, Necurs and Gamut, accounted for 97% of all spam botnet traffic. Gamut was responsible for delivering job-offer-themed phishing (and possible money mule recruitment) in English, German, and Italian, while Necurs delivered ‘lonely girl’ spam, pump-and-dump stock spam, and Locky ransomware downloaders.
New ransomware detections grew consistently throughout 2017, culminating in more than 2,000,000 detections in Q4 (compared to fewer than 500,000 in Q4 2016). “A big contributor to ransomware growth was Ransom:Win32/Genasom (also known as Stampado, with variants such as ‘Philadelphia’). This family provides an inexpensive entree for cyber criminals, being offered for sale as low as $39 for a lifetime license.”
Ransomware didn’t merely increase in volume (59% year on year, and 35% in Q4 alone), it also diversified beyond just extorting money. “Actors devised strategies to create ‘smoke and mirrors’ by distracting defenders from actual attacks,” writes Samani, “such as the emergence of pseudoransomware, seen in NotPetya and a Taiwan bank heist.”