SecurityWeek

Cybercrime

CrowdStrike Recaps 2015 Threat Landscape

Banking Trojans were very active in 2015, but they were just one of many threats consumers and businesses had to face: ransomware activity increased throughout the year, and extortion attacks proved to be a big concern for businesses as well.

In their 2015 Global Threat Report, security researchers at CrowdStrike examine the main trends in the threat landscape in 2015, including the evolution of Trojans, ransomware, phishing emails, and other threats.

Moreover, they offer a glimpse at the geo-political and socio-economic situation in various areas around the world, along with expectations for 2016.

There are many examples of prolific banking Trojans used to carry out attacks in 2015, such as the infamous Dridex and Dyre Trojans, both of which saw various code improvements during the year. In mid-2015, new malware emerged in this segment, including Shifu and Core Bot, while Tiny Banker (Tinba) was adopted by multiple groups after its source code leaked online.

Ransomware also registered a significant surge last year, with CryptoLocker successor CryptoWall becoming one of the best known threats in the segment. Toward the end of the year, CryptoWall had already reached its fourth version (v4) and was being deployed via exploit kits (EKs) such as Neutrino and Angler, while ransomware such as TeslaCrypt grabbed some market share as well.

Another important trend observed last year was the rise of cyber extortion groups such as DD4BC and Armada Collective, which threatened businesses with distributed denial-of-service (DDoS) attacks to demand bitcoin ransom payments. One notable incident involved secure email provider ProtonMail, which was hit by a large DDoS attack even after it paid the ransom demanded by Armada Collective; the group subsequently stated that it did not have the resources to sustain the attack.

Rise in phishing emails and exploit kit activity

According to CrowdStrike, phishing emails continued to dominate crimeware distribution in 2015, being the main distribution mechanism for both banking Trojans and ransomware. The popularity of Office-based macros for distributing malware increased as well, paired with a surge in Microsoft Word and Excel macro builder kits in the underground.
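One check a mail-gateway or incident-response practitioner would want against the macro-laden attachments described above is a structural test for a VBA project inside an Office Open XML container. The script below is an added example, not code from the CrowdStrike report or from SecurityWeek: it inspects the zip structure of a .docx/.docm/.xlsm-style file for the `vbaProject.bin` part and the VBA content type registered in `[Content_Types].xml`, and it builds its own constructed sample documents in memory so it runs offline (the placeholder `vbaProject.bin` bytes are not a real VBA project).

```python
"""Flag Office Open XML documents that carry a VBA project.

Added example (not from the CrowdStrike report or SecurityWeek). It checks
the two structural markers a macro-enabled OOXML document has to contain:
a vbaProject.bin part and the matching content-type override. The sample
documents are constructed in memory, so the script runs offline.
"""
import io
import zipfile

# Content type Office registers for the VBA project part in OOXML files.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(data: bytes) -> dict:
    """Return the macro indicators found in an OOXML container.

    An empty dict means no indicator was found; {"not_ooxml": True} means
    the bytes are not a zip container at all (e.g. a legacy OLE2 .doc).
    """
    indicators = {}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"not_ooxml": True}
    names = zf.namelist()
    # Part name is case-insensitive in practice; attackers vary the casing.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if vba_parts:
        indicators["vba_parts"] = vba_parts
    ctypes = ""
    if "[Content_Types].xml" in names:
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    if VBA_CONTENT_TYPE in ctypes:
        indicators["vba_content_type"] = True
    return indicators


def has_macros(data: bytes) -> bool:
    """True if either structural macro indicator is present."""
    ind = find_macro_indicators(data)
    return bool(ind.get("vba_parts") or ind.get("vba_content_type"))


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like zip (constructed sample, not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ""
        if with_macro:
            overrides = (f'<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
        zf.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical attachment names; the contents are the constructed samples above.
    for label, doc in (("clean.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True))):
        verdict = "MACROS" if has_macros(doc) else "clean"
        print(f"{label}: {verdict} {find_macro_indicators(doc)}")
```

The check only says whether a VBA project is present, not whether it is malicious, and it does not cover legacy OLE2 (.doc/.xls) files, which need an OLE parser rather than zip inspection; in a gateway it is best used as a quarantine-or-inspect trigger rather than a final verdict.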


EK usage also increased last year, with Angler being the biggest threat in the market, especially with its creators focusing on adding recently disclosed 0-days and Flash vulnerabilities to it. However, security researchers also observed an increase in the activity of EKs such as Nuclear, Rig, and Neutrino throughout 2015.

Social engineering scams flourished in 2015, many of them reportedly perpetrated by Nigeria-based criminal groups, which are also said to be responsible for the largest heists last year. Additionally, CrowdStrike notes that malware usually employed in criminal activities has started to be used in cyber espionage operations, and vice versa; the TeamViewer tool and DownRage (which borrows code from the Carberp banking Trojan) are two examples.

Healthcare breaches – the work of Chinese groups

CrowdStrike’s report also notes that numerous healthcare breaches in the U.S. last year were attributed to China-based adversaries rather than to actors seeking to profit from the stolen information. Using spear phishing emails, the same China-based adversaries allegedly breached government organizations in the U.S. and Japan and stole personal information associated with their employees, CrowdStrike said.

Large healthcare breaches, reported between February (the Anthem breach) and May, are estimated to have compromised the personal data of anywhere between 50 and 80 million people. The impact extended well beyond healthcare organizations, with affected individuals spanning nine in ten industries, and the stolen records included customer names, Social Security numbers, physical and email addresses, and income data.

According to CrowdStrike, the actors behind these breaches might have been looking to build a dataset covering a large number of individuals. Creating detailed profiles of individuals was possible only through the theft of personally identifiable information (PII) from multiple organizations, and similar campaigns might be observed in the future as well.

CrowdStrike also notes that Chinese cyber activity may shift in its dynamics, but that it is not expected to cease anytime soon. The country is expected to engage in commercial cyber espionage when opportunities arise, and the researchers suggest that an increase in attacks targeting areas such as agriculture, healthcare, and alternative energy is likely, as these are the areas in which China has the largest technological gaps.

Russia invests in cyber espionage

Russia is believed to have proliferated stealthy and effective malware within the European Union to engage in reconnaissance, CrowdStrike says. Russian actors have allegedly carried out Strategic Web Compromises (SWC), delivered implants, and used spear-phishing techniques to establish a broad intelligence-gathering capability targeting government and national defense agencies in the EU.

CrowdStrike also notes that these actors might have been targeting non-governmental organizations (NGOs) in the U.S., Europe, Asia, South America and the Middle East as well, mainly driven by Russia’s precarious economic state. As it sought greater autonomy from the west, the country has been affected by economic sanctions and lower oil prices.

Russia was also looking to improve its military posture and engaged in cyber activities to that end, one example being the “Fancy Bear” threat group’s attempt to steal information on the development of Chinese domestic military technologies. Attacks carried out by other threat groups were observed targeting various organizations around the world.

The Russia-Ukraine conflict also spawned a series of attacks against the Ukrainian and Russian energy sectors, some of which used the BlackEnergy malware, including recent attacks aimed at news media and electrical power organizations in Ukraine. The security researchers also observed the activity of pro-Russian separatist group CyberBerkut, which conducted DDoS attacks against German government websites and Ukrainian government websites and which is believed to have ties to Russian state security.

North Korea and Iran: Mainly Local Threats

North Korea also engaged in various cyber activities during 2015, including cyber espionage campaigns using at least three malware variants, namely Milmanbag, Hawup, and AIMRAT. The first two were found to spread mainly through exploit documents targeting the Hangul Word Processor (HWP) software, which is primarily used in South Korea, especially in the government sector.

Iran, on the other hand, is apparently more focused on controlling user access to the Internet and to information, as the country has arrested numerous individuals for their online activity. The government deployed technical programs such as Black Spider that allowed it to locate and arrest Iranian social media users.

On June 30, 2015, Iran revealed plans to improve its infrastructure and cyber capabilities, and CrowdStrike researchers note that the country is likely to increase Internet monitoring and censorship on a national scale. This move is supposedly a reaction to the possible western influence caused by businesses renewing trade with Iran.

Given regional tensions, Iran is also expected to use its improved cyber capabilities against its perceived enemies, such as Saudi Arabia, other regional governments, and their allies. The country is determined to gain a dominant status in the region and is developing a National Information Network (a national Internet) toward that end.
