Banking Trojans were very active in 2015, but they were just one of many threats consumers and businesses had to face: ransomware activity increased throughout the year, and extortion attacks proved to be a big concern for businesses as well.
In their 2015 Global Threat Report, security researchers at CrowdStrike examine the main trends in the threat landscape in 2015, including the evolution of Trojans, ransomware, phishing emails, and other threats.
Moreover, they offer a glimpse at the geo-political and socio-economic situation in various areas around the world, along with expectations for 2016.
There are many examples of prolific banking Trojans used to carry out attacks in 2015, such as the infamous Dridex and Dyre Trojans, both of which saw various code improvements during the year. In mid-2015, new malware emerged in this segment, including Shifu and CoreBot, while Tiny Banker (Tinba) was adopted by multiple groups after its source code leaked online.
Ransomware also registered a significant surge last year, with CryptoLocker successor CryptoWall becoming one of the best-known threats in the segment. Toward the end of the year, CryptoWall had already reached its fourth version (v4) and was being deployed via exploit kits (EKs) such as Neutrino and Angler, while ransomware such as TeslaCrypt grabbed some market share as well.
Another important trend observed last year was the rise of cyber extortion groups such as DD4BC and Armada Collective, which threatened businesses with distributed denial-of-service (DDoS) attacks to demand bitcoin ransom payments. One notable incident involved secure email provider ProtonMail, which was hit by a large DDoS attack even though it paid the ransom to Armada Collective, after which the group revealed that it did not have the resources to sustain the attack.
Rise in phishing emails and exploit kit activity
According to CrowdStrike, phishing emails continued to dominate crimeware distribution in 2015, being the main distribution mechanism for both banking Trojans and ransomware. The popularity of Office-based macros for distributing malware increased as well, paired with a surge in Microsoft Word and Excel macro builder kits in the underground.
EK usage also increased last year, with Angler being the biggest threat in the market, especially with its creators focusing on adding recently disclosed 0-days and Flash vulnerabilities to it. However, security researchers also observed an increase in the activity of EKs such as Nuclear, Rig, and Neutrino throughout 2015.
Social engineering scams flourished in 2015, many of them reportedly perpetrated by Nigeria-based criminal groups and believed to be responsible for the largest heists last year. Additionally, CrowdStrike notes that malware usually employed in criminal activities has started to be used in cyber espionage operations, and vice versa; the TeamViewer tool and DownRage (which borrows code from the Carberp banking Trojan) are two examples.
Healthcare breaches – the work of Chinese groups
CrowdStrike’s report also notes that numerous healthcare breaches in the US last year were attributed to China-based adversaries rather than to actors seeking to profit from the stolen information. Using spear-phishing emails, the same China-based adversaries allegedly breached government organizations in the U.S. and Japan and managed to steal personal information associated with employees, CrowdStrike said.
Large healthcare breaches, reported between February (the Anthem breach) and May, are estimated to have resulted in the compromise of personal data of anywhere between 50 and 80 million people. Although they affected organizations in 9 of 10 industries, not only those in healthcare, these health information breaches resulted in attackers stealing information such as customer names, Social Security numbers, physical and email addresses, and income data.
According to CrowdStrike, the actors behind these breaches might have been looking to create a dataset on a large number of individuals. Creating detailed profiles of individuals was possible only through the theft of personally identifiable information (PII) from multiple organizations, and similar campaigns might be observed in the future as well.
CrowdStrike also notes that Chinese cyber activity may shift in its dynamics, but that it is not expected to cease anytime soon. The country is expected to engage in commercial cyber espionage when opportunities arise, and the researchers suggest that an increase in attacks targeting areas such as agriculture, healthcare, and alternative energy is likely to be observed, as China has the most technological gaps in these areas.
Russia invests in cyber espionage
Russia is believed to have proliferated stealthy and effective malware within the European Union to engage in reconnaissance, CrowdStrike says. Russian actors have allegedly implemented Strategic Web Compromises (SWC), delivered implants, and used spear-phishing techniques to establish a broad intelligence-gathering capability targeting government and national defense agencies in the EU.
CrowdStrike also notes that these actors might have been targeting non-governmental organizations (NGOs) in the U.S., Europe, Asia, South America and the Middle East as well, mainly driven by Russia’s precarious economic state. As it sought greater autonomy from the West, the country has been affected by economic sanctions and lower oil prices.
Russia was also looking to improve its military stance and engaged in cyber activities that would help it do so, one example being the “Fancy Bear” threat group’s attempt to steal information on the development of Chinese domestic military technologies. Attacks carried out by other threat groups were observed targeting various organizations around the world.
The Russia-Ukraine conflict also spawned a series of attacks against the Ukrainian and Russian energy sectors, some of which used the BlackEnergy malware, including recent attacks aimed at news media and electrical power organizations in Ukraine. The security researchers also observed the activity of pro-Russian separatist group CyberBerkut, which conducted DDoS attacks against German government websites and Ukrainian government websites and which is believed to have ties to Russian state security.
North Korea and Iran: Mainly Local Threats
North Korea also engaged in various cyber activities during 2015, including cyber espionage campaigns using at least three malware variants, namely Milmanbag, Hawup, and AIMRAT. The first two were found to be spreading mainly through exploit documents targeting the Hangul Word Processor (HWP) software, which is primarily used in South Korea, especially in the government sector.
Iran, on the other hand, is apparently more focused on controlling user access to the Internet and to information, as the country has arrested numerous individuals for their online activity. The government deployed technical programs such as Black Spider that allowed it to locate and arrest Iranian social media users.
On June 30, 2015, Iran revealed plans to improve its infrastructure and cyber capabilities, and CrowdStrike researchers note that the country is likely to increase Internet monitoring and censorship on a national scale. This move is supposedly a reaction to the possible western influence caused by businesses renewing trade with Iran.
Given regional tensions, Iran is also believed to be trying to use its improved cyber capabilities against its perceived enemies, such as Saudi Arabia, regional governments, and their allies. The country is determined to gain a superior status in the region and is developing a National Information Network (National Internet) for that purpose.