Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

The 3 Biggest Malware Trends to Watch in 2018

As the Threat Landscape Shifts, So Too Must Protections

As the Threat Landscape Shifts, So Too Must Protections

So far this year, IT security headlines have been dominated by two words: Meltdown and Spectre. Disclosure of the two massive CPU vulnerabilities has coincided with chip makers and OS providers scrambling to provide updates that fix the issues without causing other problems (with mixed results so far). 

Of course, adding pressure to the situation is the fact that attackers are already testing malware samples that exploit these vulnerabilities. It’s a high-stakes race to the finish, and without stable patches, organizations are being reduced to the role of passive spectators with the potential for these attacks simply hanging over them. 

While this “main event,” is getting more than its share of attention, the rest of the malware world isn’t standing by, holding its breath. Exploiting Meltdown and Spectre is just one priority that some attackers are working on. Others have plenty of additional initiatives that may not be as high profile, but are certainly just as dangerous. 

As we’ve culled through attack data from the last 12 months we’ve identified three trends that are on the rise. The attack landscape is in the midst of a major shift towards the adoption of advanced, fileless techniques. The trends below provide a good indication of how that shift is playing out and where we see things headed in 2018: 

1. More attacks are going “clickless,” bypassing user interaction altogether 

For years, end-users have been considered the “weakest link” in IT security, and organizations have invested heavily in security awareness training to reduce the likelihood that employees would be lured into clicking a malicious link or attachment. Seeing that users are getting more wary and that success rates are decreasing for those older attack types, attackers have begun to take end-users out of the equation, launching an increasing number of clickless attacks.

Last year’s WannaCry and NotPetya outbreaks are two prominent examples, both of which avoided end-user interaction completely in favor of exploiting shared access points like Microsoft’s SMB and RDP ports that had been left open and vulnerable. EternalBlue and other ransomware tapped into these vulnerabilities, and we expect this trend to continue. 

To prepare, security teams should start with the oldest security advice in the industry, ensuring that they are keeping up with patches, particularly for exposed services. Beyond that identify and limit access to open ports and implement tools that can spot malicious activity both on the network and the host.

2. Attackers are increasingly evading detection by “living off the land” 

It’s one of the most aggravating forms of attack: using your own tools and processes as weapons. Known as “living off the land,” attackers are increasingly leveraging programs that are already on their targets to evade detection and actively spread infections.

NotPetya favored this method, using PSExec and Windows Management Instrumentation (WMI) to propagate. Other malware is increasingly hijacking PowerShell, Windows Credentials Editor (WCE), and Group Policy Objects (GPOs) among others. These tools don’t typically raise red flags because they are legitimate programs and won’t be caught by scanners, and because they are so useful in managing large networks. As a result, when they are the vector for infection or spread, they move quickly and go largely undetected. This ups the complexity for IT security teams because the line is blurring between malware and administrative tool. They are forced to re-evaluate the distribution and permissions on tools that they’ve always trusted.

To mitigate the risk of attacks from within, IT teams should disable unused tools and components, while deploying endpoint protection that doesn’t rely solely on file scanning or whitelisting, since those can easily be bypassed by hijacked system tools.

3. “Plug-and-play” worming components are on the rise 

Malware campaigns are also leveraging more worm capabilities to spread laterally, making them a more formidable threat and extending their reach beyond the original infected network. WannaCry’s worm component, for example, spread ransomware to external victims, racking up some 400,000 infected machines in 150 countries in a very short time. And, it’s not just ransomware: other campaigns like Emotet, QakBot, and TrickBot have also leveraged these capabilities, harvesting or cracking credentials for remote use and to simplify propagation through network shares.

Removing this kind of malware can be extremely difficult because of its persistence capabilities. These campaigns leave behind back doors and scheduled tasks that reinstall themselves, disrupting the business all over again, like some recurring security nightmare.

This demands that IT teams shift their approach, looking beyond infection of a single endpoint. Now, that single machine can be turned into a malware slave, spreading itself automatically, quickly crippling entire networks—both internal and external. To reduce the risk of propagation, IT teams must invest in protection that can block infection at the outset.  Waiting for evidence that a system has been compromised, either by watching the system or the network, creates the likelihood that the campaign has already metastasized across the network.

The bottom line is this: As the threat landscape shifts, so too must protections. The only truly effective means of defending against rapidly evolving attacks is to deploy solutions that can recognize common behaviors and elements that continue to be reused, and that will evolve along with them. Protection needs to automatically learn about new threats, and must enhance the protection they provide in real-time. By adopting tools that leverage machine learning and prioritizing prevention over recovery, we can get — and stay — one step ahead.

RelatedIt’s Time For Machine Learning to Prove Its Own Hype

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited...