A new report from Check Point discusses major cyber incidents from 2018. From these data points, Check Point’s analysts look for current trends in malware and attacks, in order to prepare for 2019’s future attacks.
According to Check Point’s Cyber Attack Trends Analysis 2019 report, the major attack categories and incidents from 2018 include ransomware (such as attacks against the City of Atlanta and the Ukraine Energy Ministry); data breaches (such as those affecting Exactis, and Marriott Hotels); mobile malware (such as AdultSwine and Man in the Disk); cryptocurrency attacks (such as Jenkins Miner and RubyMiner); botnet attacks (such as those from IoTroop and attacks against Democrat candidates during the 2018 primary’s season); and APT attacks (such as Big Bang and SiliVaccine).
“Indeed,” says the report (PDF), “never does a day go by that we do not see organizations under constant attack from the ever-growing number of malware spreading at higher rates than ever.”
By analyzing these data points, Check Point then seeks to understand the malicious trends that have emerged over the last twelve months.
“Cryptomining is here to stay,” it says. There was a boom in the early months of 2018 as criminals sought to profit from soaring cryptocurrency values. As the values crashed later in the year, some analysts have reported lesser cryptomining activity; but Check Pont disagrees. “A year after they took the world by storm, cryptominers show no intention of slowing down soon,” it reports. “New, sophisticated malware families keep integrating mining capabilities to their code and tens of thousands of websites are constantly compromised to exploit their users’ resources.”
Many analysts have commented on the apparent decline of ransomware through 2018, sometimes suggesting a linkage with the growth of cryptomining — that is, criminals follow the easy money and have migrated from ransomware to cryptomining. Again, Check Point disagrees in detail. It is the nature of ransomware that is changing rather than the threat itself. Defense against spray and pray ransomware has improved — so this is being abandoned in favor of ‘boutique‘ ransomware.
“In 2018,” says Check Point, “we witnessed Ransomware adapting to become more targeted to ensure more lucrative profits. This evolution is a direct result of a noted decrease in the actual ransom payments, probably derived from the growing security awareness and mitigation techniques adopted by many companies, including routine back-up policies and the free availability of decryption tools.”
These new targeted attacks are typified by the SamSam attack on the City of Atlanta. No ransom was paid, but the clean-up costs have expanded into many millions of dollars. “The equation is simple,” says Check Point; “the greater the potential damage, the higher the chance the ransom will be paid.”
Check Point has also noted what it calls the evolution of malware synergy. Malware is increasingly being used in conjunction with other malware. For example, the Ryuk targeted ransomware attack on North Carolina’s Onslow Water and Sewer Authority also included the installation of TrickBot, AdvisorsBot and Emotet. The principle is simple and compelling for attackers: if you’re going to break into a network, make it as profitable as possible. A single attack will increasingly involve bank fraud, data stealing and finally ransomware.
Just as economics and digital transformation are forcing companies to make ever greater use of the public cloud, so, says Check Point, have attackers developed “multiple new techniques, tools and exploitations” to attack it. “Nonetheless,” it continues, “the majority of the attacks observed targeting the cloud are mainly derived from poor security measures including misconfigurations and the use of weak credentials which usually involve data compromise and information leakage.”
The Exactis breach in June, the personal details of 120 million Brazilians disclosed in December, and January 2019’s leak of 1 million Chinese patients disclosed by researcher ‘Justin’ are a few examples.
Of course, attacks against the large cloud companies will also continue and potentially increase. “From fitness apps like Under Armour and PumpUp to retailers and ticket box office companies like TicketFly, not to mention Facebook, data breaches occurred on a daily basis and will continue to do so across all industries due to the value they hold for cyber criminals.”
In its mobile analysis, Check Point see an increasing move towards targeting Apple devices. This is seen in traditional malware, such as Pegasus Spyware and Roaming Mantis being upgraded to target iOS devices, but is dwarfed by specially crafted attacks such as that of FallChill. “This was the first time to see an APT activity, allegedly carried out by the Lazarus Group, targeting OSX devices,” reports Check Point.
Elsewhere in mobile, adware and cryptominers have proliferated, and will continue to do so. AdultSwine infected 60 games and downloaded inappropriate ad content to up to 7 million children. RottenSys has infected over 5 million devices since 2016; and cryptominers have entered the mobile threat landscape.
APT groups are allegedly nation-sponsored attack groups. While many researchers urge caution in attributing specific attacks to specific APT groups, and then those groups to specific national governments, Check Point is less reserved. It claims that nation-states are no longer behaving like officers and gentlemen but are becoming open and provocative. “While no country takes responsibility for cyberattacks,” it says, “attribution is sometimes not too difficult to assign;” adding, “While the West retains a degree of statehood in cyberspace, there are nation-states, mainly eastern ones, who appear to be acting unbridled in their own interests.” The implication is clear: potential targets should expect an increasing number of sophisticated APT attacks.