Security researchers continue to report that many of the primary threats to organizations today come from older attacks and exploits targeting vulnerable systems for which patches are readily available. In fact, older vulnerabilities seem to be preferred.
One recent report indicates that exploits targeting vulnerabilities reported in 2007 outnumber those targeting newer vulnerabilities from 2018/2019, with the same being true for every year in between. An example of this is the growing emphasis on targeting publicly-facing edge services with known vulnerabilities for remote execution exploits. Some evidence suggests that this may be a reaction by cybercriminals to organizations aggressively addressing phishing attacks with end-user training and advanced email security tools. As would be expected, cybercriminals are responding by actively expanding their ability to deliver malicious malware using methods beyond just phishing. And like their phishing malware counterparts, these attacks also generally target older vulnerabilities.
Like Older Vulnerabilities, Older Malware Remains a Problem
In addition to older vulnerabilities, aging malware also continues to plague modern networks. Of the top five botnets identified during Q3 of 2019, number four was Mirai, the botnet that caused such widespread devastation in August of 2016. In spite of its notoriety and the assumption that most organizations would at least have hardened their systems to that threat, Mirai still represents a serious threat to organizations around the world.
Emotet is another example of this phenomenon. It was first discovered in 2014 as a “simple” banking Trojan. And even though it is now more than five years old, the US Department of Homeland Security still identifies Emotet as “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”
Part of the reason it is still such a threat is that it has a very active team of developers working on it. In its latest iteration, it has evolved into a botnet with advanced modularity, such as the ability to deliver a variety of malicious payloads using its worm-like capabilities and effectively evade detection through its manipulation of registry files.
Old Problems in New Bottles: Malware and Ransomware as a Service
Emotet is also now making those capabilities available as a Malware-as-a-Service (MaaS) solution on the dark web. Criminals can now pay to access the millions of infected devices to target victims and drop additional malware, bypassing all of the effort required to initiate an initial network breach. In addition to being able to drop malware like Trickbot, Emotet can also deliver ransomware, which continues to be a serious and growing threat to organizations.
Part of the reason for the continued growth of ransomware is that the developers of GandCrab were among the first pioneers to develop Ransomware-as-a-Service (RaaS). This is part of the reason why authorities estimate that its developers were able to reap as much as $2 billion in just over a year before announcing their retirement last May. With such advanced malware now available to thousands of online criminals for the price of merely splitting any subsequent profits, its spread was a foregone conclusion. Other ransomware developers have not overlooked the success of this sort of criminal enterprise, as two more RaaS solutions were introduced in Q3 of 2019 – Sodinokibi and Nemty. Organizations should begin preparing now for a spike in ransomware attacks over the next few years.
If it Ain’t Broke…
While some efforts continue to be made by cybercriminals to develop new malware or zero-day attacks, that development process is expensive. And like other enterprises, ROI is a driving financial consideration for many criminal organizations. As a result, their efforts tend to focus on five things:
1. Refining existing malware to evade detection and deliver increasingly sophisticated and malicious payloads, such as seen with the ongoing evolution of the Emotet malware. This strategy is far more cost-effective, especially when the number of unprotected older vulnerabilities waiting to be exploited is still so large.
2. Expanding their earning potential by converting their attack tools into a MaaS or RaaS solution. The two latest additions to the growing family of RaaS solutions are just the beginning of what can be expected to be a flood of similar services. For example, Emotet has cleverly adapted this model by selling access to millions of infected devices to deliver a range of malicious payloads.
3. Changing attack vectors to catch organizations off guard. The recent spike in remote access control attacks targeting edge services to deliver malware provides an additional attack vector. Moving to an unexpected or overlooked area of the network enables cybercriminals to persist when their usual avenues of attack are being shut off.
4. Targeting older, vulnerable systems that have not been adequately secured. Cybercriminals prefer targeting older vulnerabilities not only because they already have exploits available, but also because they are often an indication that other security protocols may be lax as well.
5. Exploiting the expanding attack surface, such as operational technology, which is now being exposed to public networks. These attacks could have devastating effects on things like critical infrastructures. Exploits could allow criminals to commit acts of terrorism, steal valuable intellectual property, and hold high-value targets such as manufacturing floors for ransom.
Preparing for the Future Requires Clear Hindsight
The message is clear. Organizations cannot afford to over-focus on the latest threat trends or attack vectors. Instead, as shown with the rise in the targeting of publicly facing edge services, organizations must adopt a holistic approach to securing their distributed networked environment that enables them to see and manage their entire distributed network, including all attack vectors, through a single pane of glass. And it requires having a clear understanding of issues from the past and then mending those fences to prepare for the new threats based on them looming just over the horizon.