Ahead of the new year 2018, cyber threat intelligence analysts at RedSocks Security gave their predictions on what trends could make the highlights. Seven months later, they are looking back at seven months of data to set the major cyber threats spotted on the Malicious Threat Detector and the labs.
No major attack yet but many breaches
2017 was marked by major worldwide attacks such as Wannacry and NotPetya. As of Summer 2018, no attack of this type has yet made the news. On the other hand, major breaches have occurred leaking sensitive files and costing even more to companies, some of them happening under the now enforced GDPR.
Example: SingHealth, TicketFly, Reddit.
The peak of appeal of cryptocurrencies
After the massive rise of their value in late 2017, the rise of criminal activities regarding cryptocurrencies was to be expected. If the peak of attraction seems to have happened in the first quarter, RedSocks analysts still believe crypto-motivated crimes will follow for the rest of the year in the following forms:
Ransomware demanding cryptocurrencies
Crypto jacking, defined by the action of sneaking a mining malware into one’s devices to use the power in order to mine cryptocurrencies.
Phishing: our phishing labs have shown numerous campaigns hijacking crypto brands, promoting fake air drops or give aways.
More untraditional threats: smart malware, fileless malware and legitimate environments
Smart malware are programs which will automatically choose their action based on the environment they have been installed on. For instance, a variant of Rakhni ransomware can decide what will be the most profitable attack: mining crypto currencies or encrypting files to demand ransom.
Another type of untraditional malware are fileless ones. The latter are malware operating directly from the memory of the computer, using Windows tools as Powershell, installed on every device, which are as of now, not detected yet by Antivirus software. Another way to bypass them has been seen in the use of .iqy files, specifically in spams. Once the user has opened the link, these files are opened by default on Office and are used to download data from the Internet, and eventually to install remote access trojans.
Similar to fileless malware using legitimate Windows tools, RedSocks Security has noticed the rise of programs using legitimate environments like Cloud Storage Services and Social Media.
Trickbot is a Trojan targeting customers of financial institutions. As an active threat since 2016, this malware is know for regular updates, remaining one step ahead of security measures. Among its features, this Trojan uses phishing campaigns and EternalBlue vulnerability for infection. The new variant discovered early 2018 installs itself on TeamViewer and proceed to lock the user’s device as a lateral movement.
The Trickbot gang behind the malware seems to prove good knowledge on their targets, which they applied to an interesting business model. Last but not least, Trickbots have since late 2017 been involved in crypto thefts.
Examples of IPs, URLs and hashes found in our labs
Malicious delivery campaigns
Major malicious delivery campaigns have been active for the first half of 2018, including the Keitaro one and the EITest malware. The latter processes through a scam: the targeted user is redirected to a fake technical support page, blocking the browser, in hope the user will panic and contact the malicious organization.
Social Engineering: phishing, spear-phishing, scareware and false flags operations
It is no news cyber attacks are technical and social operations and the threat seems to only grow along with the use of social media. Common attacks such as CEO frauds, phishing, spear phishing, prank calling do not seem to decrease, while some campaigns are still copying processes from 2016.
Along these usual trends, our analysts have observed a rise in scareware and false flags operations.
Scareware are malware design to deceit users and trick them into buying or download malicious programms.
Example: some scareware might indicate the victim of the presence of a virus on their device. Others might practice extortion and maliciously inform the user the actor owns information about them.
False flags operations are attacks designed to appear as if they were conducted by another specific actor. This type of deception is frequently used by nation-state actors
Ransomware-as-service and own botnets
The trends in the hacking community have shown a continuous development and interest for cybercrimality-as-service practices, especially regarding ransomware and financial malware. The latter have become more accessible to Script Kiddies. RedSocks Security analysts expects to see their actions multiply in the near future. They have also noticed hackers tend to create their own bots, more advanced and leaving no trace on the computers
Most exposed targets to the 2018 cyber threats
Over the past few months, popular targets have been energy organizations, hospitals which tend to have paid ransom in the past, political organizations, supply chain actors and users of IoT devices, a domain where security measures are still running far behind attackers.