What can businesses learn from the cyber threat landscape of 2017?

Powered by military-grade code allegedly leaked from the NSA, threats such as WannaCry and GoldenEye wrought havoc throughout Q2 and Q3, shutting down businesses and causing unprecedented operating losses.

The effectiveness of these threats has been compounded by novel lateral movement vectors that augment zero-day exploits such as EternalBlue and EternalRomance, allowing malware to ‘hop’ from one network to another, from organisation to organisation. These targeted attacks are reshaping corporate and government digital security, whilst simultaneously causing fallout in the consumer space.

>See also: Understanding the actor in the cyber threat landscape 

Through monitoring its global network of more than 500 million sensors and honeypots for emerging threats and cyber attacks, Bitdefender has produced a report which paints an accurate picture of the current state of the cyber security industry, and provides a clear indication of the kinds of threats that companies can expect to face throughout 2018.

Ransomware banks on business

Bitdefender telemetry shows ransomware is still the most frequently encountered type of threat. During 2017 alone, the number of new major ransomware families surpassed 160, with dozens or even hundreds of variations per family. The most prolific ransomware strain is Troldesh/Crysis, with hundreds of sub-variants seen to date.

Ransomware specifically aimed at companies has also become far more prevalent. Since the re-emergence this March of Troldesh, companies have faced extremely targeted attacks that abuse the Remote Desktop Protocol to connect to infrastructure, then manually infect computers.

Certain strains of ransomware such as Troldesh and GlobeImposter come equipped with lateral movement tools (such as Mimikatz), allowing malware to infect an organisation and log clean-up mechanisms to cover their tracks.

Miners exploit a major tech trend

Following a surge of market interest around cryptocurrencies that has continued through 2017 and into 2018, miners have diversified and proliferated. Traditional illicit coin miners have rushed to adopt lateral movement tactics such as the EternalBlue and EternalRomance exploits, allowing cybercriminals to infect computers in organisations and increase mining efforts.

>See also: The public sector and it’s approach to the cyber threat landscape

Representative of this trend is the Monero miner Adylkuzz, which appeared in early May, at roughly the same time as WannaCry. Adylkuzz uses the same Eternal Blue exploit but utilises a different technique to generate revenue for cybercriminals. Rather than encrypting users’ data, it remains undetected and exploits processing power for mining the Monero cryptocurrency.

The fact that Adlykuzz does not give any visual warnings or interfere with users’ files makes it far harder to detect than traditional ransomware. So despite having a less dramatic impact than a strain such as WannaCry, Adylukuzz serves as confirmation that cyber-criminals are building a new generation of malware based on the EternalBlue SMB exploit allegedly stolen from the NSA.

What should companies expect for 2018?

Based on threat developments in 2017, organisations should essentially prepare for more sophisticated iterations of malware based on the same theme in 2018. Bitdefender’s threat analysis experts predict an increase of zero-day exploits leaked from security agencies the world over, along with massive changes to the ways in which ransomware operates.

After years of focusing on individuals, malware authors will increasingly target enterprises and networks of computers. Lateral movement will become standard in most malware samples, either via password-grabbing utilities like Mimikatz, or by exploiting wormable vulnerabilities. In addition, the number of malicious attachments in SPAM emails will increase, particularly those written in scripting languages such as PERL or Python.

>See also: 10 ways cyber security will evolve in the face of growing threats

Fileless attacks will also increase sharply as Windows 10 adoption becomes universal, leveraging the platform’s support for Powershell or Linux Bash. Predictably, cybercriminals will remain faithful to the malware that is most easily monetised, such as ransomware, banker Trojans and digital currency miners.

However, these threats will undergo major changes in the way they perform. For example, Bitdefender expects to see ransomware that leverages GPU power for encryption purposes to move faster and attempt to circumvent anti-malware products.

And finally, large IoT botnets will become the new normal in 2018. Source code for IoT bots is already available for free on the Internet, and cybercrime groups interested in compromising IoT devices already have a solid platform to customise to their own needs. Bitdefender predicts that this code will be improved in 2018 to allow lateral movement inside compromised networks for ransomware or spam-sending purposes.

>See also: Are cyber threats still not a priority?

Taking into account the overall shift towards malware strains that are designed to evade traditional detection techniques, the organisations best placed for security success in 2018 and onwards will be those that implement security solutions that are able to identify and mitigate threats on a more sophisticated level.

In particular, solutions that that make use of ML/AI techniques to identify zero-day threats, or recognise intrusions at the raw-memory hypervisor level stand the best chance of remaining secure in this decidedly insecure era.


Sourced by Liviu Arsene, senior e-threat analyst, Bitdefender

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...