Security firm McAfee catalogued 478 new cyber threats every minute in the last quarter of 2017, as cyber criminals embraced novel techniques and schemes to capture new revenue streams, with an 18% increase in the number of reported security incidents across Europe.
The firm’s researchers also observed the increasing use of fileless malware attacks using Microsoft PowerShell, according to the latest McAfee Labs threat report.
“Even tried-and-true tactics, such as ransomware campaigns, were leveraged beyond their usual means to create smoke and mirrors to distract defenders from actual attacks,” said Raj Samani, McAfee fellow and chief scientist.
“Collaboration and liberalised information-sharing to improve attack defences remain critically important as defenders work to combat escalating asymmetrical cyber warfare.”
The report combines threat data gathered by the McAfee Global Threat Intelligence cloud from hundreds of millions of sensors across multiple threat vectors around the world with in-depth investigative analysis of cyber attacks from around the globe by McAfee Advanced Threat Research.
New strategies and tactics
The fourth quarter of 2017 saw the rise of newly diversified cyber criminals, the report said, as a significant number of actors embraced novel criminal activities to capture new revenue streams.
The quarter saw a significant number of ransomware operators branch out into hijacking Bitcoin and Monero wallets. McAfee researchers discovered Android apps developed exclusively for the purpose of cryptocurrency mining and observed discussions in underground forums suggesting Litecoin as a safer cryptocurrency than Bitcoin, with less chance of exposure.
“By going digital along with so many other things in our world, crime has become easier to execute, less risky and more lucrative than ever before,” said Steve Grobman, chief technology officer for McAfee. “It should be no surprise to see criminals focusing on stealthy fileless PowerShell attacks, low risk routes to cash through cryptocurrency mining, and attacks on soft targets such as hospitals.”
Although publicly disclosed security incidents targeting healthcare decreased by 78% in the fourth quarter of 2017, the sector experienced a dramatic 210% overall increase in incidents in 2017. McAfee analysts found that many incidents were caused by organisational failure to comply with security best practices or address known vulnerabilities in medical software.
The analysts looked into possible attack vectors related to healthcare data, finding exposed sensitive images and vulnerable software.
“Healthcare is a valuable target for cyber criminals who have set aside ethics in favour of profits,” said Christiaan Beek, McAfee lead scientist and senior principal engineer.
“Our research uncovered classic software failures and security issues such as hardcoded embedded passwords, remote code execution, unsigned firmware, and more.
“Both healthcare organisations and developers creating software for their use must be more vigilant in ensuring they are up to date on security best practices,” he said.
In the healthcare sector, disclosed incidents rose 210% in 2017, but fell 78% in Q4. The public sector saw decreases of 15% in 2017 and 37% in Q4. The figures for the education sector rose 125% in 2017, remaining unchanged in Q4, while for the finance sector, disclosed incidents rose 16% in 2017, falling 29% in Q4.
McAfee Labs counted 222 publicly disclosed security incidents in Q4, a decrease of 15% from Q3. Some 30% of all publicly disclosed security incidents in Q4 took place in the Americas, followed by 14% in Europe and 11% in Asia.
Although the number of disclosed security incidents decreased overall in Q4, figures for Asia were up 28% and up 18% for Europe.
The rise in security incidents across Europe in the last three months of 2017 is worrying, especially in the light of the fact that not all incidents are reported, said Nigel Hawthorn, data privacy expert in McAfee’s cloud security business unit.
“This will change when the GDPR comes into force in May, when non-compliance could lead to negative brand impact that could easily be more costly than fines from the regulators. Cited as “the most comprehensive privacy regulation globally”, the GDPR will introduce extensive requirements to minimise risk to personal data when it is introduced.
“Being GDPR compliant requires a combination of knowledge, processes, policies, technology and training, as well as detailed understanding of data flows to and from third parties and cloud services. Cyber threats have never been more of a concern and with cyber criminals often targeting personal data, a ‘privacy first’ IT philosophy is a must,” he said.
Given the complex requirements of the GDPR and its governance on where data goes, how it is shared and who can access it, Hawthorn said businesses need to be prepared to take a holistic approach to GDPR compliance.
“Businesses must confidently understand GDPR compliance gaps and implement necessary controls to address them across all cloud services – including services like Office 365, Box, Salesforce and Slack, as well as custom applications running in public infrastructure as a service platforms,” he said.
Disclosed attack vectors
In Q4 and 2017 overall, McAfee research shows that malware led disclosed attack vectors, followed by account hijacking, leaks, distributed denial of service and code injection.
The fourth quarter saw notable industry and law enforcement successes against criminals responsible for ransomware campaigns. New ransomware samples grew 59% over the last four quarters, and the number of new ransomware samples rose 35% in Q4. The total number of ransomware samples increased 16% in the last quarter to 14.8 million samples.
New malware samples increased in Q4 by 32%. The total number of malware samples grew 10% in the past four quarters, the report said. New mobile malware decreased by 35% from Q3. In 2017 total mobile malware experienced a 55% increase, while new samples declined by 3%.
New Mac OS malware samples increased by 24% in Q4. Total Mac OS malware grew 58% in 2017, while new macro malware increased by 53% in Q4, but declined by 35% in 2017.
Spam botnet traffic
Most spam botnet traffic in Q4 (97%) was driven by the Necurs botnet – recent purveyor of “lonely girl” spam, pump-and-dump stock spam, and Locky ransomware downloaders – and by Gamut – sender of job offer–themed phishing and money mule recruitment emails.
“At the beginning of 2017, McAfee analysts predicted the hard-to-solve challenges the cyber security industry would face in the coming year, naming the asymmetry of information as a major hurdle,” said Samani.
This means adversaries have the luxury of access to research done by the technical community, and can download and use open source tools to support their campaigns, while the defenders’ level of insight into cyber criminal activities is considerably more limited.
“As a result, identifying evolving tactics often must take place after malicious campaigns have begun,” said Samani, adding that major attacks in Q4 2017 demonstrated that growing asymmetrical cyber warfare is in full effect.