WannaCry and NotPetya inspiring new attacks

Designs and techniques used in 2017’s global cyber attacks have inspired a new breed of malware that exploits software vulnerabilities, according to a McAfee report

Malware that exploits software vulnerabilities grew 151% in the second quarter of 2018, according to the latest threat report by security firm McAfee.

The report, based on McAfee Labs threat statistics and investigative analysis from its research team, shows these new threats include malware exploiting vulnerabilities that were patched in 2014.

The finding again underlines the importance of effective software patch management, but the fact that attackers are still exploiting old vulnerabilities successfully shows that this remains a top security failing.

The McAfee data shows that a year after the outbreaks of WannaCry and NotPetya, cyber criminals are copying the designs and techniques of these innovative campaigns to develop new malware.

McAfee saw the exploits from these two high-profile threats repurposed within new malware strains, and newly discovered vulnerability exploits similarly adapted to produce entirely new threats.

“WannaCry and NotPetya provided cyber criminals compelling examples of how malware could use vulnerability exploits to gain a foothold on systems and then quickly propagate across networks,” said Christiaan Beek, lead scientist and senior principal engineer with McAfee Advanced Threat Research.

“It’s still surprising to see numerous vulnerabilities from as far back as 2014 used successfully to spearhead attacks, even when there have been patches available for months and years to deflect exploits. “This is a discouraging testament to the fact that users and organisations still must do a better job of patching vulnerabilities when fixes become available,” he said.

Read more about malware

The report also confirms that the cryptocurrency mining malware surge that began in late 2018 continued into the first half of 2018, including an 86% increase in known samples in the second quarter alone. The trend demonstrates that cyber criminals are seeking easier ways to monetise their hacking activity, the report said.

Although less common than ransomware, the report said cryptomining malware has quickly emerged as a factor on the threat landscape.

After growing around 400,000 in the fourth quarter of 2017, new cryptomining malware samples grew 629% to more than 2.9 million samples in the first quarter of 2018. This trend continued in Q2 as total samples grew by 86% with more than 2.5 million new samples, including older malware such as ransomware newly retooled with mining capabilities.

Mining for cryptocurrencies requires significant computing power and equipment can be expensive. Cyber criminals are using malware to tap into a victim’s computing power to mine for coins or to locate and steal the user’s cryptocurrency. Some estimates put the value of stolen cryptocurrency in the past two years at around $1.5Bn.

Cyber crime is a business, and market forces, such as the rise in cryptocurrency values, will continue to shape where adversaries focus their efforts,” said Raj Samani, McAfee fellow and chief scientists.

“Cryptomining malware is simpler, more straightforward, and less risky than traditional cyber crime activities – causing these schemes to skyrocket in popularity over the last few months. In fact, cryptomining malware has quickly emerged as a major player on the threat landscape.

“Organisations need to remain vigilant to these threats – particularly in today’s cloud-first landscape, when many companies are seeing a rapid increase in cloud applications and environments to secure,” he said.

People, process and technology

To keep crypto-criminals at bay, Samani said businesses must find the right combination of people, process and technology to protect their assets, detect cryptomining threats and, when targeted, rapidly correct systems in the cloud and on-premise.

“Removing siloed security teams and making sure tools and systems can work together is the first step to gaining the upper hand,” he said.

While cryptomining malware primarily targets PCs, other devices have become victims. For instance, the report said Android phones in China and Korea have been exploited by the ADB.Miner malware into producing Monero cryptocurrency for its perpetrators.

“A few years ago, we wouldn’t think of internet routers, video-recording devices, and other internet of things [IoT] devices as platforms for cryptomining because their CPU speeds were too insufficient to support such productivity,” said Beek.

“Today, the tremendous volume of such devices online and their propensity for weak passwords present a very attractive platform for this activity. If I were a cyber criminal who owns a botnet of 100,000 such IoT devices, it would cost me next to nothing financially to produce enough cryptocurrency to create a new, profitable revenue stream,” he said.

McAfee Labs also saw mobile malware accelerate for the second successive quarter by 27%, while its mobile security researchers exposed the existence of mobile billing fraud apps on Google Play.

The new campaign demonstrates that cyber criminals keep finding new ways to steal money from victims using apps on official stores such as Google Play, the report said.

Cortana security issues

During the second quarter, McAfee researchers identified and analysed multiple security issues in the Cortana voice assistant in Microsoft Windows 10 and the most prominent attack vectors targeting emerging blockchain technologies, which include phishing, malware and implementation vulnerabilities.

The vulnerability in Cortana, for which Microsoft released a patch in June after being notified by McAfee, could have allowed attackers to execute code from the locked screen of a Windows 10 machine.

Despite the growing popularity of illicit cryptocurrency mining, the report shows the total number of ransomware samples continued to grow in the second quarter, increasing 57% over the past four quarters.

Although the appearance of new ransomware families has slowed overall in recent quarters, the report said established ransomware families continue to spawn new variants. For instance, McAfee saw a dozen new variants of the Scarab ransomware family appear in the Q2 alone.

Other findings include a 204% increase in new samples of JavaScript malware that suggests that hackers appear to have shifted to a new generation of JavaScript malware, and that while PowerShell has been active among fileless malware developers in recent previous quarters, new samples slowed to 15% growth as new LNK malware continued to grow – with cyber criminals increasingly using .lnk shortcuts to surreptitiously deliver malicious PowerShell scripts and other malware.

Read more on Hackers and cybercrime prevention

Data Center
Data Management