Volume of unique malware samples threatens to overwhelm defenders

The cyber criminal underground continues to evolve its tactics in search of the quickest path to a payday, with greater volumes of attacks employing a more diverse range of malware than has ever been seen, according to new quarterly threat research published today by BlackBerry.

In its latest Global threat intelligence report, spanning the period from 1 June to 31 August 2023, BlackBerry reported that its solutions stopped approximately 3,370,000 cyber attacks and observed an average of 4,237 unique malware samples every day against its customers – that’s 2.9 every minute – totalling over 380,000 malicious samples, up over 70% on the March to May period, and 93% on the December to February period.

This is a problem, explained BlackBerry’s vice president for the UK and Ireland and emerging markets, Keiron Holyome, because the need to account for such a high volume of unique samples can very easily overwhelm and bypass the intelligence feeds and filters in place in most traditional security operations centres (SOCs).

Speaking to Computer Weekly in advance of the report’s publication, Holyome said: “The ease with which one can now deploy an attack has meant that it is open to a lot more individuals and groups than previously. [Deploying malware] is simpler to do and there are more tools out there that enable you to do it."

He added: “The rise in and of itself I’d argue is maybe not the issue – as long as you’ve got the defence capabilities in place. The problem is the ease with which these samples are created, and the volume in which they are created, because with that comes uniqueness that some organisations may not be able to protect themselves from. It only takes one of those samples to be really good to get through the defences you have in place."

In BlackBerry’s view, this increases the need for advanced anti-malware protection leveraging artificial intelligence (AI) and machine learning (ML) capabilities to take the pressure off security teams. This is a door on which the firm has been pushing for some time, and which swung wide open in 2023 as mainstream interest in generative AI tools surged.

“If you are seeing more noise and you don’t have the right tools and you are asked to do something manually, then that volume does become a problem because you’re having to constantly refine your posture - daily, even hourly to make sure you’re capturing all the updates – if you’ve got legacy antivirus in place, for example,” said Holyome.

The highest number of unique malware hashes were observed in the US, with 52% of the total, followed by Japan with 22%, South Korea with 12%, India with 7% and Canada with 7%.

BlackBerry said that volumes of unique hashes tend to reflect more attention paid to targeting by threat actors, rather than pray-and-spray type attacks using generic malware, so this can be read as an indicator of how many high-value targets potentially exist within that country – the US and Japan are perceived as valuable targets, for example. The presence of India on the list reflects an “alarming surge” in cyber crime with which the country is currently grappling, said BlackBerry, with the tech hubs of Bengaluru and Gurugram particularly attractive.

The wider report goes into more detail on growing volumes of nation-state attacks, the move by ransomware gangs from encryption to extortion, as well as running the rule over the most active threat groups, the most commonly-abused tooling they use, and some of the most impactful vulnerabilities they exploited.

Looking ahead, the BlackBerry team predicted more targeted attacks in regional and global conflicts and more destructive cyber attacks against public institutions, while social networks and messaging apps will continue to be used to spread misinformation and whip up public hatred. Elsewhere, the vicious cycle of ransomware payments funding ever-more impactful attacks will continue.

Meanwhile, generative AI models will continue to be abused by bad actors – BlackBerry acknowledged that while many of the concerns around tools such as ChatGPT writing effective malware code were speculative ones, unvetted and unsecure large language models (LLMs) could “lower the barrier of entry for threat actors to create new malware in the very near future”.