
Cyber attackers are more ambitious than ever, Symantec warns

Cyber attackers displayed new levels of ambition in 2016, according to the latest threat report from security firm Symantec

2016 was marked by extraordinary cyber attacks, including multi-million dollar virtual bank heists and overt attempts to disrupt the US electoral process by state-sponsored groups, say researchers.

The past year also saw some of the biggest distributed denial of service (DDoS) attacks on record powered by a botnet of devices making up the internet of things (IoT).

Targeted attacks shifted from economic espionage to politically motivated sabotage and subversion, Symantec’s 2017 internet security threat report revealed.

This shift points to a growing trend of criminals attempting to influence politics and sow discord in other countries, and raises questions about the role of cyber security in changing geopolitical dynamics.

Cyber attacks against the US Democratic Party and the subsequent leak of stolen information were one of the major talking points of the US presidential election.

With the US Intelligence Community attributing the attacks to Russia and concluding the campaign would have been judged a success, the report said it is likely these tactics will be reused in efforts to influence politics and sow discord in other countries.

Cyber attacks involving sabotage have traditionally been rare, but 2016 saw two separate waves of attacks involving destructive malware. Disk-wiping malware was used against targets in Ukraine in January and again in December – attacks which also resulted in power outages.


The disk-wiping Trojan Shamoon also reappeared after a four-year absence and was used against multiple organisations in Saudi Arabia.

The upsurge in disruptive attacks coincided with a decline in some covert activity, the report said, such as economic espionage, the theft of intellectual property, and trade secrets.

Following a 2015 agreement between the US and China, which saw both countries promise not to conduct economic espionage in cyber space, researchers found that malware linked to suspected Chinese espionage groups dropped considerably.

However, they said this does not mean economic espionage has disappeared entirely and comes at a time when other forms of targeted attack, such as subversion or high-level financial attacks, have increased.

Symantec uncovered evidence linking North Korea to attacks on banks in Bangladesh, Vietnam, Ecuador and Poland. “This was an incredibly audacious hack as well as the first time we observed strong indications of nation state involvement in financial cyber crime,” said Kevin Haley, director, Symantec security response. “While their sights were set even higher, the attackers stole at least $94m.”

Until recently, cyber criminals mainly focused on bank customers, raiding accounts or stealing credit cards. However, the report said a new breed of attacker has bigger ambitions and is targeting the banks themselves, sometimes attempting to steal millions of dollars in a single attack.

Gangs such as Carbanak have led the way, demonstrating the potential of this approach by pulling off a string of attacks against US banks. During 2016, two other cyber crime groups upped the ante by launching even more ambitious attacks, the report said.

Exploiting weaknesses

The Banswift group managed to steal $81m from Bangladesh’s central bank by exploiting weaknesses in the bank’s security to infiltrate its network and steal its Swift credentials, allowing them to make the fraudulent transactions.

Another group, known as Odinaff, was also found to be mounting sophisticated attacks against banks and other financial institutions. It too appeared to be using malware to hide customers’ own records of Swift messages relating to fraudulent transactions carried out by the group.

While Banswift and Odinaff demonstrated some technical expertise and employed tactics associated with advanced groups, the report said much less sophisticated groups also stole massive sums of money.

Business email compromise (BEC) scams, which rely on little more than carefully composed spear-phishing emails, continue to cause major losses, the report warned, with more than $3bn stolen using this technique in the past three years.

While cyber attacks managed to cause unprecedented levels of disruption in 2016, the report said attackers frequently used very simple tools and tactics to make a big impact.

Zero-day or unknown vulnerabilities and sophisticated malware now tend to be used sparingly and attackers are increasingly attempting to hide in plain sight.

Attackers relying on straightforward approaches

Attackers are mainly relying on straightforward approaches, such as spear-phishing emails, and using whatever tools are on hand, such as legitimate network administration software like Microsoft PowerShell – as well as macros and operating system features.

The most high-profile case involving this “living off the land” approach, the report said, took place during the US elections, when a simple spear-phishing email provided access to Hillary Clinton’s campaign chairman John Podesta’s Gmail account without the use of any malware or vulnerabilities.

This approach provides many advantages to attackers. Identifying and exploiting zero days has become harder as improvements in secure development and bounty programs take hold. As a result, web attack toolkits have fallen out of favour, the report said, probably due to the effort required in maintaining fresh exploits and a backend infrastructure.

These default features of Windows and Microsoft Office can facilitate remote access and malware downloads without the use of vulnerabilities or malicious tools. The report notes that, despite existing for almost 20 years, Office macros have re-emerged on the threat landscape as attackers use social engineering techniques to defeat security measures that were put in place to tackle the former problem of macro viruses.

When executed well, the report said “living off the land” approaches can result in almost symptomless infections, allowing attackers to hide in plain sight.
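The chain described above (an Office application launching PowerShell or another script host, with no exploit involved) is what a defender would look for in process-creation telemetry. This is an editor's example, not code from Symantec's report; the JSON-lines event layout, the process names chosen and every event in the sample are constructed for illustration.

```python
"""Flag 'living off the land' process chains: an Office application that spawns
a script host such as PowerShell. Editor's example, not from Symantec's report.
The JSON-lines event layout and all events below are constructed."""
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events (parent image, child image, child command line).
# The base64 value is a placeholder (UTF-16LE "ABC"), not a real payload.
SAMPLE_LOG = r'''
{"ts": "2016-03-19T10:02:11Z", "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -NoP -W Hidden -Enc QQBCAEMA"}
{"ts": "2016-03-19T10:05:40Z", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "cmd": "\"WINWORD.EXE\" /n invoice.docm"}
{"ts": "2016-03-19T10:06:02Z", "parent": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c whoami"}
{"ts": "2016-03-19T11:00:00Z", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe Get-Service"}
'''

def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the reasons an event looks like living off the land ([] if none)."""
    reasons = []
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office-spawns-script-host:{parent}->{child}")
    cmd = event["cmd"].lower()
    if child == "powershell.exe":
        # Encoded and hidden-window invocations are what make an infection near-symptomless.
        if re.search(r"\s-(enc|encodedcommand|e)\b", cmd):
            reasons.append("encoded-command")
        if re.search(r"-w(indowstyle)?\s+hidden\b", cmd):
            reasons.append("hidden-window")
    return reasons

def scan(log_text: str) -> list:
    """Run classify() over JSON-lines telemetry; return [(timestamp, reasons)] for hits."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            reasons = classify(event)
            if reasons:
                hits.append((event["ts"], reasons))
    return hits

if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_LOG):
        print(ts, ", ".join(reasons))
```

Note that the second event (explorer.exe opening a macro-enabled document) is not flagged on its own; the signal is the document's host process then spawning a script host, which is exactly what a legitimate invoice rarely does.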

Similarly, malicious emails emerged as the weapon of choice for a wide range of cyber attacks during 2016 by attackers ranging from state-sponsored cyber espionage groups to mass-mailing ransomware gangs. One in 131 emails sent was malicious – the highest rate in five years.

The factors behind email’s renewed popularity

Email’s renewed popularity, the researchers said, has been driven by several factors:

  • It is a proven attack channel.
  • It does not rely on vulnerabilities.
  • It uses simple deception to lure victims into opening attachments, clicking links, or disclosing credentials.

Malicious emails disguised as routine correspondence, such as invoices or delivery notifications, were the favoured means of spreading ransomware.

The availability of spam botnets-for-hire, such as Necurs, allowed ransomware groups to mount massive email campaigns during 2016, pumping out hundreds of thousands of malicious emails daily. The report also confirmed that ransomware continues to be a growing threat, with the average ransom escalating significantly in 2016.

Ransomware continues to plague businesses and consumers, with indiscriminate campaigns pushing out massive volumes of malicious emails.

Ransoms are also increasing, with the average ransom demand in 2016 rising to $1,077, up from $294 a year earlier. The number of new ransomware families uncovered during 2016 more than tripled to 101 and Symantec logged a 36% increase in ransomware infections.


The report confirmed that the IoT is becoming the new “holy grail” for cyber criminals.

Mirai, the botnet behind a wave of major DDoS attacks, was primarily made up of infected routers and security cameras, low-powered and poorly secured devices. In the wrong hands, even relatively benign devices and software can be used to devastating effect.

Symantec witnessed a twofold increase in attempted attacks against IoT devices over the course of 2016 and, at times of peak activity, the average IoT device was attacked once every two minutes.

Several of Mirai’s targets were cloud-related services, such as DNS provider Dyn. This, coupled with the hacking of millions of MongoDB databases hosted in the cloud, shows how cloud attacks have become a reality and are likely to increase in 2017.

A growing reliance on cloud services should be an area of concern for enterprises, as they present a security blind spot.

Symantec found the average organisation was using 928 cloud apps, up from 841 earlier in the year. However, most CIOs think their organisations only use around 30 or 40 cloud apps, meaning the level of risk could be underestimated, leaving them open to attack from newly emergent threats.
