Check Point Research released its 2019 mid-year report on Cyber Attack Trends last month. The report puts targeted ransomware attacks at the top of its list of dominant ongoing trends in 2019. Cryptomining attacks, on the other hand, have declined considerably over the past year, with only 21 percent of organizations affected by cryptomining attacks this year, compared to 42 percent in 2018.
Top vulnerabilities, malware and malicious file types
The most high-profile global vulnerabilities this year were Microsoft’s wormable BlueKeep RDP vulnerability (CVE-2019-0708), Oracle WebLogic Server vulnerabilities (CVE-2017-10271, CVE-2019-2725), and DoS Vulnerabilities in Linux and FreeBSD – TCP SACK Panic (CVE-2019-11477, CVE-2019-11478, CVE-2019-5599, CVE-2019-11479).
The top five malware families were CoinHive, Cryptoloot, XMRig, JSEcoin and Emotet. Among specific malware categories, Cryptoloot and CoinHive were found to be the top cryptomining malware types, while Ramnit and Trickbot topped the list of banking malware. Emotet and Dorkbot remained the most popular botnet malware types; Triada and Lotoor continued to be significant in the mobile malware category.
The top malicious file types were exe, pdf, doc, msi, js and xls for web-based (HTTP) attacks, and exe, doc, js, rtf, pdf, xlsx and docx for email-based (SMTP) attacks. Fifty-eight percent of malicious files were spread via email, and the remaining forty-eight percent via the web.
Important attack vectors
The four main attack vector categories discussed in the report in some detail are – (1) software supply chain attacks, (2) email scams, (3) attacks against cloud environments and (4) attacks on the mobile landscape.
Software Supply Chain Attack Categories
- Targeted attacks – Targeted attacks try to find the weakest links among the suppliers of pre-chosen targets and use the most vulnerable supply-chain partner as an entry point. A recent example is the ShadowHammer attack on ASUS, which involved attackers implanting malicious code (including a hardcoded list of several hundred network adapters’ MAC addresses) into the ASUS Live Update Utility to gain a backdoor entry into millions of remote computers.
- Attacks designed to do maximum damage (“compromise as many victims as possible”) – The attack on e-commerce platform PrismWeb is an example of attacks designed to compromise a large number of victims.
- Supply-chain attacks in the mobile arena – Supply-chain attacks are seen as such a serious cybersecurity threat that the US Department of Homeland Security (DHS) established a task force specifically for managing supply chain risks in October 2018. In May 2019, the White House signed an executive order that declared foreign supply chain threats a national emergency, eventually leading to a ban on Chinese technology giant Huawei.
The report says that there has been a steep rise in sextortion and Business Email Compromise (BEC) emails in recent months. Both kinds of emails are hard to detect as malicious because they do not come with the usual telltale signs like suspicious attachments and links.
Attackers have started adopting techniques such as encoded emails and complex underlying code to bypass security features that help detect malicious emails. Social engineering tactics, too, have evolved as public awareness about such attacks has gone up.
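Two points above translate directly into a mail-gateway check: attachments of the types the report names as most common in email-borne attacks (exe, doc, js, rtf, pdf, xlsx, docx) should have their declared extension compared against their actual content, and message bodies should be scanned only after the transfer encoding has been decoded, since an encoded body hides its text from a naive byte-level scan. The following Python script is an added example, not code from Check Point or the report; the sample message, the phrase list and the `triage` function are constructed for illustration, while the leading-byte signatures are the publicly documented ones for each format.

```python
"""Inbound e-mail triage: decode before scanning, and sniff attachment content.

Added example (not from the Check Point report). Builds a constructed message,
then parses it the way a gateway would see it on the wire.
"""
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the report lists as most common in SMTP-borne attacks.
REPORT_TOP_EMAIL_TYPES = {"exe", "doc", "js", "rtf", "pdf", "xlsx", "docx"}

# Publicly documented leading bytes ("magic numbers") of common attachment formats.
MAGIC = [
    (b"MZ", "exe"),                   # Windows PE executable
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "ooxml_or_zip"),  # docx/xlsx are ZIP containers
    (b"\xd0\xcf\x11\xe0", "ole"),     # legacy doc/xls (OLE compound file)
    (b"{\\rt", "rtf"),
]

# Content kind we expect for a given declared extension.
EXPECTED_KIND = {
    "exe": "exe", "pdf": "pdf", "docx": "ooxml_or_zip", "xlsx": "ooxml_or_zip",
    "doc": "ole", "xls": "ole", "rtf": "rtf",
}

# Constructed BEC-style phrases; a real deployment would use a tuned rule set.
BEC_PHRASES = ["wire transfer", "gift card", "urgent payment"]


def sniff(data: bytes) -> str:
    """Return the content kind implied by the first bytes, or 'unknown'."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def build_sample() -> bytes:
    """Constructed message: base64-encoded body plus one disguised attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Invoice"
    # Base64 transfer encoding: the phrase is not visible in the raw bytes.
    msg.set_content("Please process the wire transfer today.", cte="base64")
    # An executable (MZ header) carrying a .pdf name.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # A benign-looking PDF whose content matches its extension.
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Decode the body, scan it, and compare each attachment's name to its content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    # get_content() undoes base64/quoted-printable before we look at the text.
    body = body_part.get_content() if body_part is not None else ""
    body_hits = [phrase for phrase in BEC_PHRASES if phrase in body.lower()]

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_content()
        if isinstance(data, str):          # text/* attachments decode to str
            data = data.encode("utf-8", "replace")
        kind = sniff(data)
        expected = EXPECTED_KIND.get(ext)
        attachments.append({
            "name": name,
            "ext": ext,
            "sniffed": kind,
            "in_report_top_list": ext in REPORT_TOP_EMAIL_TYPES,
            "type_mismatch": expected is not None and kind != expected,
        })
    return {"body_hits": body_hits, "attachments": attachments}


if __name__ == "__main__":
    result = triage(build_sample())
    print("body phrases:", result["body_hits"])
    for att in result["attachments"]:
        print(att)
```

Running the script flags `invoice.pdf` as an executable disguised as a PDF and reports the body phrase that a scan of the undecoded bytes would have missed. The extension check is deliberately limited to the formats whose headers are listed; a `.js` attachment, for instance, has no fixed signature and is reported with its kind as `unknown` rather than as a mismatch.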
Misconfiguration and poor cloud-resource management continue to be the leading causes of cloud-related security incidents. With the number of organizations using the public cloud growing at a rapid pace, data theft incidents and cryptomining campaigns specific to the cloud are becoming more frequent. Additionally, public cloud infrastructure attack vectors are increasing in number, providing new entry-points to malicious actors.
Attacks on the Mobile Landscape
The mobile landscape has become an attractive target for hackers as more and more people conduct their financial transactions on mobile devices. In particular, banking malware, which has been popular with hackers for a while, is now successfully infiltrating the mobile environment. Mobile banking malware uses banks’ mobile applications to steal both customers’ financial information and the funds in their accounts. Attackers can even pay malware builders to create new and more advanced versions of mobile-specific malware designed to infiltrate banking apps and steal data.
Other tactics used to carry out mobile-based attacks and evade their detection are:
- delayed execution to avoid sandboxes
- using transparent icons with empty application labels
- encrypting the malicious payload
Other major threats
- Targeted ransomware remains popular. Frequently used ransomware includes Ryuk and LockerGoga.
- Cryptomining incidents, in general, have gone down, but cryptominers are still quite active. They changed tactics after the shutdown of CoinHive and are now focusing on potentially more lucrative, high-return targets such as corporations and cloud resources.
- DNS attack campaigns like DNSpionage and SeaTurtle, too, continue to be popular.
Download the full report at Check Point’s website: https://research.checkpoint.com/cyber-attack-trends-2019-mid-year-report/