If we summed up the 2019 threat landscape in one word, it would be “more.” Targeting was more specific. More people are crossing over to the dark side. There were new tricks—and more ransomware than you can shake a stick at. Without further ado, here are the top six trends that we noted in 2019.
More Specific Targeting
Attackers became pickier about their targets. Some targeted specific systems, like AnteFrigus ransomware, which targeted specific users’ USB drives to encrypt. Some had distinct industry preferences like APT33 which likes the oil industry, or Silence APT and its passion for banks worldwide. The Lazarus APT group was even more choosey, focusing on banks in India. Still, other attacker groups chose to target specific or countries or regions (Sodinokibi mainly targeted Asia), such as Varenyky spambot attacks in France and Clop ransomware attacks in the U.S. Finally, there are groups who take advantage of the chaos to inject even more mayhem, such as the Machete Operation, which has stolen gigabytes of confidential documents from Venezuelan government institutions.
More APT “Groupies”
APT groups have grown as large numbers of newcomers and amateurs joined their ranks. How do we know this? Their code gives it away. We saw many attacks written in basic code, designed with re-used and open source code, and containing many testing/debug code snippets. It appears that many attackers are self-developing and testing attacks on the fly. What they might lack in sophistication they make up for in high-end distribution techniques. For instance, using the RIG Exploit Kit (RIG EK), even newbies can deliver code to networks of pre-infected machines.
Same Attackers, New Tricks
In 2019, we saw some new tricks. With high levels of complexity and automation, MegaCortex ransomware shook up enterprises in May. MegaCortex terminates running programs, and can kill system security services, disable installed security software and the new trick on top of all – it changes Windows user passwords.
The aptly named Evil Clippy enables hiding malicious macros in Microsoft Office documents across Linux, OSX, and Windows systems, bypassing most malware detection tools including sandbox solutions.
We also found malware hiding in digital certificates, turning them into covert communication channels.
DealPly adware abuses Microsoft SmartScreen and McAfee WebAdvisor reputation services to evade security defenses. It arrives through legitimate software installers and executes with them, launching a three-stage attack and establishing a C&C link.
Finally, hackers were found using Virtual Disk Files (disk images) to hide malware inside. Disk images were downloaded and clicked on by the victim; opening them in the same way a zip file would be opened, allowed threat actors to unleash a malicious payload file. Since—antivirus solutions do not scan inside virtual disk files, they miss malicious payloads thus delivered.. Mission accomplished.
More Supply Chain and Watering Hole Attacks
These threats have become much larger and more serious for enterprises. Supply chain attacks target specific pools of users through legitimate system utilities and updates. This year, Operation ShadowHammer APT compromised ASUS Live Update software to target a specific group of users. Watering hole attacks use fake websites to lure visitors into downloading malware. In 2019, we saw fake veteran hiring, fake PayPal, fake Office365, and fake Pirate Chick VPN websites that were used to spread Nemty ransomware, trickbot trojans, AZORult trojans, and other malware.
Rising Living-Off-The-Land Attacks
Why be detected if you can use tools already installed on users’ computers? Existing, legitimate tools—PowerShell, Microsoft Teams, BITSAdmin and many more—enable attackers to use existing system resources (hence “living off the land”) to bypass security solutions without arousing suspicion. Living Off the Land (LOTL) binaries and scripts are readily available at GitHub for attackers and defenders alike. We saw many instances of the notorious Astaroth malware using LOTL techniques to steal passwords, keystrokes, and personal data in fileless attacks.
More Ransomware Than Ever
Even though ransomware has been around for a long time, people still click on the phishing emails that deliver it. Obligingly, cyberattackers diversified their efforts and distributed ransomware themselves or via Ransomware As a Service (RaaS). Just a small selection of what we found this year includes Sodinokibi, AnteFrigus, PureLocker, Megacortex, Dharma, GermanWiper, Clop, Gandcrab, Lockergoga, Ryuk, RobbinHood, DoppelPaymer…and we could go on. And on.
Continuous Threats Demand Continuous Security Risk Assessments
Of course, as we track these trends, we also get more insight into attackers and their TTPs. With nonstop attacks from more types than ever—you simply have to know how well your controls are defending your organization. And the only way to know if you’re safe is to perform continuous security risk assessments. This means you need to challenge your controls with simulated cyberattacks, evaluate what needs to be fine-tuned, and then remediate your gaps to continuously optimize your security posture.
Learn more by reading about Testing Security Effectiveness with the MITRE ATT&CK™ solution brief, or signing up for a free trial today.