Published on April 27th, 2017 | by admin
Targeted Attacks Shift from Economic Espionage to Politically Motivated Sabotage and Subversion
Annual Threat Report from Symantec Details How Simple Tactics Led to Unprecedented Outcomes
- One in 131 Emails Contained a Malicious Link or Attachment – Highest Rate in Five Years
- CIOs Have Lost Track of How Many Cloud Apps are Used Inside Their Companies – When Asked Most Will Say up to 40 When in Reality the Number Nears 1,000
Sydney, AUSTRALIA – April 27, 2017 – Cyber criminals revealed new levels of ambition in 2016 – a year marked by extraordinary attacks, including multi-million dollar virtual bank heists and overt attempts to disrupt the U.S. electoral process by state-sponsored groups, according to Symantec’s Internet Security Threat Report (ISTR), Volume 22, released today.
“New sophistication and innovation is the nature of the threat landscape, but this year Symantec has identified seismic shifts in motivation and focus,” said Kevin Haley, director, Symantec Security Response. “Zero-day vulnerabilities and sophisticated malware are now used sparingly, as nation states shift their attention from espionage to straight sabotage. Meanwhile, cybercriminals caused unprecedented levels of disruption by fosuing their exploits on relatively simple IT tools and cloud services.”
“Symantec’s Internet Threat Security Report revealed new levels of ambition for cyber criminals targeting Australia in 2016,” said Nick Savvides, Symantec Security Expert. “Australia is ranked fifth in the APJ region for cyber security threats and in the top 10 for spam attacks, which is proof that attacks within the threat landscape shows no signs of slowing down. Now more than ever, businesses and consumers alike, need to be vigilant in order to safeguard against the increasingly sophisticated attacks aimed at Australians.”
Symantec’s ISTR provides a comprehensive view of the threat landscape, including insights into global threat activity, cyber criminal trends and motivations for attackers. Key highlights include:
Subversion and Sabotage Attacks Emerge at the Forefront
Cyber criminals are executing politically devastating attacks in a move to undermine a new class of targets. Cyber attacks against the U.S. Democratic Party and the subsequent leak of stolen information reflect a trend toward criminals employing highly-publicised, overt campaigns designed to destabilise and disrupt targeted organisations and countries. The upsurge in disruptive attacks coincided with a decline in covert activity, specifically economic espionage, the theft of intellectual property and trade secrets. While cyber attacks involving sabotage have traditionally been quite rare, the perceived success of several campaigns – including the U.S. election and Shamoon – point to a growing trend to criminals attempting to influence politics and sow discord in other countries.
Nation States Chase the Big Scores
A new breed of attackers revealed major financial ambitions, which may be an exercise to help fund other covert and subversive activities. Today, the largest heists are carried out virtually, with billions of dollars stolen by cyber criminals. While some of these attacks are the work of organised criminal gangs like Odinaff, for the first time nation states appear to be involved as well. Symantec uncovered evidence of North Korea attacking banks in Bangladesh, Vietnam, Ecuador and Poland.
“This was an incredibly audacious hack, and was also the first time we observed strong indications of nation state involvement in financial cyber-crime,” said Kevin Haley, director, Symantec Security ResponseWhile their sights were set even higher, the attackers from North Korea stole at least AU$125 million.”
Attackers Weaponise Commonly Used Software; Email Becomes the Weapon of Choice
In 2016, Symantec saw cyber criminals use PowerShell, a common scripting language installed on PCs, and Microsoft Office files as weapons. While system administrators may use these common IT tools for daily management tasks, cyber criminals increasingly used this combination for their campaigns as it leaves a lighter footprint and offers the ability to hide in plain sight. Due to the widespread use of PowerShell by attackers, 95 percent of PowerShell files seen by Symantec in the wild were malicious.
The use of email as an infection point also rose, becoming a weapon of choice for cyber criminals and a dangerous threat to users. Symantec found one in 131 emails contained a malicious link or attachment – the highest rate in five years. Further, Business Email Compromise (BEC) scams, which rely on little more than carefully composed spear-phishing emails – scammed more than three billion dollars (USD) from businesses over the last three years, targeting over 400 businesses every day.
Caving in to Digital Extortion: Americans Most Likely to Pay Ransom Demands
Ransomware continued to escalate as a global problem and a lucrative business for criminals. Symantec identified 100 new malware families released into the wild, more than triple the amount seen previously, and a 36 percent increase in ransomware attacks worldwide. Australia was third highest country in APJ at risk of Ransomware, and 11th in the world.
Cracks in the Cloud: The Next Frontier for Cyber crime is Upon Us
A growing reliance on cloud services has left organisations open to attacks. Tens of thousands of MongoDB (cloud) databases were hijacked and held for ransom in 2016 after users left outdated databases open on the internet without authentication turned on.
Cloud security continues to challenge CIOs. According to Symantec data, CIOs have lost track of how many cloud apps are used inside their organisations. When asked, most assume their organisations use up to 40 cloud apps when in reality the number nears 1,000. This disparity can lead to a lack of policies and procedures for how employees access cloud services, which in turn makes cloud apps riskier. These cracks found in the cloud are taking shape. Symantec predicts that unless CIOs get a firmer grip on the cloud apps used inside their organisations, they will see a shift in how threats enter their environment.
From the Experts: Security Tips and Tricks
As attackers evolve, there are many steps businesses and consumers can take to protect themselves. As a starting point, Symantec recommends the following best practices:
- Don’t get caught flat-footed: Use advanced threat intelligence solutions to help you find indicators of compromise and respond faster to incidents.
- Prepare for the worst: Incident management ensures your security framework is optimised, measureable and repeatable, and that lessons learned improve your security posture. Consider adding a retainer with a third-party expert to help manage crises.
- Implement a multi-layered defense: Implement a multi-layered defence strategy that addresses attack vectors at the gateway, mail server and endpoint. This also should include two-factor authentication, intrusion detection or protection systems (IPS), website vulnerability malware protection, and web security gateway solutions throughout the network.
- Provide ongoing training about malicious email: Educate employees on the dangers posed by spear-phishing emails and other malicious email attacks, including where to internally report such attempts.
- Monitor your resources – Make sure to monitor your resources and networks for abnormal and suspicious behavior, and correlate it with threat intelligence from experts.
- Change the default passwords on your devices and services: Use strong and unique passwords for computers, IoT devices and Wi-Fi networks. Don’t use common or easily guessable passwords such as “123456” or “password”.
- Keep your operating system and software up to date: Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
- Be extra careful on email: Email is one of the top infection methods. Delete any suspicious-looking email you receive, especially if they contain links and/or attachments. Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content.
- Back up your files: Backing up your data is the single most effective way of combating a ransomware infection. Attackers can have leverage over their victims by encrypting their files and leaving them inaccessible. If you have backup copies, you can restore your files once the infection has been cleaned up.
About the Internet Security Threat Report
The Internet Security Threat Report provides an overview and analysis of the year in global threat activity. The report is based on data from Symantec’s Global Intelligence Network, which Symantec analysts use to identify, analyse and provide commentary on emerging trends in attacks, malicious code activity, phishing and spam.
Symantec will host a webinar on this year’s ISTR results on May 16 at 10 a.m. Pacific / 1 p.m. Eastern. For more information or to register, please go here. Please visit Symantec’s website to download the full report plus supplemental assets.