Cryptominers leverage IoT devices; Financial sector sees 20% increase in data breaches
McAfee released its McAfee Labs Threats Report: December 2018, examining activity in the cybercriminal underground and the evolution of cyber threats in Q3 2018. McAfee Labs saw an average of 480 new threats per minute and a sharp increase in malware targeting IoT devices. The ripple effect of the 2017 takedowns of Hansa and AlphaBay dark web markets continued as entrepreneurial cybercriminals took new measures to evade law enforcement.
“Cybercriminals are eager to weaponize vulnerabilities both new and old, and the number of services now available on underground markets has dramatically increased their effectiveness,” said Christiaan Beek, lead scientist at McAfee. “As long as ransoms are paid and relatively easy attacks, such as phishing campaigns, are successful, bad actors will continue to use these techniques. Following up-and-coming trends on the underground markets and hidden forums allows the cybersecurity community to defend against current attacks and stay a step ahead of those in our future.”
Each quarter, McAfee assesses the state of the cyber threat landscape based on in-depth research, investigative analysis, and threat data gathered by the McAfee Global Threat Intelligence cloud from over a billion sensors across multiple threat vectors around the world.
The third quarter of 2018 saw the Dream, Wall Street, and Olympus markets clamoring for market share, until the mysterious disappearance of Olympus. In an effort to evade law enforcement and build trust directly with customers, some entrepreneurial cybercriminals have shifted away from using larger markets to sell their goods and have begun creating their own specialized shops. This shift has sparked a new line of business for website designers offering to build hidden marketplaces for aspiring shady business owners.
“Cybercriminals are very opportunistic in nature,” said John Fokker, head of cybercriminal investigations at McAfee. “The cyberthreats we face today once began as conversations on hidden forums and grew into products and services available on underground markets. Additionally, the strong brands we see emerging offer a lot to cybercriminals: higher infection rates, and both operational and financial security.”
Q3 2018 Threats Activity
- Cryptomining and IoT: IoT devices such as cameras or video recorders have not typically been used for cryptomining because they lack the CPU power of desktop and laptop computers. However, cybercriminals have taken notice of the growing volume and lax security of many IoT devices and have begun to focus on them, harnessing thousands of devices to create a mining supercomputer. New malware targeting IoT devices grew 72%, with total IoT malware growing 203% in the last four quarters. New coin-mining malware grew nearly 55%, with total coin-mining malware growing 4,467% in the last four quarters.
- File-less malware: New JavaScript malware grew 45%, while new PowerShell malware grew 24%.
- Security incidents: McAfee Labs counted 215 publicly disclosed security incidents, a decrease of 12% from Q2. Of all publicly disclosed security incidents, 44% took place in the Americas, followed by 17% in Europe and 13% in Asia-Pacific.
- Vertical industry targets: Disclosed incidents targeting financial institutions rose 20%, as McAfee researchers observed an increase in spam campaigns leveraging uncommon file types, an effort to increase the chances of evading basic email protections. McAfee researchers also observed banking malware that includes two-factor operations in its web injects to evade two-factor authentication. These tactics are a response to the broad effort by financial institutions to increase security in recent years.
- Disclosed incidents targeting health care remained stagnant, public sector decreased 2%, and education sector decreased 14%.
- Regional Targets: McAfee researchers observed a new malware family, CamuBot, targeting Brazil in Q3. CamuBot attempts to camouflage itself as a security module required by the financial institutions it targets. Although organized cyber gangs in Brazil are very active in targeting their own population, their campaigns have been crude in the past. With CamuBot, Brazilian cybercriminals appear to have learned from their peers, adapting their malware to be more sophisticated and comparable to that on other continents.
- Disclosed incidents targeting the Americas fell 18%, Asia-Pacific fell 22%, and Europe increased 38%.
- Attack vectors: Malware led disclosed attack vectors, followed by account hijacking, leaks, unauthorized access, and vulnerabilities.
- Ransomware: GandCrab, one of the most active families of the quarter, increased its required ransom payment to US$2,400 from $1,000. Exploit kits, the delivery vehicles for many cyberattacks, added support for additional vulnerabilities and ransomware. New ransomware samples grew 10%, and total ransomware samples grew 45% over the last four quarters.
- Mobile malware: New mobile malware decreased by 24%. Despite the downward trend, some unusual mobile threats appeared, including a fake Fortnite “cheat” app and a fake dating app. Targeting members of the Israel Defense Forces, the latter app allowed access to device location, contact list, and camera and had the ability to listen to phone calls.
- Malware overall: New malware samples increased by 53%. The total number of malware samples grew 34% in the past four quarters.
- Mac malware: New Mac OS malware samples increased by 9%. Total Mac OS malware grew 51% over the last four quarters.
- Macro malware: New macro malware increased by 32%, with total macro malware growing 24% over the last four quarters.
- Spam campaigns: 53% of spam botnet traffic in Q3 was driven by Gamut, the top spam-producing botnet spewing “sextortion” scams, which demand payment and threaten to reveal victim browsing habits.
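The vertical-industry item above notes spam campaigns that use uncommon attachment file types to slip past basic email filtering. The following Python check is an added example, not code or data from the McAfee report or this article: it treats any attachment whose outer extension falls outside an explicit allowlist as suspicious, and separately flags script/executable types and double extensions (a benign-looking inner extension with a different outer one). The allowlist, the executable-type list and the sample messages are constructed assumptions for illustration.

```python
"""Flag e-mail attachments with uncommon or disguised file types.

Added example (not McAfee's code or data). A gateway-side allowlist check is
one of the "basic email protections" that uncommon attachment types are meant
to evade; an explicit allowlist means an unexpected type is flagged by default
rather than passed because no rule names it. The lists and sample messages are
constructed assumptions.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List, Optional

# Assumed allowlist of attachment types this organization expects to receive.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".png", ".jpg", ".txt", ".csv"}

# Assumed list of extensions that indicate executable or script content.
EXECUTABLE_EXTENSIONS = {".exe", ".js", ".vbs", ".ps1", ".scr", ".hta",
                         ".jar", ".bat", ".cmd"}


@dataclass
class Message:
    message_id: str
    sender: str
    attachments: List[str]


@dataclass
class Finding:
    message_id: str
    filename: str
    reason: str


def classify_attachment(filename: str) -> Optional[str]:
    """Return a reason string if the attachment looks suspicious, else None."""
    # suffixes of "invoice.pdf.js" -> [".pdf", ".js"]; the last one decides
    # how most mail clients and operating systems will treat the file.
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return "no extension"
    outer = suffixes[-1]
    if outer in EXECUTABLE_EXTENSIONS:
        return f"executable/script type {outer}"
    if len(suffixes) > 1 and any(s in ALLOWED_EXTENSIONS for s in suffixes[:-1]):
        # e.g. "report.pdf.zip": an allowed-looking inner extension hidden
        # behind a different outer one.
        return f"double extension {''.join(suffixes)}"
    if outer not in ALLOWED_EXTENSIONS:
        # Anything not explicitly expected is treated as uncommon.
        return f"uncommon type {outer}"
    return None


def scan_messages(messages: List[Message]) -> List[Finding]:
    """Run the attachment check over a batch of messages and collect findings."""
    findings: List[Finding] = []
    for msg in messages:
        for name in msg.attachments:
            reason = classify_attachment(name)
            if reason:
                findings.append(Finding(msg.message_id, name, reason))
    return findings


# Constructed sample traffic (not from the report).
SAMPLE_MESSAGES = [
    Message("m1", "hr@example.com", ["handbook.pdf", "team.png"]),
    Message("m2", "billing@example.net", ["invoice.pdf.js"]),
    Message("m3", "ops@example.org", ["backup.iso"]),
    Message("m4", "vendor@example.com", ["statement.xlsx", "notes"]),
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f.message_id}: {f.filename} -> {f.reason}")
```

Version-style dots in a name such as `v1.2.pdf` are tolerated because only an allowlisted inner extension triggers the double-extension rule; a deployment would pair this with content-type sniffing, since the extension alone is attacker-controlled.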