Legal Informatics, Privacy and Cyber Crime


Legal Informatics, Privacy and Cyber Crime Part 6 Etalle 2019

Content of these slides
The Trends
  2019 Internet Security Threat Report, available at Symantec.com
  We will compare with 2018 and 2017

2018 Trends (2019 IS Threat Report)
Formjacking was the breakthrough threat of 2018
Cryptojacking and ransomware declining but not out (formjacking has replaced them as the non-targeted vector)
Targeted (enterprise) and mobile ransomware rising
0-day exploits declining
Living off the land and supply chain attacks are now a staple of the new threat landscape.
Cloud is showing to be a weak point: users face challenges on multiple fronts through data leaks from cloud storage and low-level chip vulnerabilities.
Targeted attack groups show increasing interest in operational targets; a greater number of groups are adopting destructive malware.

2017 Trends (2018 IS Threat Report)
With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so.
Coin-mining attacks explode
Spike in software supply chain attacks
Ransomware business experiences market correction
Drop in zero days can’t halt the rise in targeted attacks
Mobile malware continues to surge

2016 Trends (2017 IS Threat Report)
Targeted attacks: Subversion and sabotage
  Cyber attacks against the US Democratic Party
  Ukraine 2016; Shamoon used in Saudi Arabia (several organizations)
Financial cyber attackers chase the big scores
  Usually customer-focused, some attackers are now targeting the banks
Living off the land
  Attackers ranging from cyber criminals to state-sponsored groups have begun to change their tactics, making more use of operating system features, off-the-shelf tools,
Resurgence of email as favored attack channel
  One in 131 emails were malicious, highest rate in five years.
Ransomware escalating demands
  Avg ransom demand in 2016: $1,077, up from $294 in 2015
New frontiers: IoT and cloud move into the spotlight

Let’s look at the trends

Coin-mining attacks
2018: -52%
  A correction (formjacking now “better”)
  (but still significant: Symantec blocked >3.5m cryptojacking events in December 2018 alone!)
2017: +8500%, the explosion
2016: +300%
This coin mining gold rush resulted in an 8,500 percent increase in detections of coinminers on endpoint computers in 2017.
Coinmining:
  The process of updating the Bitcoin blockchain or the ledger. Allows new bitcoins to enter the system.
  Needs computational resources.
  Reward: transaction fees and a “reward” (12.5BTC?) when a new block is mined.
  Not necessarily illegal (depends on the country). In any case: illegal to do on someone else’s computer.
  With a low barrier of entry

Ransomware
2018: lower total number of attacks (for the first time)
  Focus on enterprise (81% of all infections)
  -20% general ransomware
  +12% enterprise ransomware (more targeted)
  +33% mobile ransomware (but the main target is still Windows)
2017: market correction.
  Avg ransom $522 (-50%)
  # attacks still high, but fewer ransomware families and lower ransoms: ransomware is now a commodity.
  Focus shifted to coin mining or higher-value targets
  Focus shifts to enterprise ransoms
2016: huge year for ransomware
  Average ransom $1079 (up from $294)
  Very profitable (at the time), but the market is getting crowded
  Focus on consumers

FormJacking
“New” in 2018
A form of persistent XSS: inject code into an online store to steal e.g. credit card (CC) details.
More than 4,800 websites compromised each month
Blocked more than 3.7m times (2018)
  1/3 of them in November and December
Small and medium retailers are most compromised
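Because formjacking works by getting extra script onto a store's own pages, a defender can audit which scripts a checkout page actually loads. The following is an added example, not taken from the slides or the Symantec report: it flags scripts from origins outside an allowlist, approved third-party scripts that lack a Subresource Integrity pin, and inline scripts whose hash is not in a reviewed baseline. The shop URL, the allowlist and the sample page are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def origin_of(url):
    return "{0.scheme}://{0.netloc}".format(urlparse(url))

def inline_hash(body):
    return hashlib.sha256(body.strip().encode()).hexdigest()

class ScriptAudit(HTMLParser):
    def __init__(self, page_url, allowed_origins, known_inline):
        super().__init__()
        self.page_url, self.allowed, self.known = page_url, allowed_origins, known_inline
        self.findings, self._inline = [], None  # _inline buffers inline script text

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src") or ""
        origin = origin_of(urljoin(self.page_url, src))
        if not src:
            self._inline = []  # inline script: judged by its hash at the end tag
        elif origin not in self.allowed:
            self.findings.append(("unapproved-origin", src))
        elif origin != origin_of(self.page_url) and not dict(attrs).get("integrity"):
            self.findings.append(("missing-sri", src))  # approved host, unpinned content

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            if body.strip() and inline_hash(body) not in self.known:
                self.findings.append(("unknown-inline", inline_hash(body)))
            self._inline = None

def audit(html, page_url, allowed_origins, known_inline=frozenset()):
    parser = ScriptAudit(page_url, allowed_origins, known_inline)
    parser.feed(html)
    return parser.findings

# Constructed sample: scripts on the checkout page of a hypothetical shop.
ALLOWED = {"https://shop.example", "https://cdn.shop.example"}
SAMPLE = """<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://stats.invalid/c.js"></script>
<script>window.dataLayer = []</script>"""
```

Run against each deployed payment page on a schedule, a new finding means the page's script set has drifted from what was reviewed; the same allowlist can be enforced in the browser with a Content-Security-Policy `script-src` directive.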

Software supply chain attacks 1/2
2018: +78%
2017: +200%
2016: not even mentioned
Reason: despite the EternalBlue exploit wreaking havoc in 2017, the reality is that vulnerabilities are becoming increasingly difficult for attackers to identify and exploit. (see also living off the land)
Easier for attackers to inject malware implants into the supply chain to infiltrate unsuspecting organizations
Two types
  Target the “maintenance guys”
  Target the software update (see Petya/NotPetya)

Software supply chain attacks 2/2
Motivation for attackers:
01 Infiltration of well-protected organizations by leveraging a trusted channel
02 Fast distribution: number of infections can grow quickly as users update automatically
03 Targeting of specific regions or sectors
04 Infiltration of isolated targets, such as those in industrial environments
05 Difficult for victims to identify attacks as trusted processes are misused
06 May provide attacker with elevated privileges during installation

Tools: IoT attacks
2018: Volumes high but constant wrt 2017
  Routers (75%) and cameras (15%) the primary targets
  Mirai (IoT-based DDoS) still active
2017: 600% increase in overall IoT attacks in 2017, which means that cyber criminals could exploit the connected nature of these devices to mine en masse.
2016: The breakout of IoT attacks
  Krebs & DYN: first, unprecedented, massive IoT-based DDoS attacks

Tools: Zero Day vs Living off the Land
Use of zero day is declining steadily
  2018: only 23% of TA groups use zero-day
  2017: 0days declining, only 27% of TA groups use 0days.
  2016: 0day use slightly declining from 2015 (and 2014)
Living off the Land: increasing steadily in 2016-2018
  2018: LotL “increasingly used by TA groups”
  2017: “Living off the Land” increasing
    #1 infection vector: spear phishing (71%)
  2016: first signs of “living off the land”

About Living off the Land
From https://www.darkreading.com/analytics/stealing-data-by-living-off-the-land/d/d-id/1322063 (2015)
Hackers' latest tactic involves a malware-free attack using a company's own system credentials and admin tools to gain access.
“cyber criminals are using the target company’s own system credentials and legitimate software administration tools to move freely throughout their network, infecting and collecting valuable data. Burdette, who is part of the CTU operations team, says this has been the method to gain access to networks in nearly all of the intrusions responded to by the Incident Response Team over the past year.”
Basically: attackers now minimize the use of vulnerabilities.

Targeted Attacks
2018: new TA groups emerging, old ones refining tactics
  New trend: diversification in targets, including OT technology (old pioneers: Dragonfly, with the energy companies)
    Thrip TA group compromised a satellite communications operator
    Chafer (IR-based) group compromised a telecoms service provider in the Middle East
  New trend: indictments in the US for state-sponsored espionage (2018: 49 people, 2017: 4, 2016: 5)
2017: TA activity up 10%, new trend: disruptive activity
  90% intelligence gathering, 10% some form of disruptive activity.

Mobile malware continues to surge
2017
  The number of new mobile malware variants up 54%
  Avg: 24,000 malicious mobile applications blocked each day.
  The problem is exacerbated by the continued use of older operating systems.
Mobile users also face privacy risks from grayware, apps that aren’t completely malicious but can be troublesome. Symantec found that 63 percent of grayware apps leak the device’s phone number. With grayware increasing by 20 percent in 2017, this isn’t a problem that’s going away.

OLD MATERIAL

Predictions for 2018 (1 of 3)
Mid-tier mature cloud providers will likely see the impact of the Meltdown and Spectre vulnerabilities
  Meltdown and Spectre can affect all kinds of computers, but the most worrying possible impact is in the cloud, because an attack on a single server could lead to the compromise of multiple virtual machines running on that server
WannaCry and Petya/NotPetya may inspire a new generation of self-propagating threats
  Worms enjoyed their heyday around the turn of the century. E.g. Slammer in 2003. Until May 2017, it seemed unlikely that another threat could cause global disruption in the same way. That all changed with the arrival of WannaCry and Petya/NotPetya. Both threats were capable of self-propagation largely because they used the EternalBlue exploit. Attackers will no doubt have noticed how effective both threats were. EternalBlue’s usefulness may be exhausted at this stage but there are other techniques that can be used.

Predictions for 2018 (2 of 3)
IoT attacks will likely diversify as attackers seek new types of devices to add to botnets
  While IoT attacks weren’t in the headlines as much in 2017 as they were in 2016, they certainly haven’t gone away. In fact, attacks against IoT devices were up by 600 percent last year. Some IoT attackers have already started looking beyond routers and have begun to target other connected devices in a serious way.
Coinminer activity will likely continue to grow but will increase focus on organizations
  Although the immediate rewards may ostensibly seem lower, coin mining offers a long-term, passive revenue stream if the miners can remain undiscovered for longer. We believe that coin-mining activity will increase in the mobile space into 2018 and beyond. We saw an uptick at the end of 2017 and if this proves lucrative, it may grow.

Predictions for 2018 (3 of 3)
Attacks on critical infrastructure likely to step up in 2018
  Attackers have been exhibiting a growing interest in critical infrastructure in recent years and the scale and persistence of these attacks is now reaching worrying proportions. Our latest research on the Dragonfly group found that it has continued to target the energy sector in Europe and North America. These attacks would likely give Dragonfly the ability to sabotage or gain control of these systems should it decide to do so. However, it seems unlikely that any group would go to these lengths unless it was prepared to launch disruptive attacks. Nonetheless, there is a real risk that at some stage soon, Dragonfly’s masters may decide to play this card.