Security Reports

2017 certainly pulled no punches in the world of cybercrime. We saw attackers continue to embrace many of their favorite tried and true tactics throughout the year. We also saw a noteworthy number of attacks leveraging previously unexploited vulnerabilities as well as taking advantage of known vulnerabilities on unpatched systems. We saw Conversation Hijacking Attacks gaining in popularity as attackers leveraged data stolen in phishing attacks. We also saw the resurgence of an old attack but with a new twist.

At a time when most people thought data breaches couldn’t possibly get any worst, we once again were dealt a harsh dose of reality with news of various costly breaches, and none more impactful than that of credit bureau Equifax with as many as 143 million people effected.

This 12-month report will discuss these issues and many of the others we witnessed in 2017. In addition, we will share metrics as seen by AppRiver's SecureTide™ and SecureSurf™ filters from our nodes throughout the world. We'll point out recent trends in spam and malware from an email and web perspective and share insight about what we can expect for the rest of the year.

Conversation Hijacking Attack (CHA)

Throughout 2017 we observed a major increase in phishing efforts, reaching peak levels over the summer. Much of this effort was expertly tailored to gather users’ login credentials to their preferred email provider. Ultimately attempting to compromise Office365, Gmail, Yahoo, AOL et al. The phishing attacks always were done very gracefully, redirecting in the right places etc, to minimize suspicion on the end user’s part. While we watched these attacks ramp up with such a remarkable pace we theorized on what would come next. Around September/October we got our answer. This is when we began seeing an unparalleled spike in malware attacks being launched from the compromised email accounts of users across all services.

Phase 1:

The first phase of this attack began with an increase in email traffic containing a malicious PDF. This trend continued an upward trend throughout 2017, by years end we were seeing an increase of roughly 1,000 percent over last year. The clear majority of the attached PDFs was part of the same campaign. They utilized varying themes to entice the end user into opening the attachment and clicking on the embedded URL.

This is a typical example of this attack. This message purported to contain an important document being shared via DocuSign.

As you can see, the PDF displays convincing looking DocuSign graphics and contains a link to a phishing site where the targeted user can select their email provider of choice.

The victim is then taken to a customized login page designed to match the specific provider.

 

Phase 2:

Now that the attackers have gathered the user’s login credentials they have compromised not only their email but any resource the user has access to with those credentials. However, the email appears to be their main focus. The attacker then hijacks ongoing email conversations by sending a malware attachment in a REPLY to a prior ongoing email conversation. To the end user, the message comes quite naturally as they were just having a back-and-forth exchange with the individual. The attacker usually replies with something vague like “Can you review this document,” the document usually being a macro embedded malicious word document. Though most users know they should be highly skeptical of an attachment in an unsolicited email, this scenario looks to disarm the “user awareness” aspect of security. Therefore, increasing the likelihood the end user will open the attachment and become infected by several orders of magnitude. What’s more, these attacks can be launched against internal contacts which could have equally devastating results. In today’s age of targeted attacks, one thing is certain — these multi-phased attacks are here to stay and will present even more of a threat going forward.

---

The Return of the DSD

The use of the Distributed Spam Distraction or DSD is something that we reported on many years ago. However, it has made a marked return and is using updated tactics. Ultimately, this is an attack designed to disguise a cybercriminal’s purchase or wire fraud activity in real time.

How the attack works

You’re simply going about your day, when suddenly your inbox begins to fill with hundreds upon thousands of emails whose contents are nothing but mash-ups of words and phrases from literature. There are no links to follow, no hidden JavaScript, no pictures or advertisements, just words. Every email is different as well, nearly perfectly randomized, though if you comb through them carefully, you will begin to see some repeated content. The emails themselves are obviously botnet delivered because all the senders are different, usually freemail providers, the sending IPs are all different, and the rate at which their arriving would make one’s head spin.

After a blast that lasts anywhere from 12 to 24 hours, an inbox could receive tens of thousands of these seemingly benign annoyances, and then suddenly they stop. After the binary dust settles you’ll wonder what the point was. While it certainly makes it nearly impossible to use your email, it had one specific goal in mind – distracting you from your actual valid email.

The people behind this spam blast have somehow obtained personal account information for their target as well as their proper email address. In an effort to hide account transaction information confirmation emails, such as purchase receipts or balance transfers, which arrive instantly via email, the attackers turn on this deluge of spam email just before they make the illegal transactions in order for these important emails to get lost in the flood. Once the bad guys are done with their activities they’ll stop the flood.

The New DSD

This is a scenario we saw play out from time to time over the years but in 2017 this approach has been revived but with a new twist and greater frequency. It appears attackers are using automation to gather lists of under-secured Web signup forms. So instead of sending random text emails from free mail accounts or botnet nodes, they hit “go” and begin signing the target up for thousands of otherwise legitimate online accounts and newsletters so that they are flooded with thousands of legitimate “Welcome” emails. This of course serves their purpose of distracting the individual from the fraudulent activity that is taking place simultaneously.

What’s more – it does not take a sophisticated hacker to perpetrate this attack. Full profiles with names, physical and email addresses, birthdates and credit card numbers readily are available on the dark web 24-seven. Once those are acquired they just need the means to send the distracting emails. Luckily, those are available as a service on the dark web. We found this service (pictured below) which was available for $20 for 5K messages, $30 for 10K messages, $40 for 20K messages. This is yet another example how malware as a service significantly has lowered the barriers of entry into cybercrime, while boosting the capabilities of would be attackers.

---

Malware & Ransomware

Adwind RAT

Malware as a service is exploding in popularity, this allows it to be distributed openly as a service by the creators. “Customers” pay a fee for the usage of the Trojan just as businesses would for cloud provided services. This essentially allows anyone to purchase the malware for a small fee, regardless of computer skill.

One example of these services is the Adwind Remote Access Trojan or (RAT). The Adwind RAT has been quite busy in 2017.

IT staff’s ability to remotely resolve a user issue is a legitimate example of remote access tools. However, malware authors also utilize them for nefarious purposes, we term these Remote Access Trojans. They allow the operator to steal credentials, record keystrokes, take screenshots, access webcams and microphones, modify files, execute code and drop malicious programs on a machine. Many Trojans, such as Adwind RAT (also known as Jrat, SockRat, AlienSpy and Frutas), are environmentally aware. The examples we’ve researched display the ability to detect that it’s running in a virtual machine. Furthermore, it may upload computer name, machine information and cryptographic machine GUID to command & control servers. This allows the controller to tailor the malicious programs it downloads specific to the machine type. The Adwind is particularly threatening in that it can infect cross-platform. Adwind is a Java-based Trojan that is capable of infecting, not only Windows OS but also Linux, Mac and Android. Once the infection has taken place, it can harvest and exfiltrate many forms of data from the victim.

We saw a surge in Adwind activity in July and again in November. Which came in the form of fake payment confirmation emails.

The packet capture of this example shows it reaching out to two different hosts while being analyzed: 37[.]72[.]175[.]150 on port 800 &  2[.]21[.]75[.]64 on port 80.

Another noteworthy Adwind attack came in the form of fake FedEx emails which were well timed with the ramp up shipping activity surrounding the holiday shopping season.

Humorous Mr. Robot References

Malware authors and distributors definitely have a sense of humor. Some examples that we captured mid-year that gave us a laugh included references to the Mr. Robot television series in their java .class naming.  Below are raw hex snippets from two different examples, at least this malicious author isn’t Darlene!

 

 

Ransomware

Ever since Cryptolocker was unleashed on a global scale in late 2013 resulting in the extortion of millions of dollars paid to the perpetrators, cybercriminals have been coming out of the woodwork to get in on the action. Many of the nefarious groups and actors in this space have created a business model very similar to what legitimate businesses use. They will provide the coding, infrastructure, payment systems, and user-friendly management interface to a “customer” for victims whom the “customer” targets. As an example, on the dark web, we’ve seen a single user infection go for $10 or unlimited infections $50 per month. Other pricing structures take a cut of the ransomware proceeds once a victim is infected and pays the ransom. The customer of malware as a service doesn’t need to have strong technical skills in order to utilize these malware as a service or ransomware-type platforms. We expect many small and inexperienced attackers will increasingly leverage these platforms going forward.

Many new variants have arrived over the past year. The Locky Ransomware was the most prolific from an email threat perspective in 2017, however we saw new versions of many popular variants hitting our filters with regularity such as Cerber, Jaff, Nemucod, Spora and, of course, WannaCry and Petya/NotPetya.

Locky

The ransomware heavy-hitter distributed via email and caught by our filters this year was by far Locky. It continues to evolve via different variants and encrypted file extensions over time as it the work of a highly skilled group. Some of the variants this year included Diablo7, Lukitus, ykcoL, and Asasin file extensions. Our SecureTide filter caught nearly 1 billion messages alone that ultimately would have led to a Locky infection this year. Some of the campaigns we saw containing Locky were arriving at the rate of 4 million messages per hour. The vast majority of traffic leading to a Locky infection was distributed by the Necurs botnet. It typically sends some type of small archive file (zip, 7z, etc.) with a .vbs or .js inside although they did occasionally change techniques and tactics and even experimented with much larger malicious DDE documents.

 

WannaCry

Another devastating attack this year was the WannaCry infection beginning May 12. It utilized the EternalBlue (Server Message Block) exploit to propagate and DoublePulsar to install a backdoor and execute. EternalBlue and DoublePuslar were developed by the National Security Agency and leaked files by The Shadow Brokers hacker group on April 14. Microsoft had released a SMB patch in March before the attack, although many unpatched systems remained vulnerable. The WannaCry attack infected hundreds of thousands of computers worldwide demanding a $300 bitcoin ransom. Luckily a “kill-switch” domain was built-in to the ransomware that a security researcher accidentally discovered. The infection would attempt to reach out to a domain but once it was registered and active that effectively acted as a kill-switch stopping the infection chain for any newly infected machine that could reach out to the domain. Within a few days the infection spread was greatly minimized because of this discovery. The kill-switch functionality isn’t typical of a normal ransomware author and many researchers concluded it was a state-sponsored attack that went wrong.

Petya/NotPetya/GoldenEye

On June 27, a new infection emerged which leveraged the same EternalBlue exploit. Initially, a Ukrainian accounting software (MeDoc) update server was hijacked by malicious actors. It pushed down the malicious infection as part of an update for the legitimate accounting software to companies in Ukraine where this software is widely used.

In addition to the EternalBlue SMB vulnerability, it also contained additional lateral movement features to help it propagate by obtaining user names and passwords and spreading across network shares. Although an infected user received a ransomware message, this was an attempt to masquerade, as the infection was never designed where files could be recovered by paying the ransom. It was ultimately intended as file-wiping software with the capabilities of installing other malicious software. In addition, only one email and payment address was tied to the fake ransom demand, and it was quickly shuttered by the email host. Ransomware typically creates a cryptocurrency payment address tied to the unique user, not one for everyone. Anyone who attempted to pay the ransom before the email address was shut down would never have their files unlocked or recovered by the malicious actors.

Jaff Ransomware

The malware campaigns are using PDF files with an embedded Word Document, which contains a malicious VBA Macro.

Example Jaff ransomware messages:

 

Opening the Word Document inside the PDF and enabling editing, allows the macro script to run on the host machine. The malware then reaches out to any one of multiple call home domains to fetch the ransomware binary.

After a successful connection to the call home domain, in this case enboite[dot]be, the binary is downloaded and the malware goes to work encrypting files on the host machine. You can see in the example below where the ransomware got its name as it appends the extension [dot]jaff to the victim’s files as they are encrypted.

 

The processes and techniques that Jaff uses during the infection process have many similarities to the Locky ransomware, which leads us to believe this is the new strain from the same individual or group responsible for Locky. The Jaff ransomware is currently demanding roughly $1,800 payment via Bitcoin.

Necurs Awakens

While the WannaCry ransomware was causing major panic across the internet, another threat was re-emerging. After a relatively quiet several months, and in the wee hours of the morning May11, the Necurs botnet once again started blasting out malicious emails in massive volumes. Throughout most of 2016 we were seeing this botnet distributing the Locky ransomware and the Dridex Banking Trojan, until a large fall-off in volume around December 24, 2016.

On the morning of May 11, 2017, that all changed, the monster had awakened and had picked up right where it left off, sending email en-masse containing a new ransomware strain dubbed “Jaff” as well as copies of the Dridex banking Trojan.

 

 

Hancitor/Chanitor

The Hancitor malware loader group continues to be very aggressive in their malspam campaigns by continuously evolving themes and tactics. We blogged earlier this year regarding the trends we’ve observed. They have spoofed many large known companies such as UPS, FedEx, USPS, RingCentral, eFax, Delta, Office365, and Google Docs. However, some attacks use more generic themes such as voicemails and billing emails with the latest campaigns using a generic email about invoices the recipient’s company has yet to pay. The goal of this group is to infect the end user with malware designed to commit data theft.

The majority of the time they send different themes at the same time or switch themes during the day. The common denominator in these messages is an exploited site link in the body leading to a malicious document file download. Sometimes the exploited site link is surrounded by legitimate links to help add what appears to be authenticity to the message. Once an unsuspecting user clicks on the malicious link it typically downloads a Word document containing malicious macros that infect the machine with the Hancitor loader. However, the group has also experimented with documents containing malicious DDE formulas and CVE-2017-0199 exploits as well. The Hancitor loader has pulled down different payloads over the past year. These payloads have included: Pony, EvilPony, DELoader/ZLoader, ZeusPandaBanker, IcedID, Locky, and Vortex.  They have ultimately led to a financial theft type of activity against the infected user.

Here's an example of a Hancitor message we quarantined recently:

 

Breaches

Every year there is a substantial list of data breaches that occur at various companies throughout the world. Many of the breaches go unreported by the company breached as they stand to lose business or possibly be held liable if made public. Data breaches reportedly reaching record highs in 2016 with losses totaling $16 billion, according to estimates released by Javelin Strategy and Research. Below we’ve highlighted some of the largest publicly-disclosed breaches occurring this year.

Equifax

We’ll begin with the elephant in the room highlighted as one of the worst breaches ever. The Equifax breach was attributed to a hole in the Apache Struts web-application software. A patch for the hole was released two months before the Equifax attack. This patch, unfortunately, was never applied to credit monitoring site, and malicious actors took advantage from mid-May until discovery of the breach in late July. While not the largest number of people affected at approximately 145 million, the sensitivity of the data stolen is on the highest order to consumers. Data obtained in the breach included names, addresses, dates of birth, credit card numbers, social security numbers, driver’s license numbers and other personal information. Subsequent handling of the breach was poor as consumer notification was slow and the site Equifax set up in response to the breach contained cross-site scripting vulnerabilities. When the dust had finally settled, an estimated 145 million people’s data was exposed.

InterContinental Hotels Group

InterContinental Hotels Group owns some popular hotel chains such as Holiday Inn, Candlewood Suites, Crowne Plaza, and others. Malware was discovered on their payment processing servers for their on-site restaurants and bars. Fortunately it did not affect the front desk payment systems. It was active August to December of 2016.  The malware gleaned information such as credit/debit cardholder names, numbers, expiration, and security verification codes typically found on the back of cards. Initial disclosure in February was limited to 12 company-owned hotels but in April was expanded to approximately 12,000 total hotels with the rest being franchised properties.

Chipotle

The popular, fast-food Mexican chain suffered a breach of more than 2,200 Chipotle restaurants in 47 states from late march to mid-April of this year. An undisclosed number of customer were affected. Malware was found obtaining the magnetic strip information from swiped cards. Before the breach occurred they had reported to the Security and Exchange Commission their payment systems were a risk.

Kmart

Retail chain Kmart’s in-store payment systems were infected with malware and credit card information was compromised. However, online shoppers were not impacted. The company did not disclose the number of stores affected or the timespan of the breach.

Sonic

Early September approximately 5 million credit and debit card numbers were discovered for sale on the dark web. A substantial amount of them were linked to Sonic drive-ins although some may have been sourced from other breached companies. Sonic’s card processor notified them of unusual customer activity on their customers cards and began working with investigator on the scope of the incident.

Yahoo

This year, Yahoo released that every customer was affected from a 2013 hack that appears to be state sponsored. The new information points to approximately 3 billion customer accounts versus the previous 1 billion number that was released.

Uber

In late November Uber released information regarding a data breach that occurred in late 2016. The breach affected 57 million users and drivers. Upon initial discovery Uber payed the hackers $100,000 to keep the breach a secret and delete the data instead of immediately notifying users, law enforcement, and regulatory agencies. The hackers found Amazon Web Service credentials inside files engineers had upload to Github and obtained archives from the AWS server. Inside the archive were names, phone numbers, and email addresses of customers in addition to 600,000 drivers licenses for Uber drivers.

Imgur

Imgur recently notified 1.7 million users that emails and passwords had been stolen back in 2014.  An investigation is underway but Imgur’s blog indicates their database SHA-256 algorithm may have been cracked via brute force attempts. Last year they had upgraded to the bcrypt algorithm, which substantially helps prevent brute force attacks vs a SHA* hash.

TIO Networks

TIO Networks, a recently acquired payment processor of Paypal, suspended operations on November 10 due to a compromise of personally identifiable information for around 1.6 million customers.  An investigation is still underway, and the company, who operate of network of utility and bill payments kiosks across North America, stated on their website they are reaching out to companies they service to notify customers and provide credit monitoring services via Experian.

Breach notification legislation

On December 1, three senators proposed legislation that would require more strict requirements for breach notifications. The proposal attempts to outline requirements an organization must follow once a data breach exposure has been discovered. This includes that the breach be reported publicly within 30 days of discovery and carries some harsh penalties for individuals attempting to conceal a data breach event. The bill also calls for the FTC to establish best practice security protocols that should be followed to better protect consumer data, along with incentives to businesses who utilize encryption technology that would help stolen data from being read. This legislation does echo some of the details in the EU’s General Data Protection Regulation(GDPR), which is slated for implementation in 2018. While laws regarding breach disclosure already exist in 48 states, this bill looks to standardize and expand upon those. The avalanche of breaches that took place in 2017 has certainly caused the topic to garner some much needed attention but the end results of this effort remain to be seen.

---

The Rise of DDE Attacks

The Dynamic Data Exchange (DDE) protocol garnered a lot of attention in the last quarter of 2017. Sensepost researchers authored an article detailing how the protocol may be exploited back in 2016. However, the attack didn’t generate mainstream traction until October of this year when highly targeted emails spoofing the Security and Exchange Commission’s EDGAR system began to circulate. These emails were later attributed to the FIN7 APT (advanced persistent threat) group by FireEye. The attackers leveraged the built-in Office feature that allowed specially-crafted DDE formulas to be created. While originally intended for legitimate purposes, this also allowed malicious command execution and the loading of files hosted on remote servers. 

Exactly one week after the targeted attacks attributed to FIN7 circulated, the DDE attack vector gained further traction when the largest botnet (Necurs) began to distribute malicious DDE documents.  During October our filters captured just shy of approximately 50 million malicious DDE-laced documents on various days before the Necurs attack subsided at the end of October. They used this method to distribute the “Asasin” variant of Locky ransomware. Since these attacks, other actors have used this attack in smaller quantities but we fully expect to continue to see this method utilized as users are less knowledgeable about these attacks vs more common Office attack vectors, such as malicious macros.

Asasin Ransomware Utilizing DDE

The message theme was straightforward and simple, claiming to be an invoice and spoofed to appear to come from the same domain of the recipient. They all carried a .doc attachment that uses the DDE “feature” to call PowerShell. It then reached out to an infected web page to pull down more malicious code.

You can see below how the attackers are using DDE to call PowerShell and to envoke System.Net.WebClient. This is then downloading the malicious payload from the infected web page alexandradickman[dot]com.

Here’s a look at the XML the attacker is using to deliver this payload:

 

 After opening the attachment, the user will see the two following prompts:

 

Once the user has clicked through the prompts, the attack chain is complete. The ransomware then goes to work doing its normal routine of encrypting files and demanding ransom from the user.

The Common Vulnerabilities and Exposures

The Common Vulnerabilities and Exposures (CVE) system is a list of known and verified security issues that has been shared and publicly-known. The United States government-funded Mitre Corporation maintains the list to help the security community maintain awareness of potential attack vectors.  The malicious actors also keep tabs of this list and commonly base attacks from the known vulnerabilities detailed. This is nothing new, however, the “favored” attacks from this list by the malicious actors change yearly. 

While attackers attempt many different CVE vulnerabilities, the one from this list that has been exploited the most and caught by our filters this year was CVE-2017-0199. This is a vulnerability that allows attackers to exploit the Object Linking and Embedding (OLE) feature of Microsoft Office and WordPad.  Most of the attempts to exploit this weakness we have seen utilize rich text file Word documents although Excel and PowerPoint versions also have been observed. 

Another CVE that has been trending lately is CVE-2017-8759.  Like 2017-0199, this vulnerability is due to input validation in the Windows .NET framework, specifically the WSDL parser module. While not exploited with the volume of CVE-2017-0199, from our experience this one appears to be used for more targeted spearphishing attacks. Although Microsoft has patched these vulnerabilities, many users have not updated their Windows and attackers continue to take advantage as we see them attempt to exploit CVE’s from as far back as 2006 in our filters.

---

Cryptocurrencies

The cryptocurrency (Bitcoin, Ethereum, etc.) values have increased tremendously over the past couple years but this year they sky-rocketed. As the currencies have exploded in popularity, so have the malicious actors who want to own them. Most ransomware demands we have seen demand Bitcoin as they want to make it as easy as possible for victims to pay. However, other cryptocurrencies such as Monero offer more privacy than the Bitcoin blockchain. Monero also is becoming the most preferable for many transactions taking place on the dark web. As an example, the WannaCry attackers converted their Bitcoin ransoms over to Monero. Some malware we capture now attempts to steal traditional financial information and cryptocurrency information from the victim.

Cryptocurrency Miners

In order for the decentralized cryptocurrencies to function properly, there has to be machines that conduct “mining” operations. Mining uses the processing power of machines to perform the cryptographic number crunching necessary for validating transactions and creating new currency.  The miners earn currency rewards for performing these operations but some cryptocurrencies are more profitable to mine than others.  Many miners will combine forces to “pool” together processing resources and split the payouts received.  The bad guys essentially use your processing power and electricity to generate cryptocurrency they profit from.

Early this year, we authored a blog describing how our SecureSurf web-filtering product blocked a client’s machine from reaching out to a website. Our client wanted more information on what was occurring after we blocked 629 suspicious attempts by the machine to a specific website. After investigating, it turned out the machine was infected with malware that was specifically designed to mine the Monero cryptocurrency surreptitiously. It was attempting to turn its results for currency into one of the seedier Monero pools. Our web filter blocked this communication and the bad guys weren’t able to profit off our customers machine.  Upon discovering this, our client was able to clean the infection. 

Not only have nefarious actors used malware for secret mining, now some websites have started to utilize scripts to do this in visitors’ browsers.  Most recently, some have been found using small pop-up/under windows that hide under other things such as the clock located in your taskbar.  This way the mining continues even after closing the web browser as the pop-under window persists.

 

The Internet if Things (IoT)

The explosive growth in IoT certainly could lead to a new reality, one even more rife with cyberattacks and breaches and ones that have meaningful impact on the physical world around us.

There are a staggering number of IoT devices being brought to market. The categories of devices in this space are very diverse but some common examples include smart TVs, home routers, voice-activated assistants (Google Home, Amazon’s Alexa, etc.), door locks, light bulbs, security cameras, thermostats, Bluetooth trackers, smart appliances, Wi-Fi plugs, sprinkler controllers, the list goes on. IoT devices are coming in droves from various (mostly overseas) manufacturers. With most of these IoT devices, security is little more than an afterthought.

The security issue with these devices comes from a lack of good security practices from the beginning of the devices creation. With issues such as unpatched vulnerabilities and hardcoded default passwords on devices, it makes it much simpler for an attacker to gain access and use the devices for nefarious reasons. With most smart devices running some form of Linux, they are essentially small computers. Most of these are built around convenience. The unfortunate reality is that security is often little more than an after-thought until it becomes a serious privacy and usability issue for the device itself.

IoT Botnets

A botnet is a network of compromised devices under control by an entity and most typically used for malicious purposes. Security vulnerabilities may not only be attributed to manufacturer’s security design for an IoT device. Users not changing default passwords and updating patches for these (just like a computer) may also make them susceptible to attacks. What makes things worse is many devices are manufactured with firmware not designed to be updateable so they can’t be patched. 

Many attackers have taken notice and the Mirai botnet was formed. This botnet was seen in the later part for 2016 being involved with DDOS attacks in excess of 600 gigabits per second. Attacks like these against websites or service providers can disrupt services completely for extended period of time. This attack was used against the DNS provider Dyn, which in turn effected services of large content providers like Twitter, Netflix, and Reddit during the attack.

In the latter half of 2017 reports began to surface of a new massive and growing IoT botnet. The new botnet named Reaper was found, with some reports estimating its size at more than 2 million devices. To the best of our knowledge we have yet to see this cyberweapon leveraged against the Internet in a way similar to Mirai but these things tend to come without warning so be prepared for more of this activity going forward.

---

Bluetooth Vulnerabilities

On September 12, IoT security researchers at Armis released information they had discovered eight different Bluetooth vulnerabilities that was termed “BlueBorne.” These vulnerabilities theoretically could impact more than 8 billion devices, nearly anything with Bluetooth capabilities including Android, iOS, Windows, Linux, and other IoT devices. 

Typically, Bluetooth is trusted traffic and inherits elevated privileges on a device. This allows successful attackers nearly complete control of the compromised device without taking the extra steps to elevate privileges. The device does not have to be paired with an attacker’s device or changed to a “discoverable mode.” 

Being a wireless attack, it also enables hackers a channel to compromise air-gapped networks. These typically are more secure networks that are disconnected from the Internet and other networks. In addition, traditional security solutions such as A/V protection, firewalls, and mobile device managers don’t have the capability to detect and prevent this type of attack.

Many manufacturers have released patches for the BlueBorne attacks including Amazon, Google, iOS, and Android. That said, less than half of Android devices are patchable – Nougat and Marshmallow. More than 1 billion Android devices that run Gingerbread, ice Cream Sandwich, Jelly Bean, KitKat & Lollipop operating systems are vulnerable. Depending on the attack vector and vulnerability chosen, hackers could either take over the whole device or conduct a man in the middle attack.  The combination of attacks available allows them to virtually conduct any malicious activity they wish to a vulnerable device. Current consumer recommendations include ensuring the most recent updates available for every device that contains Bluetooth are applied and turn Bluetooth off when not being used to minimize attack exposure.

---

By The Numbers

Malware Traffic

In 2017, our SecureTide email solution quarantined about 1.46 billion emails containing malware. Malware was off to a slow start in 2017 but halfway through the year attacks ramped up sharply and persisted throughout.

This year’s malicious traffic was similar in that malicious Word files with embedded macros were the most prevalent attack vector.

We also saw attackers embracing some new approaches, such as the DDE feature within Word, to deliver infections. We also saw an uptick in malicious PDF and WSF files. Below is a breakdown of some of the most popular malicious file attachment types.

Spam Traffic

In total we quarantined 14.5 billion spam messages in 2017 with traffic reaching its peak in October.

Top Ten

Of the billions of spam messages quarantined in 2017, the majority originated in one of these 10 countries.

2018 Predictions

Large Data Breaches effects will be felt

With the volume of personal data the has fallen into the wrong hands over the past year, when will the rooster come home to roost? The data from the Equifax breach has the potential to result in identity theft on the level that has never been seen before. Widespread credit fraud could cause a good deal of hysteria for consumers and lenders. This activity could include a laundry list of fraudulent activities done in someone else’s name – such as opening credit cards, applying for mortgages, filing fake tax returns, receiving medical treatment and collecting Social Security benefits.

Attacks from Trusted Sources

Between the resurgence in phishing attacks and the volumes of stolen personal data available online, we expect to see more malicious attacks leveraged from hacked accounts and profiles. A perfect example of this is the CHA attacks. We expect to see crybercriminals expound upon this effort in 2018.

Federal Legislation

We witness large data breaches every year but the severity of the Equifax breach and Uber hack cover-up will increase regulation. More security breach notifications laws will be passed regarding incident handling and how it will be required to be reported to regulators, law enforcement, financial institutions, and consumers.

Unpatched vulnerabilities will be exploited

The Eternal Blue exploit is a great example of unpatched vulnerabilities. This exploit had been released publicly and a patch had been released months before the WannaCry attacks that lead to so much hysteria across the globe. Despite the fair warning, WannaCry was able to cause havoc once released into the wild. It’s not that most organizations just don’t care about applying patches but there may be other reasons for this as well. In some cases, the sheer volume of patches may be difficult to manage for some IT departments. Patches also can disrupt a network and therefore disrupt operations and productivity.

The worst is yet to come for IOT botnets

The Internet of Things (IoT) continues to grow, and internet-connected devices are quickly becoming standard for mainstream consumers. There have been very few reports so far indicating reliance upon these devices have caused physical harm to the consumer. Unfortunately, we expect as they become more widely adopted intended and unintended physical consequences will occur to consumers. One thing is certain, IoT botnets will continue to evolve, expand and increase in sophistication.

State Sponsored Attacks will increase

The distinction between criminal hackers and state-sponsored attacks will be harder to distinguish. A few notable examples are detailed below.

• This year’s WannaCry attack was reported to be the work of a North Korean project gone awry.
• South Korean cryptocurrency exchanges have been targeted by North Korea.
• Alleged Russian backed APT28 attacks for espionage purposes.

Ransomware will continue to expand and proliferate

Ransomware as a Service will continue to grow enabling people with no hacking skill to attack others using this framework. Malware providers typically take a cut of paid ransoms and provide all the infrastructure. Cerber is a large example for this occurring this year. Botnets such as Necurs will continue to distribute ransomware on a global scale.

Cryptocurrency Theft and Mining

Malware that not only looks for traditional financial information but also cryptocurrencies such as Bitcoin has been around for years. However, we have noticed an increase in the volume of malicious files that also have this capability. As more cryptocurrencies are embraced and the value continues to rise, we expect malware authors will build on capabilities to steal cryptocurrency payment information and wallets.

Some web sites have begun to use scripts which utilize the processing power of visitors machines to mine for cryptocurrencies. We fully expect the nefarious sites will continue to use sneaky techniques such as hidden windows that persist even when a user closes the browser window and other similar methods.