One of the most frustrating aspects of cybersecurity is the cat-and-mouse game played by cybercriminals and organizations: By the time an organization mounts an effective defense against one threat vector, cybercriminals have already begun to exploit another newly discovered vulnerability. Such is the case with both ransomware and, now, cryptomining malware.
According to the X-Force Threat Intelligence Index 2019 report from IBM, attempts to install ransomware on the systems that IBM actively monitors declined to less than half (45 percent) of the attempts made in the first quarter. At the same time, cryptojacking attacks more than quadrupled in the same time frame, to 450 percent. But as the value of digital currencies such as Bitcoin collapsed, the rate at which cryptomining attacks are growing has already started to slacken, said Michelle Alvarez, a threat research manager for IBM X-Force security team.
Both attack vectors are still being widely employed, but cybercriminals are in many cases turning their focus to more subtle exploits that have been shown to be tried and true, said Alvarez. For example, according to the the IBM research report, there has been less reliance on malicious files in favor of employing PowerShell or WMI command-line utility to inject malware directly into memory to enhance obfuscation and evade antivirus detection software.
The IBM report, however, does dispel several popular cybersecurity perceptions:
- While publicly disclosed misconfiguration incidents increased 20 percent year over year, it turns out misconfigurations in 2018 were not responsible for as many compromised records as they were in 2017. There was a 52 percent decrease in records compromised because of this threat vector.
- With few exceptions, all major malware spam campaigns in 2018 came from a single botnet. The Necurs botnet that has compromised millions of devices to distribute everything from spam to targeted malware has now risen above all other botnets in terms of volume of attacks being generated.
- In 2018, the media sector topped the charts, with 40 percent of publicly disclosed incidents. Half of these incidents involved misconfigured cloud servers and other improperly configured systems that leaked data or allowed a remote attacker to exploit the asset.
- The United States—not some smaller country without an effective legal system—tops the chart as the No. 1 host of malware command-and-control (C&C) servers in 2018, with 36 percent of the total number of C&C servers.
- Nearly 40 percent of all spam in 2018 originated from China, making it the primary source from which malware is generated. But the lion’s share of this statistic can be attributed to two major spam campaigns launched from Chinese-based hosts in 2018. In February and March, X-Force observed a large campaign that harvested email addresses, followed in July to September by a high-volume phishing campaign that contained random text followed by URLs that directed users to one of eight different malicious domains.
- Nearly one-third—29 percent—of attacks analyzed by X-Force involved compromises via phishing emails. Of those, 45 percent involved business email compromise (BEC) scams, also known as “CEO fraud” or whaling attacks. BEC scams purport to originate from an owner or CEO or a high-ranking employee and are typically sent to individuals who control the company’s bank accounts with instructions to execute a confidential wire transfer. The FBI estimates BEC fraud has cost organizations $12.5 billion globally. The X-Force report notes Microsoft Office 365 is the most widely employed means of launching a BEC scam.
As concerning as all those attack vectors may seem, the IBM X-Force report notes they are in many cases just the tip of the iceberg. IBM has been able to identify an average of 1,440 unique vulnerabilities per organization. Going into 2019, most cybersecurity teams will clearly need to rely on both skill and luck in equal measures to find them all.