The Year's Top Attack Vectors: Review and Prepare

Cyber attacks are rapidly evolving and ever-more concerning. The success of WannaCry, NotPetya, GandCrab and others have inspired a new generation of hackers looking for a quick, lucrative score. While it's impossible to predict the next attack scheme and who will be targeted, this is a good time to review the year's top threat vectors and make sure your cybersecurity defenses are ready for the challenge in the rest of 2019 and beyond.

Here are eight.

#1 Malware

The total number of malware infections have been on the rise for the last 10 years, with more than 812 million on record for 2018. Malware is any piece of software that was written with the intent of doing harm to data, devices or people. Types of malware include viruses, trojans, spyware, ransomware, adware, worms, and fileless attacks. Verizon research suggests attackers use email as their malware-delivery system of choice in up to 92% of the cases. And mobile malware is on the rise - the number of new mobile malware variants increased by 54% in 2018, according to Symantec.

On the advanced malware front, the ESET Cybersecurity Trends 2019 Outlook reports that “Cybercriminals are already using automated searches to assist in finding vulnerable machines and online accounts, and gathering massive amounts of disparate data for subsequent targeted reconnaissance. This automation will undoubtedly increase, to make their existing efforts more cost-efficient and better for social engineering attacks.”

Malwarebytes reports that attacks involving trojans are up 650% in a year, and attacks increased by 200% in Q1 2019. This currently makes trojans, like Emotet, the biggest malware threat out there. Malwarebytes describes Emotet as the “most fearsome and dangerous threat to businesses today.” Emotet is an information stealer most commonly spread via phishing emails and the EternalBlue exploit. It has self-propagation functionality and can send copies of itself via email to contacts. It can also download other malware variants such as Ryuk ransomware.

#2 Ransomware

As recent news headlines indicate, many private and public services across the nation have been seriously disrupted in the wake of ransomware attacks. Baltimore's city government was hit with a massive attack that left it crippled for over a month, with a loss value of over $18 million, according to the Baltimore Sun.

Ransomware is a type of malware designed to block access to a computer system or computer files. Most ransomware variants are executed through email or remote desktop protocol (RDP) and are designed to encrypt files on the affected computer, making them inaccessible until a ransom payment is made to restore access. According to Malwarebytes, ransomware attacks on businesses increased by 195% in the first quarter of 2019. According to Coveware, Ryuk ransomware is responsible for the large rise in ransomware payment costs as it demands $287,000 per incident, on average, compared to around $10,000 demanded by other ransomware.

#3 Phishing

Phishing is an attempt to gain sensitive information while posing via email as a trustworthy contact, such as a bank or retailer. Phishing emails have evolved significantly since the early days and often look very convincing - complete with faultless wording and genuine logos. Highly targeted attempts to gain information from an individual are referred to as spear phishing. And when a fake email from a CEO applies pressure on a CFO into making an urgent payment, this has become known as Whaling.

According to Hornet Security, on Oct 25, 2019, “A hacker successfully received payment of $530,000 after tricking a City of Ocala [Florida] employee with a sophisticated spear phishing email. The hacker was imitating a construction contractor and had used a legitimate invoice in the email to trick an employee in sending over the payment. The email address from the sender looked to be legitimate but was off by a letter. The city had no loss to their networks, so no malware was used. Law enforcement was immediately notified, and an ongoing investigation is underway.”

Phishing was involved in 87% of high-risk email threats in 2018, according to Trend Micro. A survey by Wombat Security found that 76% of businesses have been a victim of a phishing attack in the past year. Symantec reports that more than 10% of malicious emails disguise themselves as a bill. And Verizon found that a 30% of U.S. users open phishing emails, of which, 12% then open the infected links or attachments.

#4 Formjacking

According to Symantec, formjacking is the latest and greatest get-rich-quick scheme for cybercriminals. F5 Labs reports that this attack method was responsible for 71% of all analyzed web-related data breaches through 2018. In formjacking attacks, hackers inject malicious JavaScript code into a webpage form. Most often they do this to steal payment card data from e-commerce sites, but it can be used to compromise any type of online form, including login credentials, Social Security numbers, or even confidential business information, such as the contact information of sales prospects who sign up for a mailing list.

#5 Data Leakage

While cybersecurity in the workplace may seem challenging enough, it is important to remember that security must now extend beyond the office due to the widespread use of smart phones and tablets. The ubiquitous use and low cost of portable storage devices makes them a useful tool for the backup and transportation of data, which means they are also a target for data thieves.

Data leakage is the unauthorized transmission of electronic or physical data from within an organization to an external destination or recipient. If your organization employs staff (full-time or as contractors), there is a possibility they could leak data by mistake or maliciously. Verizon reports that 34% of all breaches in 2018 were caused by insiders. According to specialist insurance provider Beazley, “accidental disclosure” was the top cause (31%) of data breaches reported by healthcare organizations in 2018 and was the direct cause of 20% of incidents across all industries. In comparison, Beazley found that only 6% of incidents were attributed to portable devices and 5% from the physical loss of non-electronic records.

Mobility makes preventing data loss especially difficult for enterprises, because users often inadvertently make ill-advised decisions about which apps are able to see and transfer their information or blatant errors - like transferring company files onto a public cloud storage service, pasting confidential info in the wrong place or forwarding an email to an unintended recipient.

#6 Targeted Attacks

Gaining access to IT systems from outside an organization still offers attractive payoffs for criminals. In a targeted attack, anonymous threat actors actively pursue and compromise a target entity's infrastructure. These hackers have sufficient expertise and resources to conduct their schemes over a long-term period, as well as adapt, adjust or improve their attack methods to counter their victim's defenses. Not surprisingly, some of the costliest data breaches in history have happened in this category, including Experian, Equifax, Target, and Capital One.

Targeted attacks often employ similar methods found in traditional online threats such as malicious emails, compromised or malicious sites, exploits and malware, but are typically conducted in campaigns. Through a series of failed and successful attempts, hackers are able to get deeper and deeper into a target's network. Bank account information or credit card databases are common targets, but intellectual property can be valuable as well.

Positive Technologies reports that 90% of active advanced persistent threat (APT) groups use phishing at the initial access stage, and 14% of groups conduct watering hole attacks at the penetration stage. Once breached, organizations may have less than 20 minutes to detect infections and isolate hacked computers before a simple intrusion turns into a compromise of their entire network, according to CrowdStrike. Hacking supply-chain companies instead of attacking targets directly has become a major trend to watch out for in 2019.

#7 Cloud

In 2018, more than 70 million records were stolen or leaked from poorly configured S3 buckets, according to Symantec. McAfee reports that 21% of files in the cloud contain sensitive data, and the average organization has 2,200 individual IaaS (infrastructure-as-a-service) misconfiguration incidents in the cloud. Off-the-shelf tools on the web allow attackers to identify misconfigured cloud resources. Hardware chip vulnerabilities, including Meltdown, Spectre, and Foreshadow, allow intruders to access protected memory spaces on cloud services hosted on the same physical server.

Further, McAfee reports that organizations experience an average of 12.2 incidents each month in which an unauthorized third party exploits stolen account credentials to gain access to corporate data stored in a cloud service. These incidents affect 80.3% of organizations at least once a month. Additionally, 92% of companies have cloud credentials for sale on the dark web.

#8 Internet of Things

Your favorite IoT device is a hacker's best friend. Targeted attack groups are increasingly focusing on IoT as a soft entry point, which they use to destroy or wipe a device, steal credentials and data, and intercept SCADA (industrial control system) communications. A new IoT bricking worm, malware dubbed Silex, has been hitting Linux-based devices, and it's designed to permanently disable the hardware it infects, effectively rendering the devices useless. SonicWall reports that IoT malware attacks jumped 215.7%, to 32.7 million, in 2018 (up from 10.3 million in 2017). The first two quarters of 2019 outpaced the first two quarters of 2018 by 55%.

Although routers and connected cameras make up 90% of infected devices, according to Symantec, almost every IoT device is vulnerable, from smart light bulbs to voice assistants. On average, it only takes five minutes for a device to be attacked once connected to the Internet, according to the NETSCOUT Threat Intelligence Report. Compounding the problem is the fact that fewer than 20% of risk professionals can identify a majority of their organization's IoT devices, according to Ponemon.

Conclusion

It is unrealistic to think that you can protect your organizations against 100% of the threats 100% of the time. Prioritizing security investments by focusing on the end goals - whether that be safeguarding intellectual property, protecting client data or avoiding network outages that might disrupt business operations - can help provide the direction you need to smartly allocate your security budget and balance sometimes difficult trade-offs. Also, an adaptive and layered security approach can help you create a feedback loop of threat visibility, detection and prevention that consistently becomes more effective - to be covered in a future article.

Marcus Chung is chief executive officer of cybersecurity and data-protection advisory services company BoldCloud. Earlier he worked in key roles at Sygate (acquired by Symantec) and as COO at MalwareBytes. He has previously contributed to GARP Risk Intelligence Employees Are Best Defense Against Ransomware and Ransomware Terrorism: Should We Be Worried?