Cybersecurity reports are seldom comforting, and this year's Midyear Security Roundup report that Japan-based security company Trend Micro released last week is no exception. Somewhat surprising is that although microprocessor vulnerabilities like Meltdown and Spectre top the news, ransomware and cryptomining malware delivered the old-fashioned way, by hacking, phishing, or drive-by attack, are perhaps the most active threats.
At VMworld in Las Vegas I asked Greg Young, Trend Micro's VP of cybersecurity, what he thought to be the biggest takeaway from this year's report.
"I think what we've seen this year is that the threat actors are really flexing quickly and that doesn't always happen," he said. "In past years threats would kind of stay within a silo or stay within a lane. Now, as they're being pushed around by more advanced solutions, more surveillance and the like, they're getting much more flexible.
"They're also flexible across platforms. They know that enterprises and companies are going to be multi-cloud, they're going to be in different environments, and they're going to have a weak link. They're going to flex to find that. Everything's not a zero-day nowadays. They're going to take the cheapest, easiest angle, and I think that's the lesson."
The "cheapest, easiest angle" is often our old friend ransomware and the relative newcomer, cryptomining malware, which seems to be gaining some ground.
The number of ransomware detections has been leveling off from the steep rise that was being observed only months ago. According to Trend Micro's figures, ransomware detections nearly doubled in 2017, from nearly 197,000 in the first half of the year to almost 370,000 in the second half. For the first half of 2018, the company is reporting about 380,000 detections, an increase of only about three percent.
Young stressed that this doesn't mean the threat is going away.
"Ransomware is still almost at the top of the list," he said, "because it's such an easy effort to make money. If you steal credit card numbers, there are a couple of steps you have to take to monetize that. But ransomware, with one step, is quickly monetizable."
Black hats employing ransomware have been evolving their approach to designing, maintaining and deploying their malicious payloads. Four new ransomware families that emerged this year, GandCrab, BlackHeart, SynAck, and Black Ruby, are singled out in the report for improved encryption and decryption routines as well as for their persistence once successfully installed.
Ransomware is also evolving in other ways. BlackHeart, for example, packages its malicious payload alongside an outdated version of the remote desktop tool AnyDesk, evidently as a way to hide what the ransomware is doing. SynAck uses process doppelgänging, a technique that makes detection and analysis difficult, and Black Ruby doubles down by functioning both as ransomware and as a miner for the cryptocurrency Monero, meaning it's utilizing two of the most prevalent trends in malware in one neat package.
"Cryptomining is more immediately monetizable and the risk is much lower," Young said. "You steal resources and that's a hard case to make for law enforcement. If I hold you ransom, that gets a lot of attention, but with stealing resources there's a low chance of detection, a low chance of punishment, and a much quicker path to money. Resource utilization also isn't something that a lot of security operations centers are going to be looking for."
He pointed out that cryptomining operations can be difficult to detect, because the malware isn't attacking the assets that security operators are working to protect.
"Unfortunately, a lot of security organizations aren't being tasked with watching this kind of metric," he said. "They're watching for the attack on the data or the ransom attack, but they're not watching utilization and they're not watching capacity. The good news is that security is being transferred more often now to the ops groups, so there's an alignment there, but not everybody is watching from a security perspective."
Another problem with cryptomining intrusions is that even when security teams discover the initial break-in, they often misread it. Because their focus is on determining whether sensitive data has been compromised, an intrusion that only plants mining software can look, from that perspective, like one in which nothing was accomplished.
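The gap Young describes, nobody watching utilization and capacity, is easy to close with a small triage rule. The following is an added example, not code from the article or from Trend Micro's report: it looks for sustained per-process CPU load and pairs that with a Stratum-like network indicator so that a legitimate batch job is not mistaken for a miner, and a miner that has only just started is still caught by its traffic. All telemetry in the block is constructed, and the pool ports and JSON-RPC method names are assumptions based on common defaults in open-source miner configurations, not indicators taken from the report.

```python
"""Heuristic cryptominer triage over constructed host telemetry.

Added example, not from the Trend Micro report or the article.  Two
indicators are combined per process: sustained CPU utilisation (the
metric the passage says SOCs rarely watch) and a Stratum-like outbound
connection.  Sample data is constructed; STRATUM_PORTS and
STRATUM_MARKERS are assumptions drawn from common miner defaults.
"""
from collections import defaultdict

STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}          # assumption: common pool ports
STRATUM_MARKERS = (b'"method":"login"', b'"method":"mining.subscribe"')
CPU_HIGH = 80.0          # percent of one core
WINDOW = 10              # consecutive one-minute samples
SUSTAINED_RATIO = 0.9    # share of the window that must be above CPU_HIGH


def sustained_cpu(pcts, window=WINDOW, high=CPU_HIGH, ratio=SUSTAINED_RATIO):
    """True when at least `ratio` of the last `window` samples are >= `high`.
    A short series (process just started) never qualifies, nor does a single spike."""
    recent = pcts[-window:]
    if len(recent) < window:
        return False
    return sum(1 for p in recent if p >= high) / window >= ratio


def stratum_like(conn):
    """Connection looks like a mining-pool session: pool port or Stratum JSON-RPC method."""
    return conn["dport"] in STRATUM_PORTS or any(m in conn["payload"] for m in STRATUM_MARKERS)


def classify(cpu_samples, connections):
    """Return {(host, pid): verdict} for every process seen in either feed."""
    series = defaultdict(list)
    for host, pid, _exe, minute, pct in sorted(cpu_samples, key=lambda r: r[3]):
        series[(host, pid)].append(pct)
    net = defaultdict(bool)
    for c in connections:
        net[(c["host"], c["pid"])] |= stratum_like(c)
    verdicts = {}
    for key in set(series) | set(net):
        cpu, pool = sustained_cpu(series[key]), net[key]
        if cpu and pool:
            verdicts[key] = "likely_miner"        # both indicators: act
        elif pool:
            verdicts[key] = "stratum_traffic"     # network only: investigate now
        elif cpu:
            verdicts[key] = "capacity_review"     # CPU only: may be a legitimate job
        else:
            verdicts[key] = "ok"
    return verdicts


# Constructed telemetry: (host, pid, exe, minute, cpu_percent), one sample per minute.
CPU_SAMPLES = []


def _series(host, pid, exe, pcts):
    CPU_SAMPLES.extend((host, pid, exe, i, p) for i, p in enumerate(pcts))


_series("web01", 4120, "/usr/sbin/httpd",   [10, 12, 9, 90, 11, 10, 8, 12, 10, 9])   # one spike
_series("web01", 7788, "/tmp/.x/kthreadd",  [97, 98, 99, 96, 99, 98, 97, 99, 98, 99])  # pegged
_series("db02",  900,  "/usr/bin/postgres", [85, 88, 91, 87, 84, 90, 86, 89, 92, 88])  # nightly job
_series("web01", 6001, "/var/tmp/update",   [3, 2, 4])                                 # just started

# Constructed connection records (RFC 5737 documentation addresses for the pools).
CONNECTIONS = [
    {"host": "web01", "pid": 7788, "dst": "203.0.113.7", "dport": 4444,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"agent":"xmrig/6"}}'},
    {"host": "db02",  "pid": 900,  "dst": "10.0.0.5", "dport": 5432, "payload": b""},
    {"host": "web01", "pid": 6001, "dst": "198.51.100.9", "dport": 8080,   # non-default port,
     "payload": b'{"id":1,"method":"mining.subscribe","params":["xmrig"]}'},  # caught by payload
]


if __name__ == "__main__":
    for key, verdict in sorted(classify(CPU_SAMPLES, CONNECTIONS).items()):
        print(key, verdict)
```

The CPU-only verdict is deliberately soft: the constructed postgres job is pegged for ten minutes and is still only a "capacity_review", which is the hand-off to the ops group Young mentions, while the process that has only three samples but is already talking Stratum on a non-standard port is escalated on traffic alone.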
The good news with ransomware is that even if black hats successfully get past defenses to get their payload installed on a system, the cost of the attack can be mitigated through frequent backups, provided those backups are kept out of reach of the compromised host (offline or otherwise immutable) and are regularly tested, since ransomware routinely tries to encrypt or delete any backup it can reach. With cryptomining attacks, the malware is usually easily removable once discovered. However, the best way to deal with any malware attack is through strong preventative action - which basically boils down to prudent application of patches.
"The sad part is, ransomware doesn't have to be smart nowadays, because they're going after old vulnerabilities, old exploits that often have been out there more than one year," Young said. "The door is open, in many cases, with things not being patched for a very long time, in a lot of cases for many years, which is making it very easy for ransomware right now."
Ransomware and cryptomining are not the only threats causing grief to those in charge of keeping systems safe, of course. Successful email-based phishing attacks continue to rise, and plain vanilla software vulnerabilities continue to be a major issue.
The report notes that in the first half of 2018, Trend Micro (through its Zero Day Initiative) published 602 software advisories (up from 578 in the previous half year), with the largest share of advisories going to Advantech’s industrial IoT software. Most home and office software advisories concerned Adobe, mostly for Acrobat Pro DC, followed by software from Foxit and Microsoft.
“Interestingly, Foxit, which is largely considered an alternative PDF reader, had vulnerability issues of its own,” the report stated. “As for Microsoft, roughly a third of its vulnerabilities had to do with its Internet Explorer and Edge browsers, while the rest were mostly in Windows.”