In the past couple of years, while we have seen a rise in businesses adopting new cyber-security policies, appointing CISOs, hiring professional security firms, buying cyber-insurance policies and investing in advanced security solutions, such measures have not been able to curb the rise of malware and cyber-weapons that hackers have frequently employed with devastating results.
In a detailed report on the impact of specialised malware and tools stolen by hackers from the CIA and the NSA on industries, security firm Cylance revealed that the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4 percent between 2016 and 2017 and that email and drive-by downloads emerged as the top two infection vectors globally.
In terms of frequency, ransomware attacks led from the front and rose three-fold in 2017. Several malware families such as WannaCry, Upatre, Cerber, Emotet, Locky, Petya, Ramnit, Fareit, PolyRansom and Terdot/Zloader caused havoc on a global scale, followed by other tools such as crypto-miners, wallet-swiping trojans, and malicious code that exploited firmware and hardware vulnerabilities.
"The attacks and threats of 2017 are a reminder of the ingenuity and destructive capabilities of threat actors. All indicators point to a perfect storm with the explosion in the number and types of endpoints requiring protection, the rise in the diversity of attack types, and the ease with which they can be accessed and weaponised," said Aditya Kapoor, head of security research at Cylance.
The firm noted that more than 50 percent of the threats it observed were not seen in any other environment, signifying that many organisations did not even know that they were targeted by such malware attacks and that they need to consider advanced malware detection and prevention technologies to accurately assess the risks to their digital infrastructure.
It also observed that 50 percent to 70 percent of attacks that took place in 2017 exploited known vulnerabilities which were reported more than nine months prior to such attacks. The continued exploitation of known vulnerabilities suggests that many organisations did not take steps to plug existing gaps or did not adequately update their software to prevent similar attacks in the future.
For example, the SMB flaws described in CVE-2017-0144, for which patches were issued in March 2017, are still heavily exploited by hackers. Similarly, the Oracle WebLogic flaw, whose exploit and proof-of-concept code became well-known by the end of 2017, is still being exploited on a grand scale.
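To make the "nine months" finding actionable, the following added example (not from the Cylance report or the article) checks a vulnerability inventory for hosts that remain unpatched long after a fix was published. The inventory, the reference date and the fix dates are constructed; CVE-2017-0144 and its March 2017 patch are taken from the article, but the exact day used is an assumption, and the WebLogic entry carries a placeholder identifier because the article does not name its CVE.

```python
"""Flag hosts still exposed to vulnerabilities whose fix has been public
for longer than a threshold (the report's 'more than nine months').

Added example; the inventory below is constructed, not real scanner output.
"""
from dataclasses import dataclass
from datetime import date

NINE_MONTHS_DAYS = 270      # approximation of the report's nine-month window
AS_OF = date(2018, 3, 1)    # constructed reference date for the check


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    fix_available: date   # date the vendor published the patch
    patched: bool         # does the host report the fix as installed?


# Constructed inventory, shaped like a patch-management or scanner export.
INVENTORY = [
    # CVE-2017-0144 is from the article; the exact patch day is an assumption.
    Finding("fileserver-01", "CVE-2017-0144", date(2017, 3, 14), patched=False),
    Finding("fileserver-02", "CVE-2017-0144", date(2017, 3, 14), patched=True),
    # Placeholder id and constructed date: the article names no WebLogic CVE.
    Finding("app-01", "CVE-PLACEHOLDER-WEBLOGIC", date(2017, 10, 1), patched=False),
    # A recent, constructed finding that should NOT be flagged yet.
    Finding("app-02", "CVE-PLACEHOLDER-NEW", date(2018, 2, 1), patched=False),
]


def exposure_days(f: Finding, today: date) -> int:
    """Days the fix has been available as of `today`."""
    return (today - f.fix_available).days


def overdue(inventory, today: date, threshold_days: int = NINE_MONTHS_DAYS):
    """Unpatched findings whose fix has been public longer than the
    threshold, most overdue first."""
    hits = [
        f for f in inventory
        if not f.patched and exposure_days(f, today) > threshold_days
    ]
    return sorted(hits, key=lambda f: exposure_days(f, today), reverse=True)


if __name__ == "__main__":
    for f in overdue(INVENTORY, AS_OF):
        print(f"{f.host}: {f.cve} unpatched {exposure_days(f, AS_OF)} days after fix")
```

Run against the constructed inventory, only `fileserver-01` is reported: its fix has been public for 352 days, while the WebLogic and newer findings are unpatched but still inside the window. Lowering `threshold_days` is the knob a team would turn as its patching cadence improves.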
"Cyber-criminals are adept at modifying their malware and methods to stay ahead of traditional protections that organisations deploy, as seen by the rise in infections and sophistication of attacks in 2017. It's critical that companies are aware of the threats, keep up-to-date with patches, and use defences that protect against constantly evolving malware," said Rahul Kashyap, worldwide chief technology officer at Cylance.
While system damage and data destruction represented the top risks for industries that faced such attacks, the healthcare sector was the hardest hit, of which the WannaCry ransomware attack on NHS institutions in 2017 was a glaring example. While the sector suffered 34 percent of all attacks in 2016, the figure rose to 58 percent in 2017, signifying how lucrative the sector had become to cyber-criminals across the globe.
Between 2016 and 2017, while cyber-criminals turned their attention to the healthcare industry, other industries such as manufacturing, education, and professional services suffered fewer attacks with the exception of the food industry which faced 17 percent of all attacks in 2017. Attacks on the manufacturing sector went down from 17 percent in 2016 to 10 percent in 2017.
Researchers at Cylance also observed the continued rise in polymorphic and single-use malware, 70 percent of which were not seen by anyone other than Cylance. According to them, hackers often deploy single-use malware as they do not want their creations to end up on publicly-available repositories of malware signatures such as CVE.
New single-use malware variants are highly successful as they do not contain tell-tale signatures of existing malware and are hence not detected by most anti-malware solutions. A number of them stay hidden for months while operating and it is often by a stroke of luck that a file gets uploaded to a public repository, resulting in vulnerabilities getting patched.
"The fact of the matter is that public repositories of signatures are by no means comprehensive, complete, up-to-date, or a reliable record of all the malware that could impact an organisation," they said, adding that the most worrisome malware, from the high-level commodity code to the ultra-sophisticated targeted attacks, will never show up there.
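The point about signature repositories becomes concrete when a file-hash lookup is run beside a content-feature rule. The following is an added example, not code from Cylance or the article: the two "samples" are constructed byte strings standing in for two builds of one family that differ only in padding, the "public repository" is a hypothetical set containing just the first build's hash, and the feature rule is a hypothetical YARA-style rule that requires two characteristic strings to co-occur.

```python
"""Exact-hash IoC matching versus a content-feature rule.

Added example. SAMPLE_A and SAMPLE_B are constructed stand-ins for two
builds of the same family; KNOWN_HASHES and FEATURE_RULE are hypothetical.
"""
import hashlib
import re

# Constructed samples: identical characteristic content, different padding,
# so their cryptographic hashes differ.
SAMPLE_A = (b"MZ" + b"\x00" * 16
            + b"cmd.exe /c vssadmin delete shadows"
            + b"READ_ME.txt" + b"\x90" * 8)
SAMPLE_B = (b"MZ" + b"\x00" * 24
            + b"cmd.exe /c vssadmin delete shadows"
            + b"\xcc" * 3 + b"READ_ME.txt")

# Hypothetical public repository: only SAMPLE_A was ever submitted.
KNOWN_HASHES = {hashlib.sha256(SAMPLE_A).hexdigest()}

# Hypothetical feature rule: both patterns must be present, wherever they sit.
FEATURE_RULE = {
    "name": "ransomware_shadow_delete",
    "required": [rb"vssadmin\s+delete\s+shadows", rb"READ_ME\.txt"],
}


def hash_match(sample: bytes, known: set) -> bool:
    """Exact-hash lookup: hits only bytes that were seen and submitted before."""
    return hashlib.sha256(sample).hexdigest() in known


def feature_match(sample: bytes, rule: dict) -> bool:
    """Content-feature rule: every required pattern must appear in the file."""
    return all(re.search(pattern, sample) for pattern in rule["required"])


def triage(samples: dict) -> dict:
    """Run both detectors over a batch; returns {name: {detector: hit}}."""
    return {
        name: {
            "hash": hash_match(data, KNOWN_HASHES),
            "feature": feature_match(data, FEATURE_RULE),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, result in triage({"A": SAMPLE_A, "B": SAMPLE_B}).items():
        print(name, result)
```

The hash lookup flags only build A; build B, never uploaded to the repository, passes. The feature rule flags both, which is why detection that keys on what a file contains or does, rather than on whether its exact bytes were seen before, is the usual answer to single-use variants.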
Commenting on the success rate and widespread use of single-use malware, Andy Norton, director of threat intelligence at Lastline, told SC Magazine UK that up to 65 percent of malware that reaches behavioural analysis is single-use, having no matching pattern on any virus repository, or being subsequently submitted from a different target.
"Not only is the malware one time, but the method of detection is AI based and heuristic, ignoring the data theft aspects of malware, punching a hole of risk through incident response processes and allowing for credential based attacks to come back into the targeted organisation," he added.
The researchers also described the impact of well-known malware families on various sectors, signifying that many of these malware variants were developed to target specific entities.
While the WannaCry ransomware impacted the food industry the most (58 percent) followed by manufacturing industry (25 percent), 33 percent of professional services were impacted by the Upatre malware family, the manufacturing sector suffered 76 percent of Cerber ransomware attacks, transportation firms suffered 28 percent of all Emotet attacks, and hospitals suffered 60 percent of all Locky ransomware attacks.
While ransomware variants caused the maximum damage to industries between 2016 and 2017, supply-chain attacks carried out by hackers by deploying malicious code also rose in frequency in the same period.
"Attackers are going to great lengths to identify the weak link in the supply chain, taking months or years conducting appropriate and thorough reconnaissance. Once they identify a smaller-route (third party) into a larger and final target, they will continue to the next phase of the campaign.
"In 2016 and 2017, we saw three major publicly-disclosed supply chain compromises, CCleaner, Shadowpad, and NotPetya. We consider these compromises to be trendsetters that have raised the bar," they added.
To limit the impact of ransomware attacks and supply-chain attacks, the researchers suggested that businesses need to keep their hardware and software updated, wisely manage access and permissions within their environment, strictly limit and monitor remote access, train personnel to identify social engineering and phishing attacks, and maintain strong physical security over vulnerable infrastructure.