According to the latest cybercrime tactics and techniques report, published by Malwarebytes this morning, threat actors are refocusing their attack efforts on businesses rather than the consumer.
The analysis of data from the Malwarebytes intelligence, research and data science teams, combined with telemetry from both consumer and business product deployments, revealed that the threat against business has risen by more than 200 percent over this time last year. At the same time, Malwarebytes analysts say that consumer attack detections declined by nearly 40 percent. Pervasive Trojans have been a particular thorn in the side of the enterprise with Emotet attacks targeting business up by 200 percent over the last quarter of 2018. A resurgence in ransomware, which has been in steady decline across the consumer threatscape, has had business firmly in the cross hairs with an increase of 195 percent quarter over quarter.
"There have been numerous developments over the last two years in adding functionality to commercial malware families like Emotet that is more effective against larger networks," Adam Kujawa, Director of Malwarebytes Labs, told SC Media UK. The EternalBlue and EternalRomance exploits, as used in the WannaCry attack, have also been added to numerous malware families that make them far more effective against businesses, according to Kujawa. "They are able to not only ransom or extract data from a much larger source than a single infection," he explains, "but also do so with more success due to these exploits."
Yet the enterprise has more money, more resources and more experience to throw at data security than your average consumer. So does this mean Malwarebytes is seeing cyber criminals stepping up the sophistication of their campaigns overall? "At the end of the day, a phishing attack requires a user to fall for a very old trick and yet it remains the primary method for distribution today," Kujawa says, continuing, "an enterprise does have more security than your average consumer, but they also have hundreds or thousands of potential weak points: their employees." Despite that, Kujawa says that Malwarebytes has observed an increase in sophistication of many enterprise-focused attacks over the last few years, with some of the same tactics and technologies that you'd expect to see in the playbook of advanced persistent threat actors.
Not everyone that SC Media UK spoke to has seen this same shift away from consumer to business threats. "I believe it’s more a case of increased threats to both," Naaman Hart, Cloud Services Security Architect at Digital Guardian, says, adding, "there is too much easy money to be made from hitting consumer targets, so I expect them to continue to be a large target in coming years." Tim Mackey, Senior Technical Evangelist at Synopsys, suggests that any conclusions indicating a bias within the cyber-criminal community are more likely a function of the nature of the dataset than a shift in focus by malicious actors. "Malicious actors seek weak or misconfigured devices, attempt to exploit unpatched vulnerabilities and use social engineering in various forms to gain access to systems," Mackey explains, "often at the outset they don’t know what type of device they’ve gained access to."
Others agree with the conclusion that business is the new black for threat actors. "We’ve definitely noticed this shift and it appears to be part of a broader criminal trend of improved target selection and planning in criminal attacks," Kelvin Murray, Senior Threat Researcher at Webroot, told SC. This shouldn't really come as any great surprise as the motivation for hacking has shifted in recent years from hacktivism to financial gain. "While hacking an individual might be easier," says Uri Bar-El, Global Head of the Cyber Security Division at Qualitest, "the financial gain and power of scale is definitely with the business side."
So, what is the most important thing an enterprise can do in order to protect itself from this new wave of more business-focused threats? "Organisations should ensure they do not have a false sense of security," Craig Harber, CTO at Fidelis Cybersecurity, advises, continuing, "adversaries who are targeting organisations will know your defences and your gaps and exploit them to breach your network and access sensitive data." Which means understanding your cyber terrain: what assets you have, where your sensitive data is, what’s connecting, what vulnerabilities exist. As Harber rightly concludes, "you can’t defend what you don’t know and can't see..."