Symantec's Internet Security Threats 2017 - it’s scary down the rabbit hole

Jerry Bowles Profile picture for user jbowles May 3, 2017
Symantec’s 2017 Internet Security Threat Report reads more like a catalog of horrors for CIS and their staffs, with cyber spies and criminals running amuck everywhere. 

Key in padlock standing on circuit board- security concept © lucadp - Adobe Stock
(© lucadp - Adobe Stock)
Cyberspace became a much more dangerous place in 2016 as internet security threats mushroomed. Cyber criminals and state-sponsored saboteurs pursued aggressive capers that included multi-million dollar virtual bank heists, some of the biggest distributed denial of service (DDoS) attacks on record. and an overt attempt to disrupt the U.S. electoral process. Those are the findings of the latest edition of Symantec’s annual Internet Security Threat Report (ISTR) released late April, 2017.  Kevin Haley, director, Symantec Security Response, said:

We have seen seismic shifts in motivation and focus. Specific nation states doubled down on political manipulation and straight sabotage.  The state-sponsored hack of the Democratic National Committee (DNC) and the subsequent leak of stolen information reflect a trend towards highly-publicized, overt campaigns designed to destabilize and disrupt organizations and countries.  The focus has shifted from economic espionage to politically motivated sabotage and subversion.

While the DNC hacking got the lion’s share of attention, it was no means the only instance of state-driven cyber attacks meant to spread discord or sabotage rival governments and, even--in the case of North Korea--simply to rob banks.  The Russians used disk-wiping malware against targets in Ukraine in January and again in December, resulting in widespread power outages.

A variant of the diskwiping Trojan Shamoon reappeared after a four-year absence and was used in December 2016 and January 2017 against the labor ministry and a chemicals firm in Saudi Arabia.  Shamoon, which is also known as Disttrack, is a modular virus that can spread from an infected machine to other computers on the network. Once a system is infected, the virus continues to compile a list of files from specific locations on the system, upload them to the attacker, and erase them. To avoid leaving any trail, the virus finally overwrites the master boot record of the infected computer, making it unbootable.

Shamoon had first appeared in Saudi Arabia in 2012 when a group named "Cutting Sword of Justice" claimed responsibility for an attack on 35,000 Saudi Aramco workstations, causing the company to spend a week restoring their services.   Most experts believe that both Shamoon attacks were the work of Iran.

On the plain old criminal front, Symantec says it uncovered evidence of North Korea attacking banks in Bangladesh, Vietnam, Ecuador and Poland and stealing at least US $94 million.

Perhaps the most striking finding of the Symantec study is that cyber attackers are moving away from customized malware and relying more on legitimate software tools—like email--to compromise targeted networks.  Symantec reports that one in 131 emails contained malware, the highest rate in five years.  And Business Email Compromise (BEC) scams, relying on spear-phishing emails, targeted over 400 businesses every day, draining $3 billion over the last three years.

Diginomica readers will recall that it was a simple spear-fishing email—a spoofed email instructing Hillary Clinton’s campaign manager John Podesta to reset his Gmail password--that got Russian hackers into the Democratic National Committee’s database, allowing them to release reams of information damaging to the Clinton campaign.   Said Symantec:

Attackers are increasingly attempting to hide in plain sight. They rely on straightforward approaches, such as spear-phishing emails and “living off the land” by using whatever tools are on hand, such as legitimate network administration software and operating system features.

One example of this opportunistic approach is the use of a combination of PowerShell, a common scripting language installed on PCs, and Microsoft Office to allow intruders to leave a lighter footprint and harder to detect footprint. Last year, 95 percent of PowerShell files seen by Symantec in the wild were malicious.

The Internet of Things (IoT) has become an emerging threat For the first time ever in 2016, attackers used Mirai, a malware that turns networked devices running out of date versions of Linux into remotely controlled "bots", to build an  IoT botnet big enough to carry out the largest DDoS attack ever seen. Mirai primarily targets online consumer devices such as remote cameras and home routers. Symantec reported  a twofold increase in attempted attacks against IoT devices over the course of 2016 and, at times of peak activity, the average IoT device was attacked once every two minutes.

Ransomware continued to grow in popularity with cyber criminals last year. Symantec identified 100 new malware families, more than triple the amount seen previously, and a 36 percent increase in ransomware attacks worldwide. The United States was the biggest – and softest – target, with 64 percent of Americans willing to pay a ransom, compared to 34 percent globally. And the average ransom spiked 266 percent, with criminals demanding an average of $1,077 per victim.

The growing reliance of government agencies and businesses on cloud services has not gone  unnoticed by cyber criminals and exposed  new vulnerabilities to exploit.  Tens of thousands of MongoDB (cloud) databases were hijacked and held for ransom in 2016 simply because users left outdated versions exposed, without authentication turned on.   You can wager that the number of cloud attacks will accelerate in 2017.

My take

It’s a jungle out there.  In an incredibly hostile environment, CIOs in both the private and public sectors need to be both very well-prepared and very lucky to avoid major breaches of their networks.  A recent study by SentinelOne discovered that half of the organizations surveyed have responded to a ransomware campaign within the last year, with 85 percent indicating that they’ve suffered from three or more attacks. Traditional cybersecurity, like anti-virus, has increasingly shown itself to be no match for a new generation of malware.

Email remains the primary point of attack which requires that all end users be trained to identify and avoid phishing attempts. It is imperative to have in place a robust disaster recovery and back-up plan, as well as advanced security and multi-layered protection to protect cloud workloads.

Remember that cloud providers secure the internet and physical infrastructure, but customers are generally responsible for protecting their own data and systems.  Daily backups and a cloud-based disaster recovery system can enable an organization to failover production to a cloud service provider in the event of a ransomware attack and quickly restore production systems within minutes.

Keep a tight lid on the number of cloud apps you’re using and control who is allowed to use what.  When asked by Symantec to estimate how many cloud apps they were using, most CIOs guessed 40.  In reality the number was nearly 1,000.  Ungoverned access and shadow IT are an invitation to exploit these cracks in the cloud.

A grey colored placeholder image