The Symantec Threat Report 2018 - and 4 takeaways for the Infosec Professional
Posted on: 03-Apr-2018
Author: cmk
The Symantec Threat Report for 2018 is out. It can be downloaded from Symantec’s site here. If you do not have the time to read the entire 89-page report, here is a brief summary and 3 key takeaways for you as an infosec professional to apply to your organisation. Before you read the report, there are a few things that you must know. This is not a general data breach report. If you want statistics about how much data was lost and who was responsible, this is not the report for you. This report focuses only on the threats that Symantec observed on the Internet in the year 2017, and it does a good job of that. If you want a more general understanding of the state of cyber threats and vulnerabilities, you should read other reports in conjunction with this one. I have divided this into three sections for easy reading.
Trends in Malware
The biggest threat that Symantec sees is the rise of coin miners - a type of malware that uses the affected computer’s resources to mine cryptocurrency. This saw an 8,500% rise. The reason is quite simple - the high value of cryptocurrency makes it very attractive. Add to that the fact that the entry barrier is very low: browser-based miners can be set up with relatively little effort - as little as 2 lines of code! Both these factors drive the rise in coin miner malware. Symantec says that the trend will continue as long as cryptocurrency continues to be highly valued. Ransomware appears to have peaked in 2016. In 2017, there were fewer ransomware families, and ransom demands also fell to less than half of their 2016 value. One of the reasons for this could be the improved detection capabilities of antivirus and anti-malware software: Symantec saw a 92% increase in the blocking of scripts and macro downloaders, which are a major source of ransomware attacks. In some cases, known groups shifted to delivering financial malware instead of ransomware. Emotet - a financial trojan which first emerged in 2014 - resurfaced. Mobile malware increased by 54%, and the associated privacy risks also increased with the growing use of ‘grayware’ apps - apps that are not really malicious, but can cause a bit of trouble.
Trends in Malware delivery channels
Symantec not only reports on the top malware, but also on the way malware is delivered. Symantec saw a substantial (200%) increase in malware being implanted through software supply chains. CCleaner was the big name in this type of delivery in 2017: its development environment was compromised and the attackers were able to push a malicious build of the tool! While that is really interesting, the most common method of malware delivery was spear phishing. Did you scrimp on your training budgets this year? Then you have your work cut out. Exploitation of zero-days has reduced as compared to 2016. The second most common method of malware delivery was watering hole attacks - compromising websites that the intended victim habitually visits. This was an interesting delivery channel that I was not even aware of! The other methods of malware delivery that are prominent in this year's report are:
- Hijacking - DNS, domains, IP routing or network traffic - these are your classic man-in-the-middle attacks and sometimes cybersquatting as well.
- Hijacking third-party hosting services - there seem to be targeted phishing attacks against developer accounts so that the hosted binaries can be replaced. This is an interesting insight from the report.
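The practical defence against replaced binaries on a hijacked host is that consumers verify a signature made with a key the host never holds, not merely a hash file published next to the download (an attacker who can swap the binary can usually swap the hash file too). The following Go program is an added example and is not code from this post or from Symantec; the manifest format, the file name `setup.exe` and the installer bytes are constructed for illustration, and it assumes the consumer has obtained the publisher's Ed25519 public key out of band and pinned it in the verifying tool.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Manifest is a hypothetical release manifest: artefact name -> SHA-256 hex digest,
// plus an Ed25519 signature over the canonical manifest text.
type Manifest struct {
	Entries map[string]string
	Sig     []byte
}

// canonical renders the entries as sorted "name sha256\n" lines so that signer and
// verifier hash exactly the same bytes regardless of map iteration order.
func canonical(entries map[string]string) []byte {
	names := make([]string, 0, len(entries))
	for n := range entries {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		fmt.Fprintf(&buf, "%s %s\n", n, entries[n])
	}
	return buf.Bytes()
}

func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the publisher's side: hash each artefact and sign the manifest
// with the release key. The private key never lives on the download host.
func SignManifest(priv ed25519.PrivateKey, artefacts map[string][]byte) Manifest {
	entries := make(map[string]string, len(artefacts))
	for name, data := range artefacts {
		entries[name] = sha256Hex(data)
	}
	return Manifest{Entries: entries, Sig: ed25519.Sign(priv, canonical(entries))}
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrUnknownFile  = errors.New("artefact not listed in manifest")
	ErrHashMismatch = errors.New("artefact hash does not match manifest")
)

// VerifyArtefact is the consumer's side. The signature is checked first, against a
// pinned public key, so a rewritten hash line on a hijacked host is rejected before
// the hash comparison is even reached.
func VerifyArtefact(pub ed25519.PublicKey, m Manifest, name string, data []byte) error {
	if !ed25519.Verify(pub, canonical(m.Entries), m.Sig) {
		return ErrBadSignature
	}
	want, ok := m.Entries[name]
	if !ok {
		return ErrUnknownFile
	}
	if want != sha256Hex(data) {
		return ErrHashMismatch
	}
	return nil
}

// Scenario runs three constructed cases and returns the verification result of each:
// the genuine release, a swapped binary, and a swapped binary with rewritten hashes.
func Scenario() (genuine, swappedBinary, swappedBinaryAndHashes error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample "installer"; a real release would be the actual binary bytes.
	original := []byte("setup.exe: constructed benign installer bytes")
	m := SignManifest(priv, map[string][]byte{"setup.exe": original})
	genuine = VerifyArtefact(pub, m, "setup.exe", original)

	// Case 2: the binary on the host is replaced but the signed manifest is left alone.
	swapped := []byte("setup.exe: constructed tampered bytes")
	swappedBinary = VerifyArtefact(pub, m, "setup.exe", swapped)

	// Case 3: the hash line is rewritten to match the replacement. Without the private
	// key the old signature no longer covers the new manifest text.
	forged := Manifest{Entries: map[string]string{"setup.exe": sha256Hex(swapped)}, Sig: m.Sig}
	swappedBinaryAndHashes = VerifyArtefact(pub, forged, "setup.exe", swapped)
	return
}

func main() {
	g, s, f := Scenario()
	fmt.Println("genuine release:", g)
	fmt.Println("swapped binary:", s)
	fmt.Println("swapped binary + rewritten hashes:", f)
}
```

The ordering matters: verifying the signature before comparing hashes means the manifest's hash lines are only ever trusted once it is known that the publisher's key produced them, which is exactly the property a hash file sitting beside the binary on the same compromised host cannot give.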
Symantec's predictions for the year 2018
Symantec predicts the following things for the year 2018:
- Mid-tier cloud service providers might find it difficult to handle the Spectre and Meltdown vulnerabilities. This seems a very straightforward prediction by Symantec. However, I am not sure if these vulnerabilities are that easy to exploit that they would lead to large-scale breaches.
- The use of EternalBlue exploits to create self-propagating malware might lead to an increase in Internet worms. Symantec predicts that there is a chance of a large-scale worm attack on the scale of Slammer, because there are many unpatched systems that are still vulnerable to EternalBlue.
- Increase in IoT attacks. All cybersecurity firms worth their salt seem to be making this prediction. The widespread adoption of IoT means that this prediction is very likely to come true.
- Coinminer activities will focus on organisations. A shift from individuals to organisations for coinminers seems logical as organisations have larger infrastructure.
- Increase in attacks on critical infrastructure. There seems to be an uptrend in state-sponsored malware as per Symantec. This will lead to an increase in attacks on critical infrastructure.