Cyber criminals became “more ambitious in 2016” and cultivated advanced attack strategies as targeted attacks shifted from economic espionage to politically-motivated sabotage and subversion, according to a new global threat report from Symantec.
“New sophistication and innovation is the nature of the threat landscape, but this year Symantec has identified seismic shifts in motivation and focus,” said Symantec security response director, Kevin Haley.
“Zero-day vulnerabilities and sophisticated malware are now used sparingly, as nation states shift their attention from espionage to straight sabotage. Meanwhile, cyber criminals caused unprecedented levels of disruption by focusing their exploits on relatively simple IT tools and cloud services.”
Symantec’s Internet Security Threat Report (IS) examines multiple facets of the threat landscape, including targeted attacks, ransomware, email attacks and IoT vulnerabilities, as well attackers’ tactics and motivations.
Australia ranks fifth in the APJ region for cyber security threats and in the top 10 for spam attacks, according to local Symantec security expert Nick Savvides, who said the report revealed “new levels of ambition for cyber criminals targeting Australia in 2016,” and showed no proof attacks within the threat landscape will be slowing down.
“Now more than ever, businesses and consumers alike, need to be vigilant in order to safeguard against the increasingly sophisticated attacks aimed at Australians.”
The report revealed cyber criminals are executing “politically devastating attacks” in a move to undermine a new class of targets.
“Cyber attacks against the U.S. Democratic Party and the subsequent leak of stolen information reflect a trend toward criminals employing highly-publicised, overt campaigns designed to destabilise and disrupt targeted organisations and countries,” the report noted.
“The upsurge in disruptive attacks coincided with a decline in covert activity, specifically economic espionage, the theft of intellectual property and trade secrets. While cyber attacks involving sabotage have traditionally been quite rare, the perceived success of several campaigns – including the U.S. election and Shamoon – point to a growing trend to criminals attempting to influence politics and sow discord in other countries.”
The report also noted a “new breed of attacker”, which revealed major financial ambitions and performed exercises in a bid to help fund other covert and subversive activities.
“Today, the largest heists are carried out virtually, with billions of dollars stolen by cyber criminals. While some of these attacks are the work of organised criminal gangs like Odinaff, for the first time nation states appear to be involved as well. Symantec uncovered evidence of North Korea attacking banks in Bangladesh, Vietnam, Ecuador and Poland.
“This was an incredibly audacious hack, and was also the first time we observed strong indications of nation state involvement in financial cybercrime,” said Kevin Haley, director, Symantec Security Response. “While their sights were set even higher, the attackers from North Korea stole at least AU$125 million.”
Email ‘weapon of choice’
Email became the weapon of choice in 2016 with business email compromise (BEC) scamming more than 43 billion people in 2016, the report found.
“BEC scams, which rely on little more than carefully composed spear-phishing emails – scammed more than three billion dollars (USD) from businesses over the last three years, targeting over 400 businesses every day,” the report said.
The report also revealed how attackers weaponise commonly used software. In 2016, Symantec saw cyber criminals use PowerShell, a common scripting language installed on PCs, and Microsoft Office files as weapons.
“While system administrators may use these common IT tools for daily management tasks, cyber criminals increasingly used this combination for their campaigns as it leaves a lighter footprint and offers the ability to hide in plain sight. Due to the widespread use of PowerShell by attackers, 95 percent of PowerShell files seen by Symantec in the wild were malicious,” the report noted.
The use of email as an infection point also rose, becoming a weapon of choice for cyber criminals and a dangerous threat to users. Symantec found one in 131 emails contained a malicious link or attachment – the highest rate in five years.
Symantec predicts attackers will migrate to other messaging platforms, as well as social media.
The report also found ransomware continued to escalate as a global problem and a lucrative business for criminals. Symantec identified 100 new malware families released into the wild, more than triple the amount seen previously, and a 36 per cent increase in ransomware attacks worldwide. Australia was third highest country in APJ at risk of ransomware, and 11th in the world.
Cracks in the cloud
The report warned the next frontier for cybercrime is now upon us as cloud security continues to be a challenge for CIOs.
“CIOs have lost track of how many cloud apps are used inside their organisations. When asked, most assume their organisations use up to 40 cloud apps when in reality the number nears 1,000. This disparity can lead to a lack of policies and procedures for how employees access cloud services, which in turn makes cloud apps riskier,” the report said.
“These cracks found in the cloud are taking shape. Symantec predicts that unless CIOs get a firmer grip on the cloud apps used inside their organisations, they will see a shift in how threats enter their environment.”
A growing reliance on cloud services has left organisations open to attacks. For example, tens of thousands of MongoDB (cloud) databases were hijacked and held for ransom in 2016 after users left outdated databases open on the internet without authentication turned on, the report said.