Security Report Finds Phishing, Not Zero-Days, Is the Top Malware Infection Vector
The latest Internet Security Threat Report (ISTR) from Symantec covers the past year in review when it comes to financial and banking security trends, the most common malware infection vectors, mobile malware and ransomware trends and much more. If you don’t have time to read the nearly 90 pages, then skim over some of the top takeaways below:
Infection Vectors & Network Compromise Techniques
According to the report, the top infection vector of malware is spear phishing (used by 71% of organized groups in 2017). Only 27% of the 140 targeted attack groups tracked by Symantec have used zero-day vulnerabilities at any point in the past to infect users.
Meanwhile, attackers often use lateral movement, a key phase that helps them explore and move across a network to infect computers/targets of interest.
...stolen credentials were the most commonly seen lateral movement technique employed.
With hacking software tools, attackers can obtain credentials from compromised computers, as well as use password hash attacks to authenticate into other computers and servers. Another lateral movement technique used was exploiting open network shares.
If you’re going to be attacked, the chances are that initial compromise … is going to be created by social engineering rather than anything technically sophisticated such as exploit of a zero-day vulnerability.
This concept has been long-touted in infosec - the need to focus on security basics, and on controls around identity, which includes the user and their device, to address social engineering risks.
Phishing attempts and malware delivered via phishing emails can lead to stolen credentials and potentially compromised or malware-infected devices, especially if those devices are unpatched and unprotected against known vulnerabilities.
By pairing multi-factor authentication (MFA) with endpoint policies and controls, you can help secure this new ‘identity perimeter’ against initial attempts to gain remote access to your networks - also referred to as zero-trust in Google’s BeyondCorp model.
Mobile & Malware Trends
When it comes to mobile devices, only 20% of Android devices were running the newest major version, with 2.3% on the latest minor release. While it’s possible that devices can be running the latest patch on out-of-date systems, keeping user devices as up to date as possible is advised.
The report also found a 54% increase in mobile malware variants, and a 46% increase in new ransomware variants from 2016 to 2017, showing that there’s no sign of malware development slowing any time soon.
Trojans & Financial Security Trends
Other trends include increased cryptocurrency coinminers and banking/financial Trojan activity. One financial Trojan that made a comeback with increased activity in the second half of 2017 is Emotet - malware that was delivered via large email campaigns, capable of stealing information from infected devices and adding infected devices to the botnet.
Aside from stealing online banking credentials, other Trojans have been seen stealing cryptocurrency wallet logins and other account details. The banking Trojan Dridex will now check the software installed on devices it has infected; enabling remote access for larger fraud attempts if accounting software is installed.
Intelligence Gathering & Industrial Control Systems
In an analysis of targeted attack groups, Symantec found that the majority of groups are focused on intelligence gathering - 90%, to be exact. This makes sense as state-sponsored actors tend to not be directly financially motivated, but rather interested in collecting data that could prove valuable - such as military info or technological advancements.
The ISTR also found a 29% increase in industrial control system (ICS)-related vulnerabilities. Once a month, there was at least one large software update supply chain attack reported in 2017 - that means attackers hijacked legitimate software updates with a malicious version with intent to distribute; an attack that could work similarly to compromise internet-enabled devices and industrial controller components.
Attacks against energy and critical infrastructure organizations have been seen recently, as reported by a technical alert released by the U.S. Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI). The multi-staged intrusions reflect all of the same attack vectors outline in the ISTR - malware, spear phishing and remote access.
After gaining remote access to energy sector networks, the threat actors were able to move laterally to gather information about industrial control systems, including configuration information on how to access ICS systems on the network.
Learn more about industrial control system, energy and critical infrastructure attacks in: