Recent months have seen a dramatic reshaping of the cyber security threat landscape, according to the “Global Threat Landscape Report—2017,” by Bitdefender.
More traditional threats such as generic Trojans, ransomware, and spam bots have been joined in a big way by data destructors. Powered by military-grade exploit code allegedly leaked from the U.S. National Security Agency (NSA), both WannaCry and GoldenEye (Bitdefender's name for the NotPetya wiper) wrought havoc in the second and third quarters of 2017, shutting down businesses and causing unprecedented operating losses, the report said.
Novel lateral movement vectors have complemented leaked exploits such as EternalBlue and EternalRomance (both targeting SMBv1 flaws that Microsoft had patched in MS17-010 in March 2017, before the leak) to take over the enterprise space, the study noted. Another significant trend in 2017 was the increased use of freeware or open-source tools stitched together with custom-built code that weaponizes them to serve the attacker's agenda.
Targeted attacks are reshaping the corporate and government security landscape and causing fallout in the consumer space as well, as commercial cyber criminals rush to adopt leaked exploits and advanced lateral movement technologies into their own payloads.
Bitdefender is constantly monitoring its global network of more than 500 million sensors for emerging threats or low-key cyber attacks that try to fly under the radar of security products. The aggregated data allows the company to paint an accurate picture of what’s going on in the security landscape and help it develop new mitigations for the upcoming generation of cyber threats.
Among the key findings of the report is that Bitdefender telemetry shows ransomware is still the most frequently encountered threat. During 2017, the number of new major ransomware families exceeded 160, with dozens or even hundreds of variations per family.
The most prolific ransomware strain is Troldesh/Crysis, with hundreds of sub-variants reported to date. GlobeImposter, another extremely prolific ransomware family, is head-to-head with Troldesh in the number of released sub-variants. The commercial malware ecosystem is intensely focused on developing and planting ransomware.
Ransomware aimed specifically at companies has become more common. Since the re-emergence of the Troldesh ransomware family, companies have faced highly targeted attacks that use the Remote Desktop Protocol (RDP) to connect to exposed infrastructure, after which the operators infect computers by hand. Threats such as Troldesh and GlobeImposter ship with lateral movement tools to spread across an organization and log clean-up routines to cover their tracks.
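The RDP-in, wipe-logs-out pattern described above is one a blue team can hunt for directly in Windows event telemetry. The following is an added example, not code from the Bitdefender report: it parses a handful of constructed JSON-lines events (the format a log forwarder might emit; the hosts, users and addresses are invented) and flags any audit-log clearing (Security event 1102, System event 104) that follows a RemoteInteractive logon (Security event 4624, logon type 10) on the same host within a look-back window. The window length and the "external source" heuristic are assumptions a deployment would tune.

```python
"""Hunt for RDP logons followed by event-log clearing on the same Windows host.

Added example; the sample events below are constructed. Event IDs used are the
standard ones: 4624 = successful logon (logon_type 10 = RemoteInteractive, i.e.
RDP), 1102 = Security audit log cleared, 104 = System log cleared.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample telemetry as JSON lines; hosts, users and IPs are invented.
SAMPLE_EVENTS = """
{"ts": "2017-09-12T02:11:04Z", "host": "FS01", "channel": "Security", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.45"}
{"ts": "2017-09-12T02:15:30Z", "host": "FS01", "channel": "Security", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.0.7"}
{"ts": "2017-09-12T02:47:52Z", "host": "FS01", "channel": "Security", "event_id": 1102, "user": "svc_backup"}
{"ts": "2017-09-12T02:48:01Z", "host": "FS01", "channel": "System", "event_id": 104, "user": "svc_backup"}
{"ts": "2017-09-12T09:02:10Z", "host": "WS22", "channel": "Security", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.5.14"}
{"ts": "2017-09-13T08:00:00Z", "host": "WS22", "channel": "Security", "event_id": 1102, "user": "admin"}
"""

LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
RDP_LOGON_TYPE = 10
LOOKBACK = timedelta(hours=2)  # assumed tuning value

# RFC 1918 plus loopback and link-local. Deliberately not ipaddress.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as non-public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def parse_events(text):
    """Parse JSON lines into dicts with a datetime in 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_external(ip):
    """True when the source address is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_rdp_then_wipe(events, lookback=LOOKBACK):
    """Return one alert per log-clear event preceded by an RDP logon on that host.

    Severity is 'high' when the RDP session came from an external address
    (RDP exposed to the Internet), 'medium' for an internal source, which may
    still be lateral movement from an already compromised machine.
    """
    rdp_logons = [e for e in events
                  if e["event_id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE]
    alerts = []
    for wipe in events:
        if (wipe["channel"], wipe["event_id"]) not in LOG_CLEAR_EVENTS:
            continue
        window_start = wipe["ts"] - lookback
        for logon in rdp_logons:
            if logon["host"] != wipe["host"]:
                continue
            if not (window_start <= logon["ts"] <= wipe["ts"]):
                continue
            alerts.append({
                "host": wipe["host"],
                "rdp_user": logon["user"],
                "src_ip": logon["src_ip"],
                "cleared": f'{wipe["channel"]}:{wipe["event_id"]}',
                "minutes_after_logon": int((wipe["ts"] - logon["ts"]).total_seconds() // 60),
                "severity": "high" if is_external(logon["src_ip"]) else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_then_wipe(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data only FS01 fires: the external RDP session is followed 36 minutes later by both the Security and the System log being cleared. WS22's log clearing happens almost a day after its RDP logon and falls outside the window, which is the kind of benign administrative event the look-back is meant to exclude. In a real deployment the same logic belongs in the SIEM's correlation rules, and event 1102 on a server should be rare enough to page on by itself.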
Bitdefender’s threat intelligence shows the United States is still the number one destination for cyber crime. The U.S. ranks first in the number of malicious incidents detected throughout 2017, with 19% of incidents detected by the Bitdefender sensors.
The report ranks the top 10 malware threats worldwide in 2017. First on the list is illicit Bitcoin miners, which accounted for 1.05% of all infections detected worldwide. Application.BitcoinMiner is representative of this category and consists of a legitimate mining program configured to direct the victim's computing power to wallets the attacker controls, the report said. The miner, along with its configuration file, is surreptitiously planted on victims' computers.
Ranking third in 2017 malware is an older threat called Trojan.LNK. This detection deals with multiple families of malware that use maliciously modified shortcut files with a .LNK extension that are designed to trick users into mistakenly launching a malicious file.
Next most common is the Downadup worm (also known as Conficker), which is still active on unpatched computers. For nearly 10 years Downadup has been a constant presence in the top threats, beginning with its emergence in 2008. It continues to spread and to create scheduled tasks on infected computers.
Fifth and sixth places are held by the JS:AdwareJS.Agent and JS:TrojanJS.Agent families, two large generic detection categories covering JavaScript adware and Trojans used for various purposes. Ranking seventh, JS.TeslaCrypt4 is a generic downloader that brings the TeslaCrypt executable to a victim's computer. It arrives bundled in email and acts as a first-stage downloader that fetches and executes TeslaCrypt's current payload.
In ninth place is Trojan.AutorunInf. Even though AutoRun from removable media is disabled on modern Windows versions, so its spreading mechanism no longer works there, malicious autorun.inf files are still detected on removable media that has been plugged into infected computers running Windows XP.
Win32.Sality ranks tenth in the list of most frequently encountered threats. This polymorphic file infector has been around for years, the report said, and it infects executable files on local or removable storage media and joins the infected computer to a peer-to-peer network of compromised machines, where it awaits further instructions.