The past few months have dramatically reshaped the threat landscape. Traditional threats such as generic Trojans, ransomware and spam bots have been joined on a massive scale by data destructors. Powered by exploit code allegedly leaked from the NSA, both WannaCry and GoldenEye wrought havoc throughout Q2 and Q3, shutting down businesses and causing unprecedented operating losses.
Novel lateral movement techniques have complemented the leaked SMB exploits EternalBlue and EternalRomance (not true zero-days: Microsoft had patched them in MS17-010 before they were weaponized at scale against unpatched hosts) to take over enterprise networks. Another significant 2017 trend is the increased reliance on freeware or open-source tools, stitched together with custom-built code that weaponizes them in support of the attacker's agenda.
Our APT and targeted attack investigations in 2017 repeatedly turn up legitimate free tools repurposed by attackers, such as the Nirsoft password recovery utilities and the DiskCryptor disk encryption utility. Because these are benign binaries with legitimate uses, reputation- and signature-based detection and remediation become increasingly difficult.
These targeted attacks are reshaping the corporate and government security landscape, and causing fallout in the consumer space, as commercial cyber-criminals rush to adopt leaked exploits and advanced lateral movement techniques into their own payloads.
Bitdefender is constantly monitoring its global network of more than 500 million sensors and honeypots for emerging threats or low-key cyber-attacks that try to fly under security products’ radar. The aggregated data allows us to paint an accurate picture of what is happening in the industry and helps us develop new mitigations for the upcoming generation of cyber-threats.
This report is based exclusively on information collected via a wide range of security services within GravityZone: Security for Virtualized Environments, Security for Endpoints, Security for Mobile and Security for Exchange, consumer-oriented products such as Bitdefender Antivirus, Bitdefender Internet Security or Bitdefender Total Security, as well as from Bitdefender BOX, the innovative solution for protecting devices in the IoT space.
Bitdefender telemetry shows ransomware is still the most frequently encountered threat. During 2017 alone, the number of new major ransomware families surpassed 160, with dozens or even hundreds of variations per family. The most prolific ransomware strain is Troldesh / Crysis, with hundreds of sub-variants seen to date. GlobeImposter, another extremely prolific ransomware family, competes head-to-head with Troldesh in the number of released sub-variants.
Another spectacular development in the 2017 threat landscape is the re-emergence of Qbot (also known as Brresmon or Emotet), a multi-purpose, network-aware worm with backdoor capabilities that has been around for years. It has lately re-emerged with a significantly redesigned command and control infrastructure and, more importantly, a server-side (cloud-based) polymorphic engine that lets each download take a different form, giving it a virtually unlimited number of variants with which to evade signature-based AV detection.
Ransomware specifically aimed at companies is now an established category. Since the re-emergence of the Troldesh ransomware family this March, companies have faced highly targeted attacks in which the operators abuse exposed Remote Desktop Protocol (RDP) endpoints to gain a foothold in the infrastructure, then infect computers by hand. Campaigns delivering Troldesh and GlobeImposter bring credential-theft and lateral movement tooling (Mimikatz, for instance) to spread across the organization, and clear event logs afterwards to cover their tracks.
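Each step of that chain leaves a standard Windows Security event behind: an RDP session is a 4624 logon with logon type 10, a Mimikatz run is a 4688 process creation whose command line carries the familiar module names, and the clean-up is a 1102 "audit log was cleared". The detection below correlates those three on a per-host basis inside a time window. It is an added example, not Bitdefender's detection logic; the event records are constructed for illustration, the field names (`ts`, `host`, `event_id`, `logon_type`, `src_ip`, `cmdline`) are an assumed SIEM normalisation, and "external" is assumed to mean outside the RFC 1918 ranges.

```python
"""Flag the RDP-abuse ransomware pattern: an interactive remote logon from
outside the network, followed within a short window by credential dumping
and/or an event-log clear on the same host. Added example, not vendor code."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) in the shape a SIEM might
# give normalised Windows Security events. Event IDs are the standard ones:
# 4624 logon (type 10 = RemoteInteractive/RDP), 4688 process creation,
# 1102 audit log cleared. Field names are an assumption of this example.
SAMPLE_EVENTS = [
    {"ts": "2017-03-12T02:10:05", "host": "FS01", "event_id": 4624,
     "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"},
    {"ts": "2017-03-12T02:14:30", "host": "FS01", "event_id": 4688,
     "user": "admin", "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords"},
    {"ts": "2017-03-12T02:20:11", "host": "FS01", "event_id": 1102, "user": "admin"},
    # Benign: RDP from an internal jump host with no follow-on activity.
    {"ts": "2017-03-12T09:00:00", "host": "WS07", "event_id": 4624,
     "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.20"},
    # Benign here: a console logon (type 2) followed by a log rotation is not
    # the RDP pattern, although a 1102 on its own still deserves a look.
    {"ts": "2017-03-12T09:30:00", "host": "WS07", "event_id": 4624,
     "logon_type": 2, "user": "jsmith", "src_ip": "-"},
    {"ts": "2017-03-12T09:31:00", "host": "WS07", "event_id": 1102, "user": "SYSTEM"},
    # External RDP logon followed by a log clear, but no visible credential dump.
    {"ts": "2017-03-12T23:05:00", "host": "DC02", "event_id": 4624,
     "logon_type": 10, "user": "backup", "src_ip": "198.51.100.7"},
    {"ts": "2017-03-13T00:02:00", "host": "DC02", "event_id": 1102, "user": "backup"},
]

# Command-line fragments typical of Mimikatz and LSASS dumping (assumed list).
CRED_DUMP_MARKERS = ("mimikatz", "sekurlsa::", "lsadump::", "procdump", "lsass")

# Assumption: the organisation's internal address space is the RFC 1918 blocks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True for an address outside INTERNAL_NETS; '-' or garbage counts as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_rdp_intrusions(events, window=timedelta(hours=1)):
    """Return one alert per external RDP logon that is followed on the same host,
    within `window`, by credential dumping and/or an event-log clear."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if (e["event_id"] != 4624 or e.get("logon_type") != 10
                    or not is_external(e.get("src_ip", "-"))):
                continue
            t0 = parse_ts(e["ts"])
            stages = {"rdp_logon"}
            for f in evs[i + 1:]:
                if parse_ts(f["ts"]) - t0 > window:
                    break  # events are time-ordered, nothing later can qualify
                if f["event_id"] == 4688 and any(
                        m in f.get("cmdline", "").lower() for m in CRED_DUMP_MARKERS):
                    stages.add("cred_dump")
                elif f["event_id"] == 1102:
                    stages.add("log_cleared")
            if len(stages) > 1:
                alerts.append({"host": host, "user": e["user"], "src_ip": e["src_ip"],
                               "stages": sorted(stages),
                               "severity": "high" if len(stages) == 3 else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_intrusions(SAMPLE_EVENTS):
        print(alert)
```

The window is deliberately short because the manual, hands-on-keyboard nature of these intrusions means the three events cluster within minutes to an hour; the 1102 clear is the last thing the operator does, so a medium-severity alert on logon plus clear alone still catches the case where the credential dumper ran from memory and never produced a telling 4688.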
Crypto-currency miners have taken multiple shapes and approaches in 2017. Traditional illicit coin miners have rushed to adopt lateral movement tactics such as the EternalBlue and EternalRomance exploits, allegedly originating from the NSA, to infect more computers inside organizations and scale up their mining. Representative of this category is the Monero miner Adylkuzz, which appeared in early May, at roughly the same time as WannaCry. Another notable development is attackers embedding mining code in compromised web sites, so that visitors' browsers mine on their behalf, reaching a broader audience and increasing the mining yield.