In 2018, attackers will continue to exploit humans to install malware, transfer funds, and steal information, with significant changes in techniques and behavior.
Worms in your Inbox: Network propagation becomes common in email-delivered payloads
Prior to 2017, cybercriminals generally preferred to distribute ransomware via either email or web download. The large-scale Locky spam campaigns of 2016 marked a major escalation in the crimeware arms race, as threat actors delivered millions, and sometimes tens of millions, of messages per day bearing archived scripts or malicious documents with embedded code. At the same time, smaller campaigns were also abundant, and in early 2017 Proofpoint researchers began to observe the same regional targeting patterns for ransomware that we had noted the previous year for banking Trojans.
Then, on May 11, organizations in Western Europe and the US awoke to reports of a fast-spreading ransomware strain that propagated by using the EternalBlue exploit against a known vulnerability in Windows SMBv1 (patched by Microsoft in March 2017 as MS17-010). Dubbed WannaCry or Wcry, this “ransomworm” marked the beginning of a new wave of destructive malware that leveraged network vulnerabilities to infect computers at scale. Wcry was followed over the course of 2017 by NotPetya and BadRabbit, all spreading via exploits or brute-forced Windows management interfaces. In each of these early cases the initial infection vector was not email, but their success demonstrated both the strengths and the weaknesses of the approach: rapid spread, at the price of high visibility. By September, researchers had observed the banking Trojans Retefe, The Trick, Emotet and others spreading via EternalBlue or dictionary attacks after an initial infection via email. These cases differed notably from their high-profile ransomware counterparts: in addition to distributing banking Trojans rather than destructive payloads, the Retefe campaign included built-in constraints to limit network-based propagation. Together they point to adaptations designed to make outbreaks less likely to attract attention or to overwhelm command and control (C&C) infrastructure.
In 2018, we expect to see more widespread adoption of network-based propagation techniques by a variety of malware and a range of threat actors. Email will remain the most popular distribution vector for the initial payload, but known vulnerabilities and leaked exploits will permit rapid spread to other systems on internal networks. Unlike the ransomworms of 2017, however, these new attacks will include increasingly sophisticated features that limit the spread to computers on the local network of the initial infection. Banking Trojans, information stealers, downloaders, and coinminers will be the preferred payloads for attacks focused on profit, while ransomware, MBR wipers, and other destructive tools will remain prevalent for campaigns focused on disruption.
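The propagation pattern described above, an email-delivered payload followed by dictionary attacks against neighboring Windows hosts, leaves a recognizable trail in the Security event log. The following is an added detection example, not Proofpoint tooling: the log lines are constructed and reduced to the fields that matter, the threshold and window are assumptions to tune per environment, and the field names mirror Event ID 4625 (failed logon) and 4624 (successful logon) with Logon Type 3, the network logon type an SMB session produces.

```python
"""Spotting a post-infection dictionary attack over SMB in Windows Security events.

Added example, not Proofpoint code. SAMPLE_EVENTS is constructed; the
"<timestamp> <event_id> <source_ip> <target_user> <logon_type> <target_host>"
layout is an assumption that stands in for the real 4625/4624 event fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed: one infected host (10.1.2.57) guessing its way onto FIN-WS20,
# and one ordinary user (10.1.2.88) who mistypes a password once.
SAMPLE_EVENTS = [
    "2017-09-14T09:12:01 4625 10.1.2.57 administrator 3 FIN-WS17",
    "2017-09-14T09:12:02 4625 10.1.2.57 administrator 3 FIN-WS17",
    "2017-09-14T09:12:02 4625 10.1.2.57 admin 3 FIN-WS18",
    "2017-09-14T09:12:03 4625 10.1.2.57 svc_backup 3 FIN-WS18",
    "2017-09-14T09:12:04 4625 10.1.2.57 administrator 3 FIN-WS19",
    "2017-09-14T09:12:05 4625 10.1.2.57 administrator 3 FIN-WS20",
    "2017-09-14T09:12:09 4624 10.1.2.57 administrator 3 FIN-WS20",  # guess succeeded
    "2017-09-14T09:15:40 4625 10.1.2.88 jsmith 3 FIN-FS01",          # ordinary typo
    "2017-09-14T09:15:52 4624 10.1.2.88 jsmith 3 FIN-FS01",
    "2017-09-14T10:01:00 4624 10.1.2.88 jsmith 2 FIN-WS02",          # interactive, ignored
]


def parse_event(line):
    ts, event_id, src, user, logon_type, host = line.split()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id), "src": src,
            "user": user, "logon_type": int(logon_type), "host": host}


def detect_dictionary_attacks(lines, threshold=5, window_seconds=120):
    """Sliding window of network-logon failures per source address.

    Emits one 'dictionary_attack' alert when a source accumulates `threshold`
    failures inside `window_seconds`, then a 'brute_force_success' alert for every
    later network logon that source achieves: that success is the lateral move.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # src -> recent 4625 events, oldest first
    flagged = set()
    alerts = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev["logon_type"] != 3:
            continue                # only network logons matter for SMB propagation
        recent = failures[ev["src"]]
        if ev["event_id"] == 4625:
            recent.append(ev)
            while recent and ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()    # drop failures that fell out of the window
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"kind": "dictionary_attack", "src": ev["src"], "at": ev["ts"],
                               "hosts": sorted({e["host"] for e in recent}),
                               "users": sorted({e["user"] for e in recent})})
        elif ev["event_id"] == 4624 and ev["src"] in flagged:
            alerts.append({"kind": "brute_force_success", "src": ev["src"], "at": ev["ts"],
                           "user": ev["user"], "host": ev["host"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_dictionary_attacks(SAMPLE_EVENTS):
        print(alert)
```

Two caveats a defender should keep in mind: the success alert is the one worth paging on, since a burst of failures alone is common noise, and this logic only covers the credential-guessing branch. EternalBlue exploitation of an unpatched SMBv1 host never authenticates, so it produces no 4625/4624 pair at all; that branch has to be caught by patch status and network telemetry instead.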
Cryptocurrency theft gives malware the Midas touch
The evolution of the malware landscape over the last three years traces an increasingly direct path to monetization: from credit card and banking credential theft to banking Trojans and then ransomware, each stage requires fewer steps between infection and payment, and therefore yields greater profit at lower risk. Cryptocurrency mining bots, or “coinminers,” represent the most direct path yet. Rather than stealing money, they steal computing resources, specifically the electricity and CPU cycles that consume up to 50% of the profits of legitimate mining. Instead of transferring funds from compromised accounts or relying on the small fraction of ransomware victims who pay to decrypt their files, every coinminer-infected computer contributes to generating funds that flow to anonymous wallets controlled by the cybercriminals. Those funds can then be spent on black market purchases or converted to the currency of the cybercriminals’ choice.
Already in late 2017, Proofpoint researchers observed Monero coinminers distributed as secondary payloads in campaigns from a variety of threat actors, delivered by tools as diverse as downloaders and point-of-sale (POS) malware. Cryptocurrency wallet phishing and wallet credential theft also grew in 2017; together with coinminer malware, these complementary techniques reflect the rapid rise of a multi-pronged effort to steal cryptocurrency. Just as the bandwagon effect is driving new users to cryptocurrency mining and exchanges, malware developers are jumping on the same bandwagon with malware and related schemes.
In 2018, malware and phishing designed to steal cryptocurrency – either directly or indirectly – will become almost as prevalent as banking Trojans in email-based campaigns, targeting wallets, credentials, cryptocurrency exchanges, and CPU cycles. Moreover, as the computational costs for the most popular currencies like Monero and Litecoin rise and make generation by distributed bots impractical, actors will shift to alternatives such as Ethereum and even some ‘private-issue’ coins that gain traction with the public.
Exploits come and go but “the human factor” is forever
Automated exploits appeared to make a comeback in 2017. Shadow Brokers disclosures, recently patched vulnerabilities such as CVE-2017-0199 (Microsoft Office) and CVE-2017-12929 (Adobe Flash), and the widespread use of newer vulnerabilities by both high-volume and targeted threat actors, all grabbed headlines. However, appearances were misleading. Threat actors such as TA505, known for their use of social engineering, moved quickly to leverage exploits for newly disclosed vulnerabilities in their campaigns, but then returned just as quickly to their normal techniques of document macros and zipped scripts. The exploits that demonstrated the greatest durability were those few that were commoditized by incorporation into document exploit builders such as Microsoft Word Intruder (MWI).
These rapid cycles highlight the short shelf-life of vulnerabilities and exploits compared to social engineering techniques that exploit the “human factor” by tricking victims into enabling embedded code or running attached or downloaded scripts. Overall, attacks based on social engineering remained prevalent in email-based threats while gaining broader adoption in web-based threats, in the form of fake update prompts for Google Chrome fonts, Adobe Flash, and others. In addition, the OAuth worm and the appearance and durability of Dynamic Data Exchange (DDE) abuse showed that threat actors continued to innovate in the techniques best suited to social engineering attacks, techniques that can be summarized as using “good tools for bad purposes.”
In 2018, threat actors will exhibit more innovation in these “good for bad” techniques, but with shorter periods of widespread use. Like DDE abuse, these techniques will see rapid adoption, then after several weeks decline in prevalence and become part of a rotating toolkit of infection techniques from which threat actors can choose to carry out social engineering-based attacks that spread malware, steal credentials and information, and steal funds. Exploits for new vulnerabilities will be rapidly adopted and then dropped by most threat actors, with longer-term use by a handful of specialized actors who distribute RATs and other information- and access-stealing malware.
Social media threats mature: Bots, coinmining, and domain fraud
2017 has seen the maturation of social media and domain-related threats, with actors refining their approaches to customer-support fraud, also known as “angler phishing,” in which fake support accounts trick individuals into handing over credentials, financial information and more. Social media spam has also remained an ongoing issue, as unsolicited, off-topic, malicious, or offensive content continues to dilute messaging on brand social media channels. Whereas 2017 has been a period of refinement and evolution in this space, however, several factors appear poised to influence 2018 social media cybersecurity trends significantly.
In particular, we predict an increase in social media bots in 2018. We expect their use to expand beyond public influence campaigns to financial gain: automatically distributing malware, linking to spam sites, phishing, and more. As these bots evolve, they will become less distinguishable from humans, increasing both their potential influence and their effectiveness. Many of these bots will be homegrown, but some will also leverage existing services and accounts compromised through social engineering attacks.
Moreover, we expect that pirated content on social media – which has already increased 20% since the beginning of 2017 – will increase rapidly as actors use the promise of free content to lure users to cryptocurrency mining pages. Streaming sites are ideal platforms for conducting in-browser coinmining as they are quite sticky and keep users on the same page for long periods of time.
Finally, we have already observed a 20% year-over-year increase in suspicious domain registrations. These domains are likely intended for fraud, typosquatting, spoofing, and other malicious schemes, and we expect the trend to accelerate as email authentication is adopted more widely: as industry-wide rollout of DMARC and related controls makes direct spoofing of a protected domain less effective, threat actors will move to registering lookalike domains, which authenticate as themselves and therefore pass sender-authentication checks unchanged.
Policy mandates push email authentication past the tipping point
Driven in large part by the growing threat of business email compromise (BEC) attacks, adoption of DMARC and other email authentication technologies has grown steadily over the last two years. However, it still lags in many sectors: for example, only 17% of US civilian federal agencies had a DMARC record in place as of October 2017. DMARC received a boost late this year when the US Department of Homeland Security mandated email authentication for all civilian federal agencies (Binding Operational Directive 18-01). At the same time, the likely impact of GDPR on registry WHOIS services will create demand for an alternative to what is currently a key source of domain attribution and reputation information.
As a result, we anticipate that 2018 will represent a tipping point in DMARC adoption as private enterprises and public agencies respond to policy directives. Businesses will also start demanding that their trading partners implement email authentication as threat actors take greater advantage of supply chain weaknesses in order to defraud or infect enterprises. Proofpoint data show that instances of “partner spoofing” currently remain relatively rare in BEC and targeted phishing attacks. However, as enterprises improve the identification and authentication of messages within their own infrastructure, attackers will make greater use of this technique in 2018 in order to abuse billing and other supply-chain relationships.
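The two preceding sections make one mechanical point: a published DMARC policy stops exact-domain spoofing only when it is set to enforce, and it says nothing about a lookalike domain the attacker controls, because that domain authenticates as itself. The following added example (not Proofpoint code) shows both halves: a minimal DMARC alignment check run against constructed DNS records and messages, with `p=reject` beside the weak `p=none`, and a confusable-skeleton check that catches a lookalike the policy cannot. `examplebank.com` and `oldbank.example` are hypothetical brands; the confusable map, the edit-distance threshold, and the two-label organizational-domain rule are simplifying assumptions (the last one is wrong for suffixes such as `co.uk`).

```python
"""DMARC alignment versus lookalike domains. Added example, not Proofpoint code.
DNS answers and messages are constructed; examplebank.com and oldbank.example
are hypothetical. Relaxed alignment compares organizational domains, strict
alignment requires an exact match (RFC 7489); org_domain() assumes the last two
labels, which is a simplification."""
import unicodedata

# Constructed _dmarc.<domain> TXT answers: one enforcing domain, one at p=none.
DMARC_RECORDS = {
    "examplebank.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@examplebank.com",
    "oldbank.example": "v=DMARC1; p=none; rua=mailto:dmarc@oldbank.example",
}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def lookup_dmarc(from_domain):
    """Exact From domain first, then its organizational domain."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        if candidate in DMARC_RECORDS:
            return parse_dmarc(DMARC_RECORDS[candidate])
    return None

def aligned(from_domain, auth_domain, mode):
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(msg):
    """Return (result, policy) for a message dict with keys from_domain,
    spf_domain, spf_pass, dkim_domain, dkim_pass (SPF/DKIM already evaluated)."""
    tags = lookup_dmarc(msg["from_domain"])
    if tags is None:
        return ("none", "no-record")
    spf_ok = msg.get("spf_pass", False) and aligned(msg["from_domain"], msg.get("spf_domain"), tags.get("aspf", "r"))
    dkim_ok = msg.get("dkim_pass", False) and aligned(msg["from_domain"], msg.get("dkim_domain"), tags.get("adkim", "r"))
    return ("pass" if (spf_ok or dkim_ok) else "fail", tags.get("p", "none"))

# Lookalike detection. DMARC cannot help here: the attacker's own domain
# authenticates perfectly. Confusable map and threshold are assumptions.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_CHAR = [("rn", "m"), ("vv", "w")]

def skeleton(label):
    """Fold a label to a confusable 'skeleton' (in the spirit of UTS #39)."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    s = s.translate(CONFUSABLES)
    for a, b in MULTI_CHAR:
        s = s.replace(a, b)
    return s

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, brand):
    if org_domain(domain) == org_domain(brand):
        return False  # the brand's own domain and subdomains are not lookalikes
    brand_label = org_domain(brand).split(".")[0]
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            return True   # IDN label: treat as suspicious pending a full UTS #39 check
        if skeleton(label) == skeleton(brand_label) or edit_distance(label, brand_label) <= 1:
            return True
    return False

def triage(msg, brand="examplebank.com"):
    result, policy = dmarc_disposition(msg)
    if result == "fail" and policy == "reject":
        return "reject"                 # exact-domain spoof stopped by the published policy
    if is_lookalike(msg["from_domain"], brand):
        return "quarantine-lookalike"   # authenticates fine, impersonates anyway
    return "deliver"

# Constructed messages.
LEGIT = {"from_domain": "examplebank.com", "dkim_domain": "examplebank.com", "dkim_pass": True}
SPOOF_EXACT = {"from_domain": "examplebank.com", "spf_domain": "bulk-sender.example", "spf_pass": True}
LOOKALIKE = {"from_domain": "examp1ebank.com", "spf_domain": "examp1ebank.com", "spf_pass": True,
             "dkim_domain": "examp1ebank.com", "dkim_pass": True}
SPOOF_P_NONE = {"from_domain": "oldbank.example", "spf_domain": "bulk-sender.example", "spf_pass": True}

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("exact spoof", SPOOF_EXACT),
                      ("lookalike", LOOKALIKE), ("spoof of p=none domain", SPOOF_P_NONE)]:
        print(f"{name:24s} dmarc={dmarc_disposition(msg)} -> {triage(msg)}")
```

Note what the `p=none` case shows: the spoof of `oldbank.example` fails DMARC just as the `examplebank.com` spoof does, but the record only asks for reports, so the message is delivered. Moving to `p=reject` closes that gap and, as the text predicts, pushes the attacker toward `examp1ebank.com`, which only the lookalike check sees.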