McAfee reported that internet of things malware was up 73 percent in the third quarter, while cryptocurrency mining malware was up 71 percent, even as the value of many cryptocurrencies have declined. Meanwhile, the ripple effect of the 2017 takedowns of Hansa and AlphaBay dark web markets continued as entrepreneurial cybercriminals took new measures to evade law enforcement.
“Cybercriminals are eager to weaponize vulnerabilities both new and old, and the number of services now available on underground markets has dramatically increased their effectiveness,” said Christiaan Beek, lead scientist at McAfee, in a statement. “As long as ransoms are paid and relatively easy attacks, such as phishing campaigns, are successful, bad actors will continue to use these techniques. Following up-and-coming trends on the underground markets and hidden forums allow the cybersecurity community to defend against current attacks and stay a step ahead of those in our future.”
McAfee said new mobile malware decreased 24 percent. The financial sector data breaches increased 20 percent in the third quarter. Spam botnets are spewing “sextortion” claims, where they threaten to reveal a victim’s web browsing habits. And new ransomware increased 10 percent in Q3, even as unique ransomware families continue to decline.
Each quarter, McAfee assesses the state of the cyber threat landscape based on research, investigative analysis, and threat data gathered by the McAfee Global Threat Intelligence cloud from over a billion sensors across multiple threat vectors around the world.
Cybercriminal underground and hidden chat forums reveal trends
In an effort to evade law enforcement and build trust directly with customers, some entrepreneurial cybercriminals have shifted away from using larger markets to sell their goods and have begun creating their own specialized shops. This shift has sparked a new line of business for website designers offering to build hidden marketplaces for aspiring shady business owners.
“Cybercriminals are very opportunistic in nature,” said John Fokker, head of cybercriminal investigations at McAfee, in a statement. “The cyberthreats we face today once began as conversations on hidden forums and grew into products and services available on underground markets. Additionally, the strong brands we see emerging offer a lot to cybercriminals: higher infection rates, and both operational and financial security.”
Hacker forums provide an elusive space for cybercriminals to discuss cybercrime-related topics with their peers. McAfee researchers witnessed conversations around the following topics in Q3:
- Successful breaches fueled markets for data and copycat attacks.
- User credentials: Due to many recent successful large data breaches, user credentials remain a popular topic. Hacked email accounts are of particular interest to cybercriminals as they are used to restore login credentials for other online services.
- Ecommerce site malware: Cybercriminals have shifted their focus from point-of-sale systems to payment platforms located on large ecommerce sites. Cybercriminal groups such as Magecart have successfully skimmed thousands of credit card details directly from victim websites, which has fueled demand for both credit card details and the malicious tools that can be used to steal them.
- Common entry and attack methods remain popular.
- Common vulnerabilities and exposures (CVE): McAfee researchers witnessed numerous mentions of CVEs in discussions focused on browser exploit kits RIG, Grandsoft, and Fallout, and on GandCrab ransomware. The popularity of these topics signals the importance of vulnerability management for organizations around the globe.
- Remote desktop protocol (RDP): Shops offering logins to computer systems worldwide, ranging from the consumer home to medical devices and government systems, remained popular throughout Q3. These shops provide one stop for cybercriminals looking to commit fraud, selling RDP access as well as social security numbers, bank details, and online account access.
- Ransomware-as-a-service (RaaS): Ransomware remains popular, evidenced by 45 percent growth over the past four quarters and strong interest on underground forums for leading RaaS families such as Gandcrab. The number of unique ransomware families has declined since Q4 2017 as partnerships between essential services have increased — for example, the partnership between GandCrab ransomware and crypter service NTCrypt seen in Q3. Partnerships and affiliate schemes have bettered the level of service provided to customers and increased infection rates.
Q3 2018 threats activity
Cryptomining and IoT
IoT devices such as cameras or video recorders have not typically been used for cryptomining because they lack the processing power of desktop and laptop computers. However, cybercriminals have taken notice of the growing volume and lax security of many IoT devices and have begun to focus on them, harnessing thousands of devices to create a mining supercomputer.
New malware targeting IoT devices grew 203 percent in the past four quarters. New coinmining malware grew nearly 55 percent, with total malware growing 4,467 percent in the past four quarters.
McAfee Labs counted 215 publicly disclosed security incidents, a decrease of 12 percent from Q2.
Disclosed incidents targeting financial institutions rose 20 percent, as McAfee researchers observed an increase in spam campaigns leveraging uncommon file types, an effort to increase chances of evading basic email protections. McAfee researchers also observed banking malware include two-factor operations in web injects to evade two-factor authentication. These tactics follow a broad effort on the part of financial institutions to increase security in recent years.
Disclosed incidents targeting health care remained stagnant, public sector decreased 2 percent, and education sector decreased 14 percent.
McAfee researchers observed a new malware family, CamuBot, targeting Brazil in Q3. CamuBot attempts to camouflage itself as a security module required by the financial institutions it targets. Although organized cyber gangs in Brazil are very active in targeting their own population, their campaigns have been crude in the past. With CamuBot, Brazilian cybercriminals appear to have learned from their peers, adapting their malware to be more sophisticated and comparable to that on other continents.
Disclosed incidents targeting the Americas fell 18 percent, Asia-Pacific fell 22 percent, and Europe increased 38 percent.
Malware led disclosed attack vectors, followed by account hijacking, leaks, unauthorized access, and vulnerabilities.
GandCrab, one of the most active families of the quarter, increased its required ransom payment to $2,400 from $1,000. Exploit kits, the delivery vehicles for many cyberattacks, added support for vulnerabilities and ransomware. New ransomware samples grew 10 percent, and total ransomware samples grew 45 percent over the past four quarters.
New mobile malware decreased by 24 percent. Despite the downward trend, some unusual mobile threats appeared, including a fake Fortnite “cheat” app and a fake dating app. Targeting members of the Israel Defense Forces, the latter app allowed access to device location, contact list, and camera and had the ability to listen to phone calls.
New malware samples increased by 53 percent. The total number of malware samples grew 34 percent in the past four quarters.
New Mac OS malware samples increased by 9 percent. Total Mac OS malware grew 51 percent over the past four quarters.
New macro malware increased by 32 percent, growing 24 percent over the past four quarters.
Some 53 percent of spam botnet traffic in Q3 was driven by Gamut, the top spam-producing botnet spewing “sextortion” scams, which demand payment and threaten to reveal victim browsing habits.