This document summarizes malware trends in 2018. Key findings include:
1) Cryptomining detections increased 7% in 2018 before declining mid-year. Information stealers like Emotet and TrickBot targeted businesses.
2) Major data breaches in 2018 compromised hundreds of millions of records, a 133% increase over 2017.
3) Ransomware shifted to more targeted attacks using techniques like brute force. Malware increasingly targeted businesses over consumers.
The FBI is the lead federal agency for investigating malicious cyber activity by criminals, nation-state adversaries, and terrorists. To fulfill this mission, the FBI often develops resources to enhance operations and collaboration. One such resource is the FBI’s Internet Crime Complaint Center (IC3) which provides the public with a trustworthy and convenient mechanism for reporting information concerning suspected Internet-facilitated criminal activity. At the end of every year, the IC3 collates information collected into an annual report.
Credit is due to all original authors and no financial gain was made from the blog, Simply sharing an interesting story for educational purposes,
- In 2017, financial phishing attacks increased, accounting for over half of all phishing detections according to Kaspersky Lab. Attacks targeted major banks, payment systems, and online shops.
- Banking malware attacks decreased in 2017 but still posed a threat, with the Zbot and Gozi families being the most widespread. Android banking malware also decreased slightly.
- Emerging threats in 2017 included the Silence hacking group that targeted 10 financial organizations, stealing millions, and new malware like Cutlet Maker designed to target ATMs.
Cost of Cybercrime Study in Financial Services: 2019 Report
Now in its 9th year, this new Accenture presentation explores the impact associated with cybercrime, quantifying the cost of cyberattacks and analyzing trends in malicious activities in the financial services industry. And this year for the first time, we look to the future so that financial services organizations can better target their funds and resources and open up new revenue opportunities to unlock economic value.
The document discusses improvements organizations have made to address cyber threats, but also areas that still need work. It finds that many organizations now recognize the extent of cyber threats, with 76% owning information security policies at the highest level. 70% conduct security assessments of third parties accessing their data. However, the document notes that while improvements have been made, organizations need to do more quickly to address increasing cyber risks. Leading practices and innovation are needed to better protect against known and unknown future threats.
The document summarizes a mobile threat report for Q3 2013. It finds that 252 of the 259 new mobile threat families and variants discovered were for Android, with trojans making up the largest percentage at 88%. It also notes an increasing trend of profit-motivated mobile malware, with 81.1% of new threats aiming to generate money through unauthorized SMS messages. The report discusses recent developments like the identification of the creator of the Pincer Android banking trojan and the emergence of tools that simplify inserting malware into legitimate apps.
Потребительские технологические бренды все чаще становятся инструментом для фишинговых атак. Ошибки конфигурации стали причиной более 85% случаев утечки данных. Банковские трояны и вирусы-шифровальщики преобладают среди вредоносных программ
Organizations are struggling to manage increasing cyber risks and losses from cyber attacks. While financial costs are increasing, other changes may have a greater impact. Regulations are expanding who is responsible for cybersecurity and penalties for non-compliance are becoming more aggressive. Business models may also need to change as supply chains are impacted and new technologies are adopted. However, changes may not be happening quickly enough given the rapidly evolving threat landscape.
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
The document discusses how cyber risks are costly for the insurance industry. It provides statistics on the global costs of cybercrime and cyber security spending. While insurance can help mitigate some cyber risks, the full costs to the industry are difficult to quantify due to undetected breaches, slow-burn costs from attacks, and impacts on reputation. The insurance industry faces cyber risks both from covering policyholders and securing their own systems and data.
This document provides a summary of cybersecurity threats and trends from Symantec's January 2014 Intelligence Report. Some key highlights include:
- Two large data breaches were reported in January exposing over 105 million identities total. The number exposed in a November breach was adjusted upwards to 110 million identities.
- Targeted attacks increased in January to their highest level since August 2013, with manufacturing and non-traditional services being the most targeted industries.
- 555 new vulnerabilities were reported in January, bringing the 12-month total to 6443. Google Chrome and Oracle Java had the most browser and plugin vulnerabilities respectively.
- The global spam rate decreased slightly while phishing and email virus rates also reduced. Sex
The summary provides an overview of key trends in cybersecurity threats according to Symantec's June 2015 Intelligence Report. There was a decrease in email-based threats like spam, phishing, and malware. However, new malware variants increased significantly to over 57 million in June. Ransomware and crypto-ransomware attacks also rose after declining in previous months. The manufacturing industry remained the top target of spear-phishing while small companies received the most phishing attempts. Transportation saw the highest rate of email-based malware.
The document summarizes key findings from a report on cyber threats targeting the financial services sector. The top three findings are:
1. Financial services encounters security incidents 300% more frequently than other industries due to being a prime target.
2. 33% of all reconnaissance and lure attacks target financial services, indicating large efforts to compromise financial institutions.
3. Credential stealing attacks are prominent, with the top threats like Rerdom, Vawtrak, and Geodo having credential theft capabilities. Geodo is seen 400% more in financial services.
Symantec's Internet Security Threat Report, Volume 18 revealed a 42 percent surge during 2012 in targeted attacks compared to the prior year. Designed to steal intellectual property, these targeted cyberespionage attacks are increasingly hitting the manufacturing sector as well as small businesses, which are the target of 31 percent of these attacks. Small businesses are attractive targets themselves and a way in to ultimately reach larger companies via “watering hole” techniques. In addition, consumers remain vulnerable to ransomware and mobile threats, particularly on the Android platform.
Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012
Symantec's 2011 Internet Security Threat Report, Volume 17 shows that while the number of vulnerabilities decreased by 20 percent, the number of malicious attacks continued to skyrocket by 81 percent. In addition, the report highlights that advanced targeted attacks are spreading to organizations of all sizes and variety of personnel, data breaches are increasing, and that attackers are focusing on mobile threats.
Welcome to the May edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.
Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 57.6 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Intelligence, Symantec Managed Security Services, Norton consumer products, and other third-party data sources.
Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.
The average number of spear-phishing attacks rose to 53 per day in September, after a 12-month low in August. Spear phishing activity has returned to levels seen earlier in the summer, but is still down from the 12-month average of 85 attacks per day.
The .doc file type was the most common attachment type used in spear-phishing attacks, making up more than 52.9 percent of all attachments in September. At 4.8 percent, last month’s top attachment, .exe file types, dropped to fourth.
There were only four publically disclosed data breaches that took place within the month September, resulting in the exposure of 2.5 million identities. However, there were 14 additional data breaches reported in September that took place earlier in the year. The largest data breach reported in September actually took place in April, and resulted in the exposure of 56 million identities.
Ransomware continues to decline as 2014 progresses. However, crypto-style ransomware remains high, making up 38 percent of all ransomware detected in September.
There were 600 vulnerabilities disclosed in the month of September, the highest number so far in 2014 and second highest in last 12 months.
One in 2,041 emails was identified as a phishing attempt, compared with one in 1,587 for August. While at first glance this looks like a big drop, it results in only a 0.01 percentage point decrease in the overall phishing rate.
This brief presentation gives you a quick overview on how the Cyber Threat Landscape is shaping up in 2017 for individuals and business owners alike. It puts forth some important trends and predictions.
The document discusses the rise of ransomware attacks in the first half of 2016. Key points include:
- Ransomware attacks surged, with nearly 80 million threats detected. 79 new ransomware families were discovered, a 172% increase from 2015.
- Ransomware caused over $209 million in losses for businesses. Many opted to pay ransoms to regain access to encrypted files.
- New ransomware variants targeted enterprise networks and files related to businesses like databases, websites, and tax returns. Attack vectors expanded beyond email to include exploits and remote desktop applications.
- To protect against ransomware, businesses need multilayered security strategies along with software patching and employee education. Rans
The document is Datto's annual report on ransomware trends based on a survey of over 1,000 MSPs. Some key findings include:
- Ransomware remains the #1 malware threat, impacting nearly 70% of MSP clients. Phishing emails are the top attack vector.
- The average ransom demand stayed around $5,600 but downtime costs have risen significantly, averaging $274,200 per incident.
- While opinions vary, around half of MSPs saw increased attacks due to remote work during COVID-19, with healthcare most at risk.
- There remains a disconnect between MSP and client concerns about ransomware, though more clients are boosting security budgets.
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
Another year, another Hacker-Powered Security Report! We pulled out 100 of the report’s top facts—and then added 18 more, since it’s 2018. See below for a better understanding of how hacker-powered security is disrupting (in a good way) how organizations approach security. More security teams are adding VDPs, more are supplementing their skills and bandwidth with hackers, and more are augmenting their standard pen tests with hacker challenges.
In 2018, the HackerOne community and those using our platform have combined to crush every metric that we track. Organizations awarded more than $11 million in bounties. Hackers submitted more than 78,000 reports. Bounties were awarded to hackers in over 100 countries.
Unfortunately, the only metric that hasn’t changed much is the percentage of Forbes Global 2000 companies without vulnerability disclosure policies.
Read on for all of the facts!
This white paper discusses cyber security predictions and trends for the next 18 months. It outlines 5 trends: 1) major mobile exploits due to increased mobility and devices, 2) open source vulnerabilities as adversaries target these, 3) supply chain attacks remaining critical as vendors are easier targets, 4) increased industry-specific attacks and malware, and 5) greater privacy legislation in response to public concerns about data collection. The paper recommends organizations assess their use of open source software, supply chain security policies, industry-specific defenses, and data privacy practices to address these evolving threats.
Symantec's Internet Security Threat Report for the Government Sector
Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services, Norton consumer products, and other third-party data sources.
In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 60,000 recorded vulnerabilities (spanning more than two decades) from over 19,000 vendors representing over 54,000 products.
Spam, phishing, and malware data is captured through a variety of sources including the Symantec Probe Network, a system of more than 5 million decoy accounts, Symantec.cloud, and a number of other Symantec security technologies. Skeptic, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers’ networks. Over 8.4 billion email messages are processed each month and more than 1.7 billion web requests filtered each day across 14 data centers. Symantec also gathers phishing information through an extensive anti-fraud community of enterprises, security vendors, and more than 50 million consumers.
Symantec Trust Services provides 100 percent availability and processes over 6 billion Online Certificate Status Protocol (OCSP) look-ups per day, which are used for obtaining the revocation status of X.509 digital certificates around the world. These resources give Symantec analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises, small businesses, and consumers essential information to secure their system effectively now and into the future.
Trustwave investigated hundreds of data compromise incidents across 17 countries in 2015. Some key findings:
- 45% of incidents were in North America, while 27% were in the Asia-Pacific region and 15% in Europe, Middle East, and Africa.
- The retail industry accounted for 23% of incidents, while hospitality was 14% and food/beverage was 10%.
- 40% of investigations involved corporate/internal network breaches and 38% involved e-commerce breaches.
- 60% of breaches targeted payment card data, with 31% involving card track (magnetic stripe) data from POS terminals.
The report provides insights into trends in compromised industries and regions, attack methods
As reported in the ISTR Volume 19, 2013 saw a 500 percent increase in ransomware in the latter part of the year. Overall ransomware levels remained high through March 2014, and then slowly started to decline, in part due to the disruption of the GameOver Zeus botnet back in late May.
In contrast, crypto-style ransomware has seen a 700 percent-plus increase. These file-encrypting versions of ransomware began the year comprising 1.2 percent of all ransomware detec¬tions, but now make up 31 percent at the end of August. One variant known as Trojan.Cryptodefense began to appear in large numbers in early June. By the end of July, it made up 77 percent of all crypto-style ransomware for the year to date. This follows predictions in the ISTR saying this type of malware would become more common in 2014.
Over 31.5 million identities were reported exposed in August, from 12 incidents. The jump in exposed identities is due to a large breach in South Korea, comprising 27 million identities. In the last 12 months 53 percent of data breaches were caused by hacking and 21 percent were accidentally made public.
The average number of spear-phishing emails blocked each day for August was 20, compared with 54 in July and 88 in June. This is below the year-to-date average of 86, which is slightly higher than the daily average of 84 for all if 2013.
The most frequently used malicious file types in these email-based targeted attacks were .exe and .doc file types, with .exe attachments coming out on top this month at 31.8 percent. 29 percent of spear phishing emails were sent to Manufacturing, returning it to the top of the industries targeted.
One in 1,587 emails was identified as a phishing attempt, compared with one in 1,298 for July and one in 496 in June. While at first glance this looks like a big drop, it is not indica¬tive of a wider trend just yet, resulting in only a 0.01 percentage point decrease in the overall phishing rate.
We hope that you enjoy this month’s report and feel free to contact us with any comments or feedback.
As we reflect on 2019, we see some notable shifts in the threat landscape, with businesses facing new levels of complexity
in fraud orchestration. Rather than looking for the quick buck, fraudsters are playing the long game, with multi-step attacks
that do not initially reveal their fraudulent intent.
As the saying goes, ‘money makes the world go round’, and this could not be more true for the cybercrime underworld.
Fraudsters’ unrelenting demand for fresh user credentials provides the financial incentive for cyber attackers carrying out
major data breaches. When fraudsters successfully leverage the spoils from these breaches to make money, they will use
the proceeds to invest in more advanced attack toolkits and greater volumes of stolen data. As a result, organizations find it
increasingly difficult to defend against the barrage of attacks on their websites and apps.
The only sustainable approach to curbing the cybercrime cycle of success is adopting a zero-tolerance approach to fraud
prevention. Tolerating current fraud levels as a 'cost of doing business' exacerbates the problem long-term by providing the
financial incentive for fraudsters. In-depth profiling of activity across customer touchpoints helps organizations facing subtle
attacks that do not show immediate tell-tale signs of fraud. When combined with targeted friction, large-scale attacks
quickly become unsustainable for fraudsters who have become accustomed to circumnavigating systems that avoid putting
up barriers to users.
As the latest data from the Arkose Labs platform show, attack rates are continuously on the rise. Going into 2020, the fraud fighting community needs to finally win back the upper hand against fraudsters, protecting individuals and our society from
the effects of cybercrime.
The FBI is the lead federal agency for investigating malicious cyber activity by criminals, nation-state adversaries, and terrorists. To fulfill this mission, the FBI often develops resources to enhance operations and collaboration. One such resource is the FBI’s Internet Crime Complaint Center (IC3) which provides the public with a trustworthy and convenient mechanism for reporting information concerning suspected Internet-facilitated criminal activity. At the end of every year, the IC3 collates information collected into an annual report.
Credit is due to all original authors and no financial gain was made from the blog, Simply sharing an interesting story for educational purposes,
- In 2017, financial phishing attacks increased, accounting for over half of all phishing detections according to Kaspersky Lab. Attacks targeted major banks, payment systems, and online shops.
- Banking malware attacks decreased in 2017 but still posed a threat, with the Zbot and Gozi families being the most widespread. Android banking malware also decreased slightly.
- Emerging threats in 2017 included the Silence hacking group that targeted 10 financial organizations, stealing millions, and new malware like Cutlet Maker designed to target ATMs.
Cost of Cybercrime Study in Financial Services: 2019 Reportaccenture
Now in its 9th year, this new Accenture presentation explores the impact associated with cybercrime, quantifying the cost of cyberattacks and analyzing trends in malicious activities in the financial services industry. And this year for the first time, we look to the future so that financial services organizations can better target their funds and resources and open up new revenue opportunities to unlock economic value.
The document discusses improvements organizations have made to address cyber threats, but also areas that still need work. It finds that many organizations now recognize the extent of cyber threats, with 76% owning information security policies at the highest level. 70% conduct security assessments of third parties accessing their data. However, the document notes that while improvements have been made, organizations need to do more quickly to address increasing cyber risks. Leading practices and innovation are needed to better protect against known and unknown future threats.
The document summarizes a mobile threat report for Q3 2013. It finds that 252 of the 259 new mobile threat families and variants discovered were for Android, with trojans making up the largest percentage at 88%. It also notes an increasing trend of profit-motivated mobile malware, with 81.1% of new threats aiming to generate money through unauthorized SMS messages. The report discusses recent developments like the identification of the creator of the Pincer Android banking trojan and the emergence of tools that simplify inserting malware into legitimate apps.
IBM X-Force Threat Intelligence Index 2020mResearcher
Потребительские технологические бренды все чаще становятся инструментом для фишинговых атак. Ошибки конфигурации стали причиной более 85% случаев утечки данных. Банковские трояны и вирусы-шифровальщики преобладают среди вредоносных программ
Organizations are struggling to manage increasing cyber risks and losses from cyber attacks. While financial costs are increasing, other changes may have a greater impact. Regulations are expanding who is responsible for cybersecurity and penalties for non-compliance are becoming more aggressive. Business models may also need to change as supply chains are impacted and new technologies are adopted. However, changes may not be happening quickly enough given the rapidly evolving threat landscape.
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?Jef Lacson
The document discusses how cyber risks are costly for the insurance industry. It provides statistics on the global costs of cybercrime and cyber security spending. While insurance can help mitigate some cyber risks, the full costs to the industry are difficult to quantify due to undetected breaches, slow-burn costs from attacks, and impacts on reputation. The insurance industry faces cyber risks both from covering policyholders and securing their own systems and data.
This document provides a summary of cybersecurity threats and trends from Symantec's January 2014 Intelligence Report. Some key highlights include:
- Two large data breaches were reported in January exposing over 105 million identities total. The number exposed in a November breach was adjusted upwards to 110 million identities.
- Targeted attacks increased in January to their highest level since August 2013, with manufacturing and non-traditional services being the most targeted industries.
- 555 new vulnerabilities were reported in January, bringing the 12-month total to 6443. Google Chrome and Oracle Java had the most browser and plugin vulnerabilities respectively.
- The global spam rate decreased slightly while phishing and email virus rates also reduced. Sex
The summary provides an overview of key trends in cybersecurity threats according to Symantec's June 2015 Intelligence Report. There was a decrease in email-based threats like spam, phishing, and malware. However, new malware variants increased significantly to over 57 million in June. Ransomware and crypto-ransomware attacks also rose after declining in previous months. The manufacturing industry remained the top target of spear-phishing while small companies received the most phishing attempts. Transportation saw the highest rate of email-based malware.
The document summarizes key findings from a report on cyber threats targeting the financial services sector. The top three findings are:
1. Financial services encounters security incidents 300% more frequently than other industries due to being a prime target.
2. 33% of all reconnaissance and lure attacks target financial services, indicating large efforts to compromise financial institutions.
3. Credential stealing attacks are prominent, with the top threats like Rerdom, Vawtrak, and Geodo having credential theft capabilities. Geodo is seen 400% more in financial services.
Symantec's Internet Security Threat Report, Volume 18 revealed a 42 percent surge during 2012 in targeted attacks compared to the prior year. Designed to steal intellectual property, these targeted cyberespionage attacks are increasingly hitting the manufacturing sector as well as small businesses, which are the target of 31 percent of these attacks. Small businesses are attractive targets themselves and a way in to ultimately reach larger companies via “watering hole” techniques. In addition, consumers remain vulnerable to ransomware and mobile threats, particularly on the Android platform.
Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012Symantec
Symantec's 2011 Internet Security Threat Report, Volume 17 shows that while the number of vulnerabilities decreased by 20 percent, the number of malicious attacks continued to skyrocket by 81 percent. In addition, the report highlights that advanced targeted attacks are spreading to organizations of all sizes and variety of personnel, data breaches are increasing, and that attackers are focusing on mobile threats.
Welcome to the May edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.
Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 57.6 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Intelligence, Symantec Managed Security Services, Norton consumer products, and other third-party data sources.
Symantec Intelligence Report September 2014Symantec
Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.
The average number of spear-phishing attacks rose to 53 per day in September, after a 12-month low in August. Spear phishing activity has returned to levels seen earlier in the summer, but is still down from the 12-month average of 85 attacks per day.
The .doc file type was the most common attachment type used in spear-phishing attacks, making up more than 52.9 percent of all attachments in September. At 4.8 percent, last month’s top attachment, .exe file types, dropped to fourth.
There were only four publically disclosed data breaches that took place within the month September, resulting in the exposure of 2.5 million identities. However, there were 14 additional data breaches reported in September that took place earlier in the year. The largest data breach reported in September actually took place in April, and resulted in the exposure of 56 million identities.
Ransomware continues to decline as 2014 progresses. However, crypto-style ransomware remains high, making up 38 percent of all ransomware detected in September.
There were 600 vulnerabilities disclosed in the month of September, the highest number so far in 2014 and second highest in last 12 months.
One in 2,041 emails was identified as a phishing attempt, compared with one in 1,587 for August. While at first glance this looks like a big drop, it results in only a 0.01 percentage point decrease in the overall phishing rate.
This brief presentation gives you a quick overview on how the Cyber Threat Landscape is shaping up in 2017 for individuals and business owners alike. It puts forth some important trends and predictions.
The document discusses the rise of ransomware attacks in the first half of 2016. Key points include:
- Ransomware attacks surged, with nearly 80 million threats detected. 79 new ransomware families were discovered, a 172% increase from 2015.
- Ransomware caused over $209 million in losses for businesses. Many opted to pay ransoms to regain access to encrypted files.
- New ransomware variants targeted enterprise networks and files related to businesses like databases, websites, and tax returns. Attack vectors expanded beyond email to include exploits and remote desktop applications.
- To protect against ransomware, businesses need multilayered security strategies along with software patching and employee education. Rans
The document is Datto's annual report on ransomware trends based on a survey of over 1,000 MSPs. Some key findings include:
- Ransomware remains the #1 malware threat, impacting nearly 70% of MSP clients. Phishing emails are the top attack vector.
- The average ransom demand stayed around $5,600 but downtime costs have risen significantly, averaging $274,200 per incident.
- While opinions vary, around half of MSPs saw increased attacks due to remote work during COVID-19, with healthcare most at risk.
- There remains a disconnect between MSP and client concerns about ransomware, though more clients are boosting security budgets.
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security ReportHackerOne
Another year, another Hacker-Powered Security Report! We pulled out 100 of the report’s top facts—and then added 18 more, since it’s 2018. See below for a better understanding of how hacker-powered security is disrupting (in a good way) how organizations approach security. More security teams are adding VDPs, more are supplementing their skills and bandwidth with hackers, and more are augmenting their standard pen tests with hacker challenges.
In 2018, the HackerOne community and those using our platform have combined to crush every metric that we track. Organizations awarded more than $11 million in bounties. Hackers submitted more than 78,000 reports. Bounties were awarded to hackers in over 100 countries.
Unfortunately, the only metric that hasn’t changed much is the percentage of Forbes Global 2000 companies without vulnerability disclosure policies.
Read on for all of the facts!
This white paper discusses cyber security predictions and trends for the next 18 months. It outlines 5 trends: 1) major mobile exploits due to increased mobility and devices, 2) open source vulnerabilities as adversaries target these, 3) supply chain attacks remaining critical as vendors are easier targets, 4) increased industry-specific attacks and malware, and 5) greater privacy legislation in response to public concerns about data collection. The paper recommends organizations assess their use of open source software, supply chain security policies, industry-specific defenses, and data privacy practices to address these evolving threats.
Symantec's Internet Security Threat Report for the Government SectorSymantec
Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services, Norton consumer products, and other third-party data sources.
In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 60,000 recorded vulnerabilities (spanning more than two decades) from over 19,000 vendors representing over 54,000 products.
Spam, phishing, and malware data is captured through a variety of sources including the Symantec Probe Network, a system of more than 5 million decoy accounts, Symantec.cloud, and a number of other Symantec security technologies. Skeptic, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers’ networks. Over 8.4 billion email messages are processed each month and more than 1.7 billion web requests filtered each day across 14 data centers. Symantec also gathers phishing information through an extensive anti-fraud community of enterprises, security vendors, and more than 50 million consumers.
Symantec Trust Services provides 100 percent availability and processes over 6 billion Online Certificate Status Protocol (OCSP) look-ups per day, which are used for obtaining the revocation status of X.509 digital certificates around the world. These resources give Symantec analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises, small businesses, and consumers essential information to secure their system effectively now and into the future.
Trustwave investigated hundreds of data compromise incidents across 17 countries in 2015. Some key findings:
- 45% of incidents were in North America, while 27% were in the Asia-Pacific region and 15% in Europe, Middle East, and Africa.
- The retail industry accounted for 23% of incidents, while hospitality was 14% and food/beverage was 10%.
- 40% of investigations involved corporate/internal network breaches and 38% involved e-commerce breaches.
- 60% of breaches targeted payment card data, with 31% involving card track (magnetic stripe) data from POS terminals.
The report provides insights into trends in compromised industries and regions, attack methods
In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?
- Ransomware and digital extortion will remain highly profitable methods for cybercriminals in 2018. Ransomware-as-a-service models and cryptocurrencies like bitcoin enable widespread ransomware attacks. Cybercriminals may also extort companies by threatening to expose private data violations under new regulations like GDPR.
- Vulnerabilities in internet-of-things (IoT) devices will expand the potential attack surface as more devices connect to networks. Cybercriminals could abuse IoT devices for distributed denial-of-service attacks or to anonymize their online activities. The lack of secure update mechanisms for many IoT devices also poses risks.
- Specific device types like drones, wireless
Cybercriminals will continue to exploit new technologies like machine learning and blockchain in 2018:
- Ransomware and digital extortion will remain lucrative criminal business models, fueled by ransomware-as-a-service and cryptocurrencies like bitcoin.
- Vulnerabilities in IoT devices will expand the attack surface as more devices connect to networks.
- Losses from business email compromise scams will exceed $9 billion globally as these scams prove effective through social engineering.
- Cyberpropaganda efforts will spread using tried-and-true spam techniques on social media to manipulate public opinion.
- Threat actors will leverage machine learning and blockchain to advance their evasion techniques and stay one
Career in Cyber Security - City University.pptxBoni Yeamin
This document discusses cyber security threats and career opportunities in cyber security. It provides statistics on major cyber attacks globally and in Bangladesh. The key points are:
- 76% of cyber attacks are financially motivated according to Verizon's 2018 report. The average cost of a data breach is $3.6 million and increasing yearly.
- Bangladesh faces significant cyber security challenges with high infection rates and cyber attacks increasing each year, including the Bangladesh Bank cyber heist of $101 million in 2016.
- There is a growing need for cyber security professionals to develop secure frameworks, tools, and protect organizations from upcoming threats in areas like ransomware, IoT, and industrial systems. Career opportunities in cyber security are expanding across network
HACKERONE
HACKER-POWERED SECURITY REPORT
2017
Executive Summary
Hacker-Powered Security: a report drawn from 800+ programs
and nearly 50,000 resolved security vulnerabilities.
Bug bounty and hacker-powered security programs are becoming the norm, used by organizations as diverse as Facebook and the U.S. government. Forty-one percent of bug bounty programs were from industries other than technology in 2016. Top companies are rewarding hackers up to $900,000 a year in bounties and bounty rewards on average have increased 16 percent for critical issues since 2015. Despite
bug bounty program adoption and increased reward competitiveness, vulnerability disclosure programs still lag behind. Ninety-four percent of the Forbes Global 2000 companies do not have policies.
It’s time to give security teams the tools they need to keep up with ever-faster development. This report examines the broadest platform data set available and explains why organizations like General Motors, Starbucks,
Uber, the U.S. Department of Defense, Lufthansa, and Nintendo have embraced continuous, hacker-powered security.
Go to www.esgjrconsultinginc.com to learn more about Software/Network Engineering Solutions for the 21st Century Digital Economy, IoT and IoE Concepts.
Combating Cybersecurity Challenges with Advanced AnalyticsCognizant
Using an AI-powered analytics platform, IT organizations can shift from a reactive approach to security breaches, to proactively identifying increasingly sophisticated threat vectors and quickly resolving exploitable vulnerabilities.
The report for Q1 2018 includes:
- WatchGuard Firebox Feed Trends. In this regular section, we analyze threat intelligence shared by tens of thousands of WatchGuard security appliances. This analysis includes details about the top malware and network attacks we saw globally throughout the quarter. Using that data, we identify the top attack trends, and how you might defend against them.
- Top Story: GitHub DDoS Attack In Q1 2018, attackers launched a record-breaking distributed denial of service (DDoS) attack against GitHub using a technique called UDP amplification. In this section we analyze this attack and describe how the lesser-known Memcached service allowed this huge amplification.
- Announcing The 443 Podcast Rather than our normal threat research section, this quarter we announce a new podcast from the WatchGuard Threat Labs team, and the authors of this report. Learn what this new podcast contains and come subscribe wherever podcasts are found.
- The Latest Defense Tips As usual, this report isn’t just meant to inform you of the latest threats, but to help you update your defenses based on the latest attacks. Throughout the report, we share defensive learnings and tips, with a summary of the most important defenses at the end.
The document summarizes key findings from Symantec's 2019 Internet Security Threat Report. It describes the rise of formjacking attacks that steal credit card details from compromised websites. It also discusses the decline of ransomware and cryptojacking in 2018 but the continued use of living-off-the-land techniques by targeted attackers. Cloud security remains a challenge as misconfigured storage buckets expose over 70 million records. Social media also continues to be a battleground for election interference despite increased security efforts during the 2018 US midterms.
This document discusses ransomware attacks, including their history, impact, and mitigation strategies. It provides an overview of common ransomware types and how they work. Statistics are presented on organizations and countries most affected by ransomware. The COVID-19 pandemic is noted to have increased ransomware attacks by exploiting remote work vulnerabilities. Effective mitigation involves backups, antivirus software, user training, and following best practices if a ransomware attack occurs.
This document discusses how digital transformation and the data economy are impacting banks' use of customer data and requiring improved cybersecurity and threat detection strategies. Key points include:
1) Digital developments like open banking, crypto assets, and increased online services have made customer data more important and vulnerable, while also providing opportunities if properly leveraged.
2) Banks need an enterprise-wide cybersecurity strategy incorporating technologies like AI, ML, and improved collaboration between security teams to detect threats faster amid more sophisticated attacks.
3) Digital identity management and authentication have become central issues, as banks are well-positioned to take a leading role in securely enabling the data economy and improving customer experience.
4) Adopt
1. The number of users encountering ransomware fell by almost 30% from 2016-2017 to 2017-2018, while the proportion of users encountering ransomware out of all malware also declined.
2. Cryptocurrency mining is rising as cybercriminals turn away from ransomware towards more sustainable profits from mining.
3. The main ransomware actors shifted in 2017-2018, with WannaCry responsible for 50% of attacks compared to a more diverse landscape in 2016-2017.
4. Countries with the highest rates of ransomware attacks changed over the period, with Thailand, UAE, and Iran topping the list in 2017-2018 while attacks declined in countries like Turkey.
The average enterprise ransom payment soared to over $100,000, with demands averaging a cool $5.3 million. But here's the kicker: 80% of organizations have a "Do-Not-Pay" policy, and yet, 41% ended up paying the ransom last year. And for those thinking insurance might save the day, think again. A whopping 77% of organizations found out the hard way that ransomware is the party crasher not covered by their security insurance. It's like showing up to a hurricane with an umbrella.
With Ransomware as a Service (RaaS) making it easier for any wannabe cybercriminal to join the fun, we can only expect more chaos, more victims, and more snarky retellings like this one. So, here's to 2023, a year that will be remembered not for technological breakthroughs or cyber defense victories, but for the sheer audacity and success of ransomware groups. May 2024 be a bit less... successful for them.
Similar to Malwarebytes labs 2019 - state of malware report 2 (20)
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
The document discusses strategies for red teaming Active Directory security. It begins with an overview of Active Directory components and how they can be exploited by attackers. It then covers offensive PowerShell techniques and how PowerShell security can be bypassed. The document also provides methods for effective Active Directory reconnaissance, including discovering administrator accounts and network assets without port scanning. Finally, it discusses some Active Directory defenses that can be deployed and potential bypass techniques.
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
The document discusses vulnerabilities found in seismological network devices that could allow remote exploitation. It begins with a disclaimer and agenda. The speakers are then introduced as researchers from Costa Rica who were interested in these networks due to potential attack scenarios. Through a search engine, they discovered vulnerabilities in devices from multiple vendors. The talk demonstrates taking control of a device and outlines impacts such as sabotage. Recommendations are made to vendors to improve security of these critical scientific instruments.
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
This document appears to be a preview of slides for a presentation at DEF CON 24 about compelled decryption. The slides discuss the difference between first and third parties in communications and the Communications Assistance for Law Enforcement Act. It also lists several third parties like technology companies and individuals that could potentially be compelled to decrypt communications. The document indicates that it is a preliminary version and the slides may be altered before the actual presentation.
Deep learning systems are susceptible to adversarial manipulation through techniques like generating adversarial samples and substitute models. By making small, targeted perturbations to inputs, an attacker can cause misclassifications or reduce a model's confidence without affecting human perception of the inputs. This is possible due to blind spots in how models learn representations that are different from human concepts. Defending against such attacks requires training models with adversarial techniques to make them more robust.
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
This document outlines various strategies and tactics for overthrowing a government through covert and clandestine means, including cyber espionage, propaganda, agitation of public unrest, sabotage of critical infrastructure, and manipulation of financial systems. It discusses using mercenaries and private intelligence agencies to carry out these activities at an arm's length from sponsorship by nation states. Specific examples from Kuwait in 2011 are referenced to illustrate techniques for fomenting revolution through cyber and information operations.
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
This document discusses various ways that hardware can become "bricked", or rendered unusable, through both software and hardware issues. It covers 101 different bricking scenarios across firmware, printed circuit boards, connectors, integrated circuits, and unexpected situations. Examples include wiping firmware, damaging traces on PCBs, breaking solder joints on connectors, applying too much voltage to ICs, and devices being bricked by environmental factors. The document provides tips for both bricking and avoiding bricking hardware, as well as techniques for potentially unbricking devices.
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
This document provides an overview of a talk on novel USB attacks that can provide remote command and control of even air-gapped machines with minimal forensic footprint. It describes building an open-source toolset using freely available hardware that implements a stealthy bi-directional communication channel over USB using a keyboard/mouse and generic HID profiles to deploy payloads and proxy traffic without touching the network. The talk will demonstrate attacking Windows systems by staging payloads in memory to avoid disk artifacts and establishing a VNC session without user interaction or malware deployment. Source code and documentation for the toolset, called USaBUSe, will be released on GitHub at Defcon.
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
The document discusses common challenges and failures that can occur when conducting phishing campaigns professionally. It outlines eleven stories of phishing failures caused by issues like poor scheduling, spam filters blocking emails, not having enough target email addresses, domain name choices being too obvious, and lack of communication. For each failure, it provides recommendations on how to avoid the problem by improving collaboration, communication, planning and negotiation with the client organization. The overall message is that success requires treating phishing engagements as multi-party negotiations and managing expectations through clear communication and involvement of all stakeholders.
The document discusses vulnerabilities found in human-machine interface (HMI) solutions used for industrial control systems. It details a case study of multiple stack-based buffer overflow vulnerabilities found in Advantech WebAccess through an RPC service that could allow remote code execution. The vulnerabilities were caused by improper validation of user-supplied input to functions like sprintf and strcpy. While patches were released, analysis showed the fixes did not fully address the underlying problems with input handling.
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
This document summarizes tool-assisted speedruns (TAS) of video games. It discusses how emulators and tools are used to play games faster than humanly possible by deterministically recording every input. Advanced techniques like memory searching and scripting push games to their limits. Console verification devices were developed to play back TAS movies on original hardware. The document argues that TAS tools are like penetration testing tools and can be used to find and exploit vulnerabilities in games. It demonstrates an arbitrary code execution in Pokemon Red using an unintended opcode execution.
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
This document shows a graph with distance on the x-axis ranging from 0 to 35 meters and Received Signal Strength (RSS) in dBm on the y-axis ranging from -100 to -40 dBm. The graph contains a line for a model with a path loss exponent of 2.0 as well as scattered data points representing collected RSS measurements.
This document provides an overview of a hands-on, turbocharged pragmatic cloud security training that covers topics in a fraction of the normal time by slimming down four days of material into four hours. It will cover configuring production-quality AWS accounts, building deployment pipelines, and automating security controls. Most examples will use Ruby and Python. Nearly all labs will be in AWS. There will be minimal slides and hand-holding. Participants are responsible for their own AWS bills after the training.
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
Little Snitch is a host-based firewall for macOS that intercepts connection attempts and allows the user to approve or deny them. The document discusses understanding, bypassing, and reversing Little Snitch. It provides an overview of Little Snitch's components and architecture, describes several methods for bypassing its network filtering, and examines techniques for interacting with and disabling Little Snitch's kernel extension through the I/O Kit framework.
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
The document summarizes two presentations on cracking electronic safe locks. It discusses cracking a Sargent & Greenleaf 6120 safe lock by using a power analysis side-channel attack to recover the keycode stored in clear in the lock's EEPROM. It also discusses cracking a Sargent & Greenleaf Titan PivotBolt safe lock by using a timing side-channel attack to recover the keycode, and defeating the lock's incorrect code lockout feature.
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
This document discusses hacking heavy trucks and related networking protocols. It describes building a "Truck-in-a-Box" simulator to experiment with truck electronics and protocols like J1939 and J1708. The document outlines adventures in truck hacking, including modifying engine parameters, impersonating an engine control module, and exploiting bad cryptography. Details are provided on new hardware tools like the Truck Duck for analyzing truck communication networks.
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
The document provides an overview of a workshop on practical Android application exploitation. The workshop aims to teach skills for performing reverse engineering, static and dynamic testing, and binary analysis of Android applications. It will use demonstrations and hands-on exercises with custom applications like InsecureBankv2. The workshop focuses on discovery and remediation, targeting intermediate to advanced skill levels. It will cover tools, techniques, and common vulnerabilities to exploit Android applications.
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
The document discusses vulnerabilities in VNC implementations that allow unauthenticated access. It notes that a scan of the internet found over 335,000 VNC servers, with around 8,000 having no authentication. This lack of authentication allows attackers to access and "pivot" into internal networks. The document provides statistics on different VNC protocol versions found and describes exploits that could allow compromising devices to access additional internal systems through insecure VNC implementations and proxies.
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
Droid-FF is an Android fuzzing framework that aims to automate the fuzzing process on Android devices. It uses Python scripts and integrates fuzzing tools like Peach and radamsa to generate test case data. The framework runs fuzzing campaigns on Android devices, processes the logs to identify crashes, verifies the crashes are unique, maps crashes to source code locations, and analyzes crashes for exploitability using a GDB plugin. The goal of Droid-FF is to make fuzzing easier on mobile devices and help find more crashes and potential vulnerabilities in Android applications and frameworks.
Blockchain technology is transforming industries and reshaping the way we conduct business, manage data, and secure transactions. Whether you're new to blockchain or looking to deepen your knowledge, our guidebook, "Blockchain for Dummies", is your ultimate resource.
Are you interested in dipping your toes in the cloud native observability waters, but as an engineer you are not sure where to get started with tracing problems through your microservices and application landscapes on Kubernetes? Then this is the session for you, where we take you on your first steps in an active open-source project that offers a buffet of languages, challenges, and opportunities for getting started with telemetry data.
The project is called openTelemetry, but before diving into the specifics, we’ll start with de-mystifying key concepts and terms such as observability, telemetry, instrumentation, cardinality, percentile to lay a foundation. After understanding the nuts and bolts of observability and distributed traces, we’ll explore the openTelemetry community; its Special Interest Groups (SIGs), repositories, and how to become not only an end-user, but possibly a contributor.We will wrap up with an overview of the components in this project, such as the Collector, the OpenTelemetry protocol (OTLP), its APIs, and its SDKs.
Attendees will leave with an understanding of key observability concepts, become grounded in distributed tracing terminology, be aware of the components of openTelemetry, and know how to take their first steps to an open-source contribution!
Key Takeaways: Open source, vendor neutral instrumentation is an exciting new reality as the industry standardizes on openTelemetry for observability. OpenTelemetry is on a mission to enable effective observability by making high-quality, portable telemetry ubiquitous. The world of observability and monitoring today has a steep learning curve and in order to achieve ubiquity, the project would benefit from growing our contributor community.
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...Bert Blevins
Today’s digitally connected world presents a wide range of security challenges for enterprises. Insider security threats are particularly noteworthy because they have the potential to cause significant harm. Unlike external threats, insider risks originate from within the company, making them more subtle and challenging to identify. This blog aims to provide a comprehensive understanding of insider security threats, including their types, examples, effects, and mitigation techniques.
Transcript: Details of description part II: Describing images in practice - T...BookNet Canada
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and slides: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsMydbops
This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization.
Key Takeaways:
* Understand why connection pooling is essential for high-traffic applications
* Explore various connection poolers available for PostgreSQL, including pgbouncer
* Learn the configuration options and functionalities of pgbouncer
* Discover best practices for monitoring and troubleshooting connection pooling setups
* Gain insights into real-world use cases and considerations for production environments
This presentation is ideal for:
* Database administrators (DBAs)
* Developers working with PostgreSQL
* DevOps engineers
* Anyone interested in optimizing PostgreSQL performance
Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...Chris Swan
Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge.
You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter.
The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
Advanced Techniques for Cyber Security Analysis and Anomaly DetectionBert Blevins
Cybersecurity is a major concern in today's connected digital world. Threats to organizations are constantly evolving and have the potential to compromise sensitive information, disrupt operations, and lead to significant financial losses. Traditional cybersecurity techniques often fall short against modern attackers. Therefore, advanced techniques for cyber security analysis and anomaly detection are essential for protecting digital assets. This blog explores these cutting-edge methods, providing a comprehensive overview of their application and importance.
Best Practices for Effectively Running dbt in Airflow.pdfTatiana Al-Chueyr
As a popular open-source library for analytics engineering, dbt is often used in combination with Airflow. Orchestrating and executing dbt models as DAGs ensures an additional layer of control over tasks, observability, and provides a reliable, scalable environment to run dbt models.
This webinar will cover a step-by-step guide to Cosmos, an open source package from Astronomer that helps you easily run your dbt Core projects as Airflow DAGs and Task Groups, all with just a few lines of code. We’ll walk through:
- Standard ways of running dbt (and when to utilize other methods)
- How Cosmos can be used to run and visualize your dbt projects in Airflow
- Common challenges and how to address them, including performance, dependency conflicts, and more
- How running dbt projects in Airflow helps with cost optimization
Webinar given on 9 July 2024
7 Most Powerful Solar Storms in the History of Earth.pdfEnterprise Wired
Solar Storms (Geo Magnetic Storms) are the motion of accelerated charged particles in the solar environment with high velocities due to the coronal mass ejection (CME).
Choose our Linux Web Hosting for a seamless and successful online presencerajancomputerfbd
Our Linux Web Hosting plans offer unbeatable performance, security, and scalability, ensuring your website runs smoothly and efficiently.
Visit- https://onliveserver.com/linux-web-hosting/
Mitigating the Impact of State Management in Cloud Stream Processing SystemsScyllaDB
Stream processing is a crucial component of modern data infrastructure, but constructing an efficient and scalable stream processing system can be challenging. Decoupling compute and storage architecture has emerged as an effective solution to these challenges, but it can introduce high latency issues, especially when dealing with complex continuous queries that necessitate managing extra-large internal states.
In this talk, we focus on addressing the high latency issues associated with S3 storage in stream processing systems that employ a decoupled compute and storage architecture. We delve into the root causes of latency in this context and explore various techniques to minimize the impact of S3 latency on stream processing performance. Our proposed approach is to implement a tiered storage mechanism that leverages a blend of high-performance and low-cost storage tiers to reduce data movement between the compute and storage layers while maintaining efficient processing.
Throughout the talk, we will present experimental results that demonstrate the effectiveness of our approach in mitigating the impact of S3 latency on stream processing. By the end of the talk, attendees will have gained insights into how to optimize their stream processing systems for reduced latency and improved cost-efficiency.
INDIAN AIR FORCE FIGHTER PLANES LIST.pdfjackson110191
These fighter aircraft have uses outside of traditional combat situations. They are essential in defending India's territorial integrity, averting dangers, and delivering aid to those in need during natural calamities. Additionally, the IAF improves its interoperability and fortifies international military alliances by working together and conducting joint exercises with other air forces.
The DealBook is our annual overview of the Ukrainian tech investment industry. This edition comprehensively covers the full year 2023 and the first deals of 2024.
2. 2019 STATE OF MALWARE
| 2
Table of contents
Executive summary........................................................3
Methodology..................................................................3
Top 10 takeaways...........................................................4
Top detections of 2018..................................................6
Consumer detections..................................................6
Business detections.....................................................7
Regional threats............................................................8
Threats by country.....................................................10
Threats by vertical.....................................................11
Noteworthy malware...................................................13
Cryptominers...............................................................13
Trojans.....................................................................16
Information stealers..................................................17
Ransomware..............................................................20
Noteworthy attack vectors.........................................23
Malspam.................................................................23
Website attacks..........................................................24
Malicious browser extensions................................25
Exploits......................................................................26
Mass compromises via routers..............................27
CMS hacks....................................................................28
Noteworthy scams.......................................................29
Exploitable business practices..............................29
Targeting PII.................................................................29
Sextortion.....................................................................29
Tightening the noose................................................30
A look ahead................................................................30
2019 predictions...........................................................31
3. Executive summary
2018 came in like a lion and out like—a different lion. It’s
fair to say that, despite a sleepy second quarter (there’s
the lamb), this year was action-packed from start to
finish. Fresh on the heels of a cryptomining explosion in
the last quarter of 2017, 2018 began with threat actors
diversifying their cryptomining tactics, broadening
their reach to Android, Mac, cryptomining malware, and
experimenting with new innovations in browser-based
attacks.
While cryptomining died down by the second quarter,
a new set of threats were eager to take its place:
information stealers. These former banking Trojans—
especially Emotet and TrickBot—evolved into droppers
with multiple modules for spam production, lateral
propagation through networks, data skimmers, and
even crypto-wallet stealers. These variants of malware
focused their energies on ensnaring businesses,
gleaning the most profit from ultra-sensitive data that
could be sold on the black market for re-targeting in
future campaigns.
Speaking of business victims, other malware families
soon followed in Emotet and TrickBot’s footsteps,
redirecting their focus toward organizations whose
networks were unpatched and insecure. And they
found plenty of targets. From massive data breaches to
ransomware attacks that brought critical infrastructure
to a halt, businesses finally experienced what
consumers have been dealing with for years now, but
on a much larger and more dangerous scale.
As a result, 2018 came to a close with a different set of
problems for a different set of users, with the promise
that we’re likely to see just as much drama in 2019 as
the previous year.
Methodology
In contrast to our quarterly Cybercrime Tactics and
Techniques reports, which zoom in on metrics gathered
over a three-month period, our annual State of Malware
report compares January through November 2018
with the same period in 2017. We combine intelligence
gathered by our researchers with data collected by
honeypots, virtual sandboxes, and our business and
consumer product telemetry in order to identify top
threats for the year and trends in both volume and
distribution.
In addition, our annual report examines threats by
region—North America, Asia Pacific, Latin America, and
Europe, the Middle East, and Africa (EMEA)—as well
as top industry verticals for the most prolific forms of
malware.
Without further ado, here’s what we learned about the
state of malware in 2018.
2019 STATE OF MALWARE
| 3
4. Top 10 takeaways
Make way for cryptominers
Ransomware was dethroned in the first half of 2018
to make way for a massive wave of cryptominers,
following a meteoric spike in Bitcoin value at the tail
end of 2017. Threat actors seemingly abandoned
all other forms of attack for experimentation in this
new technique, spanning from desktop to mobile;
Mac, Windows, and Android operating systems; and
software- and browser-based attacks. Cryptomining
detections increased by seven percent year over
year—a small percentage overall, as the second half of
the year was slow for this threat.
The year of the mega breach
Unlike the ransomware plagues that were indicative
of 2017, there were no major global outbreaks in
2018. Instead, it was the year of the mega breach.
Major businesses, including Facebook, Marriott,
Exactis, MyHeritage, and Quora were penetrated,
with hundreds of millions of customers affected. The
number of compromised records increased by 133
percent in 2018 over the previous year.
Ransomware gets tricky
In 2018, we saw a shift in ransomware attack
techniques. Instead of the one-two punch of
malvertising exploits which delivered ransomware
payloads, threat actors engaged in targeted, manual
attacks. The shotgun approach was replaced with brute
force, as witnessed in the most successful SamSam
campaigns of the year.
Businesses take a hit
Malware authors pivoted in the second half of 2018
to target organizations over consumers, recognizing
that the bigger payoff was in making victims out of
businesses instead of individuals. Overall business
detections of malware rose significantly over the
last year—79 percent to be exact—and primarily due
to the increase in backdoors, miners, spyware, and
information stealers.
Consumer detections fall by
marginal percentage
Despite the focus on business targets, consumer
malware detections only decreased by three percent
year over year, thanks to increases in backdoors,
Trojans, and spyware malware categories throughout
2018. While 2017 saw 775,327,346 consumer detections
overall, 2018 brought with it about 25 million fewer
instances of infection—a healthy decrease in number,
percentages aside.
SMB vulnerabilities spread Trojans
like wildfire
The fallout from the ShadowBrokers’ leak of NSA
exploits in 2017 continued, as cybercriminals used
SMB vulnerabilities EternalBlue and EternalRomance
to spread dangerous and sophisticated Trojans, such
as Emotet and TrickBot. In fact, information stealers
were the top consumer and business threat in 2018,
as well as the top regional threat for North America,
Latin America, and Europe, the Middle East, and Africa
(EMEA).
2019 STATE OF MALWARE
| 4
5. Malspam replaces exploits as the
favorite attack vector
The exploit landscape became a bit barren by the end
of 2017, with many of the kit creators locked behind
bars. As a result, threat actors returned to an old
favorite—malspam—which replaced exploits as the
major delivery mechanism for threats in 2018.
Rogue extensions and malicious apps
appear in legitimate webstores
Browser-based security became even more important,
as rogue apps and extensions fooled users and app
stores alike, worming their way past security reviews
in Google Play, iTunes, and the official web stores for
Chrome, Firefox, Safari, and others with sneaky social
engineering tactics.
Attacks on websites steal user data
The criminal group Magecart was behind a series of
high-profile attacks on ecommerce websites, stripping
credit card information and other Personally Identifiable
Information (PII) from payment platforms in plain text
and in real time.
Sextortion scams
And finally, major scams for the year capitalized on
stale PII from breaches of old. Phishing emails were
blasted out to millions of users in extortion (or in some
cases, sextortion) attempts, flashing victims’ old, but
potentially still viable, passwords and warning them
that they’d expose their secrets if they didn’t pay up.
2019 STATE OF MALWARE
| 5
6. Top detections of 2018
Consumer detections
In our Q3 2018 Cybercrime Tactics and Techniques
report, we noted a decline in the amount of threats
facing consumers. Zooming out for the full year, we
can see that the total amount of malware detections
changed only slightly between 2017 and 2018.
Surprisingly enough, the overall difference is only
three percent less than the previous year, thanks to
some large increases in Trojan, backdoor, and spyware
detections.
Consumer detections 2017/2018
Pos. Threat Y/Y% Change
1 Adware -39%
2 Trojan 19%
3 Riskware Tool 7%
4 Backdoor 34%
5 HackTool -36%
6 Hijacker -84%
7 Worm -28%
8 Spyware 27%
9 Ransom -29%
10 Rogue -39%
Overall Detections
2017 775,327,346
-3%
2018 750,296,307
Figure 1. Top 10 Malwarebytes consumer detections of 2018
That being said, we observed a decline in many
malware types that used to exclusively target
consumers. Over the year, we have seen more attacks
against businesses, more detections of malware
on their endpoints, and a greater focus on what
cybercriminals consider a more lucrative target.
Adware dropped significantly, as well as hacktools,
hijackers, worms, ransomware, and rogue malware. This
decline is likely because these types of malware are
often detected together, as they make similar system
modifications to affected machines. For example, many
adware system modifications are identified and fixed
by our hijacker detection tool—and hijacker detections
decreased by 84 percent.
We also saw an increase in detections of Trojans,
RiskwareTools (our detection name for cryptomining),
backdoors, and spyware in 2018, some by a significant
amount. Backdoor.Vools, for example, our current top
backdoor detection, has been seen all over the world
this year, yet it was non-existent the year before. The
increase in backdoor, spyware, and Trojan detections
can be attributed to the current trend of exploiting
vulnerabilities—EternalBlue, for example—to inject
malware that can establish a foothold on a network.
On the other hand, the slight overall increase in
RiskwareTool detections came from a massive influx
of cryptomining malware at the beginning of the year,
which trailed off by mid-2018.
Consumer BitCoinMiner detections 2018
Figure 2. Consumer detections of RiskWare.BitCoinMiner in 2018
RiskWare.BitCoinMiner, our most popular miner
detection, declined steadily throughout the 2018. By
July, we saw a similar number of detections as what we
witnessed in early 2017. However, we did note a slight
spike in detections starting in mid-September.
2019 STATE OF MALWARE
| 6
7. Cryptomining in 2017
Figure 3. Cryptomining spike in fall 2017
This spike precedes the rise of Bitcoin value that took
place in October 2017 by about a month. Perhaps the
criminals behind these cryptomining knew something
the rest of us didn’t.
Bitcoin Core (BTC) Price Jun - Dec 2018
Figure 4. Spike in Bitcoin value in October 2017 Photo credit: Bitcoin
2018
A large-scale flood of cryptocurrency miners was
deployed between October 2017 and March 2018.
During this time, malware affecting consumers was
also on the uptick. However, the cryptocurrency fever
eventually broke months after, which led to a decline of
criminal interest in consumers.
The majority of the threats we see in the wild today
use tactics and techniques that we’ve mostly seen with
state-sponsored malware in the past.
This means that larger targets—networks with multiple
endpoints—will be disrupted far more. Unless we
observe new evolutions of consumer-facing malware
that specifically exploit weaknesses in the individual,
then the shift in focus to businesses may move beyond
a passing trend.
Business detections
With the overall detection count for consumer
endpoints down by three percent year over year, one
might assume that overall malware production is also
down. However, this trend instead demonstrates the
shift in focus by cybercriminals away from the average
Joe and instead on juicier targets, such as businesses.
In fact, four of our top seven business detections
increased by more than 100 percent from 2017 to 2018.
Business Detections 2017/2018
Pos. Threat Y/Y% Change
1 Trojan 132%
2 Hijacker 43%
3 Riskware Tool 126%
4 Backdoor 173%
5 Adware 1%
6 Spyware 142%
7 Ransom 9%
8 Worm -9%
9 Rogue -52%
10 HackTool -45%
Overall Detections
2017 39,970,812
79%
2018 71,823,114
Figure 5. Top 10 Malwarebytes business detections in 2018
Overall business detections of malware rose
significantly over the last year—79 percent to be
exact—and primarily due to the increase in backdoors,
miners, spyware, and information stealers. The
“cryptocraze” wasn’t only on the consumer side, as
we’ve observed plenty of malicious cryptominers
forcing their way onto corporate networks.
2019 STATE OF MALWARE
| 7
8. Our Trojan detections were topped by the Emotet
family, which can move laterally throughout corporate
networks using exploits and credential brute forcing.
This same functionality is mirrored in other information
stealing malware, such as TrickBot, but also in backdoor
malware, such as Vools, our top detection among
backdoor infections in 2018. Vools uses the same
exploits mentioned to infect and expand on endpoints.
Ransom detections in the business world have
increased only slightly this year, by nine percent, much
of which is from ongoing, yet dormant WannaCry
infections being flagged in our system. While we
have seen advancements by ransomware families like
GandCrab and SamSam, we did not see the kind of
problematic outbreaks that were witnessed in 2017.
Finally, spyware detections have climbed significantly
due to similar variants and families of Emotet and
TrickBot being identified as spyware in the wild—a
clear sign of the focus threat actors have placed
on information stealing and establishing holds on
corporate networks.
Regional threats
Not all malware attacks focus on a particular part of
the world. In fact, many families end up spreading to
numerous countries because attacks are opportunistic,
and the Internet has no borders (except in China and
North Korea.) However, there are campaigns that push
malware to different countries and regions in the hopes
that their culture, economy, or political climate would
make them more likely victims.
While cybercrime is an international problem, and
we like to analyze trends and events on a global
scale, it’s important to dig into what is happening in
specific regions to understand patterns of attack, as
well as what pain points customers in those regions
experience. Here’s what we found for the regions of
North America, Asia Pacific (APAC), Europe, the Middle
East, and Africa (EMEA), and Latin America (LATAM).
North America
Top North America Detections 2017/2018
Business
Pos.
Consumer
Y/Y Threat Threat Y/Y
99% Trojan 1 Adware -19%
33% Hijacker 2 Trojan 7%
121% RiskwareTool 3 RiskwareTool 38%
29% Adware 4 Backdoor 10%
82% Spyware 5 Hijacker -41%
11% Backdoor 6 Spyware 18%
-27% Worm 7 HackTool -40%
-15% Ransom 8 Rogue -35%
-55% Rogue 9 Rootkit -50%
-64% Rootkit 10 Virus -57%
Figure 6. Top North American business and consumer detections
North America mainly dealt with an influx of
business-focused, information stealing malware
and cryptocurrency miners infecting businesses at
higher rates than we have seen previously. On the
consumer side, we saw a drop in the majority of top
consumer detection categories, with the exception of
cryptocurrency miners.
Asia Pacific (APAC)
Top APAC Detections 2017/2018
Business
Pos.
Consumer
Y/Y Threat Threat Y/Y
5137% Backdoor 1 Trojan 88%
261% Trojan 2 Backdoor 591%
-48% Adware 3 Adware -36%
170% RiskwareTool 4 RiskwareTool -18%
148% Ransom 5 Ransom 79%
305% Worm 6 Worm -26%
50% Hijacker 7 HackTool -25%
3690% Exploit 8 Exploit 740%
-7% HackTool 9 Spyware 16%
9% Spyware 10 Hijacker -48%
Figure 7. Top APAC detections, consumer and business
2019 STATE OF MALWARE
| 8
9. The Asia Pacific region of the world saw massive
increases in backdoor malware and the use of exploits
against their endpoints. Considering the primary
backdoor threat in 2018 was Vools, a malware family
that uses exploits to spread, seeing an increase in both
threat types makes sense. However, the reason why
APAC has been targeted far more than other regions is
still not clear.
On the consumer side, we saw the same spikes in
backdoor and exploit detections, with a drop in most
other types of malware seen earlier in the year.
Europe, the Middle East, and Africa (EMEA)
Top EMEA Detections 2017/2018
Business
Pos.
Consumer
Y/Y Threat Threat Y/Y
150% Trojan 1 Adware -40%
122% Hijacker 2 Trojan -15%
-59% Adware 3 RiskwareTool -23%
20% RiskwareTool 4 HackTool -41%
-6% Backdoor 5 Backdoor -15%
-41% HackTool 6 Worm -5%
-1% Spyware 7 Spyware 25%
-14% Ransom 8 Hijacker -57%
-37% Worm 9 Ransom -53%
-56% Rogue 10 Rogue -62%
Figure 8. Top EMEA business & consumer detections
Europe, the Middle East, and Africa (EMEA) grappled
with many of the same issues as North America. In
fact, of the 150 percent increase in Trojan activity for
businesses in EMEA, we know that the majority was
Emotet (just as it was in North America). Due to the
intense focus cybercriminals are now giving to certain
families of malware, we see a drop in nearly all other
types of threats.
Despite interesting spikes of Trojan and hijacker
detections for EMEA consumers, we’ve otherwise
observed a significant drop in nearly every type of
malware, except for spyware. This is another sign
that the focus of cybercriminals is moving away from
consumers and taking aim at businesses.
Latin America (LATAM)
Top LATAM Detections 2017/2018
Business
Pos.
Consumer
Y/Y Threat Threat Y/Y
176% Trojan 1 Adware -55%
137% RiskwareTool 2 Trojan -1%
-56% Adware 3 RiskwareTool -25%
137% Ransom 4 HackTool -32%
23% Backdoor 5 Backdoor -33%
343% Spyware 6 Worm -16%
101% Worm 7 CrackTool -35%
-47% HackTool 8 Spyware 43%
-60% Hijacker 9 Ransom 59%
473% Rootkit 10 FraudTool -97%
Figure 9. Top LATAM detections
Latin America had a fascinating year in malware
development. The criminals who target this region have
dropped everything to increase all types of malware on
the business side, from Trojans to miners, spyware, and
even rootkits. Organizations that operate out of LATAM
might want to beef up their security quickly, as the next
year could result in an even greater increase.
While malware distribution has been churning on the
business side, it’s not the same case for consumers,
where the only increases in threat detections we’ve
observed are from spyware and ransomware. Keep in
mind, however, that many ransomware detections this
year have been from WannaCry gone wild, identifying
vulnerable systems and infecting them, but refraining
from encrypting files. Instead, the infections are merely
hopping from system to system, with no apparent
fallout associated. Therefore, we detect large amounts
of WannaCry in areas where patching against this
threat hasn’t been paramount.
2019 STATE OF MALWARE
| 9
10. Threats by country
Top 10 countries with most consumer detections
Country Biggest threat
1 United States Information theft
2 Brazil Click fraud
3 United Kingdom Adware
4 Vietnam Backdoors
5 India Backdoors
6 Indonesia Backdoors
7 France Adware
8 Italy Cryptomining
9 Thailand Backdoors
10 Russia Backdoors
Figure 10. Top 10 countries with the most consumer detections, plus
their biggest threats
The United States came out as the country with the
most consumer malware detections, with Emotet as
its biggest problem this year. This should not be a
surprise, since most malware targets Western countries
for their strong economies, most especially the US.
Brazil had its fair share of dealings with click fraud
malware in 2018, a similar issue to the previous year.
The United Kingdom and France were targeted with
adware more so than other categories of malware.
Note that adware’s capabilities should no longer be
questioned, as they’re capable of modifying system
settings and disabling security software to install
malware.
The biggest consumer threat facing many of these
countries falls under the category of backdoor, a type
of malware that finds its way into the system, then
leaves a door open for future attackers to get back in.
Vietnam, India, Indonesia, Thailand, and Russia—almost
all APAC countries—have a serious issue with backdoor
malware, likely due to a greater need to patch and
secure endpoints.
Top 10 countries with most business detections
Country Biggest threat
1 United States Information theft
2 Indonesia Backdoors
3 United Kingdom Information theft
4 France Information theft
5 Malaysia Backdoors
6 Thailand Backdoors
7 Australia Cryptomining
8 Germany Information theft
9 Brazil Adware
10 Philippines Information theft
Figure 11. Top 10 countries with the most business detections, plus
their biggest threats
Our top 10 countries for business detections shows
a significant problem for much of the world with
information-stealing malware. This malware category
infects an endpoint, drops additional malware, and
moves laterally through the network, infecting every
connected computing device it can. From there, the
malware can steal credentials, install additional threats,
and spread itself further via email.
Western countries, such as the US, UK, France,
and Germany, seem to have taken the brunt of the
information-stealing attacks, although many other
countries have also been hit. Meanwhile, in the East,
countries such as Indonesia, Malaysia, and Thailand
have been fending off an influx of backdoor malware in
their business networks.
Countries such as Australia and Brazil, whose main
threats in 2018 were adware and cryptomining, have
plenty of reason to be concerned, as many miners
and adware families drop additional malware, modify
system settings, slow down or use up computing
power, or otherwise disrupt operations.
2019 STATE OF MALWARE
| 10
11. Threats by vertical
Top 10 Business Detections, Education
Figure 12. Top 10 business detections for education industry, 2018
Education, manufacturing, and retail were the top
industries impacted by the top malware of the year—
Trojans. However, when we zoom in on the Trojan
category to look at its top family, Emotet, the industries
shift. Consulting shoots to the top of the list and
hospitality makes an appearance in fourth place.
In addition, ransomware had a few other industries in
mind for targeting. Consulting was once again a top
target for malware authors, with education coming in a
strong second. Manufacturing, retail, and government
rounded out the top five.
But what about if we turn the tables and filter our
business product telemetry to look at the industry first?
For example, education, which makes an appearance in
nearly all of our threat categories, was hit hardest with
adware in 2018.
Note that two Mac malware families—detected as
OSX.Genieo and Adware.OperatorMac—made the
list, demonstrating both the popularity of Macs in
education and as vertical targets.
Meanwhile, consulting, which took the top spot for
both the ransomware category and the Emotet family
of Trojans, saw several others in the Trojan category,
including bankers, downloaders, and packers.
Backdoors, hijackers, and worms also set their sights
on consultants in 2018.
2019 STATE OF MALWARE
| 11
12. Despite the many major stories throughout 2018
dealing with healthcare and government attacks, they
remained fairly lowkey as vertical targets, sometimes
not even making the top 10 industries for the most
popular threats of the year. However, looking at
healthcare, it’s clear which forms of malware found this
industry most appealing: Emotet and TrickBot, our new
Bonnie and Clyde. Hijackers, rootkits, and riskware also
rounded out the top healthcare threats.
Government threats were similar to those pointing
toward healthcare, though hijackers took the top spot
over Emotet, which came in second. In addition, more
adware variants made the list, while TrickBot was not
invited to the government party.
Top 10 Business Detections, Healthcare
Figure 13. Top 10 threats aimed at the healthcare industry
2019 STATE OF MALWARE
| 12
13. Noteworthy malware
While categories such as adware and backdoors
maintained a healthy presence, it was truly Trojans
(information stealers) and cryptominers who were the
all-stars of the year, with ransomware making quiet,
yet impactful changes in the background. Let’s take
a closer look at these threats and how they affected
consumers and businesses in 2018.
Cryptominers
Our number one security prediction for 2018 was
that the cryptomining “gold rush” would be the
top priority for cybercriminals. Indeed, in riding the
cryptocurrencies valuation wave, we saw a number of
threat actors distributing coin miners in their classic
malware binary form, as well as via drive-by mining.
Mining on infected devices
Online criminals dropped a variety of cryptominers—
sometimes even loading several on the same victim—
via exploit kits, including RIG. Unlike other threats,
such as ransomware, this type of malware wants to
remain undetected. But the need for CPU cycles is
often the first telltale sign that something is going on,
with machines becoming slow and their cooling fans
continuing to hum.
Drive-by mining: no infection required
On the browser side, drive-by mining quickly became
our most detected web threat, completely eclipsing
exploit kits. Thanks to vulnerabilities in content
management systems, in particular the infamous
Drupalgeddon campaigns, criminals were busy injecting
websites with cryptojacking scripts in Q1 and Q2.
Figure 14. RIG EK dropping Monero and Electroneum miners
2019 STATE OF MALWARE
| 13
14. Mining is cross-platform
Other platforms such as Android or macOS haven’t
been immune to cryptomining. In February, we blogged
about a cryptominer for the Mac that, upon further
review, showed it already had 23 variants. Just a few
months later, we reported on yet another miner using a
malicious implementation of the XMRig program.
Our latest discovery was OSX.DarthMiner, which was
installed alongside the EmPyre backdoor and came via
a booby-trapped application, as is often the case with
Mac malware.
Decline in mining: Is it over already?
According to our telemetry, Q3 and Q4 have started
to confirm a downward trend with cryptominers. The
craze generated by the high valuation of Bitcoin seems
to have somewhat dissipated, and profits from mining,
especially for web-based miners, are disappointingly
lower than expected, according to various studies.
Figure 15. Thousands of Drupal websites injected with cryptomining scripts
Figure 16. Script that downloads malicious MacOS app
2019 STATE OF MALWARE
| 14
15. Despite this drop in activity from Coinhive, other
services also focusing on Monero show signs that
browser-based mining isn’t completely over. CoinIMP in
particular has gained popularity in recent months.
Overall, it seems as though criminals have reached
the consensus that sometimes stealing is better
than mining. In fact, a number of malware families,
such as TrickBot, have added the capability to
rob cryptocurrency wallets directly. In the same
vein, there is also great interest from attackers to
exploit vulnerabilities in the JSON-RPC protocol
implementation of many cryptocurrencies.
In those cases, the simple act of browsing a malicious
website could result in your wallet being emptied.
Despite a drop in their value, cryptocurrencies remain
attractive to online criminals. A such, 2018 has seen
large campaigns of miners distributed via many
platforms with considerable success. But cryptojacking
may have already had its heyday in the fall of 2017
and the first few months of 2018, especially for its
in-browser model. Indeed, there are other types of
payloads that are far more lucrative—as we have seen
with the recent wave of web skimming attacks.
Figure 18. Coinhive detections November–December 2018 show an average of 100,000 daily hits
Figure 17. Coinhive detections from January–February 2018 show an average of 3 million daily hits
Figure 19. CoinIMP detections November–December 2018
2019 STATE OF MALWARE
| 15
16. Trojans
The term “Trojan” is broad, applying to a wide variety
of malware with different targets, goals, and behaviors.
While Trojan became synonymous with the legend of
the Trojan horse to those in cybersecurity, specifically, it
speaks to the malware’s ability to sneak in undetected
under the guise of a friendly gesture—how a piece of
code can hide within another piece of code to get past
security measures.
When the term “Trojan” was first used to describe a
type of malware, there weren’t many other threats
that employed the same tactics for infection. Today,
however, almost all malware has some kind of “Trojan”
functionality, as hiding from security software is one of
the pillars of modern cyberwarfare. In addition, Trojan
is a useful term when referring to malware families that
do not fall directly into spyware or adware or backdoor
categories, but rather multiple buckets.
The Emotet family, for example, started as a run-of-
the-mill banking Trojan. After infection, it looked for
instances where users logged into their bank accounts
or provided financial details on a website, stole that
data, and then sent it back to the command-and-
control (C&C) server.
As time passed, Emotet evolved in interesting ways: It
is now able to use exploits to infect systems, spread
additional malware, and even send emails to contacts.
These capabilities, individually, would put Emotet in
multiple malware categories, such as worm, spyware,
backdoor, and downloader. Combined, they are a
Trojan.
In this section, we are going to examine how much of a
global problem Trojans have been this year compared
to last year, and the trends of the biggest Trojan
families we are tracking.
Business-facing Trojans
Trojan malware was less often observed on corporate
endpoints in 2017, making the influx of information-
stealing Trojans primarily a 2018 problem. Figure
20 expresses the low detection numbers of Trojan
malware through Q1 to Q3 2017, which then spiked in
September and kicked off a new base level of Trojans
being detected by our corporate customers.
2017 - 2018 Global business Trojan detections
Figure 20. Global Trojan detections for businesses
Information-stealing malware is the primary cause of
the number of Trojan detections observed in 2018.
Possible reasons range from the fallout from policies,
such as the Global Data Protection Regulation (GDPR)
to the use of exploits, such as EternalBlue, and
backdoors, such as DoublePulsar.
The trend in information-stealing Trojans being
leveraged for business breaches does not appear to
be slowing down. However, the deployment of patches,
network and data segmentation, as well as user rights
management configuration might keep the Trojan
invasion from spreading so easily.
Consumer-facing Trojans
While Trojans have been doing a number on
businesses, they’ve remained fairly steady on the
consumer side, chugging along with only slight
variation between 2017 and 2018.
2019 STATE OF MALWARE
| 16
17. 2017 - 2018 Global consumer Trojan detections
Figure 21. Global Trojan detections for consumers
The total detection variation between 2017 and 2018
was about 30 million, with 2018 coming in at 190 million
Trojan detections, and 2017 registering 160 million. The
majority of what we’ve seen has been either information
stealers, malicious miners, or generic detections.
We don’t expect to see meaningful change in this
trend on an annual scale in 2019, however, quarterly
evaluation will likely reveal interesting variations among
Trojan families.
Information stealers
Two of the biggest Trojan type threats of this year were
Emotet and TrickBot, information-stealing malware that
enjoys infecting and spreading, then infecting again.
We’ve covered both of these families extensively on our
blog and in other reports released this year. Let’s now
take a look at overall detection trends for the year.
Emotet
This information-stealing spammer was a huge menace
in 2018, as it’s one of the breakout families to infect on a
large scale, both on the business and consumer sides.
2017 - 2018 Global business Emotet detections
Figure 22. Emotet business detections, April 2017–November 2018
Emotet business detections are similar to detections
on the consumer side; however, they are smaller in
scale. Note how the detection spikes for consumer and
business Emotet infections are parallel in Figure 23.
Now, observe the shape and size of the business and
consumer detections line of Q3 2018—it looks like a
dog’s head. The difference between the two shapes
is about 78,000 detections, while the first two shapes
were roughly 475,000 greater on the consumer side
than the business side.
2019 STATE OF MALWARE
| 17
18. Why is this important to point out? Because the similar
shapes of the detection humps for both business
and consumer during the same time period show us
that Emotet campaigns cast a large net against both
consumers and businesses. Historically, these nets
have caught far more victims on the consumer side,
however the gap between the two is shrinking.
2017 - 2018 Global consumer Emotet detections
Figure 24. Emotet consumer detections, April 2017–November 2018
The attackers behind Emotet are intentionally
attempting to spread their malware to business
targets. Combine this with the family’s upgrades in
functionality, such as the ability to move laterally and
spread malicious spam from the infected endpoint, and
the motive of the Emotet controllers becomes evident.
TrickBot
If more business-focused Emotet attacks didn’t make
you think information stealers have found a better
target, look no further than malware that is not only
piling up business victims on its own, but is also being
dropped as a secondary payload by Emotet itself.
2017 - 2018 Global business Trickbot detections
Figure 25. Global business detections of TrickBot
TrickBot is a nasty information stealer that can
download components for specific malicious
operations, such as keylogging and lateral movement
within a network. As Figure 25 shows, this family didn’t
start making waves until the end of 2017 and was one
of the most common payloads pushed by Emotet.
2017 - 2018 Business vs. consumer Emotet detections
Figure 23. Business vs. consumer Emotet detections
2019 STATE OF MALWARE
| 18
19. 2017 - 2018 Global consumer Trickbot detections
Figure 26. Global consumer detections of TrickBot
Overall detections of TrickBot on business and
consumer endpoints show a 200,000 difference
between the two, with businesses taking the top
position. Business endpoints have detected 1.5 million
TrickBot instances, while consumers detected nearly
1.3 million times.
Most malware we deal with tends to have greater
detection numbers on the consumer side than on
corporate endpoints. When analyzing these newfound
detections on the business side, we are able to parse
out cybercriminals’ intent to target businesses and
exploit their vulnerabilities.
Trojans by vertical
As mentioned in our Trojan introduction, Trojans can
refer to multiple malware types that are either hiding
their intent or don’t fit neatly into one category. When
we zoom out and look at the industries that Trojans
target, the picture is similar to that of our global
detections combined. Education, manufacturing, and
retail top the chart, with consulting, government, and
healthcare occupying the middle ground. Food and
beverage are in last place, and hospitality, which made
waves in the news with the Marriott breach, doesn’t
even make the list.
Top 10 industries affected by Trojan malware
1 Education
2 Manufacturing
3 Retail
4 Consulting
5 Government
6 Telecommunications
7 Healthcare
8 Technology
9 Business services
10 Food and beverage
Figure 27. Top 10 industries impacted by Trojans
However, when we clarify the Trojan category to look at
the top family of Trojans, Emotet, the industries shift.
Consulting shoots to the top of the list and hospitality
makes an appearance in fourth place. In addition,
transportation and logistics and chemicals join the top
10, pushing out telecommunications, business services,
and food and beverage industries.
Top 10 industries affected by Emotet Trojan malware
1 Consulting
2 Education
3 Manufacturing
4 Hospitality/Leisure
5 Government
6 Retail
7 Transportation and logistics
8 Chemicals
9 Healthcare
10 Technology
Figure 28. Top 10 industries impacted by Emotet
Trojans of tomorrow
The current trends we’ve been observing with Trojans
are likely to continue while there are opportunities for
criminals to exploit weak configurations and outdated
assets. However, the greater concern is the copycats
and new generations of families that are likely going to
dominate 2019.
2019 STATE OF MALWARE
| 19
20. At the moment, we don’t see much competition
for Emotet (outside of TrickBot) as it either targets
organizations on its own or acts as an infection vector
for another family. However, if the ransomware trends
of 2012 to 2016 are any indicator of things to come,
we’ll see competitors pop up quickly in the next 12
months.
Ransomware
Ransomware isn’t the wide-ranging threat it was in
2017, but it’s still a force to be reckoned with. Overall
trends show a drop in volume for the year, but an
increase in focused, sophisticated attacks aimed at
businesses. Indeed, the only real spike in numbers has
been in the realm of the workplace, with a distinct lack
of interest and innovation aimed at consumers.
While there has been some surprising reworking
of older files to perform new attacks, and a few big
splashes from famous variants such as WannaCry,
ransomware in 2018 remained mostly dormant.
2017 - 2018 Global ransomware detections
Figure 29. 2018 global ransomware detections
Consumer vs. business
The drop in overall attacks is significant: In 2017, we
saw 8,016,936 attacks across business and consumer
globally. Compare that to 2018, where there were
5,948,417 detections recorded—a decline of 26
percent.
The difference in interest for business targets over
consumer is easy to see, with one steadily increasing
while the other declines.
2017 - 2018 Global business ransomware detections
Figure 30. Global business detections of ransomware
2017 - 2018 Global consumer ransomware detections
Figure 31. Global consumer detections of ransomware
Given that businesses house so much valuable data
and critical systems, they are proving to be a more
profitable target for criminals. Not only do they have
the potential funds to pay a ransom, they’re also likely
to have multiple pressing reasons for wanting to get
back into action. Ransomware delays can be incredibly
costly, especially when an affected organization has
no backup plan in place and multiple endpoints to
remediate. Incident response and digital forensics all
add to the cost, which is often a lot more than simply
paying the ransom (a tactic we do not recommend).
2019 STATE OF MALWARE
| 20
21. Vertical business stats
You may be wondering: How popular is ransomware
across various industry sectors? Which verticals took
the hardest hit? Our data shows that consulting took
the top spot, with education swooping up second
place.
Top 10 industries affected by ransomware
1 Consulting
2 Education
3 Manufacturing
4 Retail
5 Government
6 Transportation
7 Telecommunications
8 Electronics
9 Healthcare
10 Technology
Figure 32. Top industries affected by ransomware
Despite the many major stories throughout 2018
dealing with healthcare and government attacks, other
industries felt the brunt of the ransomware menace—
with government taking the middle spot on the list, and
healthcare down in ninth place.
SamSam
SamSam caused chaos across medical networks in the
US, exploiting and brute forcing its way into systems
to make over $1 million dollars for holding systems to
ransom. One of its many older variants revamped to be
more appealing to criminals, charging victims a more
moderate price than alternative recovery methods,
making significantly more money as a result.
From January to March, SamSam took down everything
from hospitals to city services, including departments
of transportation and city-facing applications in Atlanta.
Additional major attacks took place in September, with
both the ports of San Diego and Barcelona suffering
outbreaks.
2017 - 2018 Global SamSam detections
Figure 33. 2018 global SamSam detections
Although law enforcement agencies believe they know
who is behind the infection, the alleged duo are still
at large, and we still continue to see spikes in attacks.
SamSam will continue to be a strong source of malware
infections well into 2019.
GandCrab
GandCrab was also a major player in 2018, making use
of various exploit kits shortly after its first appearance
in January. Numbers levelled off and remained constant
for most of the year, with a huge spike of activity in
February, thanks to multiple spam campaigns in Q1.
Moving to the Magnitude exploit kit for distribution,
GandCrab continued to cause trouble for network
admins and home users. This is partly thanks to
Magnitude’s unconventional malware-loading methods.
Everything from fileless techniques to binary padding
(where extra data is added to files to bypass scanning)
were used in the race to make it the biggest player in
town.
2019 STATE OF MALWARE
| 21
22. 2017 - 2018 Global GrandCrab detections
Figure 34. 2018 global GandCrab detections
GandCrab, the top ransomware variant of Q2 2018,
is also notable for being the first ransomware to
ask its victims for a cryptocurrency payment other
than Bitcoin. At a time when business ransomware
detections were up by 28 percent, but the overall
volume remained low, it became one of the leading
sources of malicious ransomware campaigns—to the
eternal aggravation of its victims.
End of year
Although ransomware has lost ground to other players,
such as cryptominers and Trojans, it still packs a punch,
and 2018 has been a year of quiet experimentation and
reassessment. The public at large are much more aware
of such attacks now, and the same old tricks won’t work
forever. We expect to see more innovative reworkings of
older files and strengthened ties to cutting-edge exploit
kits to push ransomware further still.
2019 STATE OF MALWARE
| 22
23. Noteworthy attack vectors
2018 was a mixture of the old and new, with malware
authors both falling back on traditional delivery
techniques, such as malspam and social engineering,
and exploring new territory with browser-based
cryptomining. In addition, threat actors got even
more creative at avoiding detection by injecting
malicious code into online payment platforms, slipping
rogue apps into legitimate webstores, and stealing
information out from under users’ eyes with plugins
that did more harm than good. Let’s have a look at the
most noteworthy attack vectors of the year.
Malspam
Emotet and TrickBot, two of 2018’s worst nightmares,
tag-teamed for an effective attack that included
distribution via malspam disguised as legitimate
email—your classic phishing/spear phishing campaign.
However, what made their attacks so impactful were
not just how the malware was delivered, but how it
spread.
Emotet is commonly spread by malspam that includes
infected attachments or embedded URLs. There is a
social engineering factor involved. Since Emotet takes
over victim email accounts, malicious emails appear
to come from trusted sources to their recipients. The
infected attachment usually comes in the form of a
Microsoft Word document with macros enabled.
Once Emotet has infiltrated a network, it uses
EternalBlue, one of the SMB vulnerabilities leaked
by the ShadowBrokers Group last year, to exploit
unpatched systems. Infected machines attempt to
spread Emotet laterally via brute force of domain
credentials, as well as externally via its built-in spam
module. As a result, the Emotet botnet is quite
active and responsible for much of the malspam we
encounter.
Figure 35. Emotet vs. TrickBot global detections
TrickBot is another active Trojan that uses malspam
to infect systems. It primarily relies on infected Word
documents, but also uses embedded URLs that lead to
infected PDF files. Like Emotet, TrickBot uses one of the
SMB vulnerabilities—this time, EternalRomance—for
lateral movement inside a network.
Relatively new on the malspam front are Office
documents that manage to escape the macOS sandbox
for Office macros. The Word macro malware, currently
detected as OSX.BadWord, sets up a backdoor using
Python on the affected system.
2019 STATE OF MALWARE
| 23
24. Website attacks
In 2018, we saw a steady increase of high-profile
attacks on trusted, legitimate ecommerce sites via
third-party compromise for skimming credit card
details and other PII. One such attack on British Airways
impacted nearly 400,000 customers, whose names,
home addresses, and financial information were stolen.
By lurking on trusted websites, the threat actor
group known as Magecart stole payment and contact
information that visitors entered when checking out
their purchases. The Magecart attacks exploited
weaknesses in the code of the payment processing
pages and used cross-site scripting (XXS). Several
groups using Magecart tactics sometimes compete
with each other by tampering with one another’s code.
The malicious code below, the work of Magecart, was
appended to a legitimate and trusted script in an
obfuscated format.
After decoding the script, we can see the code
responsible for harvesting the data when customers
hit the checkout button. At the network level, this looks
like a POST request where each field (name, address,
credit card number, expiry date, CVV, etc.) is sent in
Base64 format to a rogue server (in this case, info-
stat[.]ws) controlled by the criminals.
This kind of attack happens transparently to both the
merchant and customer. In contrast to breaches that
involve leaked databases where the information may
be encrypted, web skimmers are able to collect data in
clear text and in real-time.
Figure 36. Malicious code from Magecart
2019 STATE OF MALWARE
| 24
25. Malicious browser extensions
In 2018, malicious browser extensions (plugins) made
quite a splash. Whether legitimate extensions were
compromised and used in supply-chain attacks or rogue
extensions promised user privacy while tracking their
movements online, there were plenty of examples to
choose from. Some of the standout cases we saw were:
»» Compromised legitimate extensions in a supply-
chain attack, most notably filesharing MEGA.nz’s
Chrome extension, which stole usernames and
passwords. Users could only notice the difference
from the original extension because of the extra
permissions the hacked version asked for.
»» A slew of Firefox extensions (and also some Chrome
ones) were caught red-handed spying on their users’
browsing history.
»» Extensions that mimicked popular plugins to trick
users into installing them, including an extension
that claimed it didn’t track its users or store their
data, but instead protected users from the prying
eyes of the browsers themselves. Of course, what
users really got was an extension that simply
redirected their homepage to Yahoo!
On the bright side, major browsers were compelled to
take action against these malicious extensions. Here
are the changes they have implemented so far:
»» Stopped inline installs. Everything must now go
through the official web stores.
»» Blocked obfuscated code in the extensions.
»» Ceased support for legacy protocols like TLS 1.0 and
1.1. This was announced for 2020.
While major browsers have taken measures to shield
malicious extensions from entering their stores, we still
see a lot of adware and PUPs coming through. Most of
these are hijackers, which can change your browser’s
default search provider or its Start or New Tab pages.
Sometimes, they pretend to enhance your search privacy.
And while we keep telling users that they should
get their apps from the official stores, popular game
Fortnite decided to offer up its Android version of
the game outside of Google Play. To get the game,
users have to enable the “allow installs from unknown
sources” option, which can lead to other unwanted
installs. To make matters worse, their installer allowed
man-in-the-disk attacks, a way for rogue apps to hijack
the installer and install their own junkware in place of
the legitimate app.
Figure 37. Magecart code sends details to a rogue server
2019 STATE OF MALWARE
| 25
26. Exploits
We expected to continue seeing attacks via malicious
spam and Microsoft Office documents in 2018, as
this was a trend we had already observed during the
previous year.
We have seen an interesting shift happening with
regards to how vulnerabilities are being used in the
wild, however. Because browsers have become more
secure, as well as automatically updated, drive-by
downloads are far fewer in between. As such, the
email vector is one of the most relied upon ways threat
actors have to compromise systems.
Plugin and browser exploits
To kick off the year, we saw a zero-day vulnerability
in the Flash Player (CVE-2018-4878) being used in
targeted attacks against South Korea, attributed by
many to the Lazarus group.
The exploit was embedded within a decoy Excel
spreadsheet and loaded as an ActiveX object. Soon
after, a number of exploit kit authors had adopted this
vulnerability as part of their web-based distribution
toolkits.
Another zero-day for the VBScript engine (CVE-2018-
8174) was discovered in late April and was significant
because it had been two years since we had seen a
fresh exploit affecting the popular Internet Explorer
browser. However, it is worth noting that this zero-day
was once again packaged in a document rather than
as a drive-by. Following the typical zero-day [->] patch [->]
Proof-of-Concept (PoC) cycle, this new exploit became
mainstream among browser exploit kits, relegating its
predecessor, CVE-2016-0189.
Figure 38. Hidden Flash ActiveX embedded in lure document
2019 STATE OF MALWARE
| 26
27. Mass compromises via routers
April was a busy month indeed, as a critical flaw affecting
MikroTik routers (CVE-2018-14847) was found inside
RouterOS, the operating system powering those devices.
Restricting access to Winbox (MikroTik’s management
panel) via the firewall was highly recommended to
prevent intrusions. Attackers automated login attempts
and even used malware to exploit the path traversal
vulnerability.
Fixing the issue not only required to apply security
patches but also to clean up certain configuration
files. Those files were often used to inject Coinhive
cryptojacking scripts, thereby making anybody
connected to an infected router, regardless of
the device or website they were visiting, mine for
cryptocurrencies.
Figure 39. Malware scanning for other vulnerable devices on the default Winbox port (8291)
Figure 40. Shodan scan showing over 100,000 compromised MikroTik devices
2019 STATE OF MALWARE
| 27
28. CMS hacks
It would be hard not to mention Content Management
Systems (CMS) and how they were affected by exploits
in 2018. Attackers often discovered or exploited
Remote Code Execution vulnerabilities in popular
software such as WordPress, Jooma, or Drupal.
Drupal was one the most probed CMSes in the first half
of 2018, in large part due to back-to-back flaws (CVE-
2018-7600 and CVE-2018-7602) that led to massive
compromises.
Compromises by Drupal Version
Figure 41. Most compromised sites by Drupal version (7.x branch)
A majority of website owners do not keep their CMS
(or its plugins) up to date and unsurprisingly suffer
compromises. The fear of breaking a site by upgrading
it is often cited as a reason to remain on an older
revision. Having said that, unless those sites are
protected behind some kind of application firewall, they
will easily be hacked.
Zero-days in browsers and plugins were high on the list
in 2018, but not necessarily used in the way one would
expect. Indeed, attackers have instead been combining
them with spear phishing or social engineering attacks
embedded within Office files.
Criminals have also been targeting hardware devices—
particularly routers—to perform compromises on
a large scale. As we know, those devices are often
outdated and will likely never be patched until they
stop working altogether. This is a perfect scenario
for attackers, and one that is difficult to combat for
security vendors without user awareness.
2019 STATE OF MALWARE
| 28
29. Noteworthy scams
In 2018, we experienced a wide range of scams that
often mirrored developments in malware distribution
and creation. In Q1, cryptomining took over just about
every aspect of cybercrime—scams included. The more
successful players consolidated resources
and turned to more inventive tactics, transporting
themselves beyond simple tech support scams to drain
cryptowallets themselves. By Q2, we noticed a shift
away from cryptoscams to targeting PII—a tactic that
remains active today.
Most notably, Coinbase-themed TSS achieved thefts
of spectacular scale, based largely on the lack of fraud
protection involved with Bitcoin and Coinbase itself.
Victim reports on Twitter claiming empty wallets and
losses in the five figures suggest that these threat
actors found it easier to simply drain wallets at their
leisure rather than provide fake tech support.
Scammers were also observed updating their lead
generation tactics using API abuse to assist in freezing
the victim’s browser at the beginning of 2018. The
primary target for this technique was Chrome, but it
also impacted Firefox and Brave.
Exploitable business practices
Tech support scams primarily rely on exploitable
business processes rather than specific tools. In the
case of Coinbase-themed scams, scammers exploited
the lack of fraud protection inherent to Bitcoin
transactions to boost their profits significantly above
average. With the API abuse referenced, the real
exploit is the significant lag between reporting to the
companies in question and an eventual patch.
Given that a particular browser function generally has
a legitimate function to many users, patch lag time for
tech support cases tends to be relatively long. As such,
scammers can exploit that period for large gains.
We expect both Bitcoin-themed scams and browser
abuse to be useful tools for scammers for quite some
time.
Targeting PII
Moving into Q2, scammers increasingly began targeting
PII. We first observed scammers blatantly stealing PII
from victims with Bitcoin scams. Light regulation, limited
fraud protection, and poor support on exchanges
contributed to making social engineering attacks against
Bitcoin wallets highly lucrative. But as the victim pool for
traditional tech support scams contracted in the face of
user awareness and increased enforcement, scammers
started stealing passwords, bank account information,
and email accounts with increasing frequency. New
GDPR regulations likely added fuel to the PII theft fire, as
that type of information snatches a healthy paycheck on
the black market.
Sextortion
In early July, an extortion scam campaign attracted
our notice due to its large scale and unique twist.
Unlike traditional sex-based extortion scams, this email
campaign came with a user’s password as a sign that
the sender had “hacked” the victim. These credentials
came from a variety of past high-profile breaches, most
likely drawn from one of several omnibus collections
of leaks over the past four years. The credentials were
accurate, although most victims said the threat actors
were using old and often outdated passwords.
Using leaked credentials as a social engineering tool
is a relatively novel approach to this sort of attack,
allowing an additional monetization channel for the
credentials themselves, and adding a veneer of
plausibility to the subsequent extortion attack. As third-
party breaches show no signs of decline, we expect
this technique to remain in use as an aid to phishing,
extortion, and other scams.
2019 STATE OF MALWARE
| 29
30. Tightening the noose
Over the past quarter, we’ve observed a hard shift away
from credit card processing by scammers targeting
Malwarebytes customers. Credit card processors have
increasingly been taking action against scammers
abusing their platforms, prompting a shift to less
closely monitored platforms like PayPal, as well as
formats with less built-in fraud protection like Bitcoin
and personal checks. While this provides the threat
actors with a more stable revenue stream, it also limits
the scope of their activities, resulting in a lower number
of reporting victims over the past quarter.
Another response to increased enforcement activity
has been a gradual shift away from blind cold calls
to voice messages requesting a call back. Callbacks
are a well-tested means to get in touch with only the
most vulnerable victim populations, excluding people
inclined to ask probing questions on an initial call.
A look ahead
Moving forward, we expect PII-enabled social
engineering attacks similar to the sextortion email
wave to gain popularity. Given the escalating tempo
of large-scale breaches, combined with widespread
credential reuse across platforms, leveraging leaked
PII to increase social engineering efficacy offers a
threat actor a force multiplier with limited downside or
expense. Best of all for the attacker—as demonstrated
with the sextortion campaign—PII used in a social
engineering pitch doesn’t even have to be accurate or
up to date to be effective. As a result, more campaigns
of this tenor are expected in the future.
2019 STATE OF MALWARE
| 30
31. 2019 predictions
As we look forward to the new year, we’re often asked to
predict which trends will die down and which new ones
will appear. While we can use our intel to make educated
guesses about the ebbs and flows of cybercrime, no
amount of experience can prepare us for disruptive
innovations the likes of which we experienced with the
cryptomining craze. When it comes to cybercrime, we
still don’t know what we don’t know.
But that doesn’t mean we shouldn’t take some time
to think about the future and prepare ourselves for
potential dangers around the corner. Here’s what we
think could take place in 2019. Hold onto your butts.
New, high-profile breaches will push
the security industry to finally solve
the username/password problem.
The ineffective username/password conundrum
has plagued consumers and businesses for years.
There are many solutions out there—asymmetric
cryptography, biometrics, blockchain, hardware
solutions, etc.—but so far, the cybersecurity industry
has not been able to settle on a standard to fix the
problem. In 2019, we will see a more concerted effort to
replace passwords altogether.
IoT botnets will come to a device
near you.
In the second half of 2018, we saw several thousand
MikroTik routers hacked to serve up coin miners. This
is only the beginning of what we will likely see in the
new year, with more and more hardware devices being
compromised to serve up everything from cryptominers
to Trojans. Large scale compromises of routers and IoT
devices are going to take place, and they are a lot harder
to patch than computers. Even just patching does not fix
the problem if the device is infected.
Digital skimming will increase in
frequency and sophistication.
Cybercriminals are going after websites that process
payments and compromising the checkout page
directly. Whether you are purchasing roller skates or
concert tickets, when you enter your information on the
checkout page, if the shopping cart software is faulty,
information is sent in clear text, allowing attackers to
intercept in real time. Security companies saw evidence
of this with the British Airways and Ticketmaster hacks.
EternalBlue or a copycat will become
the de facto method for spreading
malware in 2019.
Because it can self-propagate, EtnernalBlue and others
in the SMB vulnerability, including EternalRomance and
EternalChampion, present a particular challenge for
organizations, and cybercriminals will exploit this to
distribute new malware.
Cryptomining on desktops, at least on
the consumer side, will just about die.
Again, as we saw in October (2018) with MikroTik
routers being hacked to serve up miners,
cybercriminals just aren’t getting value out of targeting
individual consumers with cryptominers. Instead,
attacks distributing cryptominers will focus on
platforms that can generate more revenue
(servers, IoT) and will fade from other platforms
(browser-based mining).
2019 STATE OF MALWARE
| 31
32. Attacks designed to avoid detection,
like soundloggers, will slip into the
wild.
Keyloggers that record sounds are sometimes called
soundloggers, and they are able to listen to the
cadence and volume of tapping to determine which
keys are struck on a keyboard. Already in existence, this
type of attack was developed by nation-state actors
to target adversaries. Attacks using this and other new
attack methodologies designed to avoid detection are
likely to slip out into the wild against businesses and
the general public.
Artificial Intelligence will be used in the
creation of malicious executables.
While the idea of having malicious AI running on a
victim’s system is pure science fiction at least for the
next 10 years, malware that is modified by, created
by, and communicating with an AI is a dangerous
reality. An AI that communicates with compromised
computers and monitors which and how certain malware
is detected can quickly deploy countermeasures. AI
controllers will enable malware built to modify its own
code to avoid being detected on the system, regardless
of the security tool deployed. Imagine a malware
infection that acts almost like “The Borg” from Star
Trek, adjusting and acclimating its attack and defense
methods on the fly based on what it is up against.
Bring your own security grows as trust
declines.
More and more consumers are bringing their own
security to the workplace as a first or second layer
of defense to protect their personal information.
As industries become more aware of the dangers
associated with BYOS, they are taking proactive
measures to protect their company from the breach of
sensitive data. In fact, Malwarebytes recently conducted
global research and found that nearly 200,000 companies
had a consumer version of Malwarebytes installed.
Education was the industry most prone to adopting
BYOS, followed by software/technology, and business
services.
2019 STATE OF MALWARE
| 32