This blog monitors and reports on broadband policy and marketplace developments in the UK, Europe and worldwide that are likely to be of interest to the Janet community. Posts here may also reference my Broadband Policy Watch blog and you can also find me on Twitter.

Cyber security research & analysis February 2017

Monday, February 27, 2017 - 10:47

A number of reports analysing cyber security developments and trends during 2016 were published this month:

Akamai published its State of the Internet/Security report for the fourth quarter of 2016. Unsecured Internet of Things (IoT) devices continued to drive significant distributed denial of service (DDoS) attack traffic. Seven of the 12 Q4 2016 attacks with traffic greater than 100Gbit/s can be directly attributed to Mirai, though the largest DDoS attack in Q4 2016, which peaked at 517Gbit/s, came from Spike, a non-IoT botnet that has been around for more than two years.

According to its Q4 2016 DDoS Trends Report, Verisign observed a 167 percent increase in average peak attack size in 2016, to 16.1Gbit/s compared with 6.02Gbit/s in 2015. The largest and highest-intensity DDoS attack observed by Verisign in Q4 2016 was a multi-vector attack, which peaked at over 125Gbit/s and around 50 million packets per second (Mpps). Eighty-six percent of the DDoS attacks mitigated by Verisign in Q4 2016 employed multiple attack types, with 65% utilising three or more.

Cisco’s 2017 Annual Cyber Security Report, the company’s tenth, found that over one-third of organizations that experienced a breach in 2016 reported substantial customer, opportunity and revenue loss of more than 20 percent. Budget constraints, poor compatibility of systems and a skills shortage were cited as the biggest barriers to effective security. Cisco also reports a resurgence of classic attack vectors such as adware and email spam, the latter of which has returned to a level last seen in 2010.

ProofPoint’s Q4 Threat Summary and Year in Review found that email remained the top vector for malware as exploit kits (EKs) continued to decline. Q4’s largest malicious email campaign was 6.7 times the size of Q3’s largest. Both campaigns involved the Locky family of ransomware and were sent using compressed files and malicious JavaScript code, marking a sharp increase in these tactics compared with earlier campaigns that used document attachments with malicious macros embedded. The number of new ransomware variants increased 30-fold compared with the year-ago quarter, and social media phishing attacks increased 500% during the year.

The European Union Agency for Network and Information Security (ENISA) published its Threat Landscape 2016 report, describing 2016 as being characterised by “the efficiency of cyber-crime monetization”. ENISA flagged the advances in the use of insecure IoT devices to deliver large scale DDoS attacks and the continued success and profitability of ransomware. ENISA also welcomed successes in preventing cyber threats through operations coordinated by law enforcement and including vendors and state actors, as well as the increased recognition of cyber security in professional education and training, particularly within universities and training organisations.

The annual Imperva Incapsula Bot Traffic Report examines more than 16.7 billion visits to 100,000 randomly selected domains on the Incapsula network. It found that bot activity is increasing after a three-year decline. Humans now account for 48.2% of website visits, while “good bots” (search engine bots, commercial crawlers) account for 22.9% and “bad bots” (impersonators, scrapers, spammers) for 28.9%. Impersonators are attack bots that mask themselves as legitimate visitors so as to circumvent security solutions; they are used in DDoS attacks to overload servers with a high number of seemingly legitimate requests.

SonicWall’s Annual Threat Report showed a decline in the volume of unique malware samples and in the number of malware attack attempts for the first time in years, indicating that many security industry initiatives are helping protect companies from malicious breaches. SonicWall also observed that 62% of web traffic was Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted in 2016, making consumers and businesses safer in terms of data privacy and integrity, a trend it expects to continue in 2017. However, SonicWall also flagged the explosive growth in ransomware, the exploitation of vulnerabilities in SSL/TLS encryption and the threat of attacks from compromised IoT devices as continued causes for concern and vigilance (more from SonicWall here).

CheckPoint’s H2 2016 Global Threat Intelligence Trends Report (more here) showed that ransomware attacks doubled between July and December 2016. A small number of malware families are responsible for the majority of attacks. The most common variants detected were Locky, Cryptowall and Cerber. The report also noted the discovery of Mirai in August 2016 and its impact on multiple high volume DDoS attacks, and predicts that the sophistication, scale and diversity of attacks will increase in 2017.

Microsoft reported that attackers are now switching to less suspicious file types to trick users. Cybercriminals are using a combination of improved script and well-maintained download sites to attempt installing Locky and Kovter on more computers. Opening malicious .lnk files contained in .zip archives executes a PowerShell script that performs a download routine; Microsoft has also found a more complex version of the script, delivering more malware from more download sites. Also see Network World.
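As an added illustration from the defender's side (not code from the original post or from Microsoft), the following Python script inspects a ZIP archive for shortcut (.lnk) entries, recognising them by the MS-SHLLINK header rather than trusting the file extension, and flags any whose contents mention PowerShell or a download call. The sample archive, the double-extension file name and the marker list are constructed assumptions for demonstration.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C then LinkCLSID 00021401-0000-0000-C000-000000000046
# (little-endian GUID byte order); a shortcut is recognised by this, not by its extension.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
# Assumed heuristic markers, matched case-insensitively as ASCII and as UTF-16LE
# (LNK string data is UTF-16LE when the IsUnicode flag is set).
MARKERS = ("powershell", "downloadfile", "downloadstring")

def is_lnk(data: bytes) -> bool:
    """True when the bytes start with a Shell Link header, whatever the file name says."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC

def lnk_indicators(data: bytes) -> list:
    """Return the markers found anywhere in the shortcut body, in MARKERS order."""
    lowered = data.lower()  # bytes.lower() only folds ASCII letters, which is what we want
    return [m for m in MARKERS
            if m.encode("ascii") in lowered or m.encode("utf-16-le") in lowered]

def scan_zip(blob: bytes) -> list:
    """Report every archive member that is a shortcut by extension or by header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = is_lnk(data)
            if by_ext or by_magic:
                findings.append({"name": info.filename, "extension_mismatch": by_magic and not by_ext,
                                 "indicators": lnk_indicators(data)})
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample (not a real campaign artefact): a fake shortcut with a double extension, a shortcut hiding behind a .txt name, and a harmless text file."""
    args = "powershell.exe DownloadFile http://example.invalid/placeholder"  # stand-in, not a real command
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + args.encode("utf-16-le")  # 76-byte header, then string data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.lnk", fake_lnk)
        zf.writestr("notes.txt", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"plain text, not a shortcut")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))
```

Matching on the header catches shortcuts renamed to look like documents; a mail gateway would combine this with blocking .lnk attachments outright.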

Research by BAE Systems revealed a disconnect between senior company executives and IT decision makers in defending against cyber threats, with each believing that the other is responsible for managing the response to an attack. Senior executives estimate the cost of a successful attack to be dramatically lower than their IT colleagues do. Cyber security is the most significant business challenge according to 71% of senior executive respondents. Additionally, 72% of IT decision makers expect to be targeted by an attack in the next 12 months, and both groups report that they expect the frequency and severity of attacks to increase.

More on ransomware: Network World reported on the high number of instances where ransomware demands are paid, against the advice of law enforcement agencies such as the Federal Bureau of Investigation, further encouraging the ransomware business model. The fact that many ransomware instances go unreported compounds the problem; unfortunately, in many cases the victim can afford the ransom demand more easily than the cost of losing their files and data. ZDNet reported that cybersecurity researchers at the Georgia Institute of Technology have developed a new form of ransomware designed to attack industrial systems, highlighting how a ransomware attack could disrupt critical services using an attack on a simulated water treatment plant. After gaining access, the researchers were able to command programmable logic controllers (PLCs) to shut valves, increase the amount of chlorine added to water and display false readings. F-Secure’s State of Cyber Security 2017 report noted how ransomware families have evolved to offer customer-friendly features to guide their victims in making Bitcoin payments; also see this related blog post describing exchanges on a ransomware “customer portal” chat facility and this appendix transcribing chats.

Finally, the University of Surrey is to lead a £1.1m study into how people’s behaviour can lead to cybersecurity risks, including how people become victims of cybercrime. The project will involve 12 cybercrime and cybersecurity experts from across the world, as well as governmental (especially law enforcement) agencies, industry (cybersecurity companies) and NGOs, and will use real-world scenarios to investigate how personalised approaches can help people and organisations to better reduce human-related risks and fight cybercrime.