2018 @ the Half: Surveying the Cyber Threat Landscape at Mid-Year
By Steve Grobman, CTO, McAfee
The year 2018 has already shown itself to be extraordinary in terms of cyber threat activity.
There were new revelations concerning complex nation-state cyber-attack campaigns targeting users and enterprise systems worldwide. Bad actors demonstrated a remarkable level of technical agility and innovation. Criminals continued to adopt cryptojacking to easily monetize their criminal activity, while minimizing the effort and risk normally associated with cybercrime.
As we move into the second half of 2018, it is worth taking time to consider some notable threat landscape events and trends shaping our world:
Gold Dragon and the Winter Olympic Games
In January, McAfee Advanced Threat Research reported an attack targeting organizations involved in the Pyeongchang Winter Olympics in South Korea. The attack was executed via a malicious Microsoft Word attachment containing a hidden PowerShell implant script. The script was embedded within an image file and executed from a remote server. Dubbed Gold Dragon, the resulting fileless implant encrypted stolen data, sent the data to the attackers' command and control servers, performed reconnaissance functions, and monitored anti-malware solutions to evading them.
Lazarus and cryptocurrency campaigns
The Lazarus cybercrime ring launched a highly sophisticated Bitcoin-stealing phishing campaign—HaoBao—which targeted global financial organizations and Bitcoin users. When recipients open malicious email attachments, an implant would scan for Bitcoin activity and establishes an implant for persistent data gathering and crypto mining.
GhostSecret/Bankshot
Operation GhostSecret targeted the healthcare, finance, entertainment, and telecommunications sectors. Operation GhostSecret is believed to be associated with the international cybercrime group known as Hidden Cobra. The campaign, which employs a series of implants to appropriate data from infected systems, is also characterized by its ability to evade detection and throw forensic investigators off its trail. The latest Bankshot variation of GhostSecret uses an embedded Adobe Flash exploit to enable execution of implants. It also incorporates elements of the Destover malware, which was used in the 2014 Sony Pictures attack, and the Proxysvc implant, a previously undocumented implant which operated undetected since mid-2017.
Cryptojacking: Infect and Collect
Cybercriminals extended their activity into the area of cryptojacking, the infection of user systems for the purpose of hijacking them and using them to mine for cryptocurrencies. Coinminer malware grew from just under 400,000 known samples in the last quarter of 2017 to more than 2.9 million samples in the first quarter of 2018. This suggests that cybercriminals are warming to the prospect of being able to easily monetize the infection of user systems and collect payments without prompting victims to pay, as is the case with popular ransomware schemes.
The second half of 2018 should see continued nation-state activity, as many new forms of familiar attacks as new attack techniques, and more expansion in cryptojacking as criminals seek to make cybercrime easier to execute, less risky and more lucrative than ever before.