These are the 10 biggest cyberthreats right now

Bad actors are spending more money developing more complex malware with more capabilities, and businesses need to be aware of what the biggest threats are and the latest techniques being used in order to find them first, according to Craig Williams, director of Talos outreach for Cisco Systems.

Much of this conversation has focused heavily on critical vulnerabilities or zero-day exploits that are high-profile enough to be given a cool name, according to Luke McNamara, principal analyst at FireEye. But more basic malicious tools, techniques and procedures with a proven track record are very effective as well, McNamara said.

From a defense standpoint, the industry has been most focused on increasing its ability to detect, alert and block a greater number of potential threats, according to Christian Have, chief product officer at LogPoint. But companies can only realistically look at one or two security incidents per day on their own, Have said, highlighting the need for significant advances in automation.

Here's a look at 10 new and emerging cyberthreats that are creating chaos across organisations of all sizes and stature this year.

Advanced persistent threats

The cost of carrying out an advanced persistent threat (APT) attack has come down recently, meaning that well-funded, well-motivated adversaries have access to much higher-quality malware than before, according to LogPoint's Have.

Attackers like to navigate the path of least resistance, Have said, and APTs have made it easier to target and put immense amounts of pressure on critical infrastructure. Organisations often think they can detect an APT if it were to happen, but Have said that's complicated by the cell-like composition of a company's ecosystem, where every component is interrelated to one another.

Businesses need to think about how an adversary will exploit their network, Have said. Organisations and their adversaries have access to much better vulnerability data today than a few years ago, according to Have, meaning that specific vulnerabilities can be easily scanned for and seized upon to automatically exploit the entire machine.

Cryptomining

Organisations that fall prey to cryptomining probably left a door open somewhere, raising questions as to what else is in their network, according to Cisco's Williams.

Known, longstanding exploit kits are typically used to carry out cryptomining, Williams said, meaning that businesses that succumb to it have usually had unsecured systems present for a long time. Cryptomining is orders of magnitude more prevalent today than any other type of attack, Williams said, since it can persist for an incredibly long period of time and is nearly risk-free for attackers.

Unlike ransomware—which has a payout rate of between 1 percent and 2 percent—attackers that successfully carry out cryptomining get paid 100 percent of the time, Williams said. Rather than taking the ransomware approach of trying to get an organisation to pay a large sum to regain access to a single machine, Williams said cryptomining brings in smaller amounts of money from many, many machines.

Insider threat

Some employees deliberately use the credentials and trust put in by their own employer to their advantage, Have said, “forgetting” the USB key with sensitive data on the subway or bringing a list of contacts over from an old employer to a new one, according to LogPoint's Have. Motivations for insider threats include political and financial gain, Have said.

The risk is compounded by the fact that more sensitive business data is being moved to the cloud, Have said, meaning that organisations now need a completely different skill set to safeguard against insider threats.

As challenging as it was to find people with knowledge of an organisation's internal system, Have said finding a good cloud security architect is even more difficult. In addition, Have said controls for in-house systems are typically covered by data governance and access policies, but obtaining similar visibility in the cloud would require that the business audit its data in Microsoft Azure, Office 365 or Salesforce.

Macro viruses

Many nation-state actors and criminal groups have turned to macro-enabled Microsoft Word, Excel or PowerPoint documents to gain an initial foothold in the victim's organisation, according to FireEye's McNamara.

For instance, McNamara said a group might deploy and drop malware into a macro-enabled Word or PowerPoint document focused on financial earnings when going after the company's finance department. And once that succeeds at establishing an initial foothold, McNamara said attackers can use it as a launch point to move laterally throughout the network.

Macro-based campaigns can be incredibly effective since they exploit the human element to let attackers in, McNamara said. Businesses must look at the follow-on indicators of compromise to figure out who's behind the macro-based activity, McNamara said.

Olympic Destroyer

The Olympic Destroyer malware contained several similarities to the 2017 NotPeyta outbreak in that it had four threat vectors rather than the one found in normal malware, according to Cisco's Williams. Although many of the most successful vectors were stolen from other attacks, Williams said Olympic Destroyer also added credential theft from the browser.

The most interesting part of Olympic Destroyer is that the author behind the malware intentionally went into the code and cut and pasted random pieces of other attacks, Williams said. This was intentionally designed to fool researchers into misattributing the malware, according to Williams.

This tactic messed with people attempting to do pattern matching, Williams said, and proved that attempting to do attribution based off a single malware sample is a fool's errand.

Overall, Williams said Olympic Destroyer is the continuation of an escalating series of campaigns that involve countries acting irresponsibly on the internet.

Open-source malware

Advanced espionage groups have access to advanced development resources and boutique toolsets, according to FireEye's McNamara, but are increasingly opting for open-source malware to avoid attribution. These groups often establish their foothold using open-source tools, McNamara said, and then pivot to unique toolsets to move laterally within the organisation.

This presents a challenge to businesses that are attempting to use intelligence to prioritise the most critical threats and figure out who they should be the most concerned about, according to McNamara. Organisations need to be able to distinguish between less skilled, less talented operators and capable espionage groups that target a particular industry for intellectual property, McNamara said.

Although attackers attempt to hide their noise by using commonly available tools, McNamara said examining follow-up indicators should help organisations figure out how to prioritize their resources. Specifically, he said businesses need to know what tools, techniques and procedures the threat actor is using to move laterally in the victim's network.

Supply chain attacks

Large enterprises need to focus not only on securing the data within their own network, but also on the data that trusted third parties and vendors have access to, according to FireEye's McNamara. Compromising law firms, auditing firms, or software providers that the target organisation works with can be a promising way to gain access to the intended victim's data and network, McNamara said.

McNamara said it can be challenging to detect the full scope of threat activity if adversaries are going after managed service providers or other third parties that have access to a variety of the enterprise's data.

One of the most effective ways to minimize damage from a supply chain attack is segmentation, which Cisco's Williams said is the cyber-equivalent of adding more locked doors inside of a building. Servers with software don't need to talk with servers in a company's data centre, Williams said, and setting up the network so that can happen makes it easier for bad actors to touch all of a company's servers.

Targeted attacks

Going after things that are inherently difficult to create such as intellectual property, schematics, recipes or chemical compounds means that successful efforts will yield a big payout, according to LogPoint's Have.

Although this information can end up in the hands of Chinese manufacturers, Have doubts that the manufacturers themselves are carrying out offensive cyberoperations. Instead, Have said these offensive cybercapabilities have become a tool of nation-states to help their industries become more competitive against the West.

Businesses can defend against targeted operations by looking at behavioral changes within their organisation to ascertain how systems and users are communicating, according to Have. Companies should have the necessary security analytics in place to compare their current operations to how things should be functioning under normal circumstances, Have said.

VPNFilter

VPNFilter is designed to result in complete, end-to-end compromise of networks found in a home or small office, according to Cisco's Williams. The potential for damage from VPNFilter has been huge, Williams said, since it can entirely wipe a device's firmware.

VPNFilter isn't a once-and-done malware like a keylogger, Williams said, instead allowing for persistent interception of network traffic with the capability to destroy a device. Some 500,000 devices globally have been susceptible to VPNFilter, Williams said, and were made primarily by smaller manufacturers.

Williams said VPNFilter is characteristic of what he typically sees in nation-state threats since it's modular, expandable, and goes well beyond the complexity of crimeware-type malware. Specifically, Williams said VPNFilter said actually expanded the privileges of an affected device, and masks the command-and-control server in a very complicated manner.

Whitelisting

Whitelisting can be difficult for organisations to figure out how to deal with since a lot of third-party tools such as Dropbox or cloud infrastructure can be used for both benign and malicious purposes, according to FireEye's McNamara. As a result, McNamara said the company's Security Operations Center might see it as normal traffic and not sound the alarm.

If a cloud storage provider, webmail or social media application has been whitelisted and approved, McNamara said it's much harder to catch anomalous behavior coming out of it. As a result, McNamara said businesses must continually balance how much access they want to provide for third-party systems coming into their environment.

As usage of platforms and applications continues to increase, McNamara said it has become easier for threat actors to exploit the systems by blending into the noise. Adversaries will specifically focus their efforts on funneling malicious activity through the applications, tools and platforms that are seeing the most legitimate use and traffic within an organisation, according to McNamara.

This article originally appeared at crn.com