2017 has been a turning point in terms of the increasing severity and frequency of cybersecurity attacks – specifically phishing, ransomware, and DDoS attacks. As businesses continued to improve their cyber defenses, attackers successfully shifted and adopted new tactics while searching out unwitting targets. While financial gain remained a top motive behind attacks, ransomware became the attack of choice to extort money from victims, displacing the Trojan botnets and POS attacks used heavily in the past. Large breaches led to public disclosure of customer account details, credentials, or Personally Identifiable Information (PII), including the account data of over one billion Yahoo users. The point of this blog post is to explore the recent trends in cybersecurity attacks, specifically the threat actors involved, the tactics used, and the industries targeted. This analysis of cybersecurity incident information is intended to help organizations improve threat response time, strengthen cybersecurity defenses, and allocate cybersecurity resources more effectively.
High profile cybersecurity incidents have largely been attributed to organized criminal groups, nation-states or state-affiliated actors, insiders, or cyber-activists. This year, organized criminal groups were responsible for several financially-motivated cyber-attack campaigns, most notably the use of ransomware to extort money from victims and continued attacks on Point of Sale (POS) systems in an attempt to steal payment card data.
The largest attack of 2017 thus far, the WannaCry ransomware attack, impacted over 230,000 systems across 150 countries in an attempt to extort ransom payments from victims. WannaCry exploited a known vulnerability in older versions of Microsoft Windows, using the EternalBlue exploit and the DoublePulsar tool to install and execute a copy of itself. WannaCry’s impact was tremendous, as organizations had to bring down critical systems and install patches on countless machines. The EternalBlue exploit was published online by the Shadow Brokers group and is believed to have been created by the National Security Agency (NSA).
Although WannaCry demanded $300 in Bitcoin to unlock victim files, it only netted the perpetrators between $50K and $100K, due to widespread and rapid emergency patching and the use of decryptors that became available just days after the attack.
Another attack perpetrated by an organized criminal group was a Point of Sale (POS) system breach at Chipotle that led to direct and devastating financial and brand damage. Chipotle reported a breach on April 25 that affected more than 2,000 restaurant locations and a massive number of its customers across 47 states. An investigation of the breach concluded that the POS malware was active from March 24 to April 18 and searched for “track data,” including card numbers, expiration dates, and internal verification codes, according to Chipotle's security alert. Chipotle’s stock price has plummeted from nearly $500 per share to just over $400 while the benchmark S&P has hit new highs.
Clearly, crime has changed from holding up a teller at the neighborhood bank branch to creating malware that electronically siphons money from the institution. Whether the criminals are organized groups creating their own malware and schemes or individuals using script-kiddie tools to steal credit card numbers or sensitive information, the number and the cost of these crimes are increasing at a nearly astronomical rate.
A consistent pattern throughout the past year has been the rise in incidents and breaches attributed to nation-state attackers. Often described as Advanced Persistent Threats (APTs), these sophisticated attackers typically act for political reasons. The 2016 Presidential election continues to make the news as the investigation into Russian hacking continues. This year saw a shift – from Chinese-sponsored espionage cyberattacks to Russian interference in the election. In the past, major state-sponsored attack campaigns were attributed to the People’s Liberation Army Unit 61398, an elite hacking unit targeting state secrets and intellectual property of the US Government and US businesses – including 22 million PII records and other sensitive information from the U.S. Office of Personnel Management.
However, a comprehensive effort by the Obama administration followed, including a formal agreement to cooperate in preventing malicious cyber activities. While nation-state hacking remains a top cyber threat, it is now more often attributed to Russian actors than Chinese. This includes more than election-related hacking, most notably a prolonged cyber-attack campaign against the U.S. energy grid. Nation-states are likely to remain a prominent actor in cybersecurity incidents in the years ahead, and remain under increased scrutiny as the election hacking continues to absorb the headlines of CNN, MSNBC and other news outlets in the United States.
Insider threats were certainly another significant security issue in the past year, highlighted when healthcare workers accessed medical databases to steal PII for identity theft. However, insiders were not as common a threat source as external actors. Cyber-activists did not make as high-profile an impact as in the past, when large hacked data sets were regularly posted to Pastebin. However, several attacks did take place surrounding protests of alleged police misbehavior.
A breakdown of cyber incidents and breaches over the past year underscores several interesting trends in the industries targeted. Each industry has its own threat exposure, risk profile, and assets that are targeted by different attackers for different reasons. Restaurants, and especially quick-service restaurants, usually have smaller IT departments and security budgets and make an opportunistic target for attackers because they accept payment cards.
Wendy’s, Arby’s, Chipotle, and Landry’s Restaurant Group were included in high-profile payment system hacks this past year. While advancements like EMV chip cards and end-to-end encryption continue to secure more systems, they are expensive, and many food service companies remain vulnerable targets.
The healthcare industry suffered from insider-threat attacks more than any other industry. Insider misuse – often unauthorized access to Personal Health Information (PHI) for purposes of identity theft – was the predominant attack pattern for the industry. An incredible 69% of organizations reported a data breach or attempted data breach by an insider in a recent survey.
Insider threats are a difficult attack vector to protect against, since a trusted user with valid credentials is misusing legitimate privileges. In addition, insiders in most cases not only already have access to valuable company and customer information, but also know which data is most valuable to competitors or to organizations that may want to sell the data on the dark web or another black market.
The manufacturing industry suffered numerous breaches this year tied to nation-state espionage campaigns. The research & development data critical to manufacturing success was a target for attackers trying to steal trade secrets. In addition, industrial control systems (ICS) and SCADA systems are being attacked at twice the rate of just a year earlier.
The manufacturing industry has been attacked increasingly over the past three years, both because of the value of its intellectual property and because of vulnerabilities like Heartbleed and Shellshock, which allow attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users. The FBI estimates that $400 billion of intellectual property is leaving the US each year through attacks on manufacturing companies.
Criminal organizations, or simply rogue hackers wanting to cause damage to organizations that manufacture products, have access to malicious code that is increasingly available on nefarious sites. Malware like BlackEnergy or Stuxnet can bring down systems and cause disruption that is not likely to be screened out by defensive technology or controls. ICS systems often run copies of Windows or Unix that were installed a year or more ago, and updating that software without causing disruption to the system is difficult.
Lastly, the retail industry fell victim this year primarily to hacking attacks on ecommerce websites. Web application hacking often targeted retailers through input validation vulnerabilities present on websites, like SQL injection or Cross Site Scripting, in an effort to steal the payment card data processed by the retailers. Nearly one in three retailers has already suffered revenue losses as a result of a cyberattack, and with the trend toward IoT and the ability to provide consumers access anytime, anywhere, on any device, retailers are scrambling to close vulnerabilities. From an economic standpoint, on one side Amazon is threatening retail as this digital transformation gathers steam; on the other, hackers are focusing on an industry where PII, including credit card information, provides quick money on the dark web.
As illustrated by these four industry examples, there are a variety of different challenges and risks facing different industries. Different assets, threats, vulnerabilities, and risks make prioritizing security actions a difficult decision – there is no one-size-fits-all approach to preventing a cyber breach, and a strong understanding of the unique risks of each business is key to defending organization assets and networks.
Cyber-attack tactics over the past year leveraged traditional techniques such as injection attacks on websites and phishing attacks on users and employees, but also several new tactics like Internet-of-Things botnets.
A common first step in a majority of cyber-attacks is to gain a foothold on the target’s network. Phishing remains the dominant means of doing so – typically, a malicious email with an attachment containing command and control malware. As many as 91% of cyber-attacks begin with a phishing email. Despite sophisticated technical cyber defenses, social engineering – persuading users to open emails and download malicious attachments or click embedded links – remains a major problem for security organizations.
Related to phishing, ransomware was a cyber-attack tactic on the rise over the past year. Instead of downloading command and control malware, a malicious email delivered to a target user contained malware that encrypted the target’s files. The target is then extorted to pay a hefty ransom in order to retrieve their encrypted files. The Hollywood Presbyterian Medical Center, for example, paid $17,000 to attackers following a ransomware infection. A shift this year was from targeting users, with smaller ransoms in the hundreds of dollars, to targeting vulnerable organizations and executives with spear phishing and whaling attacks requesting ransom payments in the thousands. The San Francisco Municipal Transportation Agency, for example, was hit with a ransomware attack and asked for a $73,000 ransom. While these businesses often have backup systems in place, it is sometimes less expensive and faster to pay a ransom than to go through a full system restore.
Finally, a third major tactic of cyber attackers this past year was the Distributed Denial of Service (DDoS) attack. Krebs on Security, for example, was the victim of a record attack that directed 665 gigabits per second of traffic at the site. New to the DDoS tactic was the use of Internet of Things (IoT) devices, most notably by the Mirai botnet. Mirai compromised IoT devices with default credentials – like CCTV cameras, DVRs, home routers, and modems. The botnet was used in the aforementioned attack on Krebs, as well as in an attack on DNS provider Dyn that took down many popular websites in October. The Mirai source code was made public – allowing copycat attackers to scan the Internet for IoT systems with factory default passwords and create botnets of their own. This led to further attacks like a 54-hour attack on a U.S. university using CCTV cameras, DVRs, and routers.
The Mirai code was unleashed on the dark web in late 2016 and has since been used in some form in a variety of different attacks against a variety of targets. The code can be modified to launch other kinds of DDoS attacks and altered so that defending against it with traditional security controls is difficult.
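The Mirai-style propagation described above (one source trying factory default logins against many devices, then succeeding on one) leaves a recognizable trace in device login logs. The following is an added example, not code from the original post or from any Mirai analysis: it parses a constructed, syslog-like telnet login log (the line format and hostnames are assumptions) and flags sources that fail logins across several devices within a short window, then lists the devices that accepted a login from such a scanner, which is the defender's cue that a factory default credential is still in use.

```python
"""Flag Mirai-style default-credential scanning in IoT telnet login logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data); format is an assumption for this example.
SAMPLE_LOG = """\
2017-09-01T10:00:01 cam-01 telnetd: login failed user=admin src=198.51.100.7
2017-09-01T10:00:02 cam-01 telnetd: login failed user=root src=198.51.100.7
2017-09-01T10:00:02 dvr-02 telnetd: login failed user=admin src=198.51.100.7
2017-09-01T10:00:03 rtr-03 telnetd: login failed user=root src=198.51.100.7
2017-09-01T10:00:04 dvr-02 telnetd: login ok user=root src=198.51.100.7
2017-09-01T10:05:00 cam-01 telnetd: login ok user=ops src=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) (\S+) telnetd: login (ok|failed) user=(\S+) src=(\S+)$")


def parse(log):
    """Return (timestamp, device, result, user, source) tuples for well-formed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), host, result, user, src))
    return events


def detect_scanners(events, window=timedelta(seconds=60), min_hosts=3, min_fails=3):
    """Sources that fail logins on several distinct devices inside one window.

    An operator mistyping a password hits one device; an Internet-wide
    credential scan walks many devices in seconds. Returns {src: [devices]}.
    """
    by_src = defaultdict(list)
    for ts, host, result, _user, src in events:
        if result == "failed":
            by_src[src].append((ts, host))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):  # slide the window over each start time
            in_win = [h for t, h in fails[i:] if t - t0 <= window]
            if len(in_win) >= min_fails and len(set(in_win)) >= min_hosts:
                flagged[src] = sorted(set(in_win))
                break
    return flagged


def compromised_after_scan(events, scanners):
    """Devices that accepted a login from a flagged scanner: a default credential is live."""
    return sorted({(host, user) for _, host, result, user, src in events
                   if result == "ok" and src in scanners})
```

Devices returned by `compromised_after_scan` are the ones to isolate and re-credential first; the same window logic applies to SSH or web login logs once the regex is adapted.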
Cybersecurity is a constant shift in advantage between offense and defense, attacker and defender. Nation-states and criminal organizations execute sophisticated attacks that many businesses and organizations are not fully prepared to defend against. This past year saw continued use of traditional attacks – like phishing and POS attacks on retailers and restaurants – but new attacks as well, such as IoT botnets and large-scale ransomware attacks.
Election interference via hacking made front-page news, an attack that continues to be investigated today. As cyber defenses improve, it is likely that new attack tactics and targets will arise as opportunistic attackers target low-hanging fruit, while traditional attacks like phishing will continue as long as they remain effective.