State of Security Series: Symantec – Internet Security Threat Report

Symantec™ recently released the 23rd Volume of their Internet Security Threat Report which provides insightful statistics, summaries and in-depth analysis for 2017. 2017 was an eventful year in the security landscape which saw cyber crime wreaking havoc on organizations all across the globe and in every sector. Ransomware, most notably WannaCry made headlines throughout the latter half of the year and cryptocurrency related attacks exploded towards the end of the year as cryptocurrency prices skyrocketed.

The full report can be viewed and downloaded through the Symantec™ website here.

Since 2013 ransomware infections have increased year-over-year, reached an all-time high in 2016 and saw rivalling heights in 2017 with an average 1271 detected incidents per day in 2016 and 1242 in 2017. The main influence in cyber crime remains financial motivation, over the past several years cyber crime has seen some interesting developments that show nefarious actors are seeking to optimize financial gains when attacking. 2017 saw a 50% drop in the average ransomware demand rate after headlines in 2016 featured record high demands. Experts have been urging not to give into paying ransom demands as there is no guarantee data will or can be recovered which could be attributing to attackers lowering demand prices in hopes to increase the number of ransoms paid.

The sudden and drastic increase in cryptocurrency prices saw cyber crime follow the money, with a 34,000% increase in mining activity in 2017 and a staggering 8 million blocked malicious coin-mining events by Symantec in December 2017 alone. In January of 2017 Bitcoin, a cryptocurrency was just shy of $1000 USD per coin and 20,000 malicious mining operations were detected, in December that number had reached 1.7 Million operations, Bitcoin reached an all-time high of just over $19,000 USD per coin. In December mining related attacks accounted for 24% of web attacks.

Crypto mining attacks leverage computing power to mine cryptocurrencies which can later be sold for profit. One increasingly popular way these attacks are performed is hosting mining scripts on websites which utilize the computing power of visiting users when browsers run the code. Crypto mining also takes the form of traditional malware, where a user downloads a malicious document, or a vulnerable server is compromised and used to run the malware.  These attacks can impact organizations in various ways ranging from small increases in user computing resources, increased power consumptions and costs to denial of service through high system usage and increased costs by compromising pay-per-use cloud computing systems.

How are all these attacks happening? Spear phishing was the number one vector of infection, used in 71% of attacks according to the report. The number of phishing URLs monitored in web traffic increased 182% from 2016, phishing URLs in emails increase 10.7% whereas in email phishing attachments continued to drop. The WannaCry ransomware leveraged the EternalBlue vulnerability and its variants to exploit unpatched and/or insecurely configured systems several months after official patches were released and remediation tactics well known. Software update supply chain attacks saw a large increase in 2017, attackers implant malicious code into updates which are often installed with elevated permissions. These attacks can occur a number of ways including third-party update hosting hijacks or interception through infrastructure such as DNS, malicious domains, IP routing and network traffic. Mobile device security issues continue to grow year-over-year with a 54% increase in new mobile malware variants. With more organizations encouraging employees to bring their own devices implementing security policies and practices for mobile devices is continues to grow more important.

The swift pivots by cyber criminals and attackers continues to demonstrate how performing routine maintenance, patching systems and software, and maintaining an active security posture is critical to reducing cyber related risks. Staying ahead of attackers requires expertise of skilled security professionals, recurring training, along with key management planning and support. Staying ahead of the curve is far more advantageous than trying to play catchup.