The European Union Agency for Network and Information Security (ENISA), tasked with developing best practices for the cyber security of member states, issues an annual report that covers leading and emerging cyber threats as observed over the previous year. Though the top threats have not changed since 2017, last year saw a dramatic rise in the risk of data breaches and “denial of service” attacks in the threat landscape. It was also the year in which “cryptojacking” emerged as a new and serious threat to any resources that can effectively be used for cryptocurrency mining.
The Current Threat Landscape
The top four items in the threat landscape remained unchanged from 2017: malware, web-based attacks, web application attacks, and denial of service attacks.
The remaining list of the top 15 items in the threat landscape was rounded out by:
- Data Breaches
- Insider Threats
- Physical Manipulation / Theft
- Information Leakage
- Identity Theft
- Cyber Espionage
Most of these global threat items remain from the 2017 list, changing position only slightly. The one big exception is that data breaches moved well up the list. Cryptojacking also makes its first appearance ever, the term having been coined last year to describe the surreptitious use of target resources to run cryptomining software in the background.
The 2018 ENISA threat landscape report also identifies the leading trends in the cyber crime world. Phishing messages sent by email and DM / PM have become the main vector for malware attacks. State-sponsored hacking is also sharply on the rise, particularly for the purposes of targeting banks and large retailers for financial theft, but the favored method has switched from deployment of malware to various social engineering approaches. Cyber criminals have shifted from ransomware to cryptomining as their main means of illicit funding, and the lack of security in the Internet of Things (IoT) is quickly becoming a major issue.
Malware: Still on Top
Though state-sponsored entities showed more interest in social engineering in 2018, cyber criminals as a whole still prefer to deploy malware as their bread-and-butter approach.
Though there was no global outbreak comparable to the WannaCry ransomware attacks of 2017, malware was used in 30% of all data breach incidents reported in 2018. Malware is especially prevalent in attacks on IoT devices. A relatively minor outbreak of the VPNFilter malware program hit about half a million devices worldwide, mostly lower-level devices that do not have proper security options.
Mobile malware also continued to grow in the threat landscape, as it has every year since smartphones and tablets entered the market. A central problem with mobile malware is the nature of Android updates. Due to manufacturers frequently abandoning updates within one or two years of the release of the device, many Android users are on older versions of the operating system that cannot be updated in order to be properly secured. Mobile malware cyber attacks are increasingly zeroing in on these outdated Android devices, for which exploits are numerous and well-known.
The most interesting (and dangerous) shift in malware trends in 2018 was the normalization of fileless attacks. Criminals now largely do not attempt to use traditional executable files to pass malware. They instead use PDF files containing malicious scripts, word processing files with attack macros, and “living-off-the-land” attacks. ENISA reported that 77% of the attacks they documented used some sort of a fileless attack.
Interestingly, the most common form of web attack in the threat landscape is still the SQL injection. ENISA found that 51% of successful web attacks in their study were perpetrated this way. These attacks have been around for over a decade now and though a vulnerability to them is a serious lapse in an organization’s cybersecurity at this point, nevertheless it appears that many networks out there are still not properly secured against them.
Phishing also remains strong and is currently on the rise, particularly among nation-state hackers. ENISA’s threat landscape report listed the top 10 targets as follows:
- Financial institutions
- Generic email credentials
- Microsoft OWA
- Office 365
- Google Drive
The Emergence of Cryptojacking
The surge in cryptocurrency prices created a dramatic increase in the interest in turning hacked assets into coin miners. Though prices have cooled off as of late, interest appears to remain strong in this method in the threat landscape as it is seen as easier and safer than deploying ransomware.
Cryptojacking is basically theft of the target CPU resources. An executable or script is designed to run in the background on target devices, funneling mined cryptocurrency back to the hackers. These scripts can be voracious, directing up to 80-90% of the target’s processing power to mining crypto for the attacker. The more clever of these scripts use a smaller amount, say 50 to 70%, enough to potentially escape notice and prevent the target system from being pulled offline for service.
Cryptojacking has been good to cyber criminals, netting them an estimated $2.5 billion in the first half of 2018 alone. The average compromised system only earns about 25 cents per day for hackers, so the scheme relies on casting a wide net and infecting as many systems as possible. However, this is relatively easy as the code is small and simple and is easy for even non-technical actors to deploy.
Perhaps the most concerning aspect of cryptojacking is the appearance of attacks targeting industrial resources, including public utilities. A cryptominer was found embedded in the SCADA system of a water utility in Europe in February of 2018.
One last important takeaway from the threat landscape report is that ENISA noticed a definite correlation in the current value of major cryptocurrencies and the amount of cryptominers in use. A self-evident point, perhaps, but the data did confirm that as the value of cryptocurrencies goes up so too do criminals ramp up their efforts.
An ENISA 2018 Threat Landscape Overview
The annual ENISA threat landscape report is one of the most helpful tools for keeping a finger on the pulse of current hacking trends, and the full document is easily worth a read. The organization also makes an interactive web-based application available that helps in navigating quickly to particular points of interest.