Financial Threat Landscape

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Large corporate breaches make the headlines, but SMBs remain a prime target. A common misconception is that SMBs are not big enough or well-known enough to be targets of cyberattacks. However, Ponemon’s 2018 State of Cybersecurity in Small to Medium Businesses, reports that 61% of SMBs experienced a cyber attack in the last year. There are several factors involved, but most often it’s simply because it’s easier. SMBs are often less prepared and have smaller security budgets. Security through Obscurity? Some organizations try to thwart threat actors and reduce security costs by using more obscure operating systems. But attackers continually expand their attack vectors and exploit new vulnerabilities. For years, macOS users have had a false sense of security through obscurity. While it is true that Windows is victimized far more often, attackers are targeting macOS, along with Linux/Unix platforms more frequently. Since macOS has grown in corporate use, attackers are developing and targeting malware at these systems. SecureList tracked threats to the macOS over the last four years. In 2015, their researchers reported a total of just over 850k attacks. In the first half of 2019, the number of documented macOS attacks increased to around 6 million. Also, they noted 1.6 million phishing attacks/fraudulent schemes against macOS and iOS devices in the first half of 2019. By the Numbers WatchGuard released their Q2 2019 internet security report with some pretty interesting findings:

• Zero-day malware accounted for 38% of all malware detections.
• Malware trended down about 5% compared to Q1 2019; however, malware is still up 64% compared to Q2 2018.
• Network attacks are up over 50% compared to Q1 2019.

Other notable findings from the report include:

• Malware and Phishing attacks are abusing legitimate domains.
  • Several domains hosting malware are subdomains of legitimate Content Delivery Networks (CDN).
  • Kali Linux makes the top 10 list with two modules of Kali Linux appearing on WatchGuard’s list of most common malware.
• Significant year over year increase in overall malware volume.
• Widespread phishing and Office exploit malware increased.
• SQL Injection tops in network attacks.
• Europe and APAC increasingly targeted.

Where Is It All Coming From? September showed the top number of attacks coming from China, followed by the United States, Brazil, North Korea, and Russia. These countries are known for their cyber capabilities and they are getting stronger, better, faster with each passing month. The attackers are working together, leveraging capabilities from other attack groups and malware families to wreak havoc on their victims. For example, Nepalese authorities recently disrupted a complex campaign in which Chinese and Spanish attackers were working together to target banking networks and ATMs in Nepal. North Korean attackers, while not the top attackers in 2019, are also making headlines. The most widely known group out of North Korea is Lazarus Group. In September, the US Treasury Department announced sanctions against three state sponsored threat actors in North Korea who were conducting destructive cyber attacks on critical US infrastructure. The group is also suspected of stealing hundreds of millions of dollars from financial institutions globally. Analysts believe North Korea is using this to fund weapons programs. The three groups include Lazarus and two subgroups, known in the security community as Bluenoroff and Andariel.