The first quarter of 2018 was dominated by growth in illicit cryptocurrency mining, known as cryptojacking, according to the latest cyber threats report from security firm McAfee.
Researchers saw an average of five new threat samples every second in the first three months of the year and notable campaigns demonstrating a deliberate drive to technically improve upon the most sophisticated established attacks of 2017, the report said.
“There were new revelations this quarter concerning complex nation-state cyber-attack campaigns targeting users and enterprise systems worldwide,” said Raj Samani, chief scientist at McAfee. “Bad actors demonstrated a remarkable level of technical agility and innovation in tools and tactics. Criminals continued to adopt cryptocurrency mining to easily monetise their criminal activity.”
Data analysis shows that cyber criminals extended their operations in cryptojacking and other cryptocurrency mining schemes, where perpetrators hijack victims’ browsers or infect their systems to secretly use them to mine for legitimate cryptocurrencies such as Bitcoin.
The category of coin miner malware grew 629% in the first quarter of 2018, up from around 400,000 total known samples in Q4 2017 to more than 2.9 million the next quarter. This suggests that cyber criminals are continuing to warm to the prospect of simply infecting users’ systems and collecting payments without having to rely on third parties to monetise their crimes, the report said.
“Cyber criminals will gravitate to criminal activity that maximises their profit,” said Steve Grobman, chief technology officer at McAfee. “In recent quarters we have seen a shift to ransomware from data theft, as ransomware is a more efficient crime. With the rise in value of cryptocurrencies, market forces are driving criminals to cryptojacking and the theft of cryptocurrency. Cyber crime is a business, and market forces will continue to shape where adversaries focus their efforts.”
The North Korean Lazarus cyber crime ring launched a highly sophisticated Bitcoin-stealing phishing campaign – HaoBao – which targeted global financial organisations and Bitcoin users. When recipients open malicious email attachments, an implant would scan for Bitcoin activity and establishes an implant for persistent data gathering and crypto mining, the report said.
In January, McAfee Advanced Threat Research unit reported an attack targeting organisations involved in the Pyeongchang Winter Olympics in South Korea. The attack was executed via a malicious Microsoft Word attachment containing a hidden PowerShell implant script. The script was embedded within an image file and executed from a remote server.
Dubbed Gold Dragon, the resulting fileless implant encrypted stolen data, sent the data to the attackers’ command and control servers, performed reconnaissance functions, and monitored anti-malware solutions to evade them.
Also in the first quarter, Operation GhostSecret targeted the healthcare, finance, entertainment, and telecommunications sectors. Operation GhostSecret is believed to be associated with the international cyber crime group known as Hidden Cobra.
The campaign, which employs a series of implants to appropriate data from infected systems, is also characterised by its ability to evade detection and throw forensic investigators off its trail. The latest Bankshot variation of GhostSecret uses an embedded Adobe Flash exploit to enable the execution of implants.
It also incorporates elements of the Destover malware, which was used in the 2014 Sony Pictures attack, and the Proxysvc implant, a previously undocumented implant that has operated undetected since mid-2017.
Publicly disclosed security incidents
McAfee Labs counted 313 publicly disclosed security incidents in Q1 2018, a 41% increase over Q4. Incidents involving multiple sectors (37) and those targeting multiple regions (120) were the leading types of incidents in Q1.
The report shows that disclosed incidents in healthcare rose 47%, with cyber criminals continuing to target the sector with the Samsa ransomware, and there were numerous cases in which hospitals were compelled to pay the criminals.
Incidents of attacks on the education sector rose 40%, with ransomware being a notable culprit in attacks on schools and related institutions, while disclosed incidents in the finance sector increased by 39%, which included continuous attacks on the SWIFT banking system.
These attacks were not always region-specific, as was the case in previous years, but McAfee identified activity in Russia, and related reconnaissance efforts in Turkey and South America.
In Q1 2018, McAfee Labs recorded threats showing notable technical developments improving upon the latest successful technologies and tactics to outmanoeuvre their targets’ defences. And while PowerShell attacks slowed from its 2017 surge, cyber criminals saw increases in exploits of other benign technologies. For example, the total count of malware that exploits LNK capabilities surged 59% compared with the previous quarter.
Although the growth in new ransomware slowed by 32% in Q1 2018, the Gandcrab strain infected around 50,000 systems in the first three weeks of the quarter, supplanting Locky ransomware variants as the quarter’s ransomware leader. Gandcrab uses new criminal methodologies, such as transacting ransom payments through the Dash cryptocurrency rather than through Bitcoin
According to the report, the total number of malware samples grew 37% in the past four quarters to more than 734 million samples, while the total known malware samples grew 42%.