Although it may seem that data breaches and leaks were frequent and plentiful in 2017, researchers said the number of records breached actually dropped by nearly 25% that year. According to IBM X-Force’s annual Threat Intelligence Index, cybercriminals have instead been shifting towards the use of ransomware and worms to lock or destroy data and blackmail victims into paying up.
In 2017, over 2.9 billion records were reported breached, down from the 4 billion disclosed in 2016. Although this figure is still significant, the drop highlights attackers’ new penchant for locking down access to data and demanding ransom from the owners directly, rather than compromising large swathes of data in one go and selling them on the Dark Web.
Ransomware attacks were rampant over the past year with major global attacks such as WannaCry, NotPetya and Bad Rabbit ensnaring hundreds of thousands of systems and wreaking havoc across industries around the world such as healthcare, transportation and logistics among others.
In cases of encrypted data, the cost for an individual hit by ransomware could amount to a few hundred dollars. For organizations, however, losing massive amounts of critical data is often not an option with many willing to shell out significant amounts of money to retrieve it, despite the advice of law enforcement and security experts not to do so.
In terms of profit, ransomware attacks targeting businesses that can’t afford to lose sensitive data are deemed more lucrative than compromising a cache of data and selling it on the underground market.
In 2017, the downtime, operations disruptions, lost revenue and ransom payments in ransomware attacks cost companies more than $8 billion in damages. By 2019, ransomware attack costs are expected to soar to over $11.5 billion.
The significant shift from compromising bulk data for sale to the use of ransomworms against larger entities also increases the pressure on organizations to employ and correctly implement the right prevention, detection and response controls against attacks.
“More than employing security basics, and even more important than having detection capabilities, those who had response plans in place and had trained staff to execute those plans were able to respond sooner and recover from attacks with lesser impact, enjoying shorter downtimes and smaller related financial losses,” the report noted.
The weak link in the chain
Still, human error remains a key issue and ripe opportunity for threat actors to exploit.
“Some of the most common scenarios included basic misjudgment,” IBM X-Force stated. “These include employees storing intellectual property on their own insecure personal devices and end systems and employees and insiders falling for phishing emails that resulted in account takeover or access to sensitive data. In addition, erroneous permission-level attribution on cloud services and networked backups exposed sensitive data through weak or non-existent authentication.”
More than 2 billion records, nearly 70% of all records compromised in 2017, were exposed because of misconfigured cloud infrastructure, networked backup incidents and other misconfigured systems. Between 2016 and 2017, 424% more records were compromised as a result of these kinds of incidents.
This marked increase can be attributed to the growing awareness among the hacking community of such misconfigured cloud databases, which are often publicly accessible and not password-protected. As researchers use new tools and techniques, such as the Shodan search engine, to uncover misconfigurations, threat actors are also looking for the same open and vulnerable systems in order to lock down data and demand payment from the owner.
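The exposure described above is a storage bucket or database reachable by anyone, with no authentication in front of it. The check below is an added example (not code from IBM X-Force or the article) of how a defender can review access policies for that condition before an attacker or a Shodan-style scan finds it. The policy and ACL shapes are modelled on the AWS S3 bucket-policy and ACL formats; the bucket name, account id, role name and every grant in the sample are constructed.

```python
"""Flag anonymous access in storage-bucket policies and ACLs.

Added example, not from the article or IBM X-Force. The document shapes follow the
AWS S3 bucket-policy and ACL formats; all sample values are constructed.
"""
import json

# Constructed sample policy: one statement grants anonymous read of every object.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::backups-prod/*"},
        {"Sid": "Ops", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::backups-prod/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::backups-prod/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed sample ACL grants; the AllUsers group URI means "anyone on the internet".
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

ANONYMOUS_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (unauthenticated)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True if the Principal element matches everyone ("*" in any of its forms)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def find_public_statements(policy_json):
    """Return a finding for every Allow statement open to an anonymous principal."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not exposures
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            # A Condition may narrow the grant; flag it for human review rather
            # than silently accepting it as safe.
            "conditional": "Condition" in stmt,
        })
    return findings


def find_public_grants(grants):
    """Return a finding for every ACL grant to the anonymous or all-accounts groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in ANONYMOUS_GROUPS:
            findings.append({"permission": grant.get("Permission"),
                             "who": ANONYMOUS_GROUPS[uri]})
    return findings


if __name__ == "__main__":
    for f in find_public_statements(SAMPLE_POLICY):
        print("policy statement", f["sid"], "allows", f["actions"], "to everyone",
              "(conditional)" if f["conditional"] else "")
    for f in find_public_grants(SAMPLE_ACL_GRANTS):
        print("ACL grants", f["permission"], "to", f["who"])
```

Run against the sample, the policy check reports only the PublicRead statement (the Deny statement with a wildcard principal is a restriction, not an exposure) and the ACL check reports the READ grant to AllUsers. In practice the same two functions would be fed the policy and ACL documents retrieved from the provider's API for every bucket in the account.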
In many cases, the data targeted is highly sensitive. In one incident, the personal information, political donations and views, and detailed marketing data of 198 million registered US voters were exposed. In another, a jobs database for military contractors containing confidential data about individuals with US Special Forces backgrounds was left exposed.
Another startling case saw a detailed cache of corporate virtual private network (VPN) passwords, usernames and operational details of a global accounting firm publicly exposed in an unprotected GitHub-hosted repository.
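Credentials pushed to a repository, as in the VPN case above, are usually caught earliest by a scan of the files before they are committed. The scanner below is an added example, not code from the article or from any project it mentions: it looks for a few explicit credential shapes (an AWS-style access key id, a PEM private-key header, password-like assignments) and falls back to a Shannon-entropy test for bare high-randomness tokens. The rule set and thresholds are illustrative assumptions, and every value in the sample file is constructed.

```python
"""Scan text for credentials before it is committed to a shared repository.

Added example, not from the article. Patterns and thresholds are illustrative
assumptions; the sample file below is constructed and every value in it is fake.
"""
import math
import re
import sys
from collections import Counter

# Constructed sample file: a VPN/cloud config of the kind that ends up in public repos.
SAMPLE_FILE = """\
# vpn/README - constructed sample, every value below is fake
VPN_HOST=vpn.example.internal
VPN_USER=jsmith
VPN_PASSWORD=Winter2017!Secure
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
session_blob Qz7LpW0mNvK4eRtYuIoPdS9f3b2c1aXg
timeout=30
-----BEGIN RSA PRIVATE KEY-----
"""

# (rule name, regex). The access-key shape is "AKIA" plus 16 uppercase alphanumerics;
# the assignment rule catches password/secret/token-style variables with a value.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("secret_assignment", re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token|api_key)\w*\s*[:=]\s*['\"]?([^\s'\"]{6,})")),
]

# Bare tokens at least this long with at least this much entropy are rarely prose.
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 4.0
TOKEN_RX = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % ENTROPY_MIN_LEN)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, path="<memory>"):
    """Return findings as (path, line number, rule, matched text) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        explicit = [(path, lineno, name, m.group(0))
                    for name, rx in PATTERNS for m in rx.finditer(line)]
        if explicit:
            findings.extend(explicit)
            continue  # the line is already reported; skip the noisier entropy test
        for token in TOKEN_RX.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "high_entropy_string", token))
    return findings


def scan_file(path):
    """Scan one file on disk; undecodable bytes are ignored rather than fatal."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read(), path)


if __name__ == "__main__":
    # With file arguments this behaves like a pre-commit hook: non-zero exit blocks the commit.
    paths = sys.argv[1:]
    results = [f for p in paths for f in scan_file(p)] if paths else scan_text(SAMPLE_FILE, "vpn/README")
    for path, lineno, rule, text in results:
        print(f"{path}:{lineno}: {rule}: {text[:12]}...")
    sys.exit(1 if results else 0)
```

On the sample file the scanner reports the VPN password, the access key id, the secret access key, the bare high-entropy session token and the private-key header, and leaves the hostname, username and timeout alone. The entropy fallback is the part that catches credentials no explicit rule anticipated, at the cost of occasional false positives on long identifiers, which is why the explicit rules run first and suppress it on lines they already cover.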
“Click here for more info” and other lures
Besides misconfigured cloud infrastructure, duping employees through specially crafted phishing attacks laced with malicious links and attachments, or through mass spam campaigns, remains one of the most popular and successful methods of exploitation used by hackers. In just four days, hackers managed to send 22 million emails using the massive, infamous Necurs botnet, IBM reports.
Account takeovers, business email compromise (BEC) and compromised corporate credentials allow the attackers further access to network resources and the opportunity to compromise other users within the organization.
Once a pattern of successful compromise has been established, it is further likely that the attackers will use the same methods on multiple victims and utilize the harvested information in more advanced attacks.
As expected, the notorious use of weak passwords that can be easily recovered with password-cracking tools, and the use of employees’ unsecured personal devices containing copies of the company’s intellectual property, present other exploitable gateways through which attackers gain access.
While 38% of exploitation activity involved spear-phishing techniques and 27% involved misconfigured servers, another 35% featured attempted man-in-the-middle attacks. The remaining 27% revolved around hackers’ attempts to compromise misconfigured servers through SQL injection (SQLi).
Who is being targeted?
According to X-Force’s report, the financial services sector was formerly the most frequently attacked industry. In 2017, the industry fell to third place behind IT & communications and manufacturing. The most commonly used attack vector targeting these industries was injection attacks.
Although heavily targeted industries such as financial services invest heavily in cybersecurity technologies and measures to protect themselves, hackers have specifically deployed banking Trojans such as the Gozi banking malware and its variants against unsuspecting consumers and end users across the industry.
What to expect in 2018
Financially motivated attacks and digital extortion of businesses and related individuals are only bound to rise in 2018 as hackers indiscriminately hit companies of any size within key sectors that are forced, and willing, to pay to recover. The victims hackers choose depend on how lucrative the payout will be. In this case, compromised business accounts would seem more profitable for cybercriminals than small-scale consumer accounts.
Researchers also expect to see more banking heists and attacks exploiting financial organizations’ internal systems and processes, such as automated payment relays. Advanced financial malware and activities featuring sophisticated source code, high-value targets and expanded grand-larceny capabilities will likely be leveraged.
On a larger scale, sophisticated and organized threat groups that develop and leverage complex operations to exploit the entire supply chain within a targeted industry or enterprise are likely to emerge and illicitly thrive. As a result, ransomware attacks akin to WannaCry and NotPetya are likely to become more destructive as widespread vulnerabilities and exploits targeting the public and private sector increase.
Regardless, smaller-scale hackers and groups are not about to stop exploiting consumers within the growing mobile banking, online shopping and mobile payments sector. According to IBM, fraud cases involving mobile malware are expected to rise over the coming year as well.