By Laura H. and Krista V. | Cyber Threat Intelligence Analysts
As we usher in 2018, the NJCCIC analysts reflected on the incidents of the past year and are now providing their insights into what we can all expect in the year ahead with regards to the ever-evolving cyber threat landscape. Many of the same themes we saw in 2017 will more than certainly carry over into 2018, with actors deploying new tactics for continued success.
TARGETED CYBER EXTORTION OPERATIONS
Cyber extortion campaigns, including ransomware, will continue to pose a significant risk to individuals and organizations throughout New Jersey and the US. As the price of cryptocurrency rises, profit-motivated criminals will use both known and new methods of exploitation to gain unauthorized access to networks and convince unprepared victims into submitting ransom payments in the form of Bitcoin and other, more anonymous forms of cryptocurrency. Fortunately, as user awareness of cyber extortion threats such as ransomware has improved, victims have begun to realize that it will persist if ransoms are paid. According to McAfee Labs, while ransomware increased by more than 50% in 2017, the number of ransom payments made by victims actually declined. However, high profile individuals and businesses are anticipated to be increasingly targeted throughout 2018 as the hackers behind these campaigns move from indiscriminate targeting to targeting those with the potential to yield higher individual ransom payment amounts. We also expect threat actors to mimic recent cyber-attacks and to deploy destructive disk-wiping malware that mimics ransomware, such as the Petya/NotPetya and Ordinypt attacks, in an effort to cause permanent damage to companies, organizations, and government entities.
Proactive Defense: Users and administrators are advised to review the NJCCIC ransomware threat analysis and threat profile and employ the recommended mitigation strategies to prevent or minimize the impact of a ransomware infection. These strategies include conducting regular audits of network access, both internally and externally; closing unneeded ports; securing needed remote connections via a multi-factor authentication solution; locking accounts after a set number of failed login attempts; and by applying software patches in a timely manner. Most importantly, back up data and ensure the backups are tested regularly and stored off the network in a separate, secure location.
TARGETING MOBILE DEVICES
Mobile devices will remain an attractive target for threat actors in 2018. Over the past year there has been a notable increase in the number of malicious applications available for download in legitimate app marketplaces. For example, the cryptocurrency miner, Coinhive, was observed targeting Android devices through applications that had previously been available in the Google Play store. Additionally, organizations that adopt Bring-Your-Own-Device (BYOD) policies allowing employees to use personal devices to access corporate data and networks, are at an increased risk of data theft and network compromise as a result of malicious applications installed on personal mobile devices.
Proactive Defense: Users and administrators of mobile devices are advised to review the NJCCIC threat analysis and threat profiles on Android and iOS malware and employ the mitigation strategies provided to minimize their risk. These strategies include using a trusted antivirus application on all devices and only downloading apps available on official app stores, after reading user reviews and ensuring the permissions requested match the app's advertised functionality. Organizations with BYOD policies are encouraged to use a reputable enterprise mobility management platform.
EXPLOITATION OF KNOWN VULNERABILITIES
If the cyber incidents of 2017 are any indication of what’s to come, disclosed and unpatched vulnerabilities will continue to expose businesses and organizations to great risk throughout 2018. As evidenced by the WannaCry cyber-attack, highly coveted “zero-day” vulnerabilities are not the only tools used by threat actors to cause substantial damage. Exploiting known older unpatched vulnerabilities can have just as much, if not more, of an impact, as users and organizations often fail to implement basic cybersecurity best practices, such as the timely updating of hardware and software.
Proactive Defense: Companies are strongly encouraged to employ the following defenses: email gateways, firewalls, and endpoint protection; employ the Principle of Least Privilege on all user accounts; always keep hardware and software updated; and implement a cyber incident response plan.
INCREASE IN ATTACKS AGAINST IOT DEVICES
With the increased incorporation of internet-of-things (IoT) devices into homes and businesses, malicious actors will continue to target poorly-secured devices that often record and contain sensitive information. Many IoT devices lack common cybersecurity safeguards and can be used to create powerful botnets, as we saw with the Mirai botnet. Without established standards that would require safeguards for IoT devices, consumers are solely responsible for ensuring that their devices are properly configured, secured, and updated. We are likely to see more disruptive and damaging distributed denial-of-service (DDoS) attacks this next year via botnets composed of compromised IoT devices.
Proactive Defense: Users and administrators of IoT devices are recommended to review the associated NJCCIC threat analysis, change default passwords and enable multi-factor authentication where available, disable unneeded ports, disable Universal Plug and Play (UPnP) on routers unless necessary for business operations, and always keep device software and firmware up-to-date. Additionally, consider decommissioning vulnerable devices for which no patch or update is expected to be released.
EXPLOITING UNSECURED CLOUD DATABASES
This year, we will see more breaches and data leaks resulting from unsecured or misconfigured cloud databases, particularly involving Amazon Web Services (AWS) Simple Storage Service (S3) buckets and other widely used cloud services. In 2017 alone, Verizon, Dow Jones, Accenture, Time Warner Cable, Voter records, Booz Allen, the Department of Defense, and others suffered data breaches that left sensitive information open to unauthorized access from improperly secured Amazon S3 buckets. When an organization chooses to move their data and operation to the cloud, they need to be aware of specific threats to the cloud environment and address each as necessary to lower their cyber risk.
Proactive Defense: Administrators of Amazon S3 buckets are recommended to review and apply Amazon's instructions for securing S3 databases, including using complex passwords and multi-factor authentication, and restricting access to the database using access control lists. Organizations may also consider maintaining their own remote backups in addition to any backups provided by cloud service providers as an extra precaution.
INCREASE IN CRYPTOCURRENCY MINING ACTIVITY
Cryptocurrency mining is a process by which new cryptocurrency coins or tokens are generated and introduced into the current circulating supply through the use of computer processing power to assist in the verification of transactions conducted over a blockchain, a database maintained by a distributed network of computers. Many miners are legitimate, using their own systems, processors, and resources to mine for cryptocurrency; however, mining activity is increasingly becoming more expensive to conduct, costing miners more money in electricity than they earn by generating cryptocurrency. This has led to an increase in illicit mining activities being conducted by criminal groups and adversarial nation-states, such as North Korea. This illicit activity includes the covert distribution of mining malware designed to steal processing power of unsuspecting system owners and website visitors. Some mining malware infects systems directly and runs in the background, slowing system performance while CPUs are forced to process transactions on the blockchain. Other types of mining malware is embedded in websites, online advertisements, and browser extensions, stealing the processing power of browser users and website visitors. Though a large portion of mining activity observed in early 2017 was designed to mine Bitcoin due to its high price and popularity, we will see more malware designed to mine Monero cryptocurrency this year as its anonymous platform appeals to criminals who do not want to face legal consequences for their actions.
Proactive Defense: Users are recommended to review the NJCCIC threat alerts on cryptocurrency mining, monitor network activity for anomalies that indicate cryptocurrency mining activity, and install a reputable ad-blocking browser extension to help mitigate this threat.
The NJCCIC looks forward to continuing our mission of serving New Jersey as the State's one-stop shop for cybersecurity information sharing, threat analysis, and incident reporting to better equip the citizens and businesses of New Jersey to defend against current cyber threats.