2016 was a year in which everything was bigger – bigger breaches, larger attacks, and bigger repercussions. Whether it was the evolution of DDoS attacks into the record-shattering Mirai botnet that disrupted large portions of the internet or insidious commercial banking Trojans available for sale as ready-made malware kits, the tone of cyberattacks darkened in 2016 while illuminating one key fact: many companies are not applying basic security fundamentals to their IT environments.
Attend this webinar to learn:
The top-level security trends from 2016, and what it could mean for 2017, including the political and intellectual property concerns stemming from large-scale data leaks
Why classic attack vectors continue to be a weapon of choice for those seeking to disrupt operations and steal data
Why a lower attack rate for the average security client may not be good news
What steps your organization can take to protect against these attacks
Supersized Security Threats – Can You Stop 2016 from Repeating?
1. IBM X-Force Threat Intelligence Index
April 2017
Limor Kessem, Executive Security Advisor
Michelle Alvarez, Threat Research, IBM Security
2. IBM Security
Key Trends from 2016
• Unprecedented leaks of comprehensive data sets
• Tried and true methods stock the successful attacker’s arsenal
• The average security client experienced fewer attacks
• The continued need for focus on security fundamentals
3.
An unprecedented amount of records and unstructured data leaked around the globe in 2016
• 2014: 1,000,000,000 records breached, while CISOs cite increasing risks from external threats
• 2015: Healthcare mega-breaches set the trend for high value targets of sensitive information
• 2016: Larger than life breaches as over four billion records and entire digital footprints of many companies were exposed
Source: IBM X-Force Threat Intelligence Index - 2017
4.
In addition to PII, much larger caches of unstructured data were also exposed in 2016.
Source: IBM X-Force Threat Intelligence Index - 2017
5.
Despite a slight rise in security events for monitored security clients in 2016, average attacks were down.
2016 Monitored Security Client Statistics
• Security events: 54M, up 3%
• Attacks: 1,019, down 12%
• Incidents: 93, down 48%
Source: IBM X-Force Threat Intelligence Index - 2017
7.
Spam email volume grew fourfold, with nearly half of spam containing malicious attachments
Source: IBM X-Force Threat Intelligence Index - 2017
8.
Record vulnerability disclosures topped 10,000, with new discoveries up across all classes of software.
Source: IBM X-Force Threat Intelligence Index - 2017
9.
The top attack vectors for monitored security clients used malicious input data, like SQLi or CMDi, or system data structure manipulation.
Source: IBM X-Force Threat Intelligence Index - 2017
11.
Information and communications led the pack in most successfully breached companies
Source: IBM X-Force Threat Intelligence Index - 2017
12.
Financial Services
• The Financial Services sector moved from the 3rd most-attacked industry in 2015 to the most-attacked industry in 2016.
• SQLi and OS CMDi attacks accounted for almost half of all FSS attacks.
• The large portion of Inadvertent Actors may mean this industry has a greater susceptibility to phishing attacks.
Insider vs Outsiders: Malicious Insider 5%, Inadvertent Actor 53%, Outsiders 42%
To learn more, check out the “Focusing on financial institutions” paper from IBM X-Force.
Source: IBM X-Force Threat Intelligence Index - 2017
13.
Information & Communications
• Information and Communications jumped into the 2nd most-attacked industry in 2016.
• The number one mechanism of attack in this industry was “Manipulate Data Structures”, like buffer overflow conditions.
• After Injection attacks, the third most common attack class was the “Indicator” category, largely due to attempted connections from Tor exit nodes, which could be attackers disguising their originating location.
• The overwhelming attacks from Outsiders are indicative of the data-rich targets in this industry, and comprised 23% of the breaches, but over 80% of the total records exposed in 2016.
Insider vs Outsiders: Malicious Insider 1%, Inadvertent Actor 3%, Outsiders 96%
To learn more, check out the “Indicators of Compromise” paper from IBM X-Force.
Source: IBM X-Force Threat Intelligence Index - 2017
14.
Manufacturing
• Manufacturing kept its position among the most attacked industries as the 3rd most-attacked industry in 2016.
• SQL Injection accounted for 71% of the attacks on monitored security manufacturing clients.
• The overwhelming attacks from Outsiders in Manufacturing stem from perceptions that many systems within the sector are weak by design as a result of a failure to be held to compliance standards.
Insider vs Outsiders: Malicious Insider 4%, Inadvertent Actor 5%, Outsiders 91%
To learn more, check out the “Cyber spies target manufacturers” paper from IBM X-Force.
Source: IBM X-Force Threat Intelligence Index - 2017
15.
Retail
• Retail rose to the 4th most-attacked industry in 2016.
• SQLi and CMDi, which accounted for 50% of the attacks, are used to target the large amount of financial records and other PII such as credit card and Social Security numbers.
• The overwhelming attacks from Outsiders in Retail stem from the data-rich troves of PII owned by companies in these industries.
Insider vs Outsiders: Malicious Insider 2%, Inadvertent Actor 7%, Outsiders 91%
To learn more, check out the “Security Trends in Retail” paper from IBM X-Force.
Source: IBM X-Force Threat Intelligence Index - 2017
16.
Healthcare
• Healthcare dropped to the 5th most-attacked industry in 2016.
• SQLi and CMDi, which accounted for almost half of the attacks, are used to target the large amount of personal health records.
• The large portion of attacks from Inadvertent Actors can be attributed to situations when a desktop client is compromised via malicious email attachments, clickjacking, phishing or vulnerable computer services that have been attacked from another internal networked system.
Insider vs Outsiders: Malicious Insider 25%, Inadvertent Actor 46%, Outsiders 29%
To learn more, check out the “Security Trends in Healthcare” paper from IBM X-Force.
Source: IBM X-Force Threat Intelligence Index - 2017
18.
Globally, cybercriminals pursued targets with proven returns in 2016 while exploring new geographies.
Most prevalent financial malware families, Global, 2016: Zeus 28%, Neverquest 17%, Gozi 16%, Dridex 11%, Ramnit 9%, GozNym 7%, Tinba 6%, Gootkit 3%, Qadars 2%, Rovnix 1%
Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017
19.
Attackers are engaging more methodical distribution methods for malware campaigns
• Less mass-blasting of spam
• Use of lower-end opportunistic malware like ransomware, IoT bots, and keyloggers
• Employ anti-security features to avoid detection
• Create minimal campaigns in a single country with smaller target lists of companies
20.
Cybercriminals are sharpening their focus on business accounts
• Organized gangs lean toward business targets because they can steal more money at a time than with consumer accounts
• Gangs are also more likely to have the necessary resources at their disposal to steal larger amounts of money, such as:
  – Fraudsters with reconnaissance experience to plan out the scenario.
  – Funding to hire professional criminal call centers to support the fraud process and manipulate the victim.
  – Straw companies and straw men to funnel, cash out, and launder millions in stolen funds.
Portion of Business Account Targets: Dridex 50%, GozNym 52%, TrickBot 42%
Source: IBM X-Force Threat Intelligence Index - 2017
21.
Commercial malware is making a comeback
• Android overlay malware replaced banking Trojans as the “banking malware” commodity in open and semi-open forums on the cybercrime underground.
• Ransomware and ransomware-as-a-service offerings are low-cost money makers for gangs that wish to make a minimal up-front investment.
• New malware variants built on the Zeus v2 source code, leaked in 2011, kept Zeus at the top of the list of prolific malware.
• A new developer arose in an attempt to sell the brand new banking Trojan NukeBot in the underground.
[Image: Ransom32, a Ransomware as a Service offering]
22.
In 2016, cybercriminals mimicked traditional organized crime by diversifying illicit profit sources.
• Dridex banking Trojan partnered with Locky ransomware.
• Ransomware dropper Nymaim had a Gozi banking Trojan module embedded, creating a new two-headed beast: GozNym.
23.
Asia continued to attract organized cybercrime groups in 2016
Japan
• The scarcity of attack tools in its complex language kept Japan isolated until late 2015, when the Shifu Trojan emerged, laying the foundation for further attacks.
• Most active financial malware in Japan, per attack volume, includes:
  1. Gozi
  2. URLZone
  3. Rovnix
  4. Shifu
Australia / New Zealand
• Australia ranked 4th among the countries most targeted by banking Trojan attacks in 2016, following the UK, the US and Canada.
• Most active financial malware in AUS/NZ includes:
  1. Ramnit
  2. Gozi
  3. Dridex
  4. TrickBot
Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017
24.
In North America, the US remained a top target and Canada became a bigger target in 2016, while
[Chart: Gozi and Ramnit Activity in Canada - 2016; monthly counts (Jan–Dec) for the Gozi and Ramnit series, y-axis 0–2,500]
Most prevalent financial malware families, US, 2016: Gozi 21%, GozNym 20%, Neverquest 17%, Zeus varieties 9%, Dridex 9%, Tinba 8%, GootKit 7%, Kronos 6%, Ramnit 2%, URLZone 1%, TrickBot 1%
Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017
25.
In Europe, the UK and Germany remained at the top of the target list for cybercriminals
Most prevalent financial malware families, UK, 2016: Neverquest 46%, Kronos 16%, GootKit 8%, Tinba 8%, Gozi 5%, Dridex 4%, Zeus 3%, Ramnit 3%, URLZone 2%, Shifu 2%, GozNym 1%, Others 2%
Germany saw the emergence of two sophisticated gangs operating GozNym and Trickbot. Both emerged in Germany shortly after their global debut.
Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017
26.
Growing sophistication changed the malware landscape in Brazil
October of 2016 saw a notably sophisticated twist on the old phishing attack kit: live, interactive phishing attacks
1. The attack takes place over a web session between attacker and victim, on a website that mimics the look and feel of the original bank’s site.
2. The attacker uses Ajax-powered screens to switch up the messages victims see, asking for critical identification and transaction authorization elements.
3. The flow of events is controlled from a web-based admin interface, where the attacker automates the screens shown to the victim, also allowing personalization.
Other key trends:
• Zeus moved into Brazil in time for a large international sporting event in the summer
• New malcode discovered in the wild, including a proper AV-disabling loader in driver form
• New cryptographic ransomware variants targeted businesses, including hospitals
Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017
27.
Many of the incidents we’ve seen could be avoided with a focus on security basics
• Instrument your environment with effective detection.
• Keep up with threat intelligence.
• Maintain a current and accurate asset inventory.
• Maintain identity governance to audit and enforce access rules & permissions.
• Have a patching solution that covers your entire infrastructure.
• Create and practice a broad incident response plan.
• Implement mitigating controls.
“Unprecedented leaks”: From a single leak of 1.4 billion records to gigabytes worth of a company’s entire digital footprint, the amount of leaked structured and unstructured data continues to expand around the globe.
“Tried and true”: Classic attack vectors like SQL injection and O/S command injection, the re-packaging of malware code, and even old school attacks like spam with malicious attachments continue to be used to target and wreak havoc on networks and data.
“Fewer attacks don’t mean less danger”: If our average IBM monitored security client is any example, companies are experiencing fewer attacks (a 12% decrease for our monitored clients compared to 2015). HOWEVER, the reduction in attacks could mean attackers are relying more and more on proven attacks, thus requiring fewer attempts.
Notes on 2016:
2016 saw world-changing leaks affecting the political landscape of multiple countries.
The year 2016 was somewhat unusual, however, as several “historical hacks” from breaches occurring in earlier years surfaced publicly, with revelations that billions of previously unreleased records were being sold on the Dark Web.
Large amounts of unstructured data like company emails and intellectual property were leaked, resulting in the exposure of gigabytes worth of data.
New and troubling attack vectors led to high-volume hijacks resulting in extensive DDoS campaigns and weaponized IoT devices.
In 2016, there were many notable examples of leaks involving hundreds of gigabytes of email archives, documents, intellectual property and source code, exposing companies’ complete digital footprints to the public.
In our monitored client environments, IBM® X-Force® saw that the average client organization experienced more than 54 million security events in 2016—only three percent more events than 2015. At the same time, client organizations monitored by X-Force experienced an average 12 percent decrease in attacks in 2016 compared to 2015 (1,019 attacks in 2016 compared to 1,157 attacks in 2015).
Most notably, the average monitored client was found to have experienced 93 security incidents in 2016, down 48 percent from the 178 discovered in 2015.
Among malicious attachments to spam, ransomware accounted for the vast majority—85 percent. Ransomware continues to be one of the most profitable forms of malware in terms of effort versus earnings. While these attacks were already established and profitable, the February 2016 case of a California hospital that paid a ransom of 40 Bitcoins (approximately USD17,000 at the time) to unlock encrypted files foreshadowed a renewed campaign of similar attacks against the healthcare industry in several countries. Given that disruptions of hospital operations can be both financially damaging and literally matters of life and death—exacerbated by outdated security processes and infrastructure—the healthcare sector became a lucrative worldwide target throughout the year.
The X-Force vulnerability database has been tracking public disclosures of software vulnerabilities since 1997. In 2016, the 20th year of documenting these threats, X-Force recorded the highest single-year number in its history: 10,197 vulnerabilities.
Web application vulnerability disclosures made up 22 percent of the total vulnerability disclosures in 2016. A large majority of those were cross-site scripting and SQLi vulnerabilities, which could be leveraged by attackers to target vulnerable systems.
To assist in analyzing and describing threats to its monitored security clients, X-Force has grouped 2016 observed attack types according to the standard set by the MITRE Corporation’s CAPEC effort. This system, as described by MITRE, “organizes attack patterns hierarchically based on mechanisms that are frequently employed in exploiting a vulnerability.” The only exception is the “Indicator” category, which describes conditions and context of threats and attack patterns.
According to the X-Force analysis of 2016 data, the number one attack vector targeting X-Force-monitored clients, at 42%, was the use of malicious input data to attempt to control or disrupt the target system. Command injection, which includes operating system command injection (OS CMDi) and SQLi, belongs in this category. OS CMDi is also known as “shell command injection,” for which the now infamous and widely prevalent Shellshock vulnerability is named. Shellshock activity surged across all industries before its two-year anniversary in September 2016 and made up just over one-third of all attacks targeting healthcare in 2016.
In a publicly reported breach during the summer of 2016, a SQLi attack using the software vBulletin was used to steal millions of user records from gaming forums and other sites with large user bases. Even though a patch had been issued earlier, there were still many sites running older or unpatched versions, and it is often easy for attackers to scan the web for potential targets running this software.
Manipulate data structures
The number two attack vector, accounting for 32% of attacks, was the attempt to gain unauthorized access through the manipulation of system data structures. As CAPEC states, “Often, vulnerabilities [such as buffer overflow vulnerabilities], and therefore exploitability of these data structures, exist due to ambiguity and assumption in their design and prescribed handling.”
Breaking out publicly disclosed security events in 2016, X-Force sees that the industries experiencing the highest number of incidents and reported records breached were information and communication and government.
It is worth noting, however, that the healthcare industry dropped out of the top five position, but continued to be beleaguered by a high number of incidents, although attackers focused on smaller targets resulting in a lower number of leaked records.
According to figures compiled by IBM Managed Security Services, the financial services sector moved from the third most-attacked industry in 2015 (behind healthcare and manufacturing) to the first most-attacked in 2016, due primarily to a large rise in SQLi and OS CMDi attacks. In this year, these attacks alone were responsible for almost half of all attacks among the financial sector of IBM Managed Security Services customers. SQLi and OS CMDi are perhaps the most popular attack vectors within this sector because successful exploitation of these vulnerabilities provides attackers with the ability to read, modify and destroy sensitive data. And there’s a large amount of PII contained within the databases of financial institutions.
In 2016, there was a notable rise in publicly reported Society for Worldwide Interbank Financial Telecommunication (SWIFT) attacks against the messaging system used by thousands of banks and companies to move money around the world. The result was that millions of US dollars were stolen and illegally transferred from various global banks using custom malware and SQLi attacks. In 2017, SQLi and OS CMDi are positioned to continue to be the primary methods of attacking data stores.
The biggest risk to Financial Services is via the 3rd parties with which they engage, who may not have the same budgets or rigor for security defenses; these partners are frequently within the Information & Communications segment, who hold notable positions in both the most breached and most attacked industry list.
The information and communications technology sector moved up into the top five attacked sectors, taking second place among monitored industries in 2016. IBM-monitored security client data shows the number one mechanism of attack in this industry was “Manipulate Data Structures.” Buffer overflow conditions, which fall under this attack category, were exploited in many of these attacks, which accounted for 51 percent of all attacks seen in this sector. SQLi and OS CMDi were the second most frequent attack types detected in this sector during 2016, accounting for 30 percent of the total attacks, confirming X-Force predictions that these attacks would not wane anytime in the near future.
Ranking as the third most prevalent attack type targeting the information and communications technology sector was the “Indicator” category, which was due largely to attempted connections from Tor software exit nodes. Tor (an abbreviation of the original project name, “The Onion Router”) is designed to allow full anonymity to the end user. Although not all traffic coming from the Tor network is indicative of an attack, by using a Tor client, a cybercriminal can disguise the attack’s originating network location and its path to the target, making identification virtually impossible.
In 2016, SQLi accounted for the majority of all attacks—more than 71%—in manufacturing. This industry is a tempting target, as many systems within the sector are perceived to be weak by design as a result of a failure to be held to compliance standards.
The second most popular attack mechanism in manufacturing was “Abuse Existing Functionality,” which accounted for about 7% of all attacks detected. Many of these attacks involved flooding a target system with a large number of requests, to create a state of denial of service. “Collect and Analyze Information” was in position number three at 6%.
The retail industry remains at risk from any threat that targets credit card or gift card data. Retailers maintain an extremely large amount of financial records and other personal information such as credit card and Social Security numbers, and SQLi and CMDi attacks are often used to steal this information. These attacks accounted for 50 percent of all attacks against the industry in 2016.
Buffer manipulation and brute force attacks took second and third place during 2016, and collectively represent 28% of the total attacks on retailers. One notable publicly disclosed breach against a retailer occurred late in the year, when attackers targeted accounts at a UK food delivery service by brute forcing logins with authentication details gleaned from other public data breaches. Customers who reused passwords discovered that unauthorized food purchases had been made via their hijacked accounts.
SQLi and OS CMDi attacks represented the majority of attacks within healthcare in 2016, at a combined 48%. Healthcare records are always a top prize for cybercriminals and, as X-Force has seen in the retail industry, are widely for sale on the Dark Web.
Attack methods categorized as “Manipulate Data Structures” account for the second most popular attack type within the industry and “Manipulate System Resources” is third. These attacks focus on known vulnerabilities within an application, which, when successful, can lead to full system compromise.
The category “Image File Attacks,” in which malicious code is hidden within a variety of image file types, was the third most prevalent type of attempted attack seen in healthcare, at 28%. Brute force attacks, which are part of a CAPEC mechanism of attack named “Employ Probabilistic Techniques,” used against authentication mechanisms, round out the top attacks in position four, at 6%.
The fifth ranked sector, healthcare, also has a greater percentage (71%) of insiders (inadvertent at 46% and malicious at 25%) versus outsiders (29%). It can be useful to think of inadvertent actors as compromised systems carrying out attacks without the user being aware of it as is the case with the “Subvert Access Control” attack type. This often happens when a desktop client is compromised via malicious email attachments, clickjacking, phishing or vulnerable computer services that have been attacked from another internal networked system.
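The CAPEC-style categories above map naturally onto log triage. As an added illustration (not code from the presentation or from IBM X-Force), this Python classifier runs over constructed access-log lines and files each hit under the categories discussed: malicious input data (SQLi, OS CMDi and the Shellshock trigger), the “Indicator” category for requests arriving from Tor exit nodes, and the brute-force logins described for retail. The log lines, the exit-node set, the signatures and the threshold are all constructed assumptions.

```python
"""Illustrative log classifier: files each detection under the attack categories
the presentation discusses (malicious input data such as SQLi, OS CMDi and the
Shellshock trigger; "Indicator" for Tor exit nodes; brute-force logins)."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Combined-format access log line:
# ip ident user [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Deliberately small, illustrative signatures (not a WAF); matched on decoded path + user-agent.
SQLI_RE = re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\s+table", re.I)
CMDI_RE = re.compile(r"(;|\||`|\$\()\s*(cat|ls|id|wget|curl|nc|bash|sh|echo)\b", re.I)
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")  # Bash function-definition trigger

# Assumption: placeholder exit-node set; in practice load the Tor Project's published list.
TOR_EXIT_NODES = {"192.0.2.99"}
BRUTE_FORCE_THRESHOLD = 5  # failed logins from one source before it is flagged

# Constructed sample traffic (documentation IP ranges, not real clients).
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [12/Sep/2016:10:01:02 +0000] "GET /products?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Sep/2016:10:01:05 +0000] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Sep/2016:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :;}; echo probe"',
    '198.51.100.7 - - [12/Sep/2016:10:02:15 +0000] "GET /ping?host=127.0.0.1%3Bid HTTP/1.1" 200 60 "-" "curl/7.47"',
    '192.0.2.99 - - [12/Sep/2016:10:03:01 +0000] "GET /about HTTP/1.1" 200 3400 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.44 - - [12/Sep/2016:10:04:{s:02d} +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.9"'
    for s in range(6)
])

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify_request(rec):
    """Return (category, detail) for one parsed record, or None if nothing matched."""
    text = unquote_plus(rec["path"]) + " " + rec["ua"]
    if SHELLSHOCK_RE.search(text):
        return "Malicious input data", "OS CMDi (Shellshock)"
    if SQLI_RE.search(text):
        return "Malicious input data", "SQLi"
    if CMDI_RE.search(text):
        return "Malicious input data", "OS CMDi"
    if rec["ip"] in TOR_EXIT_NODES:
        return "Indicator", "Tor exit node"  # context for the request, not proof of an attack
    return None

def analyze(log_text):
    """Classify every line; returns a list of (ip, category, detail) findings."""
    findings = []
    failed_logins = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        hit = classify_request(rec)
        if hit:
            findings.append((rec["ip"], hit[0], hit[1]))
        if rec["path"].startswith("/login") and rec["status"] == "401":
            failed_logins[rec["ip"]] += 1
    for ip, n in failed_logins.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append((ip, "Employ Probabilistic Techniques", f"brute force: {n} failed logins"))
    return findings

def category_share(findings):
    """Percentage of flagged attacks per category, like the index's attack-vector breakdown."""
    counts = Counter(cat for _, cat, _ in findings)
    total = sum(counts.values())
    return {cat: round(100 * n / total) for cat, n in counts.items()} if total else {}

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for ip, cat, detail in results:
        print(f"{ip:14} {cat:32} {detail}")
    print(category_share(results))
```

A real deployment would swap the placeholder exit-node set for the Tor Project's published list and the toy regexes for a maintained signature set; the categorisation step is what carries over.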
In the global panorama of financial cybercrime, one year might bring little change, with the same types of malware continuing to target the same geographies, while the next can be very active. That was certainly the case in 2016, with some countries seeing a marked rise in the attention of cybercriminals.
Spreading malware via mass spam blasts can draw unwanted attention and detection by security solutions. As a result, attackers are using more detection-evasion techniques like anti-security/anti-sandbox checks and minimal campaigns.
Cyber gangs sharpen their focus on business accounts to reap more reward for the effort; the Dridex malware target list has at least 50% business banking services.
Attackers are taking advantage of ready-made toolkits for malware-as-a-service, Android overlay malware, and new variants built on the Zeus v2 source code.
Cybercriminals are branching out, as in the case of the Dridex crime gang expanding in ransomware using Locky.
Online banking fraud facilitated by Dridex is one of the most sophisticated malware operations in the cybercrime arena. Ransomware is not only technically inferior; operating it demands much less knowledge and skill, which has attracted lower-level criminals to it in the past decade. But there is a connection now between them, and it appears that Locky adds a new profit source to the Dridex gang.
In virtually no time, the evidently well-funded joint GozNym gang abandoned the ransomware business, for the most part, and began launching financial fraud attacks on banks in the US. GozNym then expanded its attack scope into Europe, launching redirection attacks on Polish, English and German banks. Before long, its aggressive debut garnered GozNym some attention from law enforcement and saw some of its operators arrested and indicted before the end of 2016.
Two of the most prominent threats relevant to Asian countries are Dridex and TrickBot, both of which are operated by organized cyber gangs. Singapore is especially heavily targeted, but it’s not the only country where these Trojans seek to attack; X-Force research analysis of configuration data shows that most malware families have targets in other parts of Asia such as Indonesia, India and Malaysia.
Singapore and the United Arab Emirates are growing in popularity as cybercrime targets.
UAE
Another geography increasingly present on Trojan configurations is the United Arab Emirates (UAE). X-Force data shows that organized gangs like the Dridex and the TrickBot crews are including more UAE banks on their target lists, as did Dyre before them.
This is notable because the UAE resembles Singapore in a sense: it is a global center of business, and its population is considered to have above average wealth. Also, businesses and individuals in the region tend to operate in both English and their local languages, allowing malware operators to employ their existing English-language attack tools.
Most attacks in Brazil are the work of local criminals using tools adapted into the Portuguese language and sold on Brazilian forums and social networking pages. In the past, the malware employed by Brazilian cybercriminals has tended to operate at lower sophistication levels than most malware made in Eastern Europe, but on that front 2016 saw a shift toward greater technical savvy. The shift gained momentum towards year’s end, bringing the Brazilian threat landscape more closely into line with other parts of the world. Behind it are local criminals increasingly collaborating with Russian-speaking cybercrime actors to buy and market malware or plan more effective attacks.