We saw the growth of internet-scale campaigns that use a vast array of devices, related solely by internet connectivity, to strike strategic targets.
When it comes to the global threat landscape, the second half of 2018 revealed the equivalent of attacks on steroids, as attackers bulked up existing tactics, rapidly evolved new ones, and applied smart business techniques to vastly accelerate their growth rate.
New TTPs combined custom tools with commodity crimeware, including the use of Chrome extensions for persistence in the STOLEN PENCIL campaign.
Many new groups were discovered, while activity from key state actors such as China, Russia, Iran, and North Korea shows no sign of ebbing.
Business practices such as the affiliate model drove rapid global expansion for the DanaBot crimeware campaign.
IoT devices come under attack within 5 minutes of being plugged in and are targeted by device-specific exploits within 24 hours.
ASERT tracked approximately 35 APT groups worldwide. Activity from these groups is accelerating as they continually add new facets of cyber espionage to their toolkits, including new targeting and new methods.
Massive credential theft across four universities targeted victims in biomedical research; the campaign (STOLEN PENCIL) is notable for its use of Chrome extensions to maintain persistence.
Nation-state APT group activity was discovered at an accelerating rate as groups also evolved and expanded their capabilities.
Analysis of APT malware samples found combinations of custom tools and crimeware, as well as misuse of legitimate software, as in the LoJax UEFI rootkit, which repurposes the legitimate LoJack anti-theft agent.
New APT capabilities include a few observed zero-day attacks, a UEFI bootkit built on legitimate software, and at least one instance of a browser extension used for persistence.
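The report notes browser extensions being used for persistence but does not say how to find them. The following is an added example, not code from the NETSCOUT/ASERT report: it parses the `extensions.settings` map that Chrome keeps in a profile's `Preferences` (or `Secure Preferences`) JSON file and flags extensions that did not come through the Web Store or that hold permissions broad enough to read cookies or every page. The `location` code names are taken from Chromium's `Manifest::Location` enum and should be checked against the Chrome build you are examining; the sample Preferences content, extension IDs and names are constructed for the example.

```python
"""Hunt for suspicious Chrome extensions in a profile's Preferences JSON."""
import json
import re

EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 chars from a-p

# Chromium Manifest::Location codes stored in each entry's "location" field.
# Assumed from extensions/common/manifest.h; verify against your Chrome build.
LOCATION_NAMES = {
    1: "internal (Web Store or normal install)",
    2: "external_pref (sideloaded via external JSON)",
    3: "external_registry (sideloaded via Windows registry)",
    4: "unpacked (developer mode 'Load unpacked')",
    5: "component (bundled with Chrome)",
    6: "external_pref_download",
    7: "external_policy_download (enterprise policy)",
    8: "command_line (--load-extension)",
    9: "external_policy",
    10: "external_component",
}
SIDELOADED = {2, 3, 4, 6, 8}

# Permissions that give an extension reach into every site or credential material.
BROAD_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "cookies", "webRequest", "webRequestBlocking", "tabs",
    "history", "nativeMessaging", "debugger", "proxy",
}


def assess_extension(ext_id, entry):
    """Summarize one extensions.settings entry and list the reasons it is suspicious."""
    manifest = entry.get("manifest", {})
    perms = set(manifest.get("permissions", []))
    for script in manifest.get("content_scripts", []):   # host patterns count too
        perms.update(script.get("matches", []))
    flags = []
    if not EXT_ID_RE.match(ext_id):
        flags.append("malformed extension id")
    loc = entry.get("location")
    if loc in SIDELOADED or entry.get("from_webstore") is False:
        flags.append("not installed from the Web Store")
    broad = sorted(perms & BROAD_PERMISSIONS)
    if broad:
        flags.append("broad permissions: " + ", ".join(broad))
    # state 1 = enabled; a background page/script is what survives tab closes
    if entry.get("state") == 1 and "background" in manifest and broad:
        flags.append("persistent background component with broad reach")
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "location": LOCATION_NAMES.get(loc, f"unknown ({loc})"),
        "path": entry.get("path", ""),
        "flags": flags,
    }


def hunt(preferences_json):
    """Parse the Preferences file text and assess every installed extension."""
    prefs = json.loads(preferences_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    return [assess_extension(ext_id, entry) for ext_id, entry in settings.items()]


def suspicious(preferences_json):
    """Only the extensions that raised at least one flag."""
    return [r for r in hunt(preferences_json) if r["flags"]]


# Constructed sample: a Web Store extension with narrow permissions, and an
# unpacked extension with cookie access and a content script on every page.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {
            "from_webstore": True, "location": 1, "state": 1,
            "path": "abcdefghijklmnopabcdefghijklmnop\\1.4.0_0",
            "manifest": {"name": "Tab Notes", "version": "1.4.0",
                         "permissions": ["storage", "contextMenus"]},
        },
        "pponmlkjihgfedcbapponmlkjihgfedc": {
            "from_webstore": False, "location": 4, "state": 1,
            "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\pagehelper",
            "manifest": {"name": "Page Helper", "version": "1.0",
                         "permissions": ["cookies", "webRequest", "<all_urls>"],
                         "background": {"scripts": ["bg.js"]},
                         "content_scripts": [{"matches": ["<all_urls>"],
                                              "js": ["inject.js"]}]},
        },
    }}
})

if __name__ == "__main__":
    for r in suspicious(SAMPLE_PREFERENCES):
        print(f"{r['id']} {r['name']} {r['version']} [{r['location']}] {r['path']}")
        for flag in r["flags"]:
            print("   -", flag)
```

Run it against a real profile with `hunt(open(path_to_preferences).read())`; on Windows the extension map usually lives in `Secure Preferences`, so check both files. Everything flagged as sideloaded with broad permissions deserves a look at the files under its `path`.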
For crimeware actors, the key word is more: more groups, more efficient attack monetization, more businesslike methods, and certainly more and better tools.
Crimeware actors showed increased sophistication and efficiency at monetizing attacks, favoring modular, persistent crimeware that yields a better ROI than a simple smash-and-grab.
The DanaBot campaign increased distribution efficiency and cut labor costs by using an affiliate model that encourages specialization among threat actors and substantially increases the pool of potential victims across the world.
Crimeware infections sometimes persist for years, long after the controlling infrastructure goes offline.
Cyber threat actors learned from IoT malware, pivoting to add Linux servers to their targets.
The DDoS sector continues to reflect the indefatigable efforts of a busy and ever-more organized community, from state actors trying to influence geopolitical processes to an increasingly businesslike DDoS service-for-hire sector. We see a skyrocketing diversification of attack avenues, methods, and techniques, wiping away traditional expectations around both DDoS attack mechanisms and defense practices.
The number of global attacks increased 26 percent. Global max DDoS attack size increased 19 percent.
A 186 percent increase in attacks on the sub-vertical containing consulates and embassies, indicative of an increase in politically motivated attacks.
Increase for the sub-vertical containing cloud service providers.
More than 15,000 percent increase in size of attacks targeted at scheduled passenger air transportation.
Attack vectors once the province of sophisticated attackers are increasingly accessible, as seen in the large increase in carpet-bombing DDoS attacks observed in 2018. In a carpet-bombing attack, traffic is spread across many addresses in a target prefix so that no single destination exceeds a per-host detection threshold, even though the aggregate saturates the link.
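Because carpet bombing is designed to stay under per-destination thresholds, detection has to aggregate the same counters by destination prefix. The following is an added example, not part of the NETSCOUT report or its tooling: it buckets flow records by host and by /24, raises a normal per-host alert when one address exceeds a host threshold, and raises a carpet-bombing alert when a prefix's total exceeds a prefix threshold while every host in it stays under the host threshold. The flow records, window, thresholds and the minimum host count are constructed assumptions; tune them to your link sizes.

```python
"""Detect carpet-bombing DDoS from per-destination flow records."""
from collections import defaultdict
from ipaddress import ip_network


def bucket_flows(flows, prefix_len=24):
    """Sum bytes per destination host and per destination prefix."""
    per_host = defaultdict(int)
    per_prefix = defaultdict(lambda: defaultdict(int))
    for dst, nbytes in flows:
        per_host[dst] += nbytes
        net = str(ip_network(f"{dst}/{prefix_len}", strict=False))
        per_prefix[net][dst] += nbytes
    return per_host, per_prefix


def detect(flows, window_s, host_threshold_bps, prefix_threshold_bps,
           prefix_len=24, min_hosts=16):
    """Return per-host alerts and carpet-bombing prefix alerts for one window.

    A prefix is reported as carpet bombing only when its aggregate rate is
    high, it touches at least min_hosts distinct addresses, and no single
    host crossed the per-host threshold (i.e. host-level detection missed it).
    """
    per_host, per_prefix = bucket_flows(flows, prefix_len)

    def bps(nbytes):
        return nbytes * 8 / window_s

    host_alerts = sorted(h for h, b in per_host.items()
                         if bps(b) > host_threshold_bps)
    carpet_alerts = []
    for net, hosts in per_prefix.items():
        total = bps(sum(hosts.values()))
        peak = max(bps(b) for b in hosts.values())
        if (total > prefix_threshold_bps and len(hosts) >= min_hosts
                and peak <= host_threshold_bps):
            carpet_alerts.append({"prefix": net, "bps": total,
                                  "hosts": len(hosts), "peak_host_bps": peak})
    return {"host_alerts": host_alerts, "carpet_alerts": carpet_alerts}


def sample_flows():
    """Constructed one-second window: 200 hosts in 203.0.113.0/24 each receive
    625,000 bytes (5 Mbit/s), and one host in 198.51.100.0/24 receives
    10,000,000 bytes (80 Mbit/s). Flow records are (dst_ip, bytes) pairs."""
    flows = [(f"203.0.113.{i}", 625_000) for i in range(1, 201)]
    flows.append(("198.51.100.10", 10_000_000))
    return flows


if __name__ == "__main__":
    # Assumed thresholds: 50 Mbit/s per host, 500 Mbit/s per /24.
    result = detect(sample_flows(), window_s=1,
                    host_threshold_bps=50_000_000,
                    prefix_threshold_bps=500_000_000)
    for host in result["host_alerts"]:
        print(f"host alert: {host}")
    for alert in result["carpet_alerts"]:
        print(f"carpet bombing: {alert['prefix']} {alert['bps']/1e6:.0f} Mbit/s "
              f"across {alert['hosts']} hosts, peak host {alert['peak_host_bps']/1e6:.0f} Mbit/s")
```

With these inputs the single 80 Mbit/s host trips the classic per-host alert, while the /24 receiving 1 Gbit/s spread over 200 hosts at 5 Mbit/s each is invisible to it and only appears through the prefix aggregate. Feed it with NetFlow/sFlow records binned per window and you have the shape of a carpet-bombing detector; the prefix length should match how your address space is routed and mitigated.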
After publishing research on MedusaHTTP, a DDoS botnet from a hacker known as stevenkings, the ASERT team was able to assist the FBI in an investigation that ultimately led to charges being filed.
In the second half of 2018, we saw threat actors building crimeware that’s cheaper and easier to deploy—and more persistent once installed. At the same time, many groups applied business best practices that further extend the reach of attacks, while making it even easier for customers to access and leverage malicious software and DDoS attack tools.
The ASERT team continues to monitor the threat landscape and report on new actors, malware under development, and increasingly sophisticated techniques deployed. For a detailed summary of the latest trends, download the updated NETSCOUT Threat Intelligence Report for the second half of 2018.