EXECUTIVE SUMMARY:
In its mid-year report, Check Point Research provides analysis of the year to date, looking at global attacks, trends in malware overall, ransomware, and both banking and mobile malware. According to the report, the percentage of attacks out of the top three ransomware in all regions almost doubled, increasing from an average of 26% to an average of 48%, compared to the same time period as 2016. The report also stated that many of the most prominent recent attacks–like WannCry and NotPetya–were preventable had organizations used technologies that catch threats before entering the network, versus relying on solutions that detect, post-intrusion. However, 99 percent of organizations do not have proper security mechanisms in place.
Simple malware families are continuing to crop up even as the more sophisticated National Security Agency (NSA) hacking tools leaked by the Shadow Brokers gain greater distribution. With various means for all levels of cyber criminals to create cyber exploits, hackers are upping the ante of their attacks. Ransomware and other types of cyber assaults are targeting public infrastructure and medical facilities worldwide.
Check Point Research identified several key trends emerging for 2017. Below are some highlights.
NATION-STATE CYBER WEAPONS ARE NOW IN THE HANDS OF CRIMINALS
- MARCH: Thousands of documents detailing how the CIA hacks into iPhones, Android devices, and Smart TVs were released.
• APRIL: The Shadow Brokers threat group released a dump containing NSA exploits and hacking tools, considered to be the most damaging release yet. The leaked cache, which contains almost 300 megabytes of material, targets most versions of the Windows operating system, plus code for hacking into EastNets, the largest SWIFT service provider in the Middle East.
• MAY: The WannaCry ransomware was poorly written, was not packed, was not obfuscated, and contained a peculiar ‘Kill Switch.’ And yet, this malware showed great reach, based largely on the Shadow Brokers’ NSA tools leak and more specifically, the EternalBlue exploit for Windows SMB. The leaked code helped upgrade a simple ransomware into a highly influential global attack that impacted numerous public and civil facilities.
• JUNE: The same NSA capabilities that had been evident in the WannaCry attack were reused in NotPetya – an attack focused on Ukrainian organizations that took down entire networks.
THE LINE BETWEEN ADWARE AND MALWARE IS FADING, AND MOBILE ADWARE BOTNETS ARE ON THE RISE
- Fireball malware: A browser-hijacker designed to push advertisements, also capable of executing any arbitrary code on its victim’s machine.
- HummingWhale: A new variant of the infamous HummingBad malware, which was prominent in third-party app stores last year. The new version created a new tactic to steal ad revenues; penetrate Google’s security; and upload dozens of apps to Google Play.
- Judy: An auto-clicking adware that could be the largest malware infection ever on Google Play.
- CopyCat: A mobile malware that infected 14 million Android devices, rooting approximately 8 million of them. Hackers raked in approximately $1.5 million in fake ad revenues in two months.
MAJOR CYBER BREACHES ARE HITTING ALL GEOGRAPHIES
Americas
• February 23, 2017: Researchers found a critical security flaw in the edge servers of the web security company Cloudflare. A buffer overflow bug caused a major leak of sensitive user information from 3,400 websites, including Uber, 1Password, and OKCupid, an online dating site.
• March 7, 2017: WikiLeaks released more than 8,000 files and documents, alleged to belong to the Central Intelligence Agency (CIA). Dubbed “Vault7,” the release included dozens of exploits and vulnerabilities for various platforms, including web browsers, Windows, Android, Apple products, and security products. The leak also detailed information about practices and methods allegedly used by the CIA.
• April 7, 2017: Unknown hackers breached the emergency siren system of Dallas, Texas, repeatedly activating all of the city’s 156 sirens for approximately an hour late Friday night.
• April 14, 2017: The Shadow Brokers group, which had previously released hacking tools allegedly belonging to the NSA, leaked additional tools, exploiting zero-day vulnerabilities for both Windows and the SWIFT banking system. One month later, a global attack took advantage of that release and infected tens of thousands of machines with the WannaCry ransomware, using a vulnerability in the Windows OS SMB EternalBlue communication protocol. The victims included hospitals, telecommunication companies, car manufacturers and others.
• May 11, 2017: Edmodo, a popular educational technology company based in California, lost the personal data for approximately 77 million user accounts belonging to students, parents and teachers. The stolen data included email addresses, usernames and hashed passwords. It was reported that the hacker offered the data for sale on a dark web forum for $1,000.
Europe, the Middle East and Africa (EMEA)
• January 7, 2017: E-Sports Entertainment Association League, a popular video gaming community owned by the Germany-based eSports company Turtle Entertainment GmbH, suffered a breach that may have revealed personal data of 1.5 million users.
• January 12, 2017: Cellebrite, an Israeli company known for developing mobile forensics and hacking tools, was breached, leading to the theft of 900 GB of customer data.
• April 9, 2017: Wonga, a UK-based loan firm, suffered a breach affecting up to 270,000 customers, most of them in the UK. According to Wonga, the leaked data might include e-mail addresses, home addresses, phone numbers, partial credit card numbers and bank account numbers.
Asia-Pacific (APAC)
• February 13, 2017: The McDonald’s India app, McDelivery, leaked the personal data of more than 2.2 million customers, including name, email address, phone number, home address and social profiles. McDelivery acknowledged the issue on February 13. However, as of March 17, it hadn’t been fixed and customer data continued to be exposed.
• March 14, 2017: GMO Payment Gateway, the Japanese provider of payment processing services, confirmed that a security flaw in the company’s systems led to the leak of personal and financial data from the websites of two of its clients: the Tokyo metropolitan government and the Japan Housing Finance Agency.
• April 13, 2017: Some 500,000 Australian websites were rendered inaccessible for an hour and a half, after the DNS servers of an Australian Internet company fell victim to a massive DDoS attack.
• April 24, 2017: An unknown hacker broke into HipChat, a group chat platform owned by the Australia-based enterprise Atlassian. User account information, such as names, email addresses and hashed passwords, mig have been stolen, as well as chat room metadata.