This is the Global Threat Summary for the first week of December 2017, which provides an overview of the current threat landscape from around the world. The report includes a summary of the threats we have recently profiled, including:
- Q3 2017 Akamai State of The Internet report
- Bitcoin’s exponential value brings increased threats to cryptocurrency
- Kaspersky boycott crosses into Britain
The Global Threat Summary is designed to provide organisations with an overview of the current threat landscape from across the world. It combines an assessment of the strategic picture with a thought-leadership approach and is also a collated summary of all the threats we have profiled during the week. The report is intended to be read at a senior level within organisations to give an overview of risk and a summary of trends.
1. Strategic insight
This section includes a review of significant reports that have been published and provides a strategic viewpoint on identified or high profile trends.
1.1 Q3 2017 Akamai State of The Internet report
Akamai’s State of the Internet Q3 2017 report highlights useful quarterly statistics on threat-vector trends. Akamai used data collected globally from its content-delivery infrastructure and DDoS mitigation service to describe the current level of network-based attacks. Overall, more attacks were detected, which is expected given the growing availability and sophistication of attack tooling and of the skills needed to use it. However, the geographical distribution of these threats, as discussed in the report, calls into question the perception that some regions are “less risky” from a cyber-security standpoint.
Comparing Q3 2016 and Q3 2017, several key trends have emerged:
• Web application attacks have increased by 69%
• Attacks sourced from the US increased by 217%, making the US the top source country for Q3 2017
• The US also bears the brunt of targeting, with 11 times as many recorded attacks as the second most targeted country, Brazil.
Overall, the figures show that US IP addresses are the most likely source of an attack. According to Akamai, 39% of all recorded attacks were attributed to US IP addresses, compared with 7% for Russia; the Netherlands, Ukraine and Brazil accounted for 6% each. Geography-based blocking or rule sets may need refining to account for this finding: a rule set that only blocks traffic from countries perceived as high risk will pass the largest single source of attacks. This is especially relevant for organisations serving US domestic markets, since the report also shows they face a much higher rate of attack.
The report also identifies Germany as the emerging source of DDoS activity, with “22% (58,746) of the unique IP addresses used in volumetric DDoS attacks” traced to the country. The report does not say what is driving this rise in unique IPs. Since the source addresses seen in volumetric attacks are typically compromised or abusable hosts rather than the attackers themselves, on a strategic level it suggests that parts of Germany’s technology infrastructure are being neglected from a security standpoint.
The report found that 86% of DDoS attacks targeted gaming customers. However, this statistic may be more a reflection of Akamai’s customer base, in which the gaming industry is over-represented. The culture around the gaming industry also makes the sector more susceptible to DDoS targeting, as the attack is used as a means of score-settling between players. Every sector should still plan for and mitigate DDoS activity.
2. Threat Reporting
This section provides a summary of the threats that Security Threat Intelligence has profiled over the past week. They are categorised according to the modules included in Threat Reporting: this section (Section 2) covers malware analysis, whilst Section 3 covers cybercrime and hacktivism.
2.1 Malware analysis
|Bitcoin’s exponential value brings increased threats to cryptocurrency
|Target: Web users
|Summary: Bitcoin has featured heavily in cyber-security reporting this year because of its remarkable price performance. Introduced in 2009, it has seen its value rise sharply in 2017, from around $1,000 at the start of the year to over $11,000 in November. Investors are willing to pay increasing amounts for the asset for fear of missing out on potential profit, much as in the dot-com bubble. In addition, the currency is being used at a growing rate, and there is speculation that it may gain a foothold in the mainstream financial industry. At the moment it cannot generally be used to pay bills or taxes or to settle debts. However, it can be used for a range of online activities, from purchasing items on the dark web to everyday purchases such as music downloads or gift cards. The currency exists only online, as entries in a distributed ledger, and there is no middleman in a transaction; this peer-to-peer characteristic is part of what attracts many to the cryptocurrency market.
The rise of Bitcoin has inevitably brought a new wave of threat actors across the cryptocurrency spectrum attempting to profit from rising prices through the illegal means of spreading malware. To obtain cryptocurrency without buying it, coins have to be “mined”, which requires a large volume of computing power. Mining consists of repeatedly hashing candidate block data until a hash is found that meets the network’s difficulty target; the miner who finds one first is rewarded with newly issued currency. Because of the scale of processing power required, many miners pool several machines together to acquire currency.
This has also led to a shortage of affordable graphics cards, with prices rising far above RRP because they are extremely effective for mining. While demand for them has been rising for years, their value has increased sharply more recently. This is because certain mining algorithms cannot be run efficiently on specialised application-specific integrated circuit (ASIC) hardware, leaving graphics cards, particularly AMD’s, as the only viable option. The demand is so great that Nvidia has announced plans to release graphics cards designed specifically for crypto mining.
A further result of the rise in cryptocurrency values is threat actors injecting coin-mining code into websites, designed to run in the browser of any visitor to the compromised site. Once this is done, the threat actor can have hundreds, even thousands, of unsuspecting users mining cryptocurrency on their behalf.
Bitcoin itself is not the target of this activity: it is notoriously difficult to mine and requires far more processing power than a browser can provide. Instead, threat actors mine other cryptocurrencies whose proof-of-work is designed to run acceptably on ordinary CPUs, using victims’ machines to contribute to their mining activity.
|Risk Assessment Summary: This attack vector allows a user’s machine to be used for activity they are unaware of and have not consented to. Although the mining code does not itself steal data or damage the system, it consumes the victim’s CPU time and RAM without permission, slowing the machine and increasing its power consumption. The number of websites carrying injected mining code (detailed in this report) is certainly increasing. A risk therefore exists, but it remains reasonably low because of the mitigations available: script- and ad-blocking on endpoints, a strict Content-Security-Policy on the sites an organisation operates so that injected third-party scripts cannot load, and monitoring for browser processes showing sustained high CPU use.
3. Cybercrime and hacktivism
3.1 Global geo-political threat analysis
|Kaspersky boycott crosses into Britain
|Target: Businesses using Kaspersky products
|Attack Vector: Supply chain
|Summary: Since 2015, the Russian anti-virus company Kaspersky Lab has allegedly been working with the Russian government, both to aid interference in the 2016 US election and to pass intelligence from the United States government to Moscow. Many professionals in the security industry believe it probable that Kaspersky software installed on the machines of NSA employees helped obtain intelligence for the Russian government. When Israeli government hackers breached Kaspersky’s systems, they reportedly found stolen tools belonging to the NSA.
In response, the US Department of Homeland Security ordered all Kaspersky products removed from federal executive-branch systems (Binding Operational Directive 17-01, September 2017), damaging the Russian vendor’s market share along with its reputation. This drastic decision led many other Kaspersky customers to review their relationship with the company. In December 2017 the effect crossed the Atlantic: the UK National Cyber Security Centre advised government departments against using Kaspersky software on systems related to national security. The advice applies to anti-virus products from any Russia-based supplier, not only Kaspersky, so for that class of system such products are effectively banned.
In addition, Barclays, which had offered Kaspersky software free of charge to over 2 million customers, halted distribution and notified the 290,000 customers who had taken up the offer.
|Risk Assessment Summary: If the Russian government has already gained access to the NSA by this route, it may also be exploring access to other organisations. The fact that the NSA, the UK Government and Barclays have all taken steps to limit Kaspersky’s presence in their estates indicates that the threat is considered tangible. Although regarded as highly likely, it is not confirmed that the attack vector was Kaspersky’s software. Since the NSA discovery, Russian government operations have been brought into the spotlight, which mitigates the threat to some degree and gives businesses the opportunity to review their vendors and limit their attack surface. Any such review should also cover software that arrived indirectly, for example through OEM bundles or partner offers like the Barclays one, since those installations are often missing from a vendor inventory.