Compliance Management, Threat Management, Threat Management, Incident Response, Malware, Privacy, Ransomware, TDR

2018 Top Cyberthreats

It was clear it was going to be an intense year the cybersecurity industry when, just days after ringing in 2018, researchers announced a vulnerability found in essentially all CPU processors made over the previous two decades. From there, things only got busier, with news of Russian exploits, new ransomware families and much, much more.

Spectre and Meltdown: A mere three days into 2018, multiple groups of researchers publicly disclosed Spectre and Meltdown, a trio of CPU chip vulnerabilities representing an entirely new classification of bugs. Found in Intel, IBM, ARM and AMD chips powering an enormous spectrum of hardware products, these vulnerabilities were found to result from a flaw in the processor optimization functionality known as speculative execution. Researchers warned that the bugs could be exploited via side channel attack to access and steal sensitive information from devices by tricking programs into either leaking their secrets or accessing another application’s memory. Spectre and Meltdown’s public disclosure came after months of secretive, painstaking and unprecedented cross-industry collaboration to create patches and modifications, resulting in complex changes to many layers of the software stack. In some cases, these repairs regrettably slowed down the performance of affected processors. In the ensuing months, scientists found additional, new-generation variants of Spectre and Meltdown, as well as another family of speculative execution bugs called Foreshadow and Foreshadow-NG. In response to ongoing concerns, Intel said that its next-generation of chips would be designed with built-in defenses for Spectre-like attacks.

GandCrab: Debuting last January, the malicious cryptor GandCrab quickly became the breakthrough ransomware of 2018. In a departure from conventional ransomware tactics, GandCrab’s developers have chiefly relied on exploit kits such as RIG, GrandSoft and Fallout to distribute their malware. Typically, these kits are served up in malvertising campaigns. Adding to its quirkiness, GandCrab also demands payment using the cryptocurrency Dash, and its C2 servers are generally hosted on the Namecoin TLD domain .bit. GandCrab has so far evolved into five major versions; decryptors are available for several of them, including the original and versions four and five. Last October, Bitdefender estimated that GandCrab’s developers may have made at least $300 million in the prior couple of months, noting that the customized ransom demands ranged anywhere from $600 to $700,000. All things considered, it’s no wonder that GandCrab has left its victims feeling pretty crabby.

Dishonorable mention: SamSam ransomware, which ratcheted up its targeting of healthcare and government institutions this past year, including the city of Atlanta. An August report from Sophos estimated that SamSam has so far earned its creator roughly $6 million.

VPNFilter: A potentially destructive attack may have been averted after the stunning discovery of hundreds of thousands of global networking devices infected with VPNFilter, a modular malware program attributed to Russia’s Fancy Bear APT group. Secretly residing on a wide array of routers and Network Attached Storage devices since 2016, VPNFilter is capable of DDoS attacks, device bricking, data exfiltration and cyber espionage. Additional third-stage modules also help it more easily propagate from network devices to other endpoints, perform data filtering, and obfuscate or encrypt its malicious traffic. The first stage of VPNFilter, which establishes persistence, is unique among IoT malwares in that it can survive a reboot. Infection levels were especially heavy in Ukraine, leading officials to suspect Russia could have been preparing to execute a large-scale attack against its neighbor. In May, the FBI announced that it seized the domain linked to the VPNFilter botnet, recommending that network device owners reboot their devices to kill off any second- or third-stage malware. In July, the Ukraine announced that a Russian attempt to attack a chlorine distillation plant using VPNFilter was thwarted.

Coinhive: The value of Bitcoin and other popular digital currencies may be dropping of late, but the popularity of cryptominers among the cybercriminal community has steadily soared. King of the 2018 cryptojackers was Coinhive, thanks in part to its focus on Monero, an anonymous currency whose transactions are highly difficult to trace. Coinhive is offered as a legitimate service for website owners seeking a money-making alternative to advertisements, but that doesn’t stop malicious actors from secretly injecting its code into compromised sites in order to siphon processing power from their visitors. For example, a report published last May by security researcher Troy Mursch revealed one Coinhive campaign that compromised 391 Drupal sites, including those operated by the San Diego Zoo, Lenovo, UCLA, the National Labor Relations Board, the government of Chihuahua, Mexico and more.

Magecart: The e-commerce card-skimming malware threat collectively known as Magecart isn’t actually attributed to one single actor. There are at least six major groups plus additional smaller perpetrators that all use versions of the same toolset. In a typical case, the attacker secretly embeds compromised webpages with a JavaScript-based tool that copies data entered into online forms and sends it to a malicious drop server. While this threat dates as far back as 2014, two of the most recent groups to emerge vaulted Magecart to new heights of infamy in 2018, after conducting highly prominent and lucrative campaigns against major online players. A November 2018 research report from Flashpoint and RiskIQ refers to most high-profile Magecart group as “Group 6,” noting this was the actor appears to exclusively focus on top-tier targets – successfully breaching both British Airways and Newegg earlier this year. Meanwhile, a separate Magecart group has taken a different approach, compromising potentially thousands of companies at once by initially infecting their third-party service providers in a supply chain attack. It is this group that successfully breached Ticketmaster this year as part of a campaign targeting more than 800 e-commerce sites, RiskIQ reported.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.