It was clear it was going to be an intense year for the cybersecurity industry when, just days after ringing in 2018, researchers announced vulnerabilities affecting essentially every processor made over the previous two decades. From there, things only got busier, with news of Russian exploits, new ransomware families and much, much more.
Spectre and Meltdown: A mere three days into 2018, multiple groups of researchers publicly disclosed Spectre and Meltdown, a trio of CPU vulnerabilities representing an entirely new class of bug. Found in Intel, IBM, ARM and AMD chips powering an enormous spectrum of hardware products, the vulnerabilities stem from speculative execution, the performance optimization in which a processor guesses the outcome of a pending check and runs ahead of it. Researchers warned that the bugs could be exploited via a cache side channel to steal sensitive information from devices, either by tricking a program into speculatively leaking its own secrets or by reading another application's (or the kernel's) memory. The public disclosure came after months of secretive, painstaking and unprecedented cross-industry collaboration on patches and microcode updates, resulting in complex changes to many layers of the software stack. In some cases, those mitigations measurably reduced the performance of affected processors. In the ensuing months, researchers found additional variants of Spectre and Meltdown, as well as another family of speculative execution bugs called Foreshadow and Foreshadow-NG (also known as L1 Terminal Fault). In response to ongoing concerns, Intel said that its next generation of chips would be designed with built-in defenses against Spectre-like attacks.
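The bounds-check-bypass pattern at the heart of Spectre variant 1, shown below as an added illustration rather than code from any of the research teams or vendors named above. The function names, the array contents and the cache_probe buffer are constructed for the demo; a working attack additionally has to time cache accesses (rdtsc, clflush and friends), which this example deliberately leaves out. The branchless clamp mirrors the approach the Linux kernel took with array_index_nospec().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed demo data (not from any real system). public_data is the
 * array the bounds check protects; cache_probe stands in for the 256-slot
 * array an attacker would later time, one cache line per possible byte. */
#define PUBLIC_LEN 16
static const uint8_t public_data[PUBLIC_LEN] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                                 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t cache_probe[256 * 64];

/* Vulnerable pattern: Spectre variant 1, bounds-check bypass.
 * Architecturally the check is correct, so out-of-range callers get 0.
 * But while the comparison is still pending, a trained branch predictor
 * lets the CPU speculatively run the body with an out-of-range idx: it
 * reads a byte past public_data and uses it to touch one cache line of
 * cache_probe. The result is thrown away, yet the line stays cached,
 * which is the side channel an attacker measures. */
uint8_t victim_vulnerable(size_t idx) {
    if (idx < PUBLIC_LEN) {
        uint8_t leaked = public_data[idx];
        return cache_probe[(size_t)leaked * 64];
    }
    return 0;
}

/* Branchless clamp in the style of Linux's array_index_nospec().
 * Returns idx unchanged when idx < size and 0 otherwise, using arithmetic
 * only, so a mis-speculated path still sees a safe index. */
size_t index_nospec(size_t idx, size_t size) {
#if defined(__GNUC__)
    /* Stop the compiler from proving idx < size at the call site and
     * deleting the clamp (the kernel's OPTIMIZER_HIDE_VAR does the same). */
    __asm__("" : "+r"(idx));
#endif
    /* (size - 1 - idx) wraps to a value with the top bit set when idx >= size.
     * OR-ing idx in covers indices so large that the subtraction wraps again. */
    size_t not_mask = idx | (size - 1 - idx);
    /* top bit of ~not_mask is 1 exactly when idx < size; spread it to all bits */
    size_t top = (~not_mask) >> (sizeof(size_t) * 8 - 1);
    size_t mask = (size_t)0 - top;
    return idx & mask;
}

/* Hardened pattern: clamp on the in-range path so that even speculative
 * execution of the body cannot read past public_data. */
uint8_t victim_hardened(size_t idx) {
    if (idx < PUBLIC_LEN) {
        idx = index_nospec(idx, PUBLIC_LEN);
        uint8_t b = public_data[idx];
        return cache_probe[(size_t)b * 64];
    }
    return 0;
}

int main(void) {
    size_t probes[] = { 0, 5, 15, 16, 1000, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index_nospec(%zu, %d) = %zu\n",
               probes[i], PUBLIC_LEN, index_nospec(probes[i], PUBLIC_LEN));
    return 0;
}
```

The alternative mitigation is an explicit speculation barrier after the check (lfence on x86, csdb on ARM), which is simpler to apply but costs more per call than masking; either way the fix has to be placed on every gadget that indexes memory with attacker-influenced values, which is why the mitigations touched so many layers of the stack.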
GandCrab: Debuting last January, the file-encrypting malware GandCrab quickly became the breakthrough ransomware of 2018. In a departure from conventional ransomware tactics, GandCrab's developers have chiefly relied on exploit kits such as RIG, GrandSoft and Fallout to distribute their malware; typically, these kits are served up through malvertising campaigns. Adding to its quirkiness, GandCrab demands payment in the cryptocurrency Dash, and its C2 servers are generally hosted on .bit domains, a top-level domain resolved through the Namecoin blockchain rather than the regular DNS, which makes takedowns harder. GandCrab has so far evolved through five major versions; decryptors are available for several of them, including the original and versions four and five. Last October, Bitdefender estimated that GandCrab's developers may have made at least $300 million in the prior couple of months, noting that the customized ransom demands ranged anywhere from $600 to $700,000. All things considered, it's no wonder that GandCrab has left its victims feeling pretty crabby.
Dishonorable mention: SamSam ransomware, which ratcheted up its targeting of healthcare and government institutions this past year, including the city of Atlanta. An August report from Sophos estimated that SamSam has so far earned its creator roughly $6 million.
VPNFilter: A potentially destructive attack may have been averted after the stunning discovery of hundreds of thousands of networking devices worldwide infected with VPNFilter, a modular malware program attributed to Russia's Fancy Bear APT group. Secretly residing on a wide array of routers and network-attached storage devices since 2016, VPNFilter is capable of DDoS attacks, device bricking, data exfiltration and cyber espionage. Additional third-stage modules help it propagate from network devices to endpoints behind them, filter and collect traffic, and obfuscate or encrypt its own communications. The first stage of VPNFilter, which establishes persistence, is unusual among IoT malware in that it survives a reboot. Infection levels were especially heavy in Ukraine, leading officials to suspect Russia could have been preparing to execute a large-scale attack against its neighbor. In May, the FBI announced that it had seized the domain linked to the VPNFilter botnet, and recommended that network device owners reboot their devices to clear any second- or third-stage components (the reboot does not remove stage one, so a firmware reset or vendor patch is still needed). In July, Ukraine announced that a Russian attempt to attack a chlorine distillation plant using VPNFilter had been thwarted.
Coinhive: The value of Bitcoin and other popular digital currencies may have been dropping of late, but the popularity of cryptominers among cybercriminals has steadily soared. King of the 2018 cryptojackers was Coinhive, thanks in part to its focus on Monero, a privacy-focused currency whose transactions are very difficult to trace and which can be mined on ordinary CPUs. Coinhive is offered as a legitimate service for website owners seeking a money-making alternative to advertisements, but that doesn't stop malicious actors from secretly injecting its JavaScript into compromised sites in order to siphon processing power from their visitors. For example, a report published last May by security researcher Troy Mursch revealed one Coinhive campaign that compromised 391 Drupal sites, including those operated by the San Diego Zoo, Lenovo, UCLA, the National Labor Relations Board, the government of Chihuahua, Mexico and more.