SophosLabs Uncut
Threat Research

Sophos Threat Report 2019

Links to our 2019 Threat Report and related articles

As 2018 comes to a close, we take a look back on the attack, malware, and exploit trends our SophosLabs researchers have observed during the past year.

Key links:

The SophosLabs 2019 Threat Report

Coverage of the 2019 Threat Report on Naked Security

The report surveys three broad cyberattack trends that gained wider adoption among attackers during the year: the use of manual, hands-on attack techniques, rather than automated delivery mechanisms, to install ransomware; the wider adoption of so-called living-off-the-land techniques by a broad segment of the malware distribution networks; and the growing threat of cryptocurrency mining and botnets that affect “nontraditional” technology platforms, such as mobile devices or networked hardware like routers.

Targeted, manual attacks

Our SamSam report, published earlier this year, was the result of nearly three years of observation, analysis, and support work by a cross-departmental team within Sophos. The research highlighted what was, then, a unique reliance on the skill set of an experienced systems administrator and red team penetration tester to, first, break into an enterprise network, sniff administrator credentials, and then use those privileged controls to manipulate the internal security controls of that network. The attack methodology meant that, while fewer attacks took place each week, the results were far more devastating, and the threat actor could demand a markedly higher ransom. Successive generations of the malware also gradually evolved to become more efficient and destructive over time.

Following the release of that report, the threat actor behind SamSam seemed to slow down the attacks, but a number of copycats adopted the same techniques and continued to target large networks. The one common thread: each attack group began the break-in by finding a single Windows computer that had been left accessible from the internet over the Remote Desktop Protocol, and brute-forcing their way into it.
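As an added defender-side illustration of that common thread (this is example code, not code from the Sophos report), the Python below looks for the pattern in Windows Security logon events: a burst of failed RDP logons (event ID 4625, logon type 10) from one source address, and whether a successful RDP logon (event ID 4624) from the same source followed it. The pipe-separated event format, the threshold and the sample lines are constructed assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security logon events, flattened into the
# form "timestamp|event_id|logon_type|source_ip|user" (not real log data).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2018-11-02T03:14:01|4625|10|203.0.113.7|administrator
2018-11-02T03:14:03|4625|10|203.0.113.7|admin
2018-11-02T03:14:04|4625|10|203.0.113.7|administrator
2018-11-02T03:14:06|4625|10|203.0.113.7|backup
2018-11-02T03:14:08|4625|10|203.0.113.7|administrator
2018-11-02T03:14:09|4625|10|203.0.113.7|svc_sql
2018-11-02T03:14:12|4624|10|203.0.113.7|administrator
2018-11-02T09:00:00|4625|10|192.0.2.55|jsmith
2018-11-02T09:00:30|4624|10|192.0.2.55|jsmith
2018-11-02T09:05:00|4625|2|127.0.0.1|jsmith
"""

def parse_events(text):
    """Parse the constructed flat format into (timestamp, event_id, logon_type, ip, user) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, ip, user = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), ip, user))
    return events

def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures": n, "success_after": bool}} for every source
    that produced at least `threshold` failed RDP logons inside a sliding `window`,
    noting whether a successful RDP logon from that source came after the burst."""
    recent = defaultdict(deque)   # source_ip -> timestamps of failures still inside the window
    alerts = {}
    for ts, eid, ltype, ip, user in sorted(events):
        if ltype != 10:           # only RemoteInteractive (RDP) logons are of interest here
            continue
        if eid == 4625:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "success_after": False})
                alerts[ip]["failures"] = max(alerts[ip]["failures"], len(q))
        elif eid == 4624 and ip in alerts:    # a success after a flagged burst is the worst case
            alerts[ip]["success_after"] = True
    return alerts
```

On the sample data only 203.0.113.7 is flagged, with six failures followed by a success; the single failure from 192.0.2.55 and the local (logon type 2) failure are ignored.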

Using available Windows tools

For some time, we have been aware that certain malware attackers invoke features common to all modern Windows computers as a stepping stone to the eventual delivery of malware. In 2018, however, threat actors who send victims malicious spam email all but abandoned the practice of simply emailing the malicious executable itself, and switched to a series of interlinked, non-executable scripts, exploitable Microsoft Office document vulnerabilities, and Office document macros to build chained attacks whose complexity and variability make it challenging to identify and halt an attack in progress.

Attacks now commonly use some combination of PowerShell, the Windows Script Host, and “mal-docs” to build a kill chain that is designed to thwart retrospective analysis and evade the most common methods by which attacks can be intercepted or halted in progress.

Mobile and IoT platforms as low-grade cryptojackers

The value of cryptocurrency, such as Bitcoin or Monero, fluctuates wildly, but criminals still want the money if they can get it at your expense, so we’ve seen a rise in the volume of malware payloads that hijack the victim device to use its computing power — however slight it may be — to slowly perform the advanced math that is used to “mine” cryptocurrency. The industry has adopted the name “cryptojacking” for this practice, and we’ve observed a trend where cryptojacking affects nontraditional devices such as home routers, network attached storage, and networked cameras or DVRs.

Mobile phones are of particular concern because the cryptojacking code reduces the battery life and performance of the device, which is something that the users of those phones are likely to notice but unlikely to attribute to this type of attack. Overall, cryptojacking transfers the costs of mining (in terms of both performance, and wear and tear) to the victims and provides no benefit to anyone other than the cryptojacker, whose wallet ever-so-slowly accumulates the result of the miners’ work.