McAfee Inc. has released its ‘McAfee Labs Threats Report: September 2017’, which examines the rise of script-based malware, suggests five proven threat hunting best practices, provides an analysis of the recent WannaCry and NotPetya ransomware attacks, assesses reported attacks across industries, and reveals growth trends in malware, ransomware, mobile malware, and other threats in Q2 2017. McAfee Labs saw healthcare surpass public sector to report the greatest number of security incidents in Q2, while the Faceliker Trojan helped drive quarter’s 67% increase in new malware samples from the social media landscape.
The second quarter of 2017 saw Facebook emerge as a notable attack vector, with Faceliker accounting for as much as 8.9% of the quarter’s 52 million newly detected malware samples. This Trojan infects a user’s browser when they visit malicious or compromised websites. It then hijacks their Facebook ‘likes’ and promotes the content without their knowledge or permission. Doing so at scale can earn money for the malicious parties behind Faceliker given the hijacked clicks can make a news article, video, website or ad appear more popular or trusted than it truly is.
“Faceliker leverages and manipulates the social media and app-based communications we increasingly use today,” said Vincent Weafer, Vice President for McAfee Labs. “By making apps or news articles appear more popular, accepted and legitimate among friends, unknown actors can covertly influence the way we perceive value and even truth. As long as there is profit in such efforts, we should expect to see more such schemes in the future.”
McAfee Labs’ quarterly analysis of publicly disclosed security incidents found public sector to be the most impacted North American sector over the last six quarters, but healthcare overtook it in Q2 with 26% of incidents. While overall healthcare data breaches are most likely the result of accidental disclosures and human error, cyberattacks on the sector continue to increase. The trend began the first quarter of 2016 when numerous hospitals around the world sustained ransomware attacks. The attacks paralysed several departments and, in some cases, the hospitals had to transfer patients and postpone surgeries.
“Whether physical or digital, data breaches in healthcare highlight the value of the sensitive personal information organisations in the sector possess,” Weafer continued. “They also reinforce the need for stronger corporate security policies that work to ensure the safe handling of that information.”
Q2 2017 threat activity
In the second quarter of 2017, the McAfee Labs Global Threat Intelligence network registered notable trends in cyber threat growth and cyberattack incidents across industries:
• Security incidents. McAfee Labs counted 311 publicly disclosed security incidents in Q2, an increase of 3% over Q1. 78% of all publicly disclosed security incidents in Q2 took place in the Americas.
• Vertical industry targets. The health, public, and education sectors comprised more than 50% of total incidents in 2016-2017 worldwide.
• Attack vectors. Account hijacking led disclosed attack vectors, followed by DDoS, leaks, targeted attacks, malware, and SQL injections.
• Malware overall. New malware samples leaped up in Q2 to 52 million, a 67% increase. This Q2 rise in new malware is in part due to a significant increase in malware installers and the Faceliker Trojan. The latter accounted for as much as 8.9% of all new malware samples. The total number of malware samples grew 23% in the past four quarters to almost 723 million samples.
• Ransomware. New ransomware samples again increased sharply in Q2, by 54%. The number of total ransomware samples grew 47% in the past four quarters to 10.7 million samples.
• Mobile malware. Total mobile malware grew 61% in the past four quarters to 18.4 million samples. Global infections of mobile devices rose by 8% in Q2, with Asia again leading the regions with 18%.
• Mac malware. With the decline of a glut of adware, Mac OS malware has returned to historical levels, growing by only 27,000 in Q2. Still small compared with Windows threats, the total number of Mac OS malware samples increased by just 4% in Q2.
• Macro malware. New macro malware rose by 35% in Q2. 91,000 new samples raised the total overall sample count to 1.1 million.
• Spam campaigns. The botnet Gamut again claims the top rank in volume during Q2, continuing its trend of spamming job-related junk and phoney pharmaceuticals. The Necurs botnet was the most disruptive, pushing multiple pump-and-dump stock scams during the quarter.
Upon further review: WannaCry and NotPetya
McAfee’s analysis of the WannaCry and NotPetya attacks builds on the organisation’s previous research by providing more insight into how the attacker creatively combined a set of relatively simple tactics, melding a vulnerability exploit, proven ransomware, and familiar worm propagation. McAfee notes that both attack campaigns lacked the payment and decryption capabilities to successfully extort victims’ ransoms and unlock their systems.
“It has been claimed that these ransomware campaigns were unsuccessful due to the amount of money made,” said Raj Samani, Chief Scientist for McAfee. “However, it is just as likely that the motivation of WannaCry and NotPetya was not to make money but something else. If the motive was disruption then both campaigns were incredibly effective. We now live in a world in which the motive behind ransomware includes more than simply making money, welcome to the world of pseudo-ransomware.”
The rise of script-based malware
McAfee researchers also profile the notable increase in script-based malware over the last two years. This Microsoft scripting language is used to automate administration tasks such as running background commands, checking services installed on the system, terminating processes, and managing configurations of systems and servers. Malicious PowerShell scripts usually arrive on a user’s machine through spam emails, gaining a foothold through social engineering rather than software vulnerabilities, and then leveraging the scripts capabilities to compromise the system.
Threat hunting best practices
The September report also suggests techniques to help threat hunters spot the presence of adversaries in their environment. Starting with the principles of what McAfee’s Foundstone group calls the ‘three big knows’ – “know the enemy, know your network, know your tools” – the report offers best practices for hunting for command and control, persistence, privilege escalation, lateral movement, and exfiltration.
“One underlying assumption is that, at every moment, there is at least one compromised system on the network, an attack that has managed to evade the organisation’s preventive security measures,” said Ismael Valenzuela, Principal Engineer, Threat Hunting and Security Analytics at McAfee. “Threat hunters must quickly find artefacts or evidence that could indicate the presence of an adversary in the network, helping to contain and eliminate an attack before it raises an alarm or results in a data breach.”