This report will cover the top trends and metrics that EclecticIQ Fusion Center analysts identified in 2018. This report is not meant to be an exhaustive account of every incident and threat in 2018, but will serve as a high level overview to identify what the Fusion Center considers to be note worthy from 2018.
Analysts identified several reports predicting trends into 2018 based on what was seen in 2017. This report will also identify where those predictions got it right. An additional section will cover predictions into 2019.
- A FireEye report from 2017 predicted that Iranian intrusion sets, APT33 and APT34, will likely continue to be active in 2018. EclecticIQ Fusion Center analysts predict this activity will continue into 2019, predicting that they will align targets with strategic goals of Iran around sanctions and geopolitical pressure.
- Metrics from top malware types seen in 2018 indicate that RATs, botnets, and ransomware as the most heavily relied upon malware in 2018.
- In 2017, Cryptocurrency miners were predicted to be very significant in 2018. However, while mining activity is still prolific in 2018, tools and browser-plugins may be responsible for users becoming more educated about this threat.
- Analysts identified the MITRE ATT&CK and Mobile ATT&CK Frameworks Attack Patterns that were most represented in 2018.
This report will feature a high level overview of trends and metrics seen in 2018. During the course of this report, analysts looked at three vendor reports from 2017 that featured trends from 2016 - 2017 and their predictions for 2018. These three reports (Booz Allen , FireEye, and Forbes) will act as a guide to help identify what vendors believed were to be the focal threat topics in 2017 and some of their predictions for 2018.
This report will cover the following:
- Predicted trends for 2018: Vendor reports from 2017 to predict trends and activity in 2018
- 2018 Malware in review
- 2018 Attack Patterns/Vectors
- 2019 Predictions and Conclusion
1. Predicted trends for 2018: Vendor reports from 2017 to predict trends and activity in 2018
Analysts looked at three vendor reports from 2017. The reports featured threats seen in 2017 and attempted to predict activity that might be seen in 2018. From these reports, analysts identified where some of these predictions were accurate, and provided additional insights into activity seen in 2018.
Here are some topics the three vendor reports focused on as being threats and trends for 2018:
- New Advanced Persistent Threat (APT) Groups in 2017 and the Uptick in Activity by Iranian Threat Actors
- Attacking Supply Chains through Small Vendors and 3rd Party Software Tools
- Targeting Manufacturers through Industrial Control Systems
- Use of Commodity Malware
- Phishing Activity
Advanced Persistent Threat (APT) Groups
The FireEye report listed the following newly named APT groups in 2017 as being important for 2018:Intrusion Set: APT32 , Intrusion Set: APT33 , Intrusion Set: APT34 , and APT35 aka Intrusion Set: Charming Kitten . For the above APT groups that FireEye tracked as emerging in 2017, APT32, APT33, and APT34 have all continued to be active during 2018, with consistent coverage in campaigns throughout 2018.
APT33 and APT34:
EclecticIQ Fusion Center analysts have identified several links between APT33 and APT34 suggesting possible collusion. In the past, APT33 and APT34 has targeted a lot of organizations in critical infrastructure in the Middle East. Most of the techniques and campaigns previously seen represent opportunities for intelligence collection and reconnaissance. In addition, there could be an alternative use of those intrusions or accesses as possible means for disruption and destruction, especially given the destructive incidents we’ve already seen with other Iranian actors.
Analysts suspect that APT33 and APT34 will continue to be active throughout 2019 using low-barrier exploits in phishing activities. Analysts also suspect that the targeting of critical infrastructure systems and companies will remain relatively the same, but targeting may move to more strategic targets given the attention on Iran sanctions from the West.
In general, there has been a steady uptick in activity by Iranian threat actors in 2017 and in 2018. The only group from the list above that appears to be less active in 2018 than in 2017 was APT35. This is interesting given that APT35 is an Iranian cyber espionage group attributed and related to destructive attacks: Shamoon and Stonedrill. However, the lack of activity from this group may be due to the fact that they have been involved and attributed to rather large and resource-intensive attacks and malware campaigns in the past.
APT32 is a Vietnamese group seen in 2017 and 2018 known to target Southeast Asian entities in Vietnam, Cambodia, and Laos. With the growing awareness and infrastructure expansions of China's BRI (Belt and Road Initiative), Vietnam’s ambivalent reaction to the BRI may lead us to speculate a potential increase in cyber activity from this group due to the complicated economic and strategic relationship between the two countries. No uptick in activity confirming this speculation has been seen at this time.
Additional groups that EclecticIQ Fusion Center analysts consider as prominent or having continued campaigns in 2018 include:
- Intrusion Set: Lazarus Group - Many North Korean groups have been identified as possible operating with shared toolsets with Lazarus groups ( Intrusion Set: APT38 and Intrusion Set: Andariel ), making attribution of specific North Korean actors more difficult.
- Intrusion Set: Turla - This group continues to target high-profile and strategic organizations, usually government or international committees and organizations.
- Intrusion Set: Cobalt Group - This group is notable in 2018 for having switched tactics mid-year. Traditional Cobalt Group campaigns were targeting financial organizations in the CIS countries. Then, adversaries switched to targeting employees of financial institutions, instead of the institutions themselves, at the end of August.
Attacking Supply Chains Through Small Vendors and/or 3rd Party Software
This was a topic mentioned in the vendor reports as a large threat for 2018. By infiltrating software that is used in larger supply chains, adversaries can compromise several enterprise networks simultaneously. Instead of buying or leasing infrastructure, threat actors may compromise legitimate infrastructure and use it for parts or all of their attack cycle.
The following are large incidents from 2018 that analysts identified as falling under these parameters:
- Typeform Breach - An attacker managed to download a backup file from one of Typeform's servers and was able to see information submitted by users through Typeform forms. A variety of companies across many sectors were impacted.
- Magecart site compromises - The Intrusion Set: Magecart group which specializes in e-commerce attacks and have used suspicious scripts across several websites to collected data from visitors. One large aspect of these activities is the lack of visibility into third-party code running on most e-commerce sites. In this case, Magecart actors are compromising the third-party code on e-commerce checkout pages into which customers are entering payment information.
- Operation Red Signature - Another good example of an unidentified adversary who targeted a range of organisations in South Korea by compromising the update process of a remote support solutions provider.
Targeting Manufacturers through Industrial Control Systems (ICS)
Attacks on these systems can cause delays in production, physical damage, and can jeopardize the safety of employees and customers. This year, analysts have observed some trends regarding malware and attacks against ICS. Two ICS malware campaigns are worth mentioning under this section:
- Malware: Triton - This malware was identified in mid-late 2017, but it demonstrates a few interesting trends. First trend being the availability of Triton components offered and discussed on forums. Another being attribution: although it was previously clear that only an actor with the backing of government resources could have developed Triton, this is the first time attribution has been made to a particular nation-state. Russian actors have now been responsible for the development and use of Havex, BlackEnergy, Industroyer, Triton and VPNFilter, all of which are either capable of communicating with ICS components or protocols or have reported ICS-tailored plugins.
- Malware: GreyEnergy - The emergence of GreyEnergy represents another significant concern for organisations in the energy and transportation sectors, particularly as the threat actor has demonstrated a widened regional scope beyond Ukraine. No ICS-tailored module has been observed, but this is keeping with BlackEnergy, which allowed its operators to disrupt power grid operations by providing them with remote access to employee workstations hosting HMI applications.
2. Malware in Review
Top 3 types of malware which analysts from the Fusion Center have identified by volume seen in 2018 include:
- Remote Access Trojans (Rats)
One of the vendor reports discussed projected trends into 2018 and identified that commodity malware will continue to be distributed. Analysts note that Malware: GandCrab (just like other commodity malware) will usually affect organization and individuals with no or poor security practices.
It is also important to note that in 2017, cryptocurrency miners were heavily discussed as a large issue as they were very resource-heavy for many companies to endure. While this was not the most dangerous threat in 2017, it was very prolific and was expected as demand in cryptocurrency (especially Bitcoin) increased.
For 2018, analysts identified that cryptomining malware was still popular, whether it was being dropped by commodity malware or being used by certain groups to self-finance their operations. However, due to the emergence of browser applications and tools to identify mining processes running, this threat has appeared to move toward the status of most commodity malware. It is still a threat, but people are more educated now than they were in 2017.
3. Attack Patterns and Attack Vectors
Analysts identified the most reoccurring attack vectors / attack patterns used by groups in 2018.
MITRE ATT&CK Framework Attack Patterns most represented in 2018:
- Spearphishing Attachment
- User Execution
- Exploitation for Client Execution
The above attack patterns are expected since adversaries relying on low-barrier phishing attacks can make use of a Microsoft Office vulnerability, often enabling malicious macros after clicking on an embedded link and executed by the victim. One of the vendor reports predicted phishing activity as a notable attack vector for 2018, and the above attack patterns would confirm this.
MITRE ATT&CK Framework Attack Patterns related to Malware TTPs that were most represented in 2018:
- System Information Discovery
- Modify Registry
- Standard Application Layer Protocol
- Registry Run Keys/Start Folder
MITRE Mobile ATT&CK Framework Attack Patters most represented in 2018:
- Capture SMS Messages
- Access Contact List
- Access Call Log
- Location Tracking
4. 2019 Predictions and Conclusion
Aside from the predictions around the Iranian based intrusion sets discussed above, here are some additional predictions for 2019:
- Using open and publicly available tools as malware platforms for operations: Groups like Intrusion Set: FruityArmor are a bit unusual due to the fact the group leverages an attack platform that is built entirely around PowerShell and the main malware implant is written in PowerShell. This is likely a way in which the actors attempt to remain more anonymous and harder to attribute.
- Increased political instability leading to more nation-state attacks: Topics pertaining to sociopolitical events have proven to be used by nation-state actors as lures in targeted phishing attacks. Upcoming events surrounding sanctions spearheaded by President Trump, Brexit, and the expansion of the Belt and Road Initiative (BRI) may bring with it a resurgence of nation-state actors aligning to represent national strategic goals.
- Attribution may become more difficult and thus should not be the largest priority: Difficulties in identifying between certain regional-based threat actors will continue to be a problem into 2019. Analysts assess that many nation-state actors coming from the same region appear to be split between two main tiers with shared toolsets and methodologies, but with distinct functions: tier one groups that target high-profile institutions with a strategic agenda; and the second tier that focuses on the lower-level financially motivated attacks that act as a way to financially bolster tier one operations. North Korean and Iranian groups tend to represent this model, where there are multiple groups coming from the same region that appear to be colluding and sharing the same malware and tools, but with different strategic aims.
Analysts chose the three different vendor reports (discussed above) as a way to gauge what predictions from 2017 were true, and to see what predictions may have deviated to what was actually seen in 2018. The uptick in Iranian APT activity, 3rd party and supply chain compromises, phishing as a low-barrier attack vector, and the continued use of commodity malware were the most overlapping trends and predictions that all three reports shared.
Analysts will continue to monitor trends and patterns into the coming year. Until then, we would like to wish you a happy and secure 2019!
We hope you enjoyed this post. Follow us here for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.