Hacker Tracker: New Threats And Old Classics

Cybercriminals certainly had a habit of churning out headline-worthy attacks in 2016 — from the Mirai botnet’s infamous distributed-denial-of-service attacks on domain directory Dyn and the DNC hack to hackers targeting the SWIFT interbank system.

With these and other high-profile cases, the world became acutely aware of vulnerabilities in the digital realm.

As it turns out, while cybercriminals are constantly inventing ways to maliciously compromise the security of private data, they also have a soft spot for the classics.

That finding comes from the recent research report published by the Threat Lab of digital security hardware and solutions provider WatchGuard.

The team examined the most prevalent network and malware trends in the fourth quarter of 2016 leveraging threat analytics from its globally distributed Firebox product, said WatchGuard CTO Corey Nachreiner.

“We have firsthand, acute insight into the evolution of cyberattacks,” Nachreiner said, “and how threat actors are behaving.”

Tellingly, WatchGuard’s inaugural Internet Security Report found that some 30 percent of malware in Q4 was new, or “zero day.” (Not to be confused with zero-day exploits.) In other words, one-third of malware identified wouldn’t be caught by legacy antivirus solutions.

What this signals is that cybercriminals have managed to outpace the antivirus industry’s ability to detect new threat signatures, WatchGuard said.

But even as new types of attacks threaten to bypass legacy solutions, Nachreiner pointed to another key finding of WatchGuard’s report: Even with the creation of novel malware, classic tactics are still highly prevalent among cybercriminals, albeit with modern twists.

Notably, macro-based malware is still around in the realm of spear phishing. Many will remember it from when the Melissa virus was a major cybersecurity threat back in 1999, Nachreiner said.

He’s not surprised to see it show up in the report. (Despite the fact that 1999 in internet years essentially translates to eons.) WatchGuard has been tracking the resurgence of macro-based malware since 2014.

“I was surprised when macro malware first made its comeback,” he told PYMNTS. “After Melissa, Office products changed their defaults, requiring much more user interaction before you could run macros within documents.”

Along with aggressive user risk training, macro malware became a far less viable tactic, Nachreiner said. As a result, cybercriminals mostly stopped using documents with malicious macros. At least for a while.

So what’s with the comeback? Office products today retain strong defaults that prevent macros from running automatically.

Nachreiner said it’s all about social engineering.

“Techniques have improved to convince people to enable macros,” he said, noting that more businesses today may also legitimately use macros in their official documents, making them accustomed to enabling them anyway.

On the macro front, cybercriminals have also been using password-protected documents as a technique to evade malware scanning technology, as encryption sometimes renders scanners unable to see within the document.
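The evasion described above works because a gateway scanner that cannot open the document has nothing to match on. The following is an added example (not WatchGuard's code or anything from the report) of the defensive counterpart: container-level triage that quarantines password-protected Office files instead of passing them through unscanned, and routes macro-enabled files to a sandbox. It assumes a mail gateway that hands the raw attachment bytes to `triage_office_attachment`; the stream and part names it looks for are the standard ones Office writes, but the byte scan is a heuristic, not a full OLE parser, and the sample files are constructed in `build_samples`.

```python
import io, zipfile
# OLE2 compound-file magic: legacy .doc/.xls, and also every password-protected
# OOXML file, which Office wraps in an OLE container instead of a plain zip.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

def _u16(name: str) -> bytes:
    return name.encode("utf-16-le")  # OLE directory entry names are UTF-16LE

def triage_office_attachment(data: bytes) -> dict:
    """Container-level triage for a mail gateway: heuristic byte scan, no VBA parsing."""
    r = {"container": "other", "macros": False, "encrypted": False}
    if data.startswith(OLE_MAGIC):
        r["container"] = "ole"
        # Encrypted OOXML: OLE wrapper holding EncryptionInfo + EncryptedPackage streams
        if _u16("EncryptionInfo") in data and _u16("EncryptedPackage") in data:
            r["encrypted"] = True
        # Legacy binary formats keep VBA under a "Macros" or "_VBA_PROJECT_CUR" storage
        if _u16("Macros") in data or _u16("_VBA_PROJECT_CUR") in data:
            r["macros"] = True
    elif data.startswith(ZIP_MAGIC):
        r["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            names = []
        r["macros"] = any(n.endswith("vbaproject.bin") for n in names)
    if r["encrypted"]:
        r["verdict"] = "quarantine"  # scanner is blind to the payload; do not pass it through
    elif r["macros"]:
        r["verdict"] = "detonate"    # macro-enabled: sandbox it or strip the macros
    else:
        r["verdict"] = "allow"
    return r

def build_samples() -> dict:
    """Constructed sample attachments (not real malware) for a dry run."""
    def zipped(*names):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for n in names:
                zf.writestr(n, b"<x/>")
        return buf.getvalue()
    # Minimal stand-in for an encrypted container: OLE magic plus the two stream names
    protected = OLE_MAGIC + b"\x00" * 504 + _u16("EncryptionInfo") + _u16("EncryptedPackage")
    return {"clean.docx": zipped("[Content_Types].xml", "word/document.xml"),
            "macro.docm": zipped("[Content_Types].xml", "word/vbaProject.bin"),
            "protected.docx": protected}
```

The point of the "quarantine" verdict is policy rather than detection: a file the scanner cannot inspect is treated as unscanned, so the password trick buys the sender nothing.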

The rising tide of neo-macro malware attacks isn’t a global phenomenon, however. Nachreiner said that WatchGuard’s data shows that a majority of global attacks of this nature occur in the U.S. and China.

The most prevalent variant was detected some 214,792 times in the U.S. and 3,040 times in China, but nowhere else. This trend continued across other types of macro malware detections.

“The U.S. and China always had the most hits,” Nachreiner said, “with the major prevalence being within the U.S.”

Without more data, WatchGuard can’t be sure of the factors contributing to this distinct global distribution pattern.

“What we do know,” he noted, “is that document-based malware is quite often used in more targeted spear phishing attacks. This tactic has also been associated with sophisticated nation-state attacks (the DNC hack, for instance). Since this malware literally uses a document, the attack must be localized in the right language,” he said, noting that this is why it’s unusual to see the same threats in China.

WatchGuard will continue to monitor threats on a quarterly basis from this point onward, adding additional data points to its feed as a means to deepen its insights and analysis into cybersecurity threat trends as they continue to evolve (and in some cases reinvent themselves) worldwide.