The 77-page report covers information gathered by Symantec's Global Intelligence Network, which tracks over 700,000 global adversaries and records events from 98 million attack sensors in more than 157 countries. It also draws on Endpoint Protection, Symantec DeepSight Intelligence, Symantec Managed Security Services, Norton consumer products and other third-party data sources, together generating more than nine trillion rows of security data.
For example, its email statistics were gathered from more than two billion emails each day, its website security data from over 2.4 billion web requests each day, and its cloud and app data from Symantec CloudSOC security technology, which in 2016 safeguarded more than 20,000 cloud apps, 176 million cloud documents and 1.3 billion emails.
Kevin Haley, director, Symantec Security Response, said, “New sophistication and innovation is the nature of the threat landscape, but this year Symantec has identified seismic shifts in motivation and focus. Zero-day vulnerabilities and sophisticated malware are now used sparingly, as nation states shift their attention from espionage to straight sabotage. Meanwhile, cybercriminals caused unprecedented levels of disruption by focusing their exploits on relatively simple IT tools and cloud services.”
- New levels of ambition including a multi-million-dollar bank heist – well planned and executed and aimed at the bank, not its customers.
- Attempts to disrupt the US electoral process by state-sponsored hackers.
- The biggest DDoS attacks in history powered by IoT botnets comprising routers and cameras.
- More emphasis on impact and disruption – making a splash via disk wiping or power outages.
- Increasing use of simple tools deployed more widely, e.g. socially engineered spear-phishing emails driven by machine learning, off-the-shelf tools, etc. One in every 131 emails sent was malicious.
- Fewer zero-day exploits, as these become harder to monetise – the patching message is finally working.
- Ransomware continues to be the biggest threat to consumers and small businesses. The average ransom demand rose to $1077 in 2016 from $294 a year earlier, 101 new ransomware families were discovered (up from 30 in 2015), and ransomware infections rose by 36%.
- The average enterprise is using 928 cloud apps, up from 841 earlier in the year. However, most chief information officers think their organisations only use around 30 or 40 cloud apps, so the level of risk is likely underestimated: apps nobody has inventoried are apps nobody is monitoring or patching, leaving the organisation exposed to newly emergent threats.
Mobile operating systems remained a prime target, with 290 vulnerabilities reported for iOS and 316 for Android in 2016. Interestingly, in 2015 iOS had 463 and Android only 89.
Working malware on iOS is still relatively rare. However, in August 2016 it was discovered that three iOS zero-day vulnerabilities, known collectively as Trident, were being exploited in targeted attacks to install the Pegasus spyware on victims' phones. Pegasus can access messages, calls and emails, and can also gather data from apps including Gmail, Facebook, Skype and WhatsApp. The attack was delivered as a link sent to the victim by text message: tapping the link was enough for the exploit chain to jailbreak the phone, after which Pegasus was installed and began its surveillance. The practical lesson is that even this high-end attack still needed a phishing click as its entry point, so user caution about unexpected links and prompt installation of OS updates remain the main defences.
Vulnerabilities were found in 76% of scanned websites, and 9% of those were critical. Symantec blocked an average of 229,000 web attacks each day in 2016.
Ransomware
The number of ransomware families rose from 30 in 2015 to 101 in 2016, and the average ransom demand rose to US$1077 from US$294, in part reflecting bitcoin appreciation.
Email and phishing
Business email compromise scams, which impersonate executives or suppliers to trick staff into making payments, are now favoured by attackers over the mass-mailing phishing campaigns of old.
Internet of Things
Vast armies of bots continually scan the internet for vulnerable IoT devices: a newly connected device can be found and infected in under two minutes.
Sabotage and subversion
Symantec noted that several groups, likely nation-state sponsored, had emerged from the shadows and engaged in more public, politically subversive activities. The ongoing power outages in Ukraine, the US election and the Olympics have all been linked to campaigns designed either to disrupt infrastructure or to steal and leak data, with the aim of influencing public opinion, creating an atmosphere of distrust and possibly influencing political outcomes.
Given these recent successes, and with key elections approaching in a number of countries in 2017, it is likely these kinds of activities will continue. Groups have meanwhile continually refined their tactics, with several moving away from customised malware and relying more on legitimate software tools already present on the target (so-called living off the land) to compromise networks, which makes their activity harder to distinguish from normal administration.
Cyber crime as a service
The cyber crime economy is thriving: ransomware toolkits can be purchased for as little as US$10, and email address lists can be rented by the million.
Symantec noted that several significant disruptions, including high-profile takedowns, helped put a dent in this activity and sent out a warning signal to operators.