AI reveals 2018’s biggest cyber-threats: Part two — to err is human

Max Heinemeyer, Director of Threat Hunting | Friday February 8, 2019

For security professionals around the world, it is hardly a secret that cyber-attacks are becoming ever more difficult to detect — incorporating stealthier tactics and even automated elements to breach the network perimeter. Yet despite the increasing sophistication of these threats, the greatest security risk confronting today’s businesses, governments, and nonprofits continues to be their own employees.

Such credentialed network users present a relatively easy avenue into the digital estate for cyber-criminals who manage to deceive them. From banking trojans that are spread using social engineering to cryptocurrency mining carried out by disgruntled workers, the past year witnessed a significant upswing in threats that either exploited the fallibility of employees or which were authored by employees themselves.

By monitoring and analyzing raw traffic from all our clients’ users, internet-connected devices, and cloud deployments, we saw a number of trends emerge in 2018. As the second installment of a two-part series, this article will review specifically those attack trends that involve trickery, subtlety, and the art of deception. Because, as organizations deploy the latest technologies and tools to improve their cyber defenses, the weakest link in our network security is not a machine — it is human.

Banking trojan attacks increased by 239%

Named after the legendary act of Grecian subterfuge, today a trojan horse refers to a malicious computer program that misleads its user of its actual purpose, taking advantage of the fundamental weakness of human error inherent to any security posture. Over the last 12 months, the incidence of banking trojans in particular — which harvest the credentials of online banking customers from infected machines — has increased by a staggering 239% across our customer base.

This dramatic increase may be a consequence of the declining popularity of ransomware for monetary gain: it seems that banking trojans are, at least at present, a more profitable tool for cyber-criminals. Unlike ransomware, banking trojans do not rely on a victim’s conscious willingness to pay; rather, they use deception to perform transactions without the victim’s knowledge. And as the number of ransomware incidents declined in 2018, it seems that subtler attacks have become the weapons of choice for cyber-crime.

The proliferation of banking trojans has been accompanied by a growing sophistication in the malware itself, with many banking trojans having expanded beyond their original target of online banking access. Indeed, advanced trojans like Emotet now deliver other forms of malware as payloads, after using fraudulent emails, online advertisements, and other forms of social engineering to breach the perimeter.

Cryptocurrency-related incidents up 78%

Figure 1: Cryptocurrency values declined precipitously in 2018 after rapid growth.

Alongside the increase in banking trojans, Darktrace detected 78% growth in the frequency of another under-the-radar threat: crypto-jacking. Defined as the secret usage of computing power to mine cryptocurrency, crypto-jacking operates by the opposite logic of ransomware, acting as a parasite on an organization’s computing systems or injecting hidden code into an organization’s web pages. Whereas ransomware attackers demand payment immediately, cryptocurrency miners seek to go unnoticed for as long as possible.

Deceptive threats like banking trojans and crypto-jacking are particularly elusive when they originate from insiders. In one Fortune 500 e-commerce company this year, Darktrace discovered a privileged access user — a disgruntled systems administrator — hijacking power sources from the company’s infrastructure for his own monetary gain. The employee co-opted other users’ credentials and service accounts to stealthily take over multiple machines for the purpose of crypto-mining.

At the same time, the growth rate of cryptocurrency-related threats is less than in the previous year, likely as a result of the dramatic fall in the value of most cryptocurrencies (see Figure 1). But with many experts anticipating these values to bounce back, we expect crypto-jacking to become far more common in the years to come. The cyber-criminal ecosystem still responds to macroeconomic factors, and as payment systems continue to evolve, so too will attackers’ revenue streams.

The weakest link: still people

The rapid escalation of deceptive and subtle threats — from banking trojans that gain access with social engineering to crypto-jacking carried out by insiders to targeted spear phishing emails — is the product of a fundamental flaw with the traditional approach to cyber defense, which entails securing the perimeter against known threats. Indeed, once an employee, maliciously or inadvertently, compromises the network from the inside, protecting the perimeter does little good. And as we look ahead to 2019, a year likely to be even more dominated by deceptive attacks and internal threats, organizations must seek to better understand their own networks to recognize whenever something is, ever so slightly, amiss.

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.