One out of five computer users were subject to at least one malware-class web attack in 2019. This past year cities such as New Orleans were under ransomware siege by the likes of malware Ryuk. Zero-day vulnerabilities were also in no short supply with targets such as Google Chrome and Operation WizardOpium. Here is a look back and links to Threatpost coverage.
Remote desktop protocol vulnerabilities BlueKeep, and then DejaBlue, allowed unauthenticated, remote attackers to exploit and take complete control of targeted endpoints. The fear of BlueKeep and its wormable potential to mimic the WannaCry forced Microsoft’s hand to patch systems as old as Windows XP and Windows 2000.
This past year had its fair share of zero-day vulnerabilities. One of the most prominent of the zero days was Urgent/11, impacting 11 remote code execution vulnerabilities in the real-time OS VxWorks. Because of VxWorks use in so many critical infrastructure devices, the U.S. Food and Drug Administration took the unusual step and released a warning, urging admins to patch.
We were warned last year when mitigating against Meltdown and Spectre that we would face more side-channel related CPU flaws in the future. And this year we did, with variants ranging from ZombieLoad to Bounds Check Bypass Store, Netspectre and NetCAT. For 2020? Expect even more variants, say experts.
2019 was the year ransomware criminals turned their attention away from consumers and started focusing on big targets such as hospitals, municipalities and schools. There was the Ryuk attack against New Orleans, Maze ransomware behind Pensacola attack and rash of attacks against hospitals that resulted in some care facilities turning patients away.
Botnets continued to be a key tool in cyberattacks in 2019. This past year saw the return of the notorious Emotet botnet. Crooks behind Trickbot partnered with bank trojan cybercriminals from IcedID and Ursif. Lastly, Echobot, an IoT botnet, casts a wider net in 2019 with raft of exploit additions.
Perhaps the highest-profile cryptominer attack occurred in May when researchers found 50,000 servers were infected for over four months as part of a high-profile cryptojacking campaign featuring the malware Nansh0u. The past year also saw a new XMRig-based cryptominer called Norman emerge, which stood apart because of its clever ability to go undetected.
Even though the target is smaller, mobile devices offer criminals top-tier data. Not only are APTs shifting focus on mobile, but so are garden-variety crooks. Take, for example, the Anubis mobile banking trojan that only goes into action after it senses the targeted device is in motion. Then there was the Instagram-initiated campaign using the Gustuff Android mobile banking trojan that rolled out in October.
Google’s Project Zero, in August, found 14 iOS vulnerabilities in the wild since September 2016. According to Google's Threat Analysis Group (TAG) the flaws could allow malware easily steal messages, photos and GPS coordinates. These flaws highlighted five exploit chains in a watering hole attack that has lasted years. Google said malware payload used in the attack is a custom job, built for monitoring.
In May, researchers uncovered a unique Linux-based malware dubbed HiddenWasp that targeted systems to remotely control them. The malware is believed to be used as part of a second-stage attack against already-compromised systems and is composed of a rootkit, trojan and deployment script.
Discussing malware without touching on business email compromise-based attacks would be like talking about the New England Patriots without mentioning Tom Brady. Fake Greta Thunberg emails used to lure victims to download Emotet malware. Of course the Swedish climate-change activist was just one of the lures that in 2018 contributed to 351,000 scams with losses exceeding $2.7 billion.
