By Vincent Weafer, Vice President, Intel Security’s McAfee Labs
The cyber threat landscape often combines something old, something new, something blundered, and something ‘you’. The third quarter provides examples of old threats repackaged with social engineering, new fileless malware replacing rootkits, mobile app coding blunders, and exploitation of the weakest link in any ecosystem: you, the user.
Today’s release of Intel Security’s McAfee Labs Threats Report: November 2015 complements our usual quarterly assessment of cyber threats with new developments combining each of these elements:
· McAfee Labs researchers illustrate how poor mobile app coding practices, including the failure to follow back-end service provider guidance, can lead to the exposure of user data in the cloud. This analysis also demonstrates how mobile banking customers have been compromised through such a scenario.
· The report investigates macro malware using social engineering to gain traction within enterprises – a development fueling the resurgence of macro malware, from a multi-year decline, to a six-year high in the last several months. Macro malware increased from less than 10,000 new attacks in Q3 2015 to almost 45,000 this past quarter, a level we have not seen since 2009.
· Finally, the report details how new platform capabilities and threat development innovation have created a new breed of fileless malware that trumps traditional threat detection. These fileless attacks appear to be taking the place of rootkit attacks.
If nothing else, the third quarter of 2015 reminded us that while we must always innovate to stay ahead of the threat technology curve, we must never neglect common-sense solutions such as secure app coding best practices and user education to counter ever-present tactics such as spearphishing.
Back-end mobile app coding practices
A two-month analysis of nearly 300,000 mobile apps led McAfee Labs to the discovery of two mobile banking Trojans responsible for taking advantage of thousands of mobile banking accounts across Eastern Europe. Known to the industry as “Android/OpFake” and “Android/Marry”, the two malware strains were designed to take advantage of poor coding in the parts of mobile apps that connect them to the back-end service providers managing app data.
Mobile apps often rely on back-end services for secure data storage and communications. However, mobile app developers are responsible for implementing and configuring the integration of their mobile apps with these back-end services. User data could be exposed if app developers fail to follow the back-end providers’ security guidelines – a possibility made more likely simply by the increasing amount of personal and professional business conducted in the mobile cloud.
While the two cybercriminal campaigns using these mobile banking Trojans have been shut down, McAfee Labs found evidence that they exploited such back-end coding flaws, abused root privileges to silently install malicious code, and ran an SMS message scheme to steal credit card numbers and execute fraudulent transactions. The two mobile banking Trojans intercepted and exposed 171,256 SMS messages from 13,842 banking customers, and remotely executed commands on 1,645 affected mobile devices.
Intel Security asserts that developers must pay greater attention to back-end coding best practices and the secure coding guidance provided by their service providers. We also recommend that users download mobile apps only from well-known sources and follow rooting best practices for their devices.
Macro malware rides spearphishing to six-year high
McAfee Labs also registered a fourfold increase in macro detections over the last year, reaching the category’s highest growth rate since 2009. The return to prominence has been enabled by spearphishing campaigns designed to fool enterprise users into opening malware-bearing email attachments. These new macros also exhibit an ability to remain hidden even after they have downloaded their malicious payloads.
Such malicious macros were the bane of users in the 1990s, but declined in number after platform providers such as Microsoft changed default settings to stop automatic macro execution.
While earlier macro campaigns targeted users of every description, the new macro malware activity is primarily focused on large organizations accustomed to using macros as easy-to-build programs for repetitive tasks. Today, emails are socially engineered to appear legitimate in the context of the organization’s business, so that users will thoughtlessly enable the macro to run.
In addition to improving user awareness of spearphishing, Intel Security recommends that organizations set product macro security settings to “high” and configure email gateways to specifically filter for attachments containing macros.
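One way a gateway can filter for macro-bearing attachments, as an added example that is not code from the report or from McAfee (it assumes OOXML attachments are ZIP containers whose VBA project is stored in a vbaProject.bin part, and treats legacy OLE2 files as needing deeper inspection):

```python
# Added example, not code from the McAfee report: a gateway-side check that flags
# Office attachments carrying VBA macros. Assumptions: OOXML files (.docm, .xlsm,
# .pptm, ...) are ZIP containers whose VBA project is stored in a vbaProject.bin
# part; legacy OLE2 files (.doc, .xls) start with the D0 CF 11 E0 signature and
# need an OLE parser to confirm macros, so they are flagged for inspection.
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'macro', 'inspect' or 'clean' for one attachment's bytes."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office format: macros live in OLE streams, so hand
        # the file to a deeper parser instead of guessing from the extension.
        return "inspect"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            return "inspect"  # claims to be a ZIP but does not parse
        # A vbaProject.bin part means a VBA project is embedded, whatever
        # extension the sender chose (a .docm renamed to .docx still has it).
        if any(n.endswith("vbaproject.bin") for n in names):
            return "macro"
        if ext in MACRO_ENABLED_EXT:
            return "inspect"  # macro-enabled extension without a project: odd
        return "clean"
    return "clean"


def _make_ooxml(parts: dict) -> bytes:
    """Build a constructed OOXML-style ZIP containing the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples, not real documents: a plain .docx and a .docm whose
# vbaProject.bin part is a stand-in for a VBA project.
BENIGN_DOCX = _make_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w/>"})
MACRO_DOCM = _make_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w/>",
                          "word/vbaProject.bin": b"\x00\x01"})
```

Checking for the vbaProject.bin part rather than the file extension is what catches a macro document that a sender has renamed to a non-macro extension.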
Fileless malware innovations
McAfee Labs captured 74,471 samples of fileless attacks in the first three quarters of 2015. The three most common fileless malware types load their infection directly into the legitimate memory space of a platform function, hide behind a kernel-level API, or hide within the operating system’s registry.
Most malicious infections leave some type of file on a system, which can be detected, analyzed, and convicted. Newer attacks, such as Kovter, Powelike, and XswKit, have been designed to take advantage of OS platform services to get into memory without leaving a trace on disk.
Intel Security recommends safe browsing and email practices, combined with email and web protections, to block the attack vectors.
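For the registry-resident variety described above, one defender-side check is to scan autorun values for script hosts launched with a hidden window, an encoded command or an inline expression. This is an added example, not code from the report or from McAfee; it assumes regedit's .reg export format as input, and the sample export is constructed for illustration rather than taken from any real infection:

```python
# Added example, not code from the McAfee report: heuristic scan of a Windows
# registry export (.reg text) for autorun values that launch a script host with
# signs of an inline payload, the footprint a registry-resident fileless
# infection tends to leave. Assumes regedit's "Version 5.00" export format.
import re
from typing import List, Tuple

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\b(powershell|mshta|wscript|cscript|rundll32)(\.exe)?\b", re.IGNORECASE)
PAYLOAD_HINT = re.compile(
    r"(-enc\w*\s|\biex\b|invoke-expression|javascript:|vbscript:|-windowstyle\s+hidden)",
    re.IGNORECASE)
LONG_VALUE = 200  # autorun data this long usually embeds a script rather than a path


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, string data) triples from a .reg export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):  # REG_SZ values only
                # Minimal unescaping of the .reg quoting rules.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
                entries.append((key, name.strip('"'), data))
    return entries


def suspicious_autoruns(text: str) -> List[Tuple[str, str, str]]:
    """Autorun values that invoke a script host and show signs of an inline payload."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not AUTORUN_KEY.search(key) or not SCRIPT_HOST.search(data):
            continue
        if PAYLOAD_HINT.search(data) or len(data) > LONG_VALUE:
            hits.append((key, name, data))
    return hits


# Constructed sample export: one ordinary autorun and one that starts a hidden
# PowerShell with an encoded command (the base64 is a placeholder, not a payload).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"updater"="powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand UExBQ0VIT0xERVI="
'''
```

In practice the same heuristics are applied to live Run/RunOnce keys on the host, with hits correlated against process-creation logs to confirm the script host actually launched.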
Q3 2015 Threat Statistics
· Overall threat activity. McAfee Labs’ Global Threat Intelligence (GTI) network detected an average of 327 new threats every minute, or more than 5 every second. The network also detected:
  o More than 7.4 million attempts to entice users into connecting to risky URLs (via emails, browser searches, etc.).
  o More than 3.5 million infected files targeted at our customers’ networks.
  o An additional 7.4 million Potentially Unwanted Programs attempting to install or launch.
· Mobile malware. The total number of mobile malware samples grew 16% from Q2 to Q3, and 81% over the past year. New mobile malware has risen for five consecutive quarters, but infections haven’t kept pace, likely due to improvements in OS defenses.
· Mac OS malware. Malware authors have increasingly turned their attention to the Mac platform. Four times as much Mac OS malware was registered in Q3 as in Q2. Most of the increase came from a single threat.
· Ransomware. The number of new ransomware samples grew 18% from Q2 to Q3. The total number of ransomware samples in McAfee Labs’ malware “zoo” grew 155% over the past year.
· Rootkits decline. New rootkit malware dropped 65%, the category’s lowest rate since 2008. The decline is likely due to diminished returns for attackers: with 64-bit Windows, Microsoft enforces driver signing and includes Patch Guard, which makes kernel hooking significantly more challenging for attackers.
· Malicious signed binaries. New malicious signed binaries have trended down for 3 quarters.
· Botnet activity. The Kelihos botnet reclaimed the top rank for spam-sending botnets in Q3. The botnet, which powers campaigns for counterfeit consumer goods and phony pharmaceuticals, had been somewhat dormant for the previous two quarters.
For more information on these focus topics, or more threat landscape statistics for Q3 2015, please visit http://www.mcafee.com/November2015ThreatsReport for the full report.