Top 5 Security Threats in the First Half of 2018
Ransomware was the biggest threat to both individuals and businesses around the world. From the end of 2017, however, ransomware activity stagnated, and as its momentum appeared to weaken, attacks on cryptocurrency mining and cryptocurrency exchanges followed. Security experts at AhnLab Security Emergency Response Center (ASEC) analyzed the major security breaches that occurred in the first half of the year. The volume of ransomware has decreased slightly compared to last year, but the number of ransomware variants has increased. In addition, advanced threats targeting major institutions and businesses have been confirmed, and this trend is expected to continue in the second half.
[Details of Top 5 Security Threats in the First Half of 2018]
1. Cryptojacking Increasing Attack Targets
Cryptojacking (*) is a form of cryptocurrency mining attack that emerged near the end of last year. This year, cryptojacking saw a huge growth in both the number of attacks and the range of its targets. In 2017, the attacks focused mainly on company hardware, such as vulnerable web servers and network-attached storage servers. In the first half of 2018, however, an increasing number of attacks infected individual PCs to mine cryptocurrencies without the user's knowledge. In one reported incident, cryptocurrency mining used 100% of the infected computer's CPU.
* Cryptojacking: As the name implies, this type of attack "hijacks" an infected computer's resources for the purpose of mining cryptocurrency.
Users must be aware that they can become targets of cryptojacking if they use vulnerable web services, regardless of which operating system or web browser they use.
2. Ransomware Advancing Attack Methods
Magnitude exploit kit, a toolkit used to attack system vulnerabilities, delivered new variants of Magniber ransomware that specifically targeted South Korea from the second half of last year until the first quarter of this year. In addition, since April, attackers have consistently been releasing new forms of ransomware that cannot be decrypted. A representative example is GandCrab, a rampant threat with many variants against which users must be protected. (As of July 24, 2018, a variant of version 4.2 had been discovered.)
Ransomware distribution methods are also diversifying. Aside from Magniber, which uses malicious advertising (malvertising), social engineering techniques are also being used to spread malware through spam disguised as either work-related emails or copyright infringement notices. The malicious attachments in these emails often carry familiar extensions such as .doc or .js. Ransomware in particular continues to spread in compressed files with the .egg extension, an archive format widely used in South Korea.
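The attachment patterns described above, as an added defender-side example that is not AhnLab's code: a small triage routine that parses a constructed sample email and flags attachments by the extensions the article names (.js, .doc, .egg), including a familiar-looking name that ends in a script extension. The risky-extension table and the sample message are assumptions for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the article names as common ransomware carriers; the reasons
# attached to them are assumptions for this example, not AhnLab's policy.
RISKY_EXTS = {
    "js": "script attachment",
    "doc": "macro-capable document",
    "egg": ".egg archive (format widely used in South Korea)",
}


def attachment_findings(msg):
    """Return (filename, reason) pairs for attachments matching RISKY_EXTS."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTS:
            findings.append((name, RISKY_EXTS[ext]))
        # "Notice.doc.js": a familiar-looking document name hiding a script.
        if len(pieces) > 2 and pieces[-2] in RISKY_EXTS and pieces[-2] != ext:
            findings.append((name, "double extension"))
    return findings


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and triage its attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return attachment_findings(msg)


def sample_message_bytes():
    """Constructed spam resembling the copyright-notice lure the article describes."""
    msg = EmailMessage()
    msg["From"] = "notice@copyright.example"  # constructed sender
    msg["To"] = "user@example.test"
    msg["Subject"] = "Copyright infringement notice"
    msg.set_content("Please review the attached notice and files.")
    msg.add_attachment(b"var x = 1;", maintype="application",
                       subtype="javascript", filename="Notice.doc.js")
    msg.add_attachment(b"EGGA", maintype="application",
                       subtype="octet-stream", filename="meeting_files.egg")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in triage(sample_message_bytes()):
        print(f"{filename}: {reason}")
```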
3. Advanced Persistent Threats Continuing the Spread
In the first half of the year, APT attacks continued to target South Korea’s major public institutions as well as private companies. These attacks are likely to continue in the second half. Supply chain attacks, in which attackers first gain an understanding of the target's IT infrastructure before striking, are also continuing. In a supply chain attack, attackers gain access to the target's trusted software development and distribution channels and use them to insert and distribute malware.
To prevent supply chain attacks, software developers need to regularly check their development and distribution systems for security vulnerabilities and build such checks into the development process. Security officers with public institutions and private companies that use commercial software are advised to stay up to date on the latest security threats and monitor their internal security environments at all times.
4. Vulnerability Exploits Continuing the Attacks
In January 2018, a new security vulnerability was discovered in CPUs, commonly known as the brains of the computer, putting virtually all computers at risk. Since then, major software vendors, security companies, and CPU manufacturers around the world have been working to resolve the issue. No attacks exploiting it have been confirmed to date.
All software is subject to vulnerabilities caused by bugs, and for criminals vulnerable software is a preferred means of attack. Attackers are constantly seeking out unknown zero-day vulnerabilities. Once a vulnerability is discovered and a patch is released, attackers target users who have not yet installed the patch. Therefore, all users, whether individuals, private companies, or public institutions, should establish appropriate security measures and promptly install the latest security patches for all the software they use.
5. Cyberattacks Focusing on Special Events
In 2018, there were a number of global sports events, such as the PyeongChang Winter Olympic Games at the beginning of the year and the FIFA World Cup in June. Cybercriminals took advantage of public interest in these events to steal personal information or cause financial damage.
In particular, in January, ahead of the PyeongChang Winter Olympics, malware was attached to emails purportedly sent by government agencies about the event, and malware was discovered within fake event programs. The Cyber Emergency Response Team for the PyeongChang Winter Olympic Games responded by cooperating with private companies such as AhnLab immediately after detecting warning signs, and their efforts were successful. This demonstrates how important it is for national agencies and private security companies to join forces to minimize damage from large-scale security incidents, such as national security breaches and sophisticated APT attacks.