Is someone at IBM a big comic book fan? The name “X-Force” is popularly associated with a superhero team from Marvel Comics, but IBM has chosen it as a moniker for many of the company’s digital security offerings, such as its penetration testing service, X-Force Red, or its X-Force IRIS incident response team. Mysterious branding decisions aside, last week IBM released the 2019 X-Force Threat Intelligence Index, a summary of the changing trends in cyberattacks, derived from analyzing trillions of individual security events from around the world.
These events range from a simple probing port scan to sophisticated malware attacks. Together, they show a changing trend in attackers’ methods over the course of 2018, driven by their desire to get the most bang for their buck—literally. Even though intrusions by state actors or hacktivists get a lot of attention, most attacks are carried out by criminals simply looking to make money as easily as possible.
Consequently, ransomware attacks—where systems are taken over and rendered inaccessible and inoperable until a ransom is paid—have seen a decline in favor of cryptojacking, where systems are co-opted to quietly mine cryptocurrencies in the background.
“Ransomware had it’s heyday,” says John Kuhn, a senior threat researcher with X-Force IRIS. “These ransomware campaigns weren’t nearly as lucrative as [attackers] hoped.” The very public aftermath of infections, such as those that locked up patient healthcare records, also spurred many organizations to update and secure their systems, reducing the pool of targets.
“I always found ransomware a little bit odd, like why do I want to shut that system down completely and hope to get some sort of monetary gain out of it? … Keeping that system running would benefit me longer,” says Kuhn.
And monetizing running systems is exactly what cryptojackers are doing. “I’m using your system, your electricity, your computing power,” says Kuhn. Cryptojackers are also choosy about the currency they are illicitly mining: “We have seen small cases of Litecoin out there, a little bit of Bitcoin, but a large portion is Monero,” notes Kuhn, explaining that’s because the algorithm used to generate Monero is designed to run on CPUs, rather than the GPUs or custom architectures commonly used to mine, say, Bitcoin, so cryptojackers are more likely to find hardware suited to their needs.
Two other trends in the Threat Intelligence Index are of particular note: changes in how attackers are getting into systems, and who they are targeting.
To get into systems, rather than slipping malware into systems or exploiting bugs such as Heartbleed, attackers are increasingly simply taking advantage of network-enabled administration tools that either haven’t been secured or are misconfigured. Such tools are becoming more and more common as services migrate to the cloud. In effect, attackers are entering through doors that haven’t been closed, rather than having to pick locks.
Online services are often “complex to configure, and they are complex to secure. A lot of organizations just aren’t taking those extra measures and steps to configure those things properly. We see a lot of storage containers online that get compromised quite easily, that’s a big reason that a lot of people’s personal information got leaked in the last few years,” says Kuhn.
Inexperience with dealing with threats is also probably why attackers are increasingly going after airlines and other companies working in the transportation sector. Transportation is now the second most attacked sector, not far behind finance and insurance. But the finance and insurance sector have long been accustomed to such targeting, and as a result their systems and IT staff tend to be battle-hardened. Not so transportation, which last year was at number 10 in the Threat Intelligence Index’s list of targeted sectors.
“I think it’s kind of a weak spot [attackers] are poking at” to get access to personal information about members of the public, says Kuhn. And while these kinds of breaches are worrying in themselves, they could be harbingers of worse things to come. If attackers “can get public records so readily from [for example] the airline industry, what other systems do [airlines] have that might be vulnerable as well?” says Kuhn.