Cyber-Attackers Using Legitimate Tools, Symantec Reports

According to Symantec, attackers are increasingly "living off the land," using email, macros and Powershell to exploit end users.

Symantec ISTR

Symantec released the latest edition of its Internet Security Threat Report (ISTR) on April 26, providing insight into security trends over the course of the past year. Among the big trends noted by Symantec in the 77-page report is a sharp increase in politically motivated attacks as well as an increase in ransomware payouts.

"Traditionally, most of the big attacks in any given year are economic espionage, and this past year they all seem to be politically motivated," Kevin Haley, director of Symantec Security Response, told eWEEK.

Among the political attacks discussed in the report is the Shamoon disk-wiping malware that attacked organizations in the Middle East, as well as attacks against the Democratic National Committee (DNC). 

"Cyber-attacks seem to be politics by other means now," Haley said.

Email is now a primary method for attack delivery, according to Symantec. Haley said that in 2016, Symantec reported a 30 percent year-over-year drop in the volume of web-based attacks, as email attacks have risen. In 2016, one out of every 131 emails had malware in it, up from one in 220 in 2015.

"Attackers are taking advantage of social engineering and the ability to fool people," Haley said. "Email attacks are cheap, easy and they work."

Among the many popular attacks that can be delivered via email is ransomware, which is a 2016 security trend that multiple security vendors have made note of. Security firm SentinelOne claimed in a November 2016 report that 50 percent of organizations have responded to a ransomware campaign. Symantec reported 463,841 ransomware detections in 2016, up from 240,665 in 2015.

Not only has the volume of ransomware detection risen, so too has the average ransomware payout from $294 in 2015 up to $1,077 in 2016.

"We think the ransomware amount rose because so many people are willing to pay the ransom," Halley said. 

Living Off the Land

A big change for Symantec in 2016 was the acquisition of Blue Coat for $4.65 billion, which also brought in new threat research. Haley said that Blue Coat's threat teams added new insights to the ISTR—most notable in the 2016 data is the use of Powershell for malicious attacks. Powershell is a commonly used Microsoft tool for configuration management and task automation; 95 percent of Powershell scripts that Blue Coat looked at were malicious.

"In the report we discuss the notion of living off the land, and it's the idea that attackers this year are using existing IT tools and commonly used programs to attack users," Haley said.

When it comes to Powershell, remediation isn't a simple process, since Powershell is on every Windows machine and is widely used for legitimate purposes. Haley said the same attributes that make Powershell a useful tool for IT users are ones that make it useful to attackers. 

On a similar note, Symantec also observed a return in the use of Microsoft Office macros to attack users. In December 2016, Symantec saw a spike in Office macros, with over 350,000 detections in that month. 

"Macros have come back because the bad guys have figured out how to get end users to turn macros back on," Haley said. 

Symantec has seen a lot of email attacks with Word documents that include some unreadable text in it and is, advising users to enable macros to read the text, he said. As soon as users click to enable the macro, they get infected.

"Better defenses are needed, but the bad guys continue to take advantage of the end users," Haley said.

Haley expects that next year's ISTR will have a greater focus on internet of things (IoT) threats as the risks and attacks continue to rise. "We'll probably be talking in a year about something that none of us anticipated, where attackers have figured out a new way to make money," he said.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.