Symantec Warns of Shifting Threat Landscape as Formjacking Risk Grows

eWEEK DATA POINTS: Attackers are constantly adjusting tactics in order to gain the upper hand and exploit users and organizations, but what were the key threats and trends of the past year?

Symantec ISTR

Cyber-security threats are not static and change from year to year as both attackers and defenders shift tactics.

Symantec released its latest Internet Security Threat Report (ISTR) on Feb. 19, providing an overview of the threat landscape. The 61-page report reveals a number of changes in the threat landscape, including a move toward an attack known as formjacking, where hackers take over online forms and steal user information, including payment card details. The report also outlines the changing landscape for ransomware attacks, which are on the decline overall, though ransomware attacks against enterprises are on the rise.

"The increase in ransomware attacks against businesses was a surprise," Kevin Haley, director, Symantec Security Response, told eWEEK. "We were aware of the overall downward trend in ransomware attacks, but this increase flies in the face of that trend but highlights that attackers go where the money is."

In this eWEEK Data Points article, we take a look at some of the key trends identified in the Symantec ISTR Volume 24 report.

Data Point No. 1: Ransomware attackers are shifting focus.

Overall, Symantec found a 20 percent decline in the volume of ransomware detections in 2018. The decline in infections is the first time since 2013 that Symantec has reported a yearly downturn in the volume of ransomware. 

Ransomware infections found in enterprises however grew by 12 percent in 2018 as attackers have taken aim at organizations rather than just individuals. Prior to 2017, individuals accounted for the majority of ransomware infections, while in 2018, organizations accounted for 81 percent of all ransomware infections. Symantec attributes part of the shift in ransomware to the decline of exploit kit activity, which was an important delivery mechanism for ransomware.

"During 2018, the chief ransomware distribution method was email campaigns," the report states. "Enterprises tend to be more affected by email-based attacks since email remains the primary communication tool for organizations."

Data Point No. 2: Cryptojacking attacks continuing to grow.

Unauthorized cryptocurrency mining software, known as "cryptojacking," was one of the breakout threats of 2017, but it's a trend that continued into 2018.

Symantec reported that it blocked nearly 69 million cryptojacking attempts in 2018, which is a 400 percent increase over 2017. That said, as the value of cryptocurrency declined precipitously over the course of 2018, so too did the volume of attacks. There was a 52 percent drop in the overall number of cryptojacking events between January and December 2018 as the value of the Monero cryptocurrency declined by 90 percent.

Data Point No. 3: Formjacking was the breakthrough threat of 2018.

While cryptojacking and ransomware attacks have been ongoing for multiple years, the big breakthrough threat of 2018, according to Symantec, came from formjacking.

With formjacking attacks, malicious code is injected into a form that enables an attacker to siphon payment card and other information. Symantec found that in 2018, an average of 4,800 websites were compromised every month with formjacking attacks. Large formjacking attacks during the year were often attributed to Magecart, including attacks against British Airways and Ticketmaster.

"Magecart is an actor or group of actors who have figured out how to make money with this attack," Haley said. "They will be a model for those to follow."

Data Point No. 4: Living off the land attacks are here to stay.

The concept known as "living off the land" for attackers involves the use of regular tools, such as Microsoft PowerShell, to exploit users and systems.

In 2018, Symantec reported that it blocked 115,000 malicious PowerShell scripts every month, representing a 1,000 percent year-over-year increase. Additionally, Symantec found that Microsoft Office files account for 48 percent of all malicious email attachments, up from only 5 percent in 2017.

Data Point No. 5: Cloud storage security is a real weakness for many organizations.

While attackers actively attempt to exploit users, another key risk comes from organizations that leave cloud storage assets unprotected.

Symantec reported that over 70 million records were leaked or stolen in 2018 due to misconfigured cloud storage buckets on Amazon's S3 service.

"There are numerous tools widely available which allow potential attackers to identify misconfigured cloud resources on the internet," Symantec's report states. "Unless organizations take action to properly secure their cloud resources, such as following the advice provided by Amazon for securing S3 buckets, they are leaving themselves open to attack." 

Data Point No. 6: Looking forward to 2020, expect more IoT attacks.

One of the things that Symantec expects will change in the coming year is a shift in internet of things (IoT) attacks. Haley said Symantec expects that among the changes will be the types of devices that are infected. 

"As 5G becomes adopted, it takes IoT devices out from behind the router and makes them directly attackable by the bad guys," Haley said.

Additionally, given the precedent set by the VPNfilter attack in 2018 that infected over 500,000 devices, Symantec expects that more sophisticated attacks against IoT will emerge, both in terms of how devices are exploited and what the attacks can do.  

"It’s time for people managing operational systems and industrial control systems to really start paying attention to security," Haley said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.