McAfee Labs Report
Sees Cyberattacks Target Healthcare and Social Media Users
Healthcare Sector
Reports Greatest Number of Security Incidents in 2016 and 2017; Faceliker
Manipulates Facebook Accounts to Promote News Websites and Other Content
NEWS HIGHLIGHTS
· McAfee Labs sees healthcare account for 26% of
Q2 2017 security incidents
· New malware samples leaped 67% in Q2, in part
due to surge in Faceliker activity
· Mobile malware grew 61% over the past four
quarters
· Global infections of mobile devices rose by
8%, led by Asia with 18%
· Mac OS malware growth declined to 4% as adware
surge subsides
· New macro malware rose by 35%, while new
ransomware grew 54%
Singapore, September 26, 2017 – McAfee
Inc. today released its McAfee Labs Threats Report:
September 2017, which examines the rise of
script-based malware, suggests five proven threat hunting best practices, provides
an analysis of the recent WannaCry and NotPetya ransomware attacks, assesses
reported attacks across industries, and reveals growth trends in malware,
ransomware, mobile malware, and other threats in Q2 2017. McAfee Labs saw
healthcare surpass public sector to report the greatest number of security
incidents in Q2, while the Faceliker Trojan helped drive the quarter’s 67% increase
in new malware samples from the social media landscape.
The second quarter of 2017 saw Facebook
emerge as a notable attack vector, with Faceliker accounting for as much as
8.9% of the quarter’s 52 million newly detected malware samples. This Trojan
infects a user’s browser when she visits malicious or compromised websites. It
then hijacks her Facebook “likes” and promotes the content without her
knowledge or permission. Doing so at scale can earn money for the malicious
parties behind Faceliker given the hijacked clicks can make a news article,
video, website or ad appear more popular or trusted than it truly is.
“Faceliker leverages and manipulates the social media and app based
communications we increasingly use today,” said Vincent Weafer, Vice President
for McAfee Labs. “By making apps or news articles appear more popular, accepted
and legitimate among friends, unknown actors can covertly influence the way we
perceive value and even truth. As long as there is profit in such efforts, we
should expect to see more such schemes in the future.”
McAfee Labs’ quarterly analysis of
publicly disclosed security incidents found public sector to be the most
impacted North American sector over the last six quarters, but healthcare
overtook it in Q2 with 26% of incidents. While overall healthcare data breaches
are most likely the result of accidental disclosures and human error,
cyberattacks on the sector continue to increase. The trend began the first
quarter of 2016 when numerous hospitals around the world sustained ransomware
attacks. The attacks paralyzed several departments and, in some cases, the
hospitals had to transfer patients and postpone surgeries.
“Whether physical or digital, data
breaches in healthcare highlight the value of the sensitive personal
information organizations in the sector possess,” Weafer continued. “They also
reinforce the need for stronger corporate security policies that work to ensure
the safe handling of that information.”
Q2 2017 Threat Activity
In the second quarter of 2017, the
McAfee Labs Global Threat Intelligence network registered notable trends in
cyber threat growth and cyberattack incidents across industries:
· Security incidents. McAfee Labs counted 311 publicly disclosed security incidents in
Q2, an increase of 3% over Q1. 78% of all publicly disclosed security incidents
in Q2 took place in the Americas.
· Vertical industry targets. The health, public, and education
sectors comprised more than 50% of total incidents in 2016-2017 worldwide.
o North America. Health sector attacks led vertical
sectors in Q2 security incidents in the Americas.
o Asia Pacific. In Asia, the public sector led in
reported Q2 incidents, followed by financial services and technology.
o Europe, Middle East and Africa. In Europe, the public sector led the
sectors substantially in Q2, followed by entertainment, health, finance, and
technology.
· Attack vectors. Account hijacking led disclosed attack
vectors, followed by DDoS, leaks, targeted attacks, malware, and SQL injections.
· Malware overall. New malware samples leaped up in Q2 to
52 million, a 67% increase. This Q2 rise in new malware is in part due to a
significant increase in malware installers and the Faceliker Trojan. The latter
accounted for as much as 8.9% of all new malware samples. The total number of
malware samples grew 23% in the past four quarters to almost 723 million
samples.
· Ransomware. New ransomware samples again increased sharply in Q2, by
54%. The number of total ransomware samples grew 47% in the past four quarters
to 10.7 million samples.
· Mobile malware. Total mobile malware grew 61% in the
past four quarters to 18.4 million samples. Global infections of mobile devices
rose by 8% in Q2, with Asia again leading the regions with 18%.
· Mac malware. With the decline of a glut of adware, Mac OS malware has
returned to historical levels, growing by only 27,000 in Q2. Still small
compared with Windows threats, the total number of Mac OS malware samples
increased by just 4% in Q2.
· Macro malware. New macro malware rose by 35% in Q2.
91,000 new samples raised the total overall sample count to 1.1 million.
· Spam campaigns. The botnet Gamut again claims the top
rank in volume during Q2, continuing its trend of spamming job-related junk and
phony pharmaceuticals. The Necurs botnet was the most disruptive, pushing
multiple pump-and-dump stock scams during the quarter.
For more information on these threat
trends and statistics, please visit www.mcafee.com for
the full report and infographic.
Upon Further Review: WannaCry and NotPetya
McAfee’s analysis of the WannaCry and NotPetya attacks builds on the
organization’s previous research by providing more insight into how the
attacker creatively combined a set of relatively simple tactics, melding a
vulnerability exploit, proven ransomware, and familiar worm propagation. McAfee
notes that both attack campaigns lacked the payment and decryption capabilities
to successfully extort victims’ ransoms and unlock their systems.
“It has been claimed that these
ransomware campaigns were unsuccessful due to the amount of money made,” said
Raj Samani, Chief Scientist for McAfee. “However, it is just as likely that the
motivation of WannaCry and NotPetya was not to make money but something else.
If the motive was disruption then both campaigns were incredibly
effective. We now live in a world in which the motive behind ransomware
includes more than simply making money, welcome to the world of
pseudo-ransomware.”
For more on these takeaways, please visit our blog
titled “More Effective at Destruction than
Ransomware.”
The Rise of Script-Based Malware
McAfee researchers also profile the
notable increase in script-based malware over the last two years. PowerShell, a
Microsoft scripting language, is used to automate administration tasks such as
running background commands, checking services installed on the system,
terminating processes, and managing configurations of systems and servers.
Malicious PowerShell scripts usually arrive on a user’s machine through spam
emails, gaining a foothold through social engineering rather than software
vulnerabilities, and then leveraging the scripts’ capabilities to compromise the
system.
The script-based malware trend also
includes the weaponization of JavaScript, VBScript, and other types of
non-executable modules using .doc, PDF, .xls, HTML, and other benign standards
of personal computing.
Threat Hunting Best Practices
The September report also suggests techniques to help threat hunters spot the
presence of adversaries in their environment. Starting with the principles of
what McAfee’s Foundstone group calls the “three big knows”—“know the enemy,
know your network, know your tools”—the report offers best practices for
hunting for command and control, persistence, privilege escalation, lateral
movement, and exfiltration.
“One underlying assumption is that, at
every moment, there is at least one compromised system on the network, an
attack that has managed to evade the organization’s preventive security
measures,” said Ismael Valenzuela, Principal
Engineer, Threat Hunting and Security Analytics at McAfee. “Threat
hunters must quickly find artifacts or evidence that could indicate the
presence of an adversary in the network, helping to contain and eliminate an
attack before it raises an alarm or results in a data breach.”
For guidance on how organizations can
better protect their enterprises from the threats detailed in this quarter’s
report, visit Enterprise Blog.
About McAfee Labs
McAfee Labs is one of the world’s
leading sources for threat research, threat intelligence, and cybersecurity
thought leadership. With data from millions of sensors across key threat
vectors—file, web, and network—McAfee Labs delivers real-time threat
intelligence, critical analysis, and expert thinking to improve protection and
reduce risks. McAfee Labs also develops core threat detection technologies that
are incorporated into the broadest security product portfolio in the industry.
About McAfee
McAfee is one of the world’s leading independent cybersecurity companies.
Inspired by the power of working together, McAfee creates business and consumer
solutions that make the world a safer place. www.mcafee.com