Virtualization Technology News and Information
Trustwave 2019 Predictions: Exploit Kits and Carbanak/Fin7 activity will rise again

Industry executives and experts share their predictions for 2019.  Read them in this 11th annual series exclusive.

Contributed by Brian Hussey, VP of Cyber Threat Detection and Response, Trustwave SpiderLabs

Exploit Kits and Carbanak/Fin7 activity will rise again

In 2019, hackers will utilize the power of AI to supercharge exploit kits and go after bigger phishing targets. And Carbanak/Fin7, one of the most notorious cyber gangs, will set their sights on the hospitality industry.

1.       The value of cryptocurrencies will drive growing cryptominer activity - We are seeing cryptominers everywhere. These are relatively low-impact events but can cause service disruption, elevated CPU utilization, heat discharge and computation speed reduction. I rate them as a top threat because they are so prevalent right now. Cryptominers are taking attention away from threat actors because of their relatively higher profit margins and lower risk than ransomware, for example. Cryptominers provide a recurring revenue model, versus ransomware, which is a single income event. The escalating value of various cryptocurrencies will have direct impact on driving this threat.

2.       High-profile ransomware events will continue to plague organizations - 2017 was the year of ransomware. It was a massive problem, but it has reduced over time. The ransomware publicity from last year caused many corporations to invest in backup solutions that mitigate the impact of a ransomware event, or a quality Endpoint Detection and Response (EDR) solution, which effectively eliminates the risk. Less companies are susceptible to ransomware and less are paying up. However, there were still several high-profile ransomware events in 2018 - which is why ransomware remains towards the top of my list. Though overall, I predict continued impact reduction of ransomware threats in the coming years, there are enough companies running lax security practices that still makes ransomware profitable.

3.       APTs Will Cause Widespread Disruption and Destruction - As political tensions continue to rise globally, look for an increase in nation-state sponsored advanced persistent threats (APTs) targeting government institutions, large enterprises and critical infrastructure. Highly capable and politically motivated hacking groups largely stemming from the Eastern European and Asia Pacific regions have built their reputations through well publicized attacks, such as NotPetya activity in eastern Europe, and destructive APT38 attacks sourced in Asia and launched across the globe. These attacks are unique in the nation-state sponsored APT world because they focus on mass destruction rather than covert theft of data. What makes these actors especially dangerous is they have the motivation, financial backing, technical ingenuity, and unlimited time to compromise even the most hardened perimeter defense.

4.       Recent updates to exploit kits, such as AI capabilities, will give hackers the power to automate phishing - Phishing (spear-phishing, whaling, vishing) are attacks as old as email. Phishing targets the weakest link in any security infrastructure - the human. This is still the most common attack vector that we see in all investigated attacks, by a wide margin. Of the 60+ threat actor groups that we actively track, nearly all of them use phishing (along with many others) as an infection vector. Recent updates to exploit kits, specifically natural language and artificial intelligence capabilities, has made the automation of highly convincing and unique social engineering emails a very simple process. Meaning, an attacker can upload a file with one million email addresses and can automate the creation of effective and unique phishing messages to send out to victims.

5.       Carbanak/Fin7 activity will continue to rise in 2019, targeting payment card data in the hospitality and retail sectors - In March of 2017 the FBI, along with international law enforcement partners, executed arrests of several Carbanak cyber gang members, whose malicious activity had resulted in over $700 Million in losses. This investigation was started by a whitepaper produced by Trustwave SpiderLabs titled "Operation Grand Mars" and we worked closely with the FBI throughout the investigation. This was great progress by law enforcement and had some impact on Carbanak activity. However, this cyber gang is so prevalent that I do not anticipate a significant change in its operations in 2019. Back in 2015 the Russian FSB arrested 55 of its members, but those arrests resulted in almost no operational impact. At the time, Carbanak was focused on bank theft (i.e. the famous billion-dollar bank heist of 2015), but now they are equally and actively targeting retail and hospitality sectors, specifically for payment card data. We'll see additional targeted activity from them in 2019.


About the Author


Brian Hussey, Vice President of Cyber Threat Detection & Response at Trustwave SpiderLabs

Brian Hussey leads incident response and readiness, forensic investigations, cyber threat hunting, operationalization of cyber threat intelligence, and MDR (Managed Detection and Response) services. Prior to joining Trustwave, Mr. Hussey led an advanced analytical unit within the FBI tasked with computer forensics for major crimes, network intrusions, malware analysis, counter-terror, and counter-intelligence cyber investigations. He has also acted as an expert witness against cyber mafia, and international credit card fraudsters. He was the primary designer of the FBI's advanced technical analysis training for network intrusion and malware analysis. He has delivered this training for special agents in FBI field offices across the United States, as well as internationally for cyber units within police forces in Ukraine, Estonia, Lithuania, Latvia, Japan, Germany, Moldova and others. He is also an adjunct Professor of Computer Forensics for George Mason University in the Master of Computer Forensics Program. He is President of the International Fraternity of Cybercrime Investigators (IFCI)

Published Friday, December 14, 2018 7:45 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<December 2018>