The second half of 2017 was busy in terms of digital security events. In September, consumer reporting agency Equifax announced a breach that potentially compromised the Social Security Numbers and other personal information of 143 million U.S. consumers. Less than two months later, organizations in Russia and Ukraine suffered infections at the hands of BadRabbit, the third international ransomware outbreak of the year. 2017 ended with Check Point’s announcement that a cryptocurrency miner had, for the first time, topped its monthly Global Threat Index.

These are just some of the security incidents that shaped H2 2017. To get a more comprehensive view of those six months, Check Point drew data from its ThreatCloud collaborative intelligence network to produce the H2 2017 Global Threat Intelligence Trends Report. The report synthesizes information from 250 million addresses analyzed for bot discovery, 11 million malware signatures, and 5.5 million infected websites to shed light on the most prevalent malware families and other digital threats that defined the second half of the year.

Here are some of the report’s major findings.

Global Trends

Several notable trends emerged from Check Point’s ThreatCloud data for the second half of 2017. One of the most significant was the rise of cryptocurrency miners. Maya Horowitz, threat intelligence group manager at Check Point, comments on this movement:

“The second half of 2017 has seen crypto-miners take the world by storm to become a favorite monetizing attack vector. While this is not an entirely new malware type, the increasing popularity and value of cryptocurrency has led to a significant increase in the distribution of crypto-mining malware.”

Indeed, what made cryptocurrency miners stand out in H2 2017 was the injection of mining scripts (knowingly or unknowingly) into websites without notifying users.
Some organizations might have embraced this practice to replace web advertisements in the age of ad-blockers. In doing so, however, they often consumed more than half of the CPU on unsuspecting visitors’ machines. Check Point estimates that one in five organizations were victims (or adopters) of cryptocurrency miner injection in December 2017.

While cryptocurrency miners surged over the second half of the year, exploit kit use declined. Several factors drove this decline, including new security mechanisms introduced by web browsers and the growing difficulty of obtaining zero-day vulnerabilities before they are sold on the dark web. Many exploit kits therefore fell back on older flaws already patched by software vendors, which reduced both the number of drive-by attacks and the development of new kits.

Cryptocurrency miners weren’t the only threat to have a better six months than exploit kits. So did spam operations and malspam: 62% of infections in H2 2017 arrived over SMTP. That channel also attracted more skilled threat actors running higher-quality campaigns that combined new vulnerabilities with less familiar attachment types such as .xlam (Excel macro-enabled add-ins) and .xlb (Excel toolbar files). Here’s a breakdown of malicious file type activity in the second half of the year:
[Figure: malicious file type activity in H2 2017, from Check Point’s H2 2017 Global Threat Intelligence Trends Report, page 5]

Last but not least, multiple malware families emerged in H2 2017 that reuse code from already successful threats. For example, two Internet of Things (IoT) botnets, IoTroop and Satori, borrowed code from Mirai to stake their claim in the threat landscape. IoTroop in particular compromises vulnerable smart devices by scanning for known vulnerabilities rather than using Mirai’s brute-force attack on default credentials.

The Most Prevalent Families

Check Point’s report also ranks the most prevalent malware families in several categories. Those rankings are presented below.

Top Malware Families (Overall)

Roughted (15.3%) – A large-scale malvertising campaign that spiked in May and peaked in June, affecting organizations in over 150 countries. The threat then fell by roughly a third, from 28% of corporate networks affected to 18% a month later.

CoinHive (8.3%) – A browser-based miner of the Monero cryptocurrency. CoinHive launched in September 2017 and quickly grew in popularity, becoming the “most wanted” malware on Check Point’s Global Threat Index for December 2017.

Locky (7.9%) – A crypto-ransomware family that first emerged in February 2016. It has since climbed back into the top malware ranks after dropping out in H1 2017.

Top Ransomware Families

Locky (30%) – Spreads mainly via spam emails carrying a downloader disguised as a Word or Zip attachment. The downloader, in turn, drops the Locky crypto-malware, which encrypts the user’s files.

Globeimposter (26%) – A ransomware family that first emerged in May 2017. It relies on spam campaigns, malvertising, and exploit kits for distribution. Upon encryption, the threat appends the .crypt extension to each encrypted file.

WannaCry (15%) – Ransomware that enjoyed a global outbreak in May 2017. It spreads by exploiting a Windows SMBv1 vulnerability (patched by Microsoft in MS17-010 two months earlier), allowing it to move laterally within and between corporate networks.
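The cryptojacking finding above (miner scripts injected into sites, often eating more than half of a visitor's CPU, with CoinHive topping the December index) raises a practical question: how do you tell whether a page you serve or visit carries one? The script below is an added example written for this article, not code from Check Point or from the report. It pulls every script tag out of a page, flags external libraries loaded from a small indicator list, and looks inside inline scripts for the miner constructor and its throttle setting. The host list and the sample page are constructed for the example; the coinhive.com domain, the CoinHive.Anonymous/User constructor names, and the meaning of the throttle option (the fraction of time the worker threads stay idle) are the ones CoinHive itself documented, but a real deployment would replace the list with a maintained feed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator list constructed for this example; any real deployment would
# replace it with a maintained feed of miner-hosting domains.
MINER_SCRIPT_HOSTS = {"coinhive.com", "coin-hive.com", "authedmine.com"}

# Inline-script patterns: the CoinHive miner constructor, and the "throttle"
# option, which in CoinHive's API is the fraction of time the workers idle.
MINER_API_PATTERN = re.compile(r"new\s+CoinHive\.(?:Anonymous|User)\s*\(")
THROTTLE_PATTERN = re.compile(r"throttle\s*:\s*(0?\.\d+|[01])")


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _host_matches(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS)


def find_miner_scripts(html):
    """Return findings: external miner libraries and inline miner invocations."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        # Relative paths such as "/static/app.js" have no host and never match.
        host = urlparse(src).hostname or ""
        if _host_matches(host):
            findings.append({"kind": "external", "host": host, "evidence": src})
    for body in collector.inline:
        api = MINER_API_PATTERN.search(body)
        if not api:
            continue
        throttle = THROTTLE_PATTERN.search(body)
        findings.append({
            "kind": "inline",
            "evidence": api.group(0),
            "throttle": float(throttle.group(1)) if throttle else None,
        })
    return findings


def estimated_cpu_share(finding):
    """Rough share of the visitor's CPU an inline miner asks for: throttle is
    idle time, and a missing throttle means the miner runs at full speed."""
    throttle = finding.get("throttle")
    return 1.0 if throttle is None else round(1.0 - throttle, 2)


# Constructed sample page: one legitimate script, one miner library, and an
# inline invocation that leaves the visitor's CPU 80% busy.
SAMPLE_PAGE = """<html><head><title>News</title>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body><p>Article body</p>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.2});
  miner.start();
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_miner_scripts(SAMPLE_PAGE):
        extra = estimated_cpu_share(finding) if finding["kind"] == "inline" else ""
        print(finding, extra)
```

Running it against the sample page reports the external library and the inline invocation, with an estimated CPU share of 0.8 for the latter. The same check is what a site owner would run against their own pages after a compromise of a third-party script or advertising tag, since the report notes many injections happened without the site operator's knowledge.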
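The malspam findings above (62% of infections over SMTP, attackers moving to attachment types like .xlam and .xlb, and Locky arriving as a downloader disguised as a Word or Zip attachment) are the kind of thing a mail gateway can triage before a user ever sees the message. The following is an added example written for this article, not code from Check Point or from any product the report names. It parses a message with the standard library, inspects each attachment's extension and first bytes, lists zip members without extracting them, and flags the patterns the report describes: rarely legitimate extensions, archives wrapping a script, Office Open XML files carrying a VBA project, and a script hiding behind a document-looking double extension. The extension lists and the sample message (a zipped JavaScript downloader, a macro-bearing .xlam, and a harmless text file) are constructed for the example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Policy lists constructed for this example; a production gateway would tune
# them to its own traffic. .xlam and .xlb are the Excel add-in and toolbar
# formats the report calls out; the rest are common script/executable types.
RISKY_EXTENSIONS = {".xlam", ".xlb", ".js", ".jse", ".vbs", ".wsf", ".hta", ".scr", ".exe"}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm"}
DOCUMENT_LOOKALIKES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # .zip and Office Open XML


def _ext(name):
    parts = name.lower().rsplit(".", 1)
    return "." + parts[1] if len(parts) == 2 else ""


def _zip_members(data):
    # Only the directory is read; nothing is extracted, so a hostile archive
    # cannot expand on the gateway. Returns None if the archive is unreadable.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def triage_attachment(filename, data):
    """Return a verdict for one attachment based on its name and first bytes."""
    reasons = []
    ext = _ext(filename)
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"extension {ext} is rarely legitimate in mail")
    stem_ext = _ext(filename[: -len(ext)]) if ext else ""
    if stem_ext in DOCUMENT_LOOKALIKES and ext in RISKY_EXTENSIONS:
        reasons.append("double extension disguises a script as a document")
    if data.startswith(ZIP_MAGIC):
        members = _zip_members(data)
        if members is None:
            reasons.append("zip header but unreadable archive")
        elif any(m.lower() == "[content_types].xml" for m in members):
            # Office Open XML package: a vbaProject.bin part means embedded VBA
            if any(m.lower().endswith("vbaproject.bin") for m in members):
                reasons.append("Office document carries a VBA macro project")
        else:
            if ext != ".zip":
                reasons.append(f"zip content behind a {ext or 'missing'} extension")
            for m in members:
                if _ext(m) in RISKY_EXTENSIONS or _ext(m) in MACRO_EXTENSIONS:
                    reasons.append(f"archive member {m} is a script or macro file")
    elif data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE2 Office file; can embed VBA macros")
    return {"filename": filename, "verdict": "block" if reasons else "allow", "reasons": reasons}


def triage_message(raw_bytes):
    """Triage every attachment of an RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        results.append(triage_attachment(name, data))
    return results


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message():
    """Constructed lure in the style the report describes for Locky: a zipped
    script downloader, a macro-bearing Excel add-in, and one harmless file."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice 8841"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(_zip_bytes({"Invoice_8841.js": b"// downloader stub"}),
                       maintype="application", subtype="zip", filename="Invoice_8841.zip")
    msg.add_attachment(_zip_bytes({"[Content_Types].xml": b"<Types/>",
                                   "xl/workbook.xml": b"<workbook/>",
                                   "xl/vbaProject.bin": b"\x00"}),
                       maintype="application", subtype="octet-stream", filename="Q4_report.xlam")
    msg.add_attachment("Nothing to see here.", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for result in triage_message(build_sample_message()):
        print(result)
```

Against the sample message the zip and the .xlam are blocked with the reasons listed, and notes.txt is allowed. The checks deliberately never trust the declared Content-Type or the extension alone: the file's leading bytes decide whether it is an archive or an OLE container, which is what catches a script zipped under an invoice name or a macro project inside a package.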