CYBERTHREATSCAPEREPORT 2018MIDYEAR CYBERSECURITYRISK REVIEW
CONTENTSEXECUTIVE SUMMARYWhat’s inside?WHAT’S HAPPENING?5Iranian threat is a growingforce to be reckoned with12Extended supply chain threats arechallenging the ecosystem27Critical infrastructure is a high-valuetarget for threat actors32Advanced persistent threats arebecoming more financially motivated38Miner malware is creatinga cryptocurrency surge48PROACTIVE DEFENSE59APPENDIX61ABOUT THE REPORT622 CYBER THREATSCAPE REPORT 2018
EXECUTIVE SUMMARYWhen Accenture Security asked CISOs about the risks they face,71 percent of respondents said cyberattacks are still a “bit of ablack box; we do not quite know how or when they will affect ourorganization,” a rise of 5 percent over the year.1 In a more recentstudy, only 13 percent of organizations consider future threatswhen drawing up their security budgets.2 These responses point toa clear need for more effective use of actionable threat intelligence.71% OF RESPONDENTS SAIDCYBERATTACKS ARE STILL A“BIT OF A BLACK BOX; WE DONOT QUITE KNOW HOW ORWHEN THEY WILL AFFECT OURORGANIZATION.”Accenture Security iDefense threat intelligence analysts were notsurprised to learn that 71 percent of organizations are still growing andexpanding their knowledge of cyberattacks, hacktivist activities, cyberespionage, and other cyber threats. Organizations need to enhancetheir threat intelligence capabilities to stay ahead of cyber threats,not just activate their incident response plans when their network isbreached. They need to expand their team’s research capabilities,their ability to provide strategic insights, and grow their use of cyberresearch tools and technologies. Organizations must focus on buildinga data-driven approach fueled by threat intelligence to better anticipatepotential attacks and develop a more proactive security posture for theirbusinesses based on strategic, operational and tactical demands:3 CYBER THREATSCAPE REPORT 2018
Executive summary Strategic—gaining the intelligence that informs decisions onpolicy, executive decisions and plans Operational—creating intelligence that informs decisions onchoosing how to handle and respond on a day-to-day basis Tactical—having the intelligence to inform decisions on how totechnically and specifically execute operationsOrganizations should stay as current as possible on both the broaderthreat landscape and the specific threats that adversaries pose as theyrelate to the enterprise environment (Figure 1).FIGURE 1Strategic, operational and tactical threat intelligence issues and benefits4 CYBER THREATSCAPE REPORT 2018
Executive summaryWhat’s inside?Cyber threat actors and threat groups are continuously networking, researching,and testing out new tactics, techniques, and procedures (TTPs). They are alsoalways looking for new ways to disrupt operations, make money, or spy on theirtargets. iDefense threat intelligence analysts have observed multiple tactical shiftsin terms of victim network targeting, use of attack tools and technologies, and useof up-and-coming monetary vehicles to attain maximum return on investment (ROI).In the 2017 mid-year Cyber Threatscape Report, we discussed the continueddevelopment of Iran’s cyber-espionage programs and influence operations. Theexpectations of growth in Iran’s cyber-espionage activity described in that reporthave been realized. The threats posed by Android malware and ransomwaredeveloped in Iran and used by actors located in Iran are growing and expandingbeyond levels seen prior to the past year. It is not just threat actors located in Iranfrom which iDefense threat intelligence is seeing more activity; threat actors andthreat groups across the globe are broadening their attack scope. They are not justdirectly attacking chosen targets with spear-phishing campaigns and vulnerabilityexploitation; they are looking to reach their targets via the networks of third- orfourth-party supply chain partners by exploiting weaknesses in less moderntechnologies, or by attacking Internet of Things (IoT) and Industrial Internet ofThings (IIoT) technologies—in the oil and natural gas industry, in particular—thatwere not originally designed with cyber defense in mind. The convergence ofinformation technology (IT) and operational technology (OT) is opening doors toadversaries to disrupt operations, deploy crypto-mining malware, or to conductdeep-seated espionage operations.Although the attribution of attacks is improving, and arrests have been made,when one cyber criminal is captured, a new one quickly emerges. Cyberdefenders must continue to be vigilant and pivot their defense patterns quicklyto meet the evolving attack vectors. Our observations, explored in detail in thisreport, identify key areas for concern:5 CYBER THREATSCAPE REPORT 2018
Executive summaryIRANIAN THREATIS A GROWING FORCE TO BE RECKONED WITHIran-based threat actors and threat groups are likely to continue to growtheir malicious activities and capabilities in the foreseeable future.iDefense threat intelligence analysts have uncovered evidence that thenumber of nation-state-sponsored cyberattacks has grown, and this islikely to continue. iDefense threat intelligence indicates that the Iraniangovernment and hacktivists located in Iran pose a disruptive or destructivecyber threat against the United States, Europe, and the Middle East. Iranwill likely focus much of its attention on other Middle Eastern nations;however, Iran-based threat actors have the potential to pivot their attacksto other nations, consumers, or businesses. Organizations, businesses,and governments should not ignore the Iran-based threat; they shouldproactively build resilience against it, especially against Android-basedmalware and ransomware, as Iran-based threat actors will likely use these astheir cyber weapons of choice.The attack surface for threat actors and threat groups growing andexpanding. iDefense threat intelligence has been closely tracking thegrowth in number and types of Android-platform-specific malware. Threatactors are capitalizing on unofficial or third-party Android applicationmarketplaces as their key destinations for malicious application deliveryusing obfuscation techniques. Threat actors also regularly attempt todisseminate malicious applications through the official Google Play Storeto appear legitimate and reach a larger installation base.The development and use of ransomware from Iran is likely to continue.The increased repurposing of popular malware by Iranian actors couldlead to the use of ransomware for destructive purposes by statesponsored organizations.6 CYBER THREATSCAPE REPORT 2018
Executive summaryEXTENDED SUPPLY CHAIN THREATSARE CHALLENGING THE ECOSYSTEMOrganizations should think beyond the enterprise to the fullecosystem. Future enterprises might conduct business electronicallywith hundreds or even thousands of suppliers and partners aroundthe world, each of which can expose such companies to cyberattacks.Organizations should work with their ecosystem partners to jointlyprotect themselves. Today, however, only 39 percent of companiessay that the data exchanged with strategic partners or third partiesis adequately protected by their cybersecurity strategy.Cyber adversaries have slowly shifted their attack patterns toexploiting third- and fourth-party supply chain partner environments togain entry to target systems, even in verticals with mature cybersecuritystandards, frameworks, and regulations.Organizations operate in a complex and challenging environment.During the past few months, we have collected intelligence on recentcampaigns that highlight the challenges of combatting weaponizedsoftware updates, prepackaged devices, and supplier ecosystems asthese all fall outside the control of victim organizations. iDefense threatintelligence analysts believe cyber criminal, espionage, and hacktivistgroups will continue to target supply chains and the strategic businesspartners that contribute to them for monetary, strategic, and political gain.7 CYBER THREATSCAPE REPORT 2018
Executive summaryCRITICAL INFRASTRUCTUREIS A HIGH-VALUE TARGET FOR THREAT ACTORSNation-state-sponsored, hacktivist-driven, and other adversarydriven attacks on IIoT systems are increasing in the utilities, oil andnatural gas (ONG), and manufacturing industries. iDefense threatintelligence profiled the ONG industry as an example. Adversaries aretaking advantage of the fact that the ONG industry is slowly moving todigitize its IIoT systems. The current cybersecurity procedures do notseem to be fully prepared to meet the rapid convergence rates of IT andOT. In fact, 66 percent of surveyed ONG IT managers said digitizationhas made them more vulnerable to security compromises.3The ONG industry will continue to be an attractive target for threatactors, given the high number of entry points along the value chain,rise of IIoT, and the potential damage or disruption that a cyber incidentcould inflict on the security and economy of a given oil producingcountry. Our analysis indicates that despite the potential increase inthese security vulnerabilities to the OT environment, IT-OT convergencewill continue to grow within the ONG sector.Threats to the ONG industry will continue to broaden. Organizationsneed to adopt a corporate cybersecurity culture that consists ofcontinuous security awareness and training for all employees, IT teams,and OT teams. The IT and OT teams need to build strong collaborativeprocesses and procedures to reduce or prevent future cyber incidents.ONG industry organizations need to hire new talent to manageand support emerging technologies, including artificial intelligence(AI)-based technologies at the upstream level, and should make surethe IT-OT convergence aligns with the priorities and concerns of bothIT and OT departments.8 CYBER THREATSCAPE REPORT 2018
Executive summaryADVANCED PERSISTENT THREATSARE BECOMING MORE FINANCIALLY MOTIVATEDFinancially motivated cyber criminals are stepping up their game.Much reporting on advanced persistent threat (APT) cyberattacksindicates financial attacks are motivated by espionage. Using TTPsakin to their espionage counterparts, groups such as Cobalt Groupand FIN7 have allegedly been targeting large financial institutions andrestaurant chains successfully.FIN7 continues to innovate, with analysts having observed a newversion of the Bateleur malware, version 1.1.0, in April 2018. iDefensethreat intelligence finds that FIN7 has been less active in 2018 than in theprevious year, but this decreased activity does not mean this threat isnot present. The FIN7 malware did not include major upgrades from theprevious version (1.0.8) but instead included only minor changes, such asthe addition of a new network traffic encoding prototype function.Other threat groups have been less active and even dormant. Theleader of the Carbanak and the Cobalt Group was arrested by theSpanish National Police on March 26, 2018. The Cobalt Group becamedormant in March and April 2018 but renewed attacks in May. This mightindicate new threat group leadership. iDefense threat intelligence willcontinue to monitor these groups closely to see how their attacks mightevolve. They might pivot their attention to other industries or other highROI cyberattacks.9 CYBER THREATSCAPE REPORT 2018
Executive summaryMINER MALWAREIS CREATING A CRYPTOCURRENCY SURGECyber criminals have grown their use of cryptocurrency minermalware. It has been one of the largest growth areas in malware in2018, and its growth is likely to continue into 2019. Miner malwarerewards its operators with the cryptocurrency mined on infected hosts,with those victim systems potentially benefiting from rapid fluctuationsin price. Such fluctuations are caused by rampant speculation.Traditionally, miners have sought Bitcoins due to the currency’s wideadoption among cyber criminals and legitimate businesses. iDefensethreat intelligence has documented a radical shift toward miningalternative cryptocurrencies, most notably Monero. Monero can bemore easily and efficiently mined. Tracking Monero transactions is moredifficult than tracking Bitcoin transactions.GDPR can unleash serious risks for businesses acrossthe globe. GDPR has had significant effects on the risk calculationsof organizations holding EU subjects’ data. The risk of data theft andmanipulation from external actors remains high, despite the increasedregulatory burden. iDefense threat intelligence analysts assess it islikely that cyber criminals will try to leverage the threat of GDPRnon-compliance in attempts to extort organizations, especially inthe immediate aftermath of GDPR implementation in May 2018.iDefense threat intelligence analysts have already identified actorsdiscussing how to leverage GDPR as a social engineering lure whencommunicating with target organizations.10 CYBER THREATSCAPE REPORT 2018
Executive summaryRansomware continues to be the most prevalent attack vector forextortion operations, with attacks against organizations doublingfrom 2016 to 2017, rising from 13 percent to 27 percent of all reportedincidents targeting corporations.4 Cyber criminals are innovating theirattack methods and diversifying toward the use of multi-functionalransom malware—encompassing secondary functionality such asminer malware or data exfiltration—to ensure a second layer of possibleprofitability. iDefense threat intelligence analysts predict that targetedattack groups will continue to use ransomware, with threat actorsrepurposing malware advertised on the criminal underground to deflectattribution efforts away from APT groups’ use of destructive malware.Our threat intelligence experts and cyber defenders take greatpride in uncovering cyber adversaries and their tactics, techniquesand procedures (TTPs). We aim to build tactical and strategic threatintelligence for our clients to better defend their networks and makedata-driven business decisions to stay ahead of relevant threats totheir business.The Cyber Threatscape Report 2018 relies on iDefense intelligencecollection, research, and analysis including research using primary andsecondary open-source materials. It covers the increased prevalenceof destructive attacks; the aggressive use of information operationsby nation-states; growth in the numbers and diversity of threat actors;as well as the greater availability of exploits, tools, encryption, andanonymous payment systems available to malicious actors.11 CYBER THREATSCAPE REPORT 2018
WHAT’S HAPPENING?IRANIAN THREAT IS A GROWINGFORCE TO BE RECKONED WITHTopline assessment: Post the Joint Comprehensive Plan of Action (JCPOA)annulment, the Iranian government’s behavior has beendefensive. Unless the country is placed under extremeeconomic pressure, it is unlikely to pose a disruptive ordestructive threat against the United States or Europe.However, Saudi Arabia, the United Arab Emirates, Bahrain,and Israel are more likely to face cyberattacks emanatingfrom Iran. The attack surface pertaining to Android devices, specificallyin Iran and other countries where update adoption is low,will continue to expand. Unofficial and third-party Androidapplication marketplaces continue to be used broadly and willincrease in availability and utilization. This increased use will leadto more opportunity for malicious application delivery usingobfuscation techniques through the official Google Play Store inan effort to appear legitimate and reach a larger installation base. iDefense threat intelligence analysts predict that actors in Iranwill continue to develop and deploy ransomware that theyhave repurposed from popular malware. State-sponsoredorganizations such as the Islamic Revolutionary Guard Corps(IRGC) Cyber Command could use such ransomware.12 CYBER THREATSCAPE REPORT 2018
What’s happening?Iran’s geopolitical trendsiDefense threat intelligence has seen a high increase in the numberof cyberattacks, types and uses of ransomware, and malware tradeand usage by threat actors based in Iran; hence, iDefense threatintelligence is carefully tracking Iranian cyber threats to ensure clientsare adequately protected from this growing and expanding cyber threat.iDefense threat intelligence analysts predicted that based on the UnitedStates President Donald Trump’s removal of Secretary of State RexTillerson from his position, the nomination of former US CIA DirectorMike Pompeo as the secretary of state, and the appointment of formerUS Ambassador to the United Nations (UN) John Bolton as the NationalSecurity Advisor, the Obama-era Iran nuclear agreement better knownas “JCPOA” would end.5 Consequently, the annulment of the JCPOA bythe current United States president has put Iran in a defensive position,which has led Iran’s supreme leader Ayatollah Ali Khamenei (a hardlinecleric) to use harsh rhetoric against the United States president andthe United States as a whole and to threaten to resume Iran’s nuclearactivities, especially if talks with European counterparts fail.6 Althoughbased on current Iranian policy, the feud may not lead to any disruptiveor destructive cyberattack against the United States or Europeancounterparts in the near future. The Iranian government is likely tocontinue its cyber espionage activities and develop its cyber capabilitiesfor political and strategic influence; however, it might also take a moreaggressive posture against its neighboring rivals and regional enemies,such as Saudi Arabia, the United Arab Emirates, Bahrain, and Israel,for encouraging and supporting the United States decision on theannulment of the JCPOA agreement.13 CYBER THREATSCAPE REPORT 2018
What’s happening?On September 14, 2017, the Director ofNational Intelligence, the Honorable DanCoats, provided his remarks at the BillingtonCybersecurity Summit, stating, “Iran andNorth Korea are improving their capabilities tolaunch disruptive or destructive cyberattacksto support their political objectives.” Officeof the Director of National Intelligence.iDefense threat intelligence analysts believe that a result of politicaltensions stemming from the possible abolishment of the JCPOAagreement will be that the IRGC Cyber Command is highly likely toresurrect its cyber threat activity against organizations in multipleindustry sectors such as the financial, critical infrastructure, healthcare,government, and military, and energy sectors; consequently, iDefensethreat intelligence assesses operational and economic risks to theseorganizations are likely to increase.7Iran’s cyber espionageGrowing POWERSTATS malware family activityiDefense observed that the POWERSTATS malware family activity ison the rise and continuing to evolve, as seen in targeted attacks thatPalo Alto Networks has dubbed “Muddy Water.”8 POWERSTATS is aPowerShell-based first-stage backdoor that uses and drops scripts tocontact a command-and-control (C2) server. The malware performs14 CYBER THREATSCAPE REPORT 2018
What’s happening?reconnaissance on a victim system, lowers its Microsoft Office securitysettings, and can execute any PowerShell command the threat actor usingit sends. This threat activity was first observed and disclosed by iDefensethreat intelligence in 2017; however, it has continued to blossom in 2018.The first generation of POWERSTATS malware used basic PowerShell andVBScript and has grown in complexity and sophistication, mainly dueto the public reporting of its activities. This evolution has included moresophisticated and more advanced infection and evasion techniques,such as AppLocker bypass methods, malware analysis tool detection, antisandbox checks, extended C2 proxy lists, base64 encoding, and PowerShellobfuscation that is more layered. In addition, new infection vectors havebeen observed; they include infection via a Java-based version coupledwith a BurpSuite-KeyGen and a malicious Microsoft Help file.In initial reporting from October 2017, iDefense t
Cyber threat actors and threat groups are continuously networking, researching, and testing out new tactics, techniques, and procedures (TTPs). They are also always looking for new ways to disrupt operations, make money, or spy on their targets. iDefense threat intelligence analysts have observed multiple tactical shifts
8 2019 CYBER THREATSCAPE REPORT EXECUTIVE SUMMARY WHAT’S INSIDE? The 2018 Cyber Threatscape report noted the clear need for more effective use of actionable threat intelligence. With state-sponsored activities a growing force to be reckoned with, extended supply chain threats, targets
Accenture Wealth Management firstname.lastname@example.org With over 17 years of broker dealer and advisory industry experience, Kendra is focused on wealth management strategy. Based in Toronto, she leads Accenture Wealth Management globally. Edward Blomquist Research Lead Accenture Wealth and Asset Management email@example.com
Cyber Vigilance Cyber Security Cyber Strategy Foreword Next Three fundamental drivers that drive growth and create cyber risks: Managing cyber risk to grow and protect business value The Deloitte CSF is a business-driven, threat-based approach to conducting cyber assessments based on an organization's specific business, threats, and capabilities.
Accenture Products & Platforms (APP) Accenture Health & Public Services Accenture Human Services Suite . Another option is mobile that opens the browser in the emulator mode and is only enabled for the chrome browser. This means if you want to t
the 1st Edition of Botswana Cyber Security Report. This report contains content from a variety of sources and covers highly critical topics in cyber intelligence, cyber security trends, industry risk ranking and Cyber security skills gap. Over the last 6 years, we have consistently strived to demystify the state of Cyber security in Africa.
risks for cyber incidents and cyber attacks.” Substantial: “a level which aims to minimise known cyber risks, cyber incidents and cyber attacks carried out by actors with limited skills and resources.” High: “level which aims to minimise the risk of state-of-the-art cyber attacks carried out by actors with significant skills and .
Cyber Security Training For School Staff. Agenda School cyber resilience in numbers Who is behind school cyber attacks? Cyber threats from outside the school Cyber threats from inside the school 4 key ways to defend yourself. of schools experienced some form of cyber
ANSI A300 standards are intended to guide work practices for the care of trees, palms, shrubs, and other woody landscape plants. They apply to arborists, horticulturists, landscape architects, and other professionals who provide for or supervise the management of these plants for property owners, property managers, businesses, government agencies, utilities, and others who use these services .