It seems like the moment the security industry collectively comes to grips with the latest publicly disclosed data breach, another bigger and badder security incident surfaces to shake it up, prompting many enterprises to worry if the same could happen to them.

Fortunately, by tapping into the overarching themes and patterns of these recent breaches, organizations can unlock insights to help them avoid becoming part of the breach news cycle.

Six Data Breach Trends From 2017 to Monitor in the New Year

IBM X-Force identified six major trends from over 235 publicly disclosed breaches it tracked in 2017. Some are trends that we’ve been highlighting for years, such as phishing attacks and failure to patch. Others are newer, growing trends, such as hijacked thingbots, misconfigured cloud servers and cryptocurrency-targeted attacks.

Figure 1: IBM X-Force tracked over 235 security incidents for 2017, comprising over 2.8 billion records (Source: IBM X-Force).

The security incidents described below represent only a few examples of each attack trend, which are listed in no particular order, and suggested mitigation tips, several of which fall under basic security hygiene. We all have an opportunity to learn from these incidents, and security professionals should pay close attention to notable trends, since they may indicate areas of possible concern in their own environments.

Listen to the podcast: 5 security predictions that will take hold in 2018

1. Bots of Things Attacking Other Things

What happens when millions of systems are exploited by a gaping remote vulnerability and then used as a botnet of zombie devices to launch distributed denial-of-service (DDoS) attacks or infect unsuspecting users with malware?

In August 2017, a consortium of six technology firms came together to take down WireX, a botnet comprised of tens of thousands of compromised Android devices that were being used to launch crippling DDoS attacks against targets in the hospitality industry. These vulnerable systems had been infected by more than 300 seemingly benign apps from the official Google Play store, including video players, file managers and ringtones. All these apps contained hidden code that could be activated for malicious use.

Threat such as the Mirai botnet, which turned hundreds of thousands of connected cameras and DVR devices into DDoS bots in November 2016 and struck again toward the end of 2017, use the ability to commandeer a huge number of systems as a devastatingly effective attack tactic.

In September 2017, Armis Labs disclosed a Bluetooth vulnerability dubbed BlueBorne that could be exploited to silently take over any affected device within proximity of an attacker, potentially exposing billions of systems to compromise.

Malware that launches DDoS attacks or hijacks a device’s CPU to mine cryptocurrencies can actually damage the hardware, since these devices were not made to sustain such high utilization. In December 2017, security researchers discovered that the prolonged execution of the CPU-intensive Loapi malware caused the battery in their test Android phone to bulge out and deform the case.

All devices in your environment have the potential to become bots, including mobile devices. The time to begin identifying which IT assets could potentially be incorporated into botnet is not when a cybergang is actively using your devices to launch DDoS attacks. Organizations should consider managing the life cycle and inventory of assets through an IT asset management (ITAM) program that also includes mobile device management (MDM).

The more these rising numbers of devices and endpoints use common libraries, platforms and operating systems, the more susceptible they are to the exploitation of a single vulnerability. In other words, aggregated risk goes through the roof in this scenario. The availability and growing ease of implementing scalable systems and architecture can lead to other problems as well.

2. Failure to Patch

Near close of business in Europe on Friday, May 12, 2017, a massive malware outbreak dubbed WannaCry dumped ransomware onto Windows endpoints at hospitals, internet service providers (ISPs) and other critical targets. As IT professionals around the world scrambled to ensure that they were protected, it became evident that the worm was propagating via a Server Message Block (SMB) vulnerability, which had been patched by Microsoft (MS17-010) more than two months earlier. Similarly, NotPetya, another worm, used the same SMB vulnerability to propagate.

Widespread worms, such as Blaster and Sasser, were more common in the early 2000s, but seemed to have gone out of style as other types of attacks took form. Still, they illustrate the importance of keeping systems patched. Remediating critical unpatched vulnerabilities is key, so timely patch management is vital to organizations of any size.

While advanced zero-day attacks can be a formidable threat, they are more often the stuff of fear and legend. In fact, according to the IBM X-Force vulnerability database, less than 1 percent of vulnerabilities in 2016 were considered zero-day vulnerabilities — that is, flaws exploited in the wild for which patches do not exist. Failure to patch existing critical vulnerabilities is most often the cause of havoc on a global scale, particularly when there is a huge number of vulnerable endpoints.

3. Misconfigured Cloud Services

Cloud services enable companies to easily store millions of user data records for websites and apps. While vendors generally do a good job of securing these services, user error, misconfiguration and malicious insiders can publicly expose this data without providing any form of authentication.

This year alone, there have been numerous cases of misconfigured Amazon S3 buckets, Rsync backups, MongoDB databases and other similar services that exposed private, sensitive data. In July 2017, a third-party vendor that provided customer support services to a major telecommunications company exposed data belonging to 14 million customers on a wide-open Amazon S3 cloud server. The data included custom personal identification numbers (PINs), which could be used to authenticate customer accounts.

As consumers, we download apps and services without much consideration for how they use or store our data. In one concerning breach from November, security researchers uncovered a publicly accessible 577 GB MongoDB database from an Israeli company that sells a keyboard app for mobile phones. The data not only contained usernames and emails addresses, but also location-based GPS information for users and transcripts of text that was typed into phones via the keyboard app.

The year closed with a massive leak affecting 123 million Americans after a misconfigured Amazon S3 bucket allowed AWS Authenticated Users — that is, any user that has an Amazon AWS account — to download the stored data. This type of data is valuable to attackers, who can use it to target specific individuals and companies through spear phishing.

Cloud databases leaked over 2 billion records in 2017. According to IBM X-Force, server misconfigurations made up 70 percent of the total number of reported leaked records this past year. It’s important for organizations to conduct proper risk assessments of their cloud deployments. Security professionals should consider periodically engaging a professional penetration testing service to map vulnerabilities and inadvertent access issues.

Leaked data can have immense monetary value, especially when someone is willing to pay to keep it private. As we’ll see in the next trend, attackers have homed in on new targets to exploit and extort to make money.

4. Cyberextortion of High-Value Data

In late April 2017, a popular video streaming service was informed that new episodes of one of its most popular shows had been stolen from a third party that provided postproduction services for the show. The threat actor also stole several other shows that had yet to be released and threatened to leak the files to the public if a ransom was not paid. A similar ransomware scheme emerged later in the year involving the theft of episodes from another popular show.

In addition, several plastic surgery clinics were breached this year, including one in Beverly Hills and one in London, both of which catered to celebrity clients. Given the sensitive nature of photos and patient history, high-profile targets such as these are particularly vulnerable. Whether they’re going after medical records, private dating preferences, intellectual property or hot television series, attackers are targeting high-value data in attempts to earn cash through good old-fashioned extortion.

Imagine that your data has been stolen from a third party with which you do business and is now being held for ransom. What is your game plan? Do you have outside counsel, crisis communications and incident response teams on retainer to provide guidance? Do you have a contact in law enforcement to disclose the breach to? How will you respond to the ransom demands? How will you address your customers and the media? An organization’s response to a breach can potentially be just as damaging as the breach itself.

According to the “2017 Cost of Data Breach Study” sponsored by IBM Security and conducted by Ponemon Institute, “an incident response (IR) team reduced the cost by as much as $19 per compromised record.” Your incident response plan should be a dynamic document that is routinely reviewed, exercised and adjusted according to the results of a breach investigation.

5. Phishing Nets Big Targets

While stealing data and demanding ransoms is a lucrative tactic, some attackers have found that simply asking for money in a certain way can be quite effective.

Business email compromise (BEC) is a threat in which an attacker sends an email asking an employee to wire money or send confidential data, such as W-2 forms. These scams are often carried out by threat actors who impersonate C-suite executives and authority figures at precisely targeted companies.

Savvy attackers spoof these leaders’ email accounts and mimic their writing styles to trick victims. Fraudsters netted more than $5 billion in stolen funds between 2013 and 2016 via BEC attacks. In 2017, DataBreaches.net tracked more than 200 companies that were tricked into sending employee W-2 forms to a malicious outsider. While phishing is often used in combination with other attacks, these BEC attacks illustrate how phishing alone can be highly lucrative for criminals.

Another BEC technique observed over the past year involved attackers registering domains that closely resembled those of vendors, such as construction firms, that were engaged in multimillion-dollar projects. For example, a Canadian university was tricked into sending nearly $12 million to a cybergang posing as a trusted construction vendor.

These attacks are effective because defenses are often lowered when people mistake the attacker for a person inside their circle of trust. When a user sees an email coming from an authority figure or what looks like a trusted vendor, he or she might not think to double-check the sender’s identity. This may be especially true in cases where there are fewer rungs on the corporate ladder, since it may not be unusual to receive an email from the CEO or CFO in a small or midsized company.

Phishing techniques such as BEC scams continue to plague users because they are highly successful. User education programs need to continuously change to keep up with the rapidly evolving threat landscape. For example, it is no longer sufficient to simply scan an email for misspellings or grammatical errors. The phishing lures are so convincing these days that even a seasoned security professional might have difficulty spotting a fraud. Users should alert the security team of suspicious emails and only open attachments they expect to receive.

Unfortunately, users tend to take a similar approach to installing software on their systems, putting their trust in vendors to deliver a secure product and legitimate updates.

6. Cryptocurrency Targets on the Rise

With the ever-rising valuation of bitcoin and other cryptocurrencies, these are quickly becoming a choice target for attackers. But stealing crypto coins is not new in 2017. In fact, some historic thefts over the years are even more significant today, given the exponential increase in price.

Consider the theft in 2016 of 119,756 BTC from a Hong Kong bitcoin exchange, which, at the time, equated to $77 million. Today, that haul would be valued at over $1.5 billion. Similarly, a Slovenian Bitcoin exchange was robbed in 2017 of 4,700 BTC, which, within a week of the theft, fluctuated in value by almost $20 million.

Initial coin offerings (ICO) are becoming popular vehicles to quickly fund an enterprising business through the sale of digital currency tokens while offering investors the potential for huge returns on their investment. ICOs have unsurprisingly become top targets for cybercriminals who, throughout 2017, devised creative ways to siphon funds and trick investors into wiring millions of dollars worth of cryptocurrency. Attackers hijacked the website of an Israeli company in the midst of its ICO and changed the wallet address, which is similar to a long bank account number, to receive funds. In under three minutes, more than $7 million worth of Ethereum cryptocurrency was routed to the attackers.

Crafty criminals are targeting end users with some additional crypto-stealing malware techniques, such as intercepting and changing payment addresses in the clipboard to hijack payments and combing user files for crypto wallets and private keys, which could be used to steal funds.

Safe computing standards should be applied to the emerging world of digital money. Crypto veterans and new users alike should employ some basic practices to help protect their digital investments. At the very least, users should employ two-factor authentication (2FA) at crypto exchanges and websites. When trading or making payments, double- and triple-check the recipient address before sending to ensure that it wasn’t changed or manipulated. For endpoint wallet attacks, consider using a hardware wallet, such as Trezor or Ledger, to keep private keys on external devices that are protected by PINs.

Don’t Wait to Address These Data Breach Trends

While many of these data breach trends have remained the same over the years, it’s always helpful to take a step back and evaluate your own risk personally and professionally. Don’t wait to implement these simple security best practices. Failure to do so could be disastrous, while a focus on boosting enterprisewide security hygiene just might keep your organization out of the latest batch of doom-and-gloom news headlines.

Listen to the podcast: 5 security predictions that will take hold in 2018

More from Threat Intelligence

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today