It seems like the moment the security industry collectively comes to grips with the latest publicly disclosed data breach, another bigger and badder security incident surfaces to shake it up, prompting many enterprises to worry if the same could happen to them.

Fortunately, by tapping into the overarching themes and patterns of these recent breaches, organizations can unlock insights to help them avoid becoming part of the breach news cycle.

Six Data Breach Trends From 2017 to Monitor in the New Year

IBM X-Force identified six major trends from over 235 publicly disclosed breaches it tracked in 2017. Some are trends that we’ve been highlighting for years, such as phishing attacks and failure to patch. Others are newer, growing trends, such as hijacked thingbots, misconfigured cloud servers and cryptocurrency-targeted attacks.

Figure 1: IBM X-Force tracked over 235 security incidents for 2017, comprising over 2.8 billion records (Source: IBM X-Force).

The security incidents described below represent only a few examples of each attack trend, which are listed in no particular order, and suggested mitigation tips, several of which fall under basic security hygiene. We all have an opportunity to learn from these incidents, and security professionals should pay close attention to notable trends, since they may indicate areas of possible concern in their own environments.

Listen to the podcast: 5 security predictions that will take hold in 2018

1. Bots of Things Attacking Other Things

What happens when millions of systems are exploited by a gaping remote vulnerability and then used as a botnet of zombie devices to launch distributed denial-of-service (DDoS) attacks or infect unsuspecting users with malware?

In August 2017, a consortium of six technology firms came together to take down WireX, a botnet comprised of tens of thousands of compromised Android devices that were being used to launch crippling DDoS attacks against targets in the hospitality industry. These vulnerable systems had been infected by more than 300 seemingly benign apps from the official Google Play store, including video players, file managers and ringtones. All these apps contained hidden code that could be activated for malicious use.

Threat such as the Mirai botnet, which turned hundreds of thousands of connected cameras and DVR devices into DDoS bots in November 2016 and struck again toward the end of 2017, use the ability to commandeer a huge number of systems as a devastatingly effective attack tactic.

In September 2017, Armis Labs disclosed a Bluetooth vulnerability dubbed BlueBorne that could be exploited to silently take over any affected device within proximity of an attacker, potentially exposing billions of systems to compromise.

Malware that launches DDoS attacks or hijacks a device’s CPU to mine cryptocurrencies can actually damage the hardware, since these devices were not made to sustain such high utilization. In December 2017, security researchers discovered that the prolonged execution of the CPU-intensive Loapi malware caused the battery in their test Android phone to bulge out and deform the case.

All devices in your environment have the potential to become bots, including mobile devices. The time to begin identifying which IT assets could potentially be incorporated into botnet is not when a cybergang is actively using your devices to launch DDoS attacks. Organizations should consider managing the life cycle and inventory of assets through an IT asset management (ITAM) program that also includes mobile device management (MDM).

The more these rising numbers of devices and endpoints use common libraries, platforms and operating systems, the more susceptible they are to the exploitation of a single vulnerability. In other words, aggregated risk goes through the roof in this scenario. The availability and growing ease of implementing scalable systems and architecture can lead to other problems as well.

2. Failure to Patch

Near close of business in Europe on Friday, May 12, 2017, a massive malware outbreak dubbed WannaCry dumped ransomware onto Windows endpoints at hospitals, internet service providers (ISPs) and other critical targets. As IT professionals around the world scrambled to ensure that they were protected, it became evident that the worm was propagating via a Server Message Block (SMB) vulnerability, which had been patched by Microsoft (MS17-010) more than two months earlier. Similarly, NotPetya, another worm, used the same SMB vulnerability to propagate.

Widespread worms, such as Blaster and Sasser, were more common in the early 2000s, but seemed to have gone out of style as other types of attacks took form. Still, they illustrate the importance of keeping systems patched. Remediating critical unpatched vulnerabilities is key, so timely patch management is vital to organizations of any size.

While advanced zero-day attacks can be a formidable threat, they are more often the stuff of fear and legend. In fact, according to the IBM X-Force vulnerability database, less than 1 percent of vulnerabilities in 2016 were considered zero-day vulnerabilities — that is, flaws exploited in the wild for which patches do not exist. Failure to patch existing critical vulnerabilities is most often the cause of havoc on a global scale, particularly when there is a huge number of vulnerable endpoints.

3. Misconfigured Cloud Services

Cloud services enable companies to easily store millions of user data records for websites and apps. While vendors generally do a good job of securing these services, user error, misconfiguration and malicious insiders can publicly expose this data without providing any form of authentication.

This year alone, there have been numerous cases of misconfigured Amazon S3 buckets, Rsync backups, MongoDB databases and other similar services that exposed private, sensitive data. In July 2017, a third-party vendor that provided customer support services to a major telecommunications company exposed data belonging to 14 million customers on a wide-open Amazon S3 cloud server. The data included custom personal identification numbers (PINs), which could be used to authenticate customer accounts.

As consumers, we download apps and services without much consideration for how they use or store our data. In one concerning breach from November, security researchers uncovered a publicly accessible 577 GB MongoDB database from an Israeli company that sells a keyboard app for mobile phones. The data not only contained usernames and emails addresses, but also location-based GPS information for users and transcripts of text that was typed into phones via the keyboard app.

The year closed with a massive leak affecting 123 million Americans after a misconfigured Amazon S3 bucket allowed AWS Authenticated Users — that is, any user that has an Amazon AWS account — to download the stored data. This type of data is valuable to attackers, who can use it to target specific individuals and companies through spear phishing.

Cloud databases leaked over 2 billion records in 2017. According to IBM X-Force, server misconfigurations made up 70 percent of the total number of reported leaked records this past year. It’s important for organizations to conduct proper risk assessments of their cloud deployments. Security professionals should consider periodically engaging a professional penetration testing service to map vulnerabilities and inadvertent access issues.

Leaked data can have immense monetary value, especially when someone is willing to pay to keep it private. As we’ll see in the next trend, attackers have homed in on new targets to exploit and extort to make money.

4. Cyberextortion of High-Value Data

In late April 2017, a popular video streaming service was informed that new episodes of one of its most popular shows had been stolen from a third party that provided postproduction services for the show. The threat actor also stole several other shows that had yet to be released and threatened to leak the files to the public if a ransom was not paid. A similar ransomware scheme emerged later in the year involving the theft of episodes from another popular show.

In addition, several plastic surgery clinics were breached this year, including one in Beverly Hills and one in London, both of which catered to celebrity clients. Given the sensitive nature of photos and patient history, high-profile targets such as these are particularly vulnerable. Whether they’re going after medical records, private dating preferences, intellectual property or hot television series, attackers are targeting high-value data in attempts to earn cash through good old-fashioned extortion.

Imagine that your data has been stolen from a third party with which you do business and is now being held for ransom. What is your game plan? Do you have outside counsel, crisis communications and incident response teams on retainer to provide guidance? Do you have a contact in law enforcement to disclose the breach to? How will you respond to the ransom demands? How will you address your customers and the media? An organization’s response to a breach can potentially be just as damaging as the breach itself.

According to the “2017 Cost of Data Breach Study” sponsored by IBM Security and conducted by Ponemon Institute, “an incident response (IR) team reduced the cost by as much as $19 per compromised record.” Your incident response plan should be a dynamic document that is routinely reviewed, exercised and adjusted according to the results of a breach investigation.

5. Phishing Nets Big Targets

While stealing data and demanding ransoms is a lucrative tactic, some attackers have found that simply asking for money in a certain way can be quite effective.

Business email compromise (BEC) is a threat in which an attacker sends an email asking an employee to wire money or send confidential data, such as W-2 forms. These scams are often carried out by threat actors who impersonate C-suite executives and authority figures at precisely targeted companies.

Savvy attackers spoof these leaders’ email accounts and mimic their writing styles to trick victims. Fraudsters netted more than $5 billion in stolen funds between 2013 and 2016 via BEC attacks. In 2017, tracked more than 200 companies that were tricked into sending employee W-2 forms to a malicious outsider. While phishing is often used in combination with other attacks, these BEC attacks illustrate how phishing alone can be highly lucrative for criminals.

Another BEC technique observed over the past year involved attackers registering domains that closely resembled those of vendors, such as construction firms, that were engaged in multimillion-dollar projects. For example, a Canadian university was tricked into sending nearly $12 million to a cybergang posing as a trusted construction vendor.

These attacks are effective because defenses are often lowered when people mistake the attacker for a person inside their circle of trust. When a user sees an email coming from an authority figure or what looks like a trusted vendor, he or she might not think to double-check the sender’s identity. This may be especially true in cases where there are fewer rungs on the corporate ladder, since it may not be unusual to receive an email from the CEO or CFO in a small or midsized company.

Phishing techniques such as BEC scams continue to plague users because they are highly successful. User education programs need to continuously change to keep up with the rapidly evolving threat landscape. For example, it is no longer sufficient to simply scan an email for misspellings or grammatical errors. The phishing lures are so convincing these days that even a seasoned security professional might have difficulty spotting a fraud. Users should alert the security team of suspicious emails and only open attachments they expect to receive.

Unfortunately, users tend to take a similar approach to installing software on their systems, putting their trust in vendors to deliver a secure product and legitimate updates.

6. Cryptocurrency Targets on the Rise

With the ever-rising valuation of bitcoin and other cryptocurrencies, these are quickly becoming a choice target for attackers. But stealing crypto coins is not new in 2017. In fact, some historic thefts over the years are even more significant today, given the exponential increase in price.

Consider the theft in 2016 of 119,756 BTC from a Hong Kong bitcoin exchange, which, at the time, equated to $77 million. Today, that haul would be valued at over $1.5 billion. Similarly, a Slovenian Bitcoin exchange was robbed in 2017 of 4,700 BTC, which, within a week of the theft, fluctuated in value by almost $20 million.

Initial coin offerings (ICO) are becoming popular vehicles to quickly fund an enterprising business through the sale of digital currency tokens while offering investors the potential for huge returns on their investment. ICOs have unsurprisingly become top targets for cybercriminals who, throughout 2017, devised creative ways to siphon funds and trick investors into wiring millions of dollars worth of cryptocurrency. Attackers hijacked the website of an Israeli company in the midst of its ICO and changed the wallet address, which is similar to a long bank account number, to receive funds. In under three minutes, more than $7 million worth of Ethereum cryptocurrency was routed to the attackers.

Crafty criminals are targeting end users with some additional crypto-stealing malware techniques, such as intercepting and changing payment addresses in the clipboard to hijack payments and combing user files for crypto wallets and private keys, which could be used to steal funds.

Safe computing standards should be applied to the emerging world of digital money. Crypto veterans and new users alike should employ some basic practices to help protect their digital investments. At the very least, users should employ two-factor authentication (2FA) at crypto exchanges and websites. When trading or making payments, double- and triple-check the recipient address before sending to ensure that it wasn’t changed or manipulated. For endpoint wallet attacks, consider using a hardware wallet, such as Trezor or Ledger, to keep private keys on external devices that are protected by PINs.

Don’t Wait to Address These Data Breach Trends

While many of these data breach trends have remained the same over the years, it’s always helpful to take a step back and evaluate your own risk personally and professionally. Don’t wait to implement these simple security best practices. Failure to do so could be disastrous, while a focus on boosting enterprisewide security hygiene just might keep your organization out of the latest batch of doom-and-gloom news headlines.

Listen to the podcast: 5 security predictions that will take hold in 2018

More from Threat Intelligence

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Threat intelligence to protect vulnerable communities

2 min read - Key members of civil society—including journalists, political activists and human rights advocates—have long been in the cyber crosshairs of well-resourced nation-state threat actors but have scarce resources to protect themselves from cyber threats. On May 14, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a High-Risk Communities Protection (HRCP) report developed through the Joint Cyber Defense Collaborative that addresses the threat to these vulnerable groups, with findings contributed by the X-Force Threat Intelligence team.Cyber criminals seek stolen credentialsThe HRCP…

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today