Cyber threat actors are preparing new malware threats utilizing tested web application attack vectors aimed at disrupting the U.S. private sector, including aerospace and defense industries, according to reports released Tuesday.

New research from cyber companies Akamai [AKAM] and FireEye [FEYE] shows an urgent need for industry IT officials to focus on implementing new system defense capabilities to push back against stronger botnet attacks in 2018.

“In contrast to DDoS attacks, web application attacks rose dramatically in 2017, and there is no reason to believe this will change in 2018. The vast majority of web application attacks are the result of untargeted scans looking for any vulnerable system, but a few are directed attempts to compromise a specific target,” wrote Martin McKeay, Akamai senior security advocate, in his company’s Q4 2017 report on internet security.

U.S. businesses saw an increase in DDoS and web application attacks in 2017, with actors often using previously known attack vectors to disrupt business functions. DDoS attacks in Q4 2017 rose 14 percent from Q4 2016, and application-layer attacks went up by 22 percent, according to Akamai’s report.

The most common attack vectors included UDP fragment floods, DNS attacks and CLDAP attack traffic.

Akamai officials are pushing industry IT leaders to adopt new web application firewall tools, as existing ones have previously failed against known DDoS attack vectors.

“Funding and budgets are available for offensive and defensive research, but reactionary attitudes based on fear, uncertainty, and doubt are prevalent. We find ourselves repeating the same mistakes again and again: weak components, default settings, and poor password and key management are just a small sample of the problems we face. Time and effort are continually wasted on putting out fires instead of being directed toward a more holistic and proactive approach,” wrote Chris Kubecka, Akamai associate and CEO of cyber consulting firm HypaSec, in Tuesday’s report.

The Mirai botnet code will return in 2018 as a main force for disrupting private sector activity, according to the Akamai report. Mirai infects networks turning them into remotely controlled bots which can then be used to carry out larger network attacks.

“It is safe to say that we will see more variants of Mirai in 2018,” Akamai officials wrote in their report.

North Korea-based hacking group APT37, also known as Reaper, has previously utilized the Mirai botnet as well. A new FireEye report detailed the group’s interest in growing the scope of its attacks beyond South Korea and the Middle East to include U.S. businesses, including the aerospace & defense industry.

“This threat actor has carried out long term targeting of North Korea’s interests and has now graduated to the level of an advanced persistent threat, putting North Korea’s cyber capabilities in an exclusive club,” FireEye officials wrote in their report. “Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware. We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests.”

FireEye believes APT37’s mission is to gather covert intelligence for North Korean military and economic interests using spear phishing and malware tactics to gain access to critical networks.

Imminent threats from APT37 include compromising servers and leveraging access to cloud service providers to deliver second stage malware payloads aimed at stealing sensitive information.

The group has previously targeted aerospace and defense industry verticals in South Korea, Japan, Vietnam and the Middle East, exploiting zero-day vulnerabilities, and FireEye officials expect its scope to soon extend to the U.S. private sector.

“APT37 is an additional tool available to the [North Korean] regime, perhaps even desirable for its relative obscurity. We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor,” FireEye officials report.