SYMANTEC INTELLIGENCE REPORT NOVEMBER 2014
Symantec Corporation
Symantec Intelligence Report :: NOVEMBER 2014

CONTENTS

Summary
TARGETED ATTACKS + DATA BREACHES
  Targeted Attacks
    Attachments Used in Spear-Phishing Emails
    Spear-Phishing Attacks by Size of Targeted Organization
    Average Number of Spear-Phishing Attacks Per Day
    Top-Ten Industries Targeted in Spear-Phishing Attacks
  Data Breaches
    Timeline of Data Breaches
    Total Identities Exposed
    Top Causes of Data Breaches
    Total Data Breaches
    Top-Ten Types of Information Breached
MALWARE TACTICS
  Malware Tactics
    Top-Ten Malware
    Top-Ten Mac OSX Malware Blocked on OSX Endpoints
    Ransomware Over Time
    Top-Ten Botnets
  Vulnerabilities
    Number of Vulnerabilities
    Zero-Day Vulnerabilities
    Browser Vulnerabilities
    Plug-in Vulnerabilities
SOCIAL MEDIA + MOBILE THREATS
  Mobile
    Mobile Malware Families by Month, Android
    Mobile Threat Classifications
  Social Media
    Social Media
PHISHING, SPAM + EMAIL THREATS
  Phishing and Spam
    Phishing Rate
    Global Spam Rate
  Email Threats
    Proportion of Email Traffic Containing URL Malware
    Proportion of Email Traffic in Which Virus Was Detected
About Symantec
More Information

Summary

Welcome to the November edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.

Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.

There was a significant jump in emails containing malicious URLs during the month of November, where 41 percent of email-borne malware contained a link to a malicious or compromised website. The last time we saw this level of activity was back in August of 2013. Since then, URL malware had been present in 3 to 16 percent of malicious emails each month, until this recent surge.

We have reason to believe that the Cutwail botnet is responsible for some of this increase. However, this botnet only makes up 3.7 percent of total botnet activity tracked in November. Kelihos and Gamut appear to be in the number one and two positions, comprising 19.2 and 18.8 percent respectively.

The topics in the campaigns we’ve seen so far include fake telecom billing notices, as well as fax and voicemail spam, and government levied fines. The URLs in the first two campaigns appear to be downloaders that will install further malware on a compromised computer, while the third campaign leads to fake captcha sites hosting crypto-ransomware.

Ransomware as a whole continues to decline as the year progresses. However, the amount of crypto-ransomware seen continues to comprise a larger portion of this type of malware. This particularly aggressive form of ransomware made up 38 percent of all ransomware in the month of November.

We hope that you enjoy this month’s report and feel free to contact us with any comments or feedback.

Ben Nahorney, Cyber Security Threat Analyst
[email protected]

TARGETED ATTACKS + DATA BREACHES
Targeted Attacks

At a Glance
• The average number of spear-phishing attacks dropped to 43 per day in November, down from 45 in October.
• The .doc file type was the most common attachment type used in spear-phishing attacks. The .exe file type came in second.
• Organizations with 2500+ employees were the most likely to be targeted in November.
• Non-Traditional Services narrowly lead the Top-Ten Industries targeted, followed by Manufacturing. The difference between the two industries was 0.07 percentage points.

Average Number of Spear-Phishing Attacks Per Day
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: average number of spear-phishing attacks per day, by month, December 2013 to November 2014]

Attachments Used in Spear-Phishing Emails
Source: Symantec :: NOVEMBER 2014

| Executable type | November | October |
|---|---|---|
| .doc | 25.9% | 62.5% |
| .exe | 16.4% | 14.4% |
| .au3 | 8.6% | – |
| .scr | 5.3% | 0.1% |
| .jpg | 4.8% | 0.2% |
| .class | 2.2% | – |
| .pdf | 1.6% | 4.4% |
| .bin | 1.6% | – |
| .txt | 1.3% | 11.2% |
| .dmp | 1.0% | 0.1% |

Spear-Phishing Attacks by Size of Targeted Organization
Source: Symantec :: NOVEMBER 2014

| Organization Size | November | October |
|---|---|---|
| 1-250 | 34.4% | 27.1% |
| 251-500 | 8.4% | 6.6% |
| 501-1000 | 8.8% | 8.9% |
| 1001-1500 | 3.2% | 2.9% |
| 1501-2500 | 4.5% | 11.2% |
| 2500+ | 40.7% | 43.3% |

Top-Ten Industries Targeted in Spear-Phishing Attacks
Source: Symantec :: NOVEMBER 2014

| Industry | Share |
|---|---|
| Services - Non Traditional | 20% |
| Manufacturing | 20% |
| Finance, insurance & Real Estate | 17% |
| Services - Professional | 11% |
| Wholesale | 10% |
| Transportation, communications, electric | 7% |
| Public Administration | 5% |
| Retail | 3% |
| Mining | 1% |
| Construction | 1% |
Data Breaches

At a Glance
• The two largest data breaches reported to have occurred in November resulted in the exposure of 3.6 million and 2.7 million identities each.
• Hackers have been responsible for 57 percent of data breaches in the last 12 months.
• Real names, government ID numbers, such as Social Security numbers, and home addresses were the top three types of data exposed in data breaches.

Timeline of Data Breaches
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: number of incidents and identities exposed (millions), by month, December 2013 to November 2014]

Total Data Breaches, DECEMBER 2013 — NOVEMBER 2014: 258
Total Identities Exposed, DECEMBER 2013 — NOVEMBER 2014: 476 Million

Top Causes of Data Breaches
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014

| Cause | Percent | Number of Incidents |
|---|---|---|
| Hackers | 57% | 147 |
| Accidentally Made Public | 18% | 46 |
| Theft or Loss of Computer or Drive | 18% | 46 |
| Insider Theft | 7% | 19 |
| TOTAL | | 258 |

Top-Ten Types of Information Breached
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014

| Rank | Type of Information | Percent |
|---|---|---|
| 01 | Real Names | 67% |
| 02 | Gov ID numbers (Soc Sec) | 43% |
| 03 | Home Address | 42% |
| 04 | Birth Dates | 38% |
| 05 | Financial Information | 35% |
| 06 | Medical Records | 28% |
| 07 | Email Addresses | 21% |
| 08 | Phone Numbers | 19% |
| 09 | Usernames & Passwords | 16% |
| 10 | Insurance | 9% |

Methodology

This data is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model that measures the levels of threats, including malicious software, fraud, identity theft, spam, phishing, and social engineering daily.
The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information. In some cases a data breach is not publicly reported during the same month the incident occurred, or an adjustment is made in the number of identities reportedly exposed. In these cases, the data in the Norton CCI is updated. This causes fluctuations in the numbers reported for previous months when a new report is released.

MALWARE TACTICS

Malware Tactics

At a Glance
• W32.Ramnit variants continue to dominate the top-ten malware list.
• The most common OSX threat seen on OSX was OSX.Flashback.K, making up 15.7 percent of all OSX malware found on OSX Endpoints.
• Overall ransomware activity has remained low since March of this year. However, crypto-style ransomware continues to make up a larger percentage of ransomware, comprising 38 percent in November.
• Kelihos and Gamut are the two most commonly encountered botnets, making up 19.2 and 18.8 percent of botnet traffic respectively.

Top-Ten Malware
Source: Symantec :: NOVEMBER 2014

| Rank | Name | November | October |
|---|---|---|---|
| 1 | W32.Sality.AE | 4.8% | 4.1% |
| 2 | W32.Almanahe.B!inf | 4.5% | 3.7% |
| 3 | W32.Ramnit!html | 4.4% | 4.0% |
| 4 | W32.Ramnit.B | 2.7% | 2.7% |
| 5 | W32.Downadup.B | 3.0% | 2.5% |
| 6 | W32.Ramnit.B!inf | 2.3% | 2.1% |
| 7 | W32.SillyFDC.BDP!lnk | 1.6% | 1.4% |
| 8 | W32.Virut.CF | 1.5% | 1.3% |
| 9 | Trojan.Zbot | 1.5% | 1.3% |
| 10 | Trojan.Swifi | 1.4% | – |

Top-Ten Mac OSX Malware Blocked on OSX Endpoints
Source: Symantec :: NOVEMBER 2014

| Rank | Malware Name | November | October |
|---|---|---|---|
| 1 | OSX.Flashback.K | 15.7% | 5.4% |
| 2 | OSX.Okaz | 13.4% | 28.8% |
| 3 | OSX.Keylogger | 11.8% | 9.3% |
| 4 | OSX.RSPlug.A | 11.0% | 14.0% |
| 5 | OSX.Klog.A | 8.4% | 5.2% |
| 6 | OSX.Stealbit.B | 7.6% | 4.7% |
| 7 | OSX.Crisis | 3.7% | 4.8% |
| 8 | OSX.Netweird | 3.7% | 3.7% |
| 9 | OSX.Flashback | 3.3% | 4.0% |
| 10 | OSX.Imuler | 2.5% | – |
Ransomware Over Time
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: ransomware over time, monthly values in thousands, December 2013 to November 2014]

Top-Ten Botnets
Source: Symantec :: NOVEMBER 2014

| Rank | Botnet name | Percent |
|---|---|---|
| 1 | Kelihos | 19.2% |
| 2 | Gamut | 18.8% |
| 3 | Snowshoe | 8.0% |
| 4 | Cutwail | 3.7% |
| 5 | Darkmailer | 1.0% |
| 6 | Asprox | 0.7% |
| 7 | Grum | 0.03% |
| 8 | Festi | 0.0165% |
| 9 | Esxvaql | 0.0162% |
| 10 | Darkmailer2 | 0.0151% |