Manufacturing BEC Victims: Report

Monday, May 13, 2019 @ 04:05 PM gHale

Top five targeted industries.
Source: Palo Alto Networks Unit 42

Business Email Compromise (BEC) schemes continue to remain one of the most profitable and widespread activities among cyber criminals and the manufacturing sector is one of the growing areas.

This rapid rise has sparked alarm, recognition, and a call to action across law enforcement communities on a global basis.

RELATED STORIES
C-Suite a Big Attack Target: Report
Manufacturing Report: Financial Attacks on Rise
Siemens, TÜV SÜD Partner on Safety-Security
Security Spotlight: Triton Fallout, Securing Supply Chain

In 2016, the Internet Crime Complaint Center (IC3) said BEC accounted for single year losses estimated at $360 million. A year later, it was estimated BEC grew to $670 million in annual losses. With rising public awareness and improved reporting mechanisms, law enforcement subsequently reported a 136 percent increase in losses between December 2016 and May 2018. Of greatest concern, global losses exceeded $12.5 billion and ended up felt in 150 countries in the five-year period from 2013-2018.

In a related path, Palo Alto Networks Unit 42 has monitored the evolution of this threat with a focus on Nigerian cybercrime.

While BEC is a global threat, Unit 42’s focus on Nigerian actors provides insights into one of the largest subcultures participating in this type of attack.

In 2016, there was big growth in malware adoption and Unit 42 assigned the code name “SilverTerrier” to these actors. In 2017, Unit 42 observed the threat expand to hundreds of actors participating in BEC schemes.

Over the past year, the number of SilverTerrier actors surpassed 400. Combined, these actors are now attributed to over 51,000 malware samples and 1.1 million attacks over the past four years.

Leveraging this wealth of data, this Unit 42 blog outlines the most recent SilverTerrier malware trends:

Collectively, Nigerian cyber actors continued to prove their ability to deliver sizable year-over-year growth in attacks. In 2017, we observed an average of 18,294 attacks per month, representing a 23 percent increase from 2016. This period also included a new single month’s record of 41,000 attacks in August 2017. In 2018, average attacks grew to 28,227 per month with surges in March and April surpassing previous records. This growth represents an a 54 percent annual increase and signifies the quantity and pace of attacks is increasing. Moreover, one should note these numbers only reflect attacks against our customer base. Thus, while we assess our metrics are representative of the global trends associated with this activity, it is very likely the actual number of global attacks far exceeds our numbers.

Manufacturing Third
In addition to the growth, Nigerian actors continue to launch their attacks against the breadth of all industry segments. Our data shows the high-tech industry received the greatest number of attacks, climbing from 46k to 120k over the past year. The wholesale industry advanced to secure its place as the second most targeted industry, witnessing a 400 percent growth in attacks from 2017. Manufacturing also observed a sizeable increase in attacks from 32k to 57k but dropped one position to become the third most targeted industry in 2018. Finally, education and professional/legal services both witnessed growth in attacks as the fourth and fifth most targeted industries, respectively.

Analyzing the delivery vectors used in these attacks produced a consistent ranking of the top five applications between 2017 and 2018. Email applications topped the list with SMTP, POP3, and IMAP securing the first, second, and fourth most common delivery applications, respectively.

In terms of metrics, we observed malware in 219k SMTP sessions, 46k POP3 sessions, and 8.4k IMAP sessions. Web browsing remained the third most common delivery application with malware detected in 20k sessions while FTP ranked fifth with only 654 sessions. Comparatively, these metrics provide valuable insights for network administrators, informing the need for email-based detection capabilities in order to adequately defend against this threat.

SilverTerrier actors are gaining experience quickly as they adopt new technologies, techniques, and malware to advance their schemes.

Malware Tools
Over the course of the past four years, we tracked their adoption and use of 20 different commodity malware tools. Procured for nominal costs, these tools require minimal setup, and come preloaded with a variety of capabilities that enable actors to achieve their desired outcomes. Given the antivirus community is often quick to identify and signature these tools, Nigerian actors frequently leverage a variety of constantly evolving “crypters” as a means to obfuscate the tools and circumvent signature-based detection capabilities. Comparing 14,694 SilverTerrier samples collected in 2018 against VirusTotal demonstrated an average detection rate of 53 percent across vendor solutions at the time of discovery. By the end of the year, subsequent measurements taken in early 2019 revealed detection rates improved over time, but only by five percentage points, achieving 58 percent across all vendors. This low number lends credence to, and highlights the significance of, the threat that this malware employment technique poses to organizations relying on traditional signature-based detection capabilities.

Despite the continued growth in attacks and $12.5 billion in global loses attributed to BEC schemes over the past five years, there were also a series of positive actions that took place cementing 2018 as an important milestone in the battle against this threat. Arguably, the most noteworthy of these activities was the mobilization and unprecedented level of collaboration between law enforcement and private industry partners from the cybersecurity, technology, and financial sectors.

One such dividend was realized in January 2018 when the Federal Bureau of Investigation (FBI) launched its first large-scale, coordinated effort to dismantle BEC operations globally. Over the course of six months, law enforcement officers participating Operation Wirewire arrested 74 individuals. Among them were 29 Nigerians arrested as a result of the FBI’s close collaboration with the Nigerian Electronic Federal Crimes Commission (EFCC).



Leave a Reply

You must be logged in to post a comment.