NETSCOUT Threat Intelligence Report: Powered by ATLAS

Cybercrime’s Innovation Machine

Findings from 1H 2019


In the past six months, NETSCOUT Threat Intelligence saw cybercriminal activity evolve into a stunningly efficient machine. Here are a few highlights of the major trends we’re tracking in 2019, which you can read more about in the latest NETSCOUT Threat Report.

Key Findings

Smartphones, smart homes, and even Apple software are prime targets as botmasters discover and quickly exploit new vulnerabilities. IoT devices behind firewalls aren’t as safe as you might think: we’ve reported on proof-of-concept malware built to target those devices. It can take as little as five days from the discovery of a new attack vector to its weaponization, widening access to fast, efficient tools for anybody with an axe to grind. Even college students can hire botnets to take down testing platforms, while participants in geopolitical skirmishes increasingly use cyber tactics as part of their toolkit.

The Weaponized Home


Everything from routers to smart home devices to your own smartphone is at risk, as attackers exploit vulnerabilities in connected devices at a breathtaking clip. Worse, we’ve seen proof-of-concept malware targeting IoT devices behind firewalls, which adds another layer of complexity to organizations’ defenses.

5 Days to Firepower


It can take as few as five days from the discovery of a new attack vector to its weaponization, giving attackers fast access to inexpensive and devastating tools for revenge.

Hired Bots vs. Higher Ed


Even college students can access sophisticated attack tools. The NETSCOUT SOC helped one university successfully thwart targeted local attacks on its online test platforms and curriculum.


Geopolitical Shoot-outs


Geopolitical adversaries increasingly target one another using cyber tactics ranging from malware and DDoS attacks to social engineering and misinformation.

APT Groups

APT group activity is on the rise. The first half of 2019 brought a significant increase in the use of cyber tactics in geopolitical skirmishes, such as ongoing conflict between India and Pakistan. While APT groups developed new and sophisticated malware, many also used existing and widely available exploitation tools, along with tactics such as social engineering and deception. The threat landscape has gone mainstream.

Cyber Skirmishing

Patchwork Group

Transparent Tribe

India and Pakistan exemplify the increasing use of cyber tactics, as they targeted each other with a series of campaigns in the first half of 2019.

If It Ain’t Broke...

Adversaries continued to use widely available exploitation tools such as mimikatz, njRAT, and PsExec, even in APT campaigns that otherwise appear to have substantial resources or the expertise to create custom tools.


You’ve Got Mail


While bespoke malware continues to make the rounds, many campaigns relied entirely on deception and social engineering, continuing the trend in which email remains the dominant intrusion vector.


Cybercriminals know how to get the most bang for the buck with operations that run like well-oiled machines. As IoT devices continue to look like an all-you-can-eat buffet for malware operators, we saw an alarming increase in the number of Mirai variants in the wild and a significant spike in attempted attacks. Just as IoT brute-forcing and exploitation remain potent threats, ransomware and point-of-sale (POS) malware continue to thrive and succeed.

IoT Targets

5 Days from discovery to weaponization

IoT devices come under attack within minutes of going online. It can take only five days from the discovery of a new attack vector to its weaponization, giving attackers fast access to inexpensive and devastating tools for revenge.

The Era of Mirai


Mirai and its variants continue to dominate the IoT scene, as we see upwards of 20,000 unique samples per month. Widely available source code lets entrepreneurs with little to no skill easily build custom IoT botnets, creating an upsurge of Mirai-based variants in the wild, but the law may be catching up. Device manufacturers like D-Link are facing legal consequences for leaving their hardware open to attack.




There are still too many reports of local governments and insurance companies paying ransoms for file decryption, and ransomware operators are emboldened by their continued success. Danabot, an already efficient crimeware framework that showcases the business model adversaries use, has capitalized on ransomware’s effectiveness by adding a file-encrypting module to bolster revenue.

POS Malware Persists

Despite the advent of chip and EMV technology, we saw POS malware operations persist and continue to steal customer credit card data. Well-known groups such as FIN8 have reemerged, showcasing POS malware’s continued relevance as a money maker.



In the first half of 2019, attack frequency jumped 39% compared with 1H 2018. Bad actors feasted on the juicy middle range of attack sizes, resulting in a staggering growth rate of 776% in attacks between 100 Gbps and 400 Gbps. We noted that attackers increasingly targeted wireless and satellite communications. The exception to the overall trend toward growth came at the top end of the attack range, where we saw a 32% decrease in attacks of more than 500 Gbps compared with 1H 2018 – a period that saw the arrival of Memcached attacks. Through collective action, attacks of this magnitude using this vector have been essentially snuffed out.

Frequency on the Rise


compared with 1H 2018. Attack frequency increased 39%.

Feasting on the Middle

100-400 Gbps

1H 2019 saw explosive global growth in attacks between 100 Gbps and 400 Gbps.

Wireless and Satellite Targeted

A trend to watch: Attackers are increasingly targeting satellite and wireless communications.


Decrease at the Top End

Good News: Attacks larger than 500 Gbps sharply declined.

The Takeaway

2019 ushered in market-ready crimeware. Freely accessible tools can be quickly and easily deployed as new vulnerabilities are continually discovered. Cybercrime entrepreneurs are becoming increasingly innovative and efficient, bringing in a new era of malware variants, while older, tried-and-true methods continue to thrive. The silver lining? We’re seeing more crackdowns on illicit operations, indictments of cybercriminals, and regulations on IoT device security. These efforts go a long way toward making a better, more secure internet.

The ASERT team monitors the threat landscape and reports on new actors, malware under development, and the increasingly sophisticated tools and techniques deployed. For an in-depth summary, download the latest NETSCOUT Threat Intelligence Report for the first half of 2019.
