Despite another increase in year-over-year malvertising detections, research shows the numbers are trending down.
According to RiskIQ’s Q4 Malvertising Roundup, the company scanned nearly 10% fewer incidents than the quarter before. This decrease has become a pattern: The Q3 report showed a massive decrease in malvertising beginning in the second half of 2017.
Even so, thanks to high numbers of incidents in the first half of the year, overall malvertising in 2017 increased 2.8% against 2016.
“Threat actors perform malvertising in all kinds of ways – phishing, scams, exploit kits, and malware – sometimes even via a drive-by-download, where the target user doesn’t have to click on a malicious link; the ad downloads the infection from the iFrame without their knowledge,” said RiskIQ researchers in a blog. “Sometimes, the ad will download software, which collects information on the user’s computer, or adbots that add to a wide-ranging fraudulent ad network. Ransomware is also a malvertising method, encrypting the unfortunate victim’s files and charging money to get them unencrypted.”
The fluctuation in volume of bad ads detected may indicate a change in attacker tactics. For instance, malvertising incidents containing malware decreased by a notable 67.5% in the fourth quarter, and there was a precipitous drop in advertisements using phishing techniques for the second quarter in a row. There were, however, small increases in scam advertising, which reversed a two-quarter trend.
“Malvertising is so nefarious because it’s a direct attack on the lifeblood of the internet as we know it,” said RiskIQ researchers. “Digital media marketing is what funds the ‘free’ websites we all enjoy online, and the success of the internet and all the people that rely on it is inextricably linked to its success. According to a report compiled by eMarketer, worldwide paid media market, which accelerates every year, is at $542 billion—lower than eMarketer’s previous forecast.”
Yet another new Mirai variant has reared its head, aimed at turning internet of things (IoT) devices into proxy servers.
The FortiGuard Labs team encountered the botnet, which it dubbed OMG. The variant adds and removes some configurations that can be found in the original Mirai code – but it also keeps Mirai’s original modules, including the attack, killer and scanner modules.
“This means that it can also do what the original Mirai could, i.e. kill processes (related to telnet, ssh, http by checking open ports and other processes related to other bots), telnet brute-force login to spread and DOS attack,” FortiGuard researchers said in an analysis.
However, the proxy function is OMG’s main purpose. Cybercriminals use proxies to add anonymity when carrying out hacking and other malicious activities. FortiGuard pointed out in an analysis that one way to earn money with proxy servers is to sell access to them to other cybercriminals, which is what OMG was built for.
For the proxy to work properly, OMG’s authors added a firewall rule to allow traffic on the generated ports; two strings containing the commands for adding and removing that firewall rule were added to the configuration table. After enabling the firewall rule to allow traffic to pass through the randomly generated HTTP and SOCKS ports, the bot sets up 3proxy with a predefined configuration embedded in its code, FortiGuard explained.
Though this is the first time a modified Mirai variant has been spotted that is capable both of distributed denial-of-service (DDoS) attacks and of setting up proxy servers on vulnerable IoT devices, it’s unlikely that OMG will be the last elaboration on the Mirai theme.
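The behaviour FortiGuard describes (a new firewall ACCEPT rule on a random high port, and a proxy process listening on it) leaves a footprint that a defender can check against a device baseline. The following Python script is an added example, not FortiGuard’s code or anything from the OMG sample: it parses constructed `iptables -S` and `ss -lntp` output and flags accepted or listening TCP ports that are not in an assumed allowlist, or that are served by a process other than the expected one. The baseline ports, process names and port numbers are all invented for the example.

```python
"""Baseline check for an embedded Linux host: flag firewall ACCEPT rules and
listening TCP sockets that are not part of the device's expected service set.

The sample data below is constructed to imitate `iptables -S` and `ss -lntp`
output; ports, PIDs and process names are invented for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical baseline: the only TCP services this device should expose.
EXPECTED_TCP_PORTS = {22: "dropbear", 80: "httpd"}

# Constructed `iptables -S` output: the baseline rules plus two ACCEPT rules on
# random-looking high ports, the pattern described in the text.
SAMPLE_IPTABLES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 43187 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51203 -j ACCEPT
"""

# Constructed `ss -lntp` output for the same host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("dropbear",pid=412,fd=3))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=530,fd=4))
LISTEN 0      128    0.0.0.0:43187      0.0.0.0:*         users:(("3proxy",pid=1871,fd=5))
LISTEN 0      128    0.0.0.0:51203      0.0.0.0:*         users:(("3proxy",pid=1871,fd=6))
"""

ACCEPT_RE = re.compile(r"^-A INPUT .*-p tcp .*--dport (\d+) .*-j ACCEPT$")
SS_RE = re.compile(
    r'^LISTEN\s+\S+\s+\S+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


@dataclass(frozen=True)
class Finding:
    port: int
    process: Optional[str]  # None when the port is accepted but nothing listens
    reason: str


def parse_accepted_ports(iptables_output: str) -> Set[int]:
    """Destination ports explicitly accepted on the INPUT chain for TCP."""
    ports = set()
    for line in iptables_output.splitlines():
        m = ACCEPT_RE.match(line.strip())
        if m:
            ports.add(int(m.group(1)))
    return ports


def parse_listeners(ss_output: str) -> Dict[int, str]:
    """Map of listening TCP port -> owning process name."""
    listeners = {}
    for line in ss_output.splitlines():
        m = SS_RE.match(line.strip())
        if m:
            listeners[int(m.group(1))] = m.group(2)
    return listeners


def audit(iptables_output: str, ss_output: str) -> List[Finding]:
    """Compare firewall openings and listeners against the baseline."""
    accepted = parse_accepted_ports(iptables_output)
    listeners = parse_listeners(ss_output)
    findings = []
    for port in sorted(accepted | set(listeners)):
        proc = listeners.get(port)
        expected = EXPECTED_TCP_PORTS.get(port)
        if expected is None:
            findings.append(Finding(port, proc, "port not in baseline"))
        elif proc is not None and proc != expected:
            findings.append(
                Finding(port, proc, f"unexpected process, baseline is {expected}")
            )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_IPTABLES, SAMPLE_SS):
        print(f"port {f.port:>5}  process={f.process or '-':<10} {f.reason}")
```

On the constructed data the two 3proxy listeners on ports 43187 and 51203 are reported as outside the baseline while 22 and 80 pass; a port that is accepted by the firewall but has no listener is still reported, since the rule itself is the deviation.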
“Since the release of the source code of the Mirai botnet, FortiGuard Labs has seen a number of variations and adaptations written by multiple authors entering the IoT threat landscape,” researchers said. “These modified Mirai-based bots differ by adding new techniques, in addition to the original telnet brute force login, including the use of exploits and the targeting of more architectures. We have also observed that the motivation for many of the modifications to Mirai is to earn more money. Mirai was originally designed for DDoS attack, but later modifications were used to target vulnerable ETH mining rigs to mine cryptocurrency.”
A massive business email compromise (BEC) campaign is targeting Fortune 500 firms, using well-crafted, sophisticated phishing emails.
According to the IBM X-Force Incident Response and Intelligence Services (IRIS), criminals of likely Nigerian origin are behind the widespread credential harvesting, phishing and social engineering initiative designed to steal financial assets.
Beginning in the fall of 2017, X-Force IRIS started seeing a significant increase in clients reporting instances of fraud or attempted fraud via wire transfer payments. Attackers in these cases use stolen email credentials and solid social engineering tactics; there’s no need to infiltrate the corporate network to defraud a company, so the BEC scam involves little to no technical knowledge, malware or special tools.
The “whaling” attempts followed a common pattern: Convince accounts payable personnel at Fortune 500 companies to initiate fraudulent wire transfers into attacker-controlled accounts, resulting in the theft of millions of dollars.
X-Force IRIS said that phishing emails are sent either directly from or spoofed to appear to be from known contacts in the target employee’s address book; the phish is often sent to several hundred contacts at a time and is engineered to look legitimate to the spammed contacts. However, this isn’t a spray-and-pray effort. Researchers said that before engaging with any employee, the attackers likely undertook a reconnaissance phase, looking through activity within the user’s email folders in search of subjects and opportunities to exploit and, eventually, creating or inserting themselves into relevant conversations.
Attackers also mimicked previous conversations or inserted themselves into current conversations between business email users. They then masqueraded as a known contact from a known vendor or associated company and requested that wire payments be sent to an “updated” bank account number or beneficiary. In cases in which additional approval or paperwork was needed, the attackers found and filled out appropriate forms and spoofed supervisor emails to get required approvals.
They also created mail filters to ensure that communications were conducted only between the attacker and victim and, in some cases, to monitor a compromised user’s inbox.
The effort also has two separate but connected goals.
“The first is to harvest mass amounts of business user credentials, and the second is to use these credentials to impersonate their rightful owners and ultimately trick employees into diverting fund transfers to bank accounts the attackers control,” said researchers in a blog.
In terms of the size of the threat, the bad actors appear to have used a phishing kit to create spoofed DocuSign login pages on over 100 compromised websites. X-Force IRIS researchers identified targeted companies in the retail, healthcare, financial and professional services industries, among others.
“Without the use of any malware, and with legitimate stakeholders performing the actual transactions, traditional detection tools and spam filters failed to identify evidence of a compromise,” researchers said.
Businesses can avoid getting hooked in a whaling attempt by implementing two-factor authentication (2FA) for account logins, creating banners that identify emails coming from external email addresses and blocking the ability to auto-forward emails outside of the organization.
They can also prevent fraud the old-fashioned way: by picking up the phone to verify transfer requests before initiating them.
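Two of the controls above (blocking auto-forwarding outside the organization, and spotting the mail filters the attackers create to keep conversations hidden from the real user) can be checked against an export of mailbox inbox rules. The script below is an added example, not IBM’s or any mail vendor’s code: the record layout, the organization domain `example.com`, the finance keywords and the “rarely viewed” folder list are assumptions, and the rule records are constructed. It flags rules that forward to external addresses and rules that delete or bury messages about payments, noting when such a rule was created recently.

```python
"""Review mailbox inbox rules for shapes associated with BEC: auto-forwarding
to addresses outside the organisation, and rules that delete or hide messages
about invoices and payments.

The record fields, organisation domain, keyword list and sample rules below
are assumptions constructed for this example, not any vendor's export schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

ORG_DOMAINS = {"example.com"}  # hypothetical organisation
FINANCE_TERMS = ("invoice", "wire", "payment", "bank", "remittance", "transfer")
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}
RECENT = timedelta(days=7)

NOW = datetime(2018, 2, 26, tzinfo=timezone.utc)  # constructed review time

# Constructed export: three benign rules followed by three suspicious ones.
SAMPLE_RULES: List[Dict] = [
    {"mailbox": "a.payable@example.com", "name": "Newsletter", "created": NOW - timedelta(days=400),
     "subject_contains": ["newsletter"], "move_to": "Reading", "forward_to": [], "delete": False},
    {"mailbox": "a.payable@example.com", "name": "Holiday cover", "created": NOW - timedelta(days=30),
     "subject_contains": [], "move_to": None, "forward_to": ["backup@example.com"], "delete": False},
    {"mailbox": "a.payable@example.com", "name": "Vendors", "created": NOW - timedelta(days=200),
     "subject_contains": ["invoice"], "move_to": "Vendors", "forward_to": [], "delete": False},
    {"mailbox": "a.payable@example.com", "name": "Monitor", "created": NOW - timedelta(days=2),
     "subject_contains": [], "move_to": None, "forward_to": ["ap.monitor@mail-example.net"], "delete": False},
    {"mailbox": "a.payable@example.com", "name": "Cleanup", "created": NOW - timedelta(days=1),
     "subject_contains": ["wire", "payment"], "move_to": None, "forward_to": [], "delete": True},
    {"mailbox": "a.payable@example.com", "name": "Filter", "created": NOW - timedelta(days=3),
     "subject_contains": ["remittance"], "move_to": "RSS Feeds", "forward_to": [], "delete": False},
]


@dataclass(frozen=True)
class Finding:
    mailbox: str
    name: str
    reasons: tuple


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def rule_findings(rule: Dict, now: datetime) -> List[str]:
    """Reasons a single rule is suspicious; empty list when it looks benign."""
    reasons = []
    external = [a for a in rule["forward_to"] if is_external(a)]
    if external:
        reasons.append("auto-forwards to external address(es): " + ", ".join(external))
    finance = any(term in s.lower() for s in rule["subject_contains"] for term in FINANCE_TERMS)
    folder = (rule["move_to"] or "").lower()
    if finance and rule["delete"]:
        reasons.append("deletes messages matching finance terms")
    elif finance and folder in HIDING_FOLDERS:
        reasons.append(f"moves finance messages to rarely viewed folder '{rule['move_to']}'")
    # Recency on its own is not a finding, but it raises the priority of one.
    if reasons and now - rule["created"] <= RECENT:
        reasons.append("rule created in the last 7 days")
    return reasons


def review(rules: List[Dict], now: datetime = NOW) -> List[Finding]:
    """Findings for every rule in the export that matches a BEC pattern."""
    out = []
    for rule in rules:
        reasons = rule_findings(rule, now)
        if reasons:
            out.append(Finding(rule["mailbox"], rule["name"], tuple(reasons)))
    return out


if __name__ == "__main__":
    for f in review(SAMPLE_RULES):
        print(f"{f.mailbox}  rule '{f.name}':")
        for r in f.reasons:
            print(f"    - {r}")
```

The benign “Vendors” rule also matches the finance keyword but only files messages in a visible folder, so it is not reported; the distinction the check draws is between organizing mail and keeping it away from the mailbox owner.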
The cybersecurity talent gap is greater than for any other digital skills, according to new research from Capgemini, as Brexit begins to take its toll.
The global consultancy polled over 1200 senior executives and front-line employees and analyzed social media sentiment of more than 8000 cybersecurity employees to compile its latest report, Cybersecurity Talent: The Big Gap in Cyber Protection.
It revealed that 68% of organizations reported high demand for cyber-skills in the workforce, versus 61% demanding innovation skills and 64% analytics skills. However, only 43% had “proficient skills already present in the organization” — a 25-percentage-point gap between supply and demand.
By comparison, the gap for analytics was just 13 percentage points and for innovation 21.
“The cybersecurity skills gap has a very real effect on organizations in every sector,” said Mike Turner, COO of Capgemini’s Cybersecurity Global Service Line. “Spending months rather than weeks looking for suitable candidates is not only inefficient, it also leaves organizations dangerously exposed to rising incidents of cybercrime. Business leaders must urgently rethink how they recruit and retain talent, particularly if they wish to maximize the benefits from investment in digital transformation.”
What’s more, demand is set to grow, with 72% of respondents predicting high demand for cybersecurity in 2020.
Brexit is clearly having an impact on the UK’s attractiveness as a place to work for skilled EU workers, exacerbating talent shortages, according to experts speaking at the TEISS summit this week.
The figures come as new stats show a record drop in EU net migration to the UK. The number of EU citizens coming to the UK (220,000) decreased by 47,000 over the past year, falling to 2014 levels, while the number leaving the UK (130,000) is the highest recorded level since 2008.
Sophie Barrett-Brown, head of UK practice at immigration law firm Laura Devine Solicitors, argued that “skilled EU nationals choosing to pursue opportunities outside the UK is not a success story for the UK.
“A further fall in net migration may seem to be good news for those with concerns about immigration, but in reality it underlines a growing skills shortage impacting on businesses and public services. Behind every official statistic showing more workers leaving the UK and fewer arriving, the real story is vacancies unfilled and business potential unrealized,” she added.
“The biggest concern is the ongoing uncertainty employers face as the Brexit deadline of March 2019 approaches. With government now not due to publish proposals for the post-Brexit migration system until the end of 2018, employers are having to plan for any scenario and a number of businesses have already begun transferring some of their business functions overseas.”
Global cybercrime now costs nearly $600bn annually, with two-thirds of the world’s netizens having had their personal information stolen or compromised, according to a new McAfee report.
The Economic Impact of Cybercrime – No Slowing Down report was compiled in partnership with the non-profit Center for Strategic and International Studies (CSIS).
It focuses specifically on cybercrime that occurs when attackers illegally access computer networks to steal IP and personal data, commit fraud and financial crime, and disrupt services. The report estimated costs resulting from securing networks, purchasing cyber-insurance, recovering from incidents, damaged reputation and liability risks.
Although it’s significantly greater than the $445bn estimated in 2014, the $600bn figure could be much higher when other types of cybercrime are considered, and given the fact that under-reporting and inaccuracies are rife in some regions, according to McAfee.
The report also estimated that nearly three billion credentials and other PII have been stolen since 2014, equating to two-thirds of netizens who have had their details compromised.
It also claimed that nation states were the most “dangerous” source of cybercrime, led by Russia and North Korea, but with China pegged as the most active cyber-espionage player.
Ransomware was judged to be the fastest-growing type of cybercrime, fueled by the cybercrime-as-a-service phenomenon and the rise of crypto-currency to help perpetrators maintain anonymity online.
McAfee chief scientist, Raj Samani, warned that this trend is democratizing cybercrime to the massed ranks of less technically gifted attackers.
“Businesses often struggle to remain vigilant against threats because they have too many tools operating in silo at once — and failing to communicate with each other,” he added.
“By making sure that tools can work together and removing siloed security teams, organizations can find the right combination of people, process and technology to effectively protect data, detect threats and, when targeted, rapidly correct systems.”
The report also blamed the rise in cybercrime costs on the increasing sophistication of top-tier cyber-criminals.
The government has proposed increasing the maximum fees organizations will have to pay data protection watchdog the Information Commissioner’s Office (ICO) as it looks to ramp up its activity to regulate the forthcoming GDPR.
Currently, data controllers are legally required to register with and pay the ICO either £35 or £500 annually depending on their revenue and number of employees.
However, the government is proposing to shift this to a new three-tiered funding model which will take effect when the GDPR lands on May 25.
“The government, which has a statutory duty to ensure the ICO is adequately funded, has proposed the new funding structure based on the relative risk to the data that an organization processes,” the ICO explained. “The model is divided into three tiers and is based on a number of factors including size, turnover and whether an organization is a public authority or charity.”
Micro-organizations of fewer than 10 staff or maximum turnover of £632,000 will be charged £40 — or £35 if they pay by direct debit, making the costs unchanged from the current fees.
However, Tier 2 organizations — SMEs with maximum turnover of £36m or no more than 250 members of staff — will need to pay a £60 fee.
The biggest increase comes for Tier 3 data controllers, large organizations which must fork out £2900 — potentially a £2400 increase on what they currently pay.
“The fee is higher because these organizations are likely to hold and process the largest volumes of data, and therefore represent a greater level of risk,” the ICO claimed.
Charities will be designated as Tier 1 organizations regardless of size or turnover, whilst public authorities are classified according to staff numbers rather than turnover, the ICO said in an accompanying guide.
The changes come as the ICO’s already stretched resources are expected to come under even greater pressure with the introduction of the new privacy regulation from Brussels. The government claimed its "income requirements" would increase from around £19m in 2016/17 to £33m in 2020/21.
The city of Allentown, Pennsylvania, is struggling to remediate a malware attack that could cost nearly $1 million to mitigate.
According to local paper The Morning Call, the city’s critical systems have been hit by the malware known as Emotet, impacting both financial and public safety operations, Mayor Ed Pawlowski said. Allentown’s finance department can’t complete any external banking transactions, the city’s 185 surveillance cameras are affected and the police department can’t access Pennsylvania State Police databases, Pawlowski said.
Emotet spread like wildfire around the city’s networks, self-replicating (Emotet can spread itself to other systems by stealing an address book from a computer on the network) and harvesting city employees’ credentials along the way. There’s an intimation that phishing was the initial infection vector: Pawlowski warned city residents not to open emails and attachments from city employees. In the past Emotet has been spread via weaponized Microsoft Word documents.
The virus impacted all city systems running Microsoft software, so the city has hired Microsoft engineers to handle emergency response to the crisis for an initial $185,000. Though the virus has now been contained, Pawlowski said it will cost $800,000 to $900,000 to fully remediate the damage.
Further details remain shadowy.
“I’m not trying to in any way shape or form hide anything from the public,” Pawlowski told the city council. “But we just don’t want to divulge how we’re aggressively attacking this because if it is a hacker, they can always modify their attack.”
“Shame on us for doing a disservice to our intelligence community,” said Allentown IT director Matthew Leibert, chastising the council for holding an open hearing on the incident, given that there’s an ongoing criminal investigation into where the virus came from.
Pawlowski also said the virus evaded the city’s “extensive” antivirus and firewall systems.
“This particular virus actually is unlike any other virus,” he said. “It has intelligence built in, so it keeps adapting to our systems, thus evading any firewalls that we have up.”
Emotet first emerged in 2014 as a Trojan designed to steal banking credentials from targets in Austria and Germany. It searches the targeted system for sensitive information that will be exfiltrated to the command-and-control (C2) servers under the attackers’ control. The attacker can then sell the information harvested or log into the account themselves to steal more information.
Starting late last year, the malware began spreading beyond financial targets and into the US and other arenas, while adding new capabilities, including a new dropper, sandbox awareness and anti-analysis capabilities.
Malware sophistication is increasing as adversaries begin to weaponize cloud services and evade detection through encryption, which is being used as a tool to conceal command-and-control activity.
That’s according to the Cisco 2018 Annual Cybersecurity Report (ACR). It also found that while encryption is meant to enhance security, the expanded volume of encrypted web traffic (50% as of October 2017) – both legitimate and malicious – has created more challenges for defenders trying to identify and monitor potential threats. Cisco threat researchers observed more than a threefold increase in encrypted network communication used by inspected malware samples over a 12-month period.
“Last year’s evolution of malware demonstrates that our adversaries continue to learn,” said John Stewart, senior vice president and chief security and trust officer at Cisco. “We have to raise the bar now – top-down leadership, business-led technology investments and practice effective security – there is too much risk, and it is up to us to reduce it.”
The defense side isn’t sitting still, either. To reduce the time that adversaries have to operate, security professionals said they are increasingly leveraging and spending more on tools that use AI and machine learning. Applying machine learning can help enhance network security defenses and, over time, “learn” how to automatically detect unusual patterns in encrypted web traffic, cloud and IoT environments.
However, some of the 3,600 CISOs interviewed for the report said they were reliant on, and eager to add, tools like machine learning and AI, but were frustrated by the number of false positives such systems generate.
Security professionals also said that they see value in behavioral analytics tools in locating malicious actors in networks. A full 92% of security professionals said behavioral analytics tools work well. Two-thirds of the healthcare sector, followed by financial services, found behavior analytics to work extremely well to identify malicious actors.
The report noted that defenders are implementing a complex mix of products from a cross-section of vendors to protect against breaches. This complexity and growth in breaches has many downstream effects on an organization’s ability to defend against attacks, such as increased risk of losses. In 2017, 25% of security professionals said they used products from 11 to 20 vendors, compared with 18% of security professionals in 2016. Security professionals also said 32% of breaches affected more than half of their systems, compared with 15% in 2016.
Meanwhile, the financial cost of attacks is no longer a hypothetical number: More than half of all attacks resulted in financial damages of more than half a million dollars, including, but not limited to, lost revenue, customers, opportunities and out-of-pocket costs.
The use of cloud is growing too, and the report suggests that attackers are taking advantage of this. In this year’s study, 27% of security professionals said they are using off-premises private clouds, compared with 20% in 2016. Among them, 57% said they host networks in the cloud because of better data security, 48% because of scalability and 46% because of ease of use.
While cloud offers better data security, attackers are taking advantage of the fact that security teams are having difficulty defending evolving and expanding cloud environments. The combination of best practices, advanced security technologies like machine learning and first-line-of-defense tools like cloud security platforms can help protect this environment.
Erik Westhovens, enterprise architect at Insight, believes that its findings reveal the importance of both detection technology and employee education to organizations looking to combat the ever-evolving cybersecurity threat.
"What’s clear from Cisco’s latest research is that the cybersecurity environment is moving at an unprecedented speed, with malignant actors and defenders engaged in an arms race that would make Cold War strategists blush,” he said. “The past few months have seen the focus shift once again, from ransomware to malware, resulting in new requirements for defending against cyber-attacks…[and] the inventiveness of cyber-attackers means that the threat is always evolving.”
He added that while AI and machine learning are key to detecting novel methods quickly and finding ways to contain and neutralize them, “people should remain the first line of any cyber-defense strategy. Consider the modern flexible employee – accessing company information on the move and working with sensitive data every day, regardless of job function. Because malware frequently takes advantage of employees’ ignorance, organizations need to focus their security strategy both on detection technology and on educating their workforce on how to avoid becoming an easy route in."
Managing the impact of a data breach is the top priority in risk management, yet respondents in a recent survey also reported that they lack the budget and resources to do that effectively.
Collectively, organizations today face an unprecedented volume and variety of information risks that have enterprise-wide impact, including increasingly sophisticated cybersecurity incidents, information leaks, aggressive regulatory sanctions and the proliferation of communication channels outside the control of IT or security.
According to a survey of 150 IT, compliance and security professionals conducted by communications compliance company Actiance and IDG Research, personnel are seeing more and more risks with corporate-wide impact, which has led to greater overlap in duties in fighting these threats. As a result, the majority of survey respondents highlighted the greater need for collaboration in the planning and execution of defense, monitoring and recovery strategies across IT, security and compliance. However, they require more resources across all functions. Interestingly, respondents ranked adding personnel low on the list as a solution: The addition of staff was mentioned the least as a strategy for managing risk moving forward.
On a positive note, collaboration between the three functions in the evaluation and selection of risk management solutions appears to be very high: 75% reported that their function collaborates with at least one or both of the other two departments in evaluating and selecting risk management solutions, whereas only 5% say their function alone is responsible for those tasks. Moreover, these functions want to stay on the same page moving forward – all ranked sharing common control processes as a high priority in collaborating with other departments to address information risk. Respondents across all functions overwhelmingly pointed toward clearly defined policies as an area that is working well today. Risk/compliance titles differed from others in highlighting monitoring and alerting process controls as an area that is also working well.
In terms of other priorities, managing the risk and impact of a data breach was ranked highest across all functions, with the only exception being risk/compliance titles, who ranked the loss of sensitive customer information slightly higher.
“Although the legacy technologies, buying processes, and functionally driven priorities of the last 15 to 20 years have left some organizations with redundant and ineffective risk management processes and solutions, many companies have successfully bridged the resulting informational and organizational silos,” said Robert Cruz, senior director of information governance at Actiance. “Firms are evolving toward a more holistic, collaborative model that incorporates the priorities of IT, security and compliance stakeholders.”
At The European Information Security Summit (TEISS) 2018, Lesley Marjoribanks, head of ethical phishing at Royal Bank of Scotland, reflected on the key phishing trends observed in the last year and their impact on phishing risks for the future.
The first notable phishing pattern of last year was impactful ransomware, Marjoribanks said, with attacks like WannaCry and NotPetya making mainstream media. “What we will see going into 2018 is attackers really going after the end-user to have the most impact, so you’re talking about hospitals, air traffic control” etc. The big news for ransomware is that it’s not going anywhere, she added; it’s going to get slicker and “we will see ransomware delivered by ‘smishing’ in the very near future.”
Another pattern is that of changing subject matter, she continued, explaining that successful phishing relies on current, timely subject matters to catch the target's attention. “For the last couple of years they [phishing subjects] were fairly innocuous (invoice attached, DHL delivery) but in the last quarter of last year we saw a real influx of more ‘grizzly’ subject matters.”
Marjoribanks then referred to the trend of distraction and its emerging use in phishing techniques. “I guarantee that at some point this year there will be a large-scale ransomware attack on our bank that will act as a distraction” to the SOC, she said, with another attack coming in through the back door.
Next was what Marjoribanks called ‘long-term phishing’, which describes the time and effort fraudsters go to in order to gather as much information on a target as possible to maximize their attack. “Phishing is going to explode in this way,” she warned, “and we’ve already seen phishing cases that have had a lapse time of four months.”
LinkedIn is also something that is causing companies problems when it comes to phishing, Marjoribanks added, as “if there’s a rich stream of information out there – such as LinkedIn – you can bet that’s the first place fraudsters will go to mine information.”
Lastly is the growth of mobile malware in phishing attacks, something that Marjoribanks warned was likely to explode with more and more businesses offering mobile services to their customers. “It’s almost like a disaster waiting to happen, and fraudsters are clever, clever people; they always surprise us.”
To conclude, Marjoribanks said that for best phishing defense, a layered security approach is imperative and must include:
- Awareness and education
- Secure internal processes: 2FA, patching and social media guidelines
- Anti-malware software
Most UK C-level executives that have suffered a breach care about the associated costs more than losing customers, according to new research from Centrify.
The identity security vendor polled 800 CEOs, CFOs, CTOs, CIOs, and CISOs in US and UK organizations to compile its latest report, CEO Disconnect is Weakening Cybersecurity.
In the UK, 63% of respondents rated investigation, remediation and legal costs as the most important factor stemming from a breach, followed by disruption to operations (47%) and loss of intellectual property (32%).
On the one hand, the findings should mean that senior executives are ready to buy in to GDPR initiatives, given the huge new fines that could result from non-compliance.
However, it also indicates an overly narrow focus on the potential repercussions of a successful cyber-attack, resulting in security investments that continue to be piecemeal and reactive. Just 16% said loss of customers was the most important factor to consider post-breach, whilst 11% cited damage to the company’s reputation.
Yet both of these less immediately quantifiable factors can have a major long-term impact on a breached organization.
It’s claimed, for example, that TalkTalk lost over 100,000 customers after the breach in 2015.
Centrify also identified a damaging disconnect between CEOs in the UK and US and their technical C-level colleagues — with the former seeming to be heavily influenced by sensational headline-grabbing malware threats such as WannaCry.
Nearly two-thirds (65%) of CEOs claimed malware was the biggest threat to the company, compared to just 35% of CIOs, CTOs and CISOs. In fact, the technical C-level were more likely to point to identity compromise (42%) as the primary threat to their organization.
The findings are borne out by the fact that 68% of executives from companies that already experienced a breach with serious consequences said it could have been prevented by either privileged user identity and access management or user identity assurance. Just 8% said the same about anti-malware endpoint controls.
"Building a secure defense against the very real risk that data breaches pose requires investment and just like any other major cost to an organization the CEO needs to be convinced of the merits in doing so,” Centrify CTO, Barry Scott, told Infosecurity.
“This is more about educating CEOs in a language they understand about the need to invest in a comprehensive protection plan that guards against the primary threat to cybersecurity today, that is identity-related attacks, rather than reacting to the sensational headlines that malware generates."
Speaking at The European Information Security Summit (TEISS) 2018 in West London today, Sumin Tchen, principal and founder of Belarc, explored some of the myths that surround information security and highlighted how they do not always reflect the realities of cyber-risks.
The first myth is the notion that you should prioritize securing high-value assets. The reality, Tchen explained, is that “the high-value asset is not the one that is attacked typically,” and often attackers target devices with no direct access to high-value data and then escalate privileges or find admin accounts to allow them access.
Second, he continued, is the myth that the latest endpoint protection will stop breaches, which is something that is yet to be proven, and third is the belief that IDS/IPS will halt most attacks. “There’s a lot of new technology going on with IDS, but a lot of it is still dependent on signatures, and signatures are always behind new technology. It’s not the wisest thing to be totally dependent on IDS.”
Next are the separate notions that you should focus on critical vulnerabilities and new vulnerabilities. The problem with the first, Tchen said, is that “the majority of attacks do not use critical value vulnerabilities” and regarding the second, “92% of vulnerabilities are greater than a year old. If a breach is still working, why stop a good thing? Attackers will keep using the same things that work.”
The last myth that Tchen discussed is that focusing on isolated systems is unproductive. He argued the reality is that most systems considered to be ‘isolated’ are “not quite as isolated as everyone thinks.”
To conclude, Tchen advised organizations to build cybersecurity around standards, pointing to the Center for Internet Security (CIS) Top 5 controls:
- Identify authorized and unauthorized devices
- Identify authorized and unauthorized software
- Secure configuration for all devices
- Continuous vulnerability assessment & remediation
- Controlled use of admin privileges
More than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks, according to the latest report from Akamai.
The cloud delivery provider’s latest State of the Internet/Security report for Q4 2017 comprised analysis from over 7.3 trillion bot requests per month.
It claimed that such requests account for over 30% of all web traffic across its platform per day, excluding video streaming. However, malicious activity has seen a sharp increase, as cyber-criminals look to switch botnets from DDoS attacks to using stolen credentials to try to access online accounts.
Of the 17 billion login requests Akamai tracked in November and December, over two-fifths (43%) were used for credential abuse. The figure rose to a staggering 82% for the hospitality industry.
The stats chime with similar data from fraud prevention specialist ThreatMetrix, which claimed in its latest Cybercrime report for Q4 2017 that there were 34 million bot attacks during the peak festive shopping period, rising to 800 million for the quarter.
It said that for some businesses bot activity can make up as much as 90% of their daily traffic.
Akamai claimed that credential stuffing can cost businesses up to $2.7m annually.
“Increased automation and data mining have caused a massive flood of bot traffic to impact websites and internet services. Although most of that traffic is useful for internet businesses, cyber-criminals are looking to manipulate the powerful volume of bots for nefarious gains,” said Akamai senior security advocate, Martin McKeay.
“Enterprises need to watch who is accessing their sites to differentiate actual humans from both legitimate and malicious bots. Not all web traffic and not all bots are created equal.”
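The human-versus-bot distinction McKeay describes is, in practice, a question of login-log analysis. The following added example (not Akamai's code, and using a constructed log format and RFC 5737 documentation addresses) flags a credential-stuffing source by the signature the article implies: many attempts, each against a different stolen username, mostly failing, and then reports what share of all login attempts such sources account for.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-log format (not Akamai's); one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def _gen(ip, users, results, start, step_s):
    """Constructed log lines: one attempt per (user, result) pair, step_s seconds apart."""
    return [
        f"{(start + timedelta(seconds=step_s * i)).isoformat()} src={ip} user={u} result={r}"
        for i, (u, r) in enumerate(zip(users, results))
    ]


START = datetime(2017, 11, 24, 3, 0)
# 203.0.113.5: 40 leaked-list usernames tried once each, 3 happen to work -> stuffing.
# 198.51.100.7: one user mistyping a password, then succeeding -> normal.
# 192.0.2.9: 25 attempts hammering 3 accounts -> brute force, not stuffing.
LOG_LINES = (
    _gen("203.0.113.5", [f"user{i:03d}" for i in range(40)],
         ["success" if i in (4, 17, 33) else "fail" for i in range(40)], START, 2)
    + _gen("198.51.100.7", ["alice"] * 4, ["fail", "fail", "fail", "success"],
           START + timedelta(hours=5), 30)
    + _gen("192.0.2.9", ["admin", "root", "test"] * 8 + ["admin"], ["fail"] * 25,
           START + timedelta(hours=1), 1)
)


def parse(lines):
    """Parse log lines into event dicts, skipping lines that do not match the format."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def source_stats(events):
    """Per source IP: number of attempts, distinct usernames tried, and failures."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "failures": 0})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        s["failures"] += e["result"] == "fail"
    return stats


def flag_stuffing_sources(events, min_attempts=20, min_distinct_users=10, min_fail_ratio=0.8):
    """Credential-stuffing signature: many attempts, each against a different account,
    mostly failing. A single-account password guesser trips the attempt and failure
    thresholds but not the distinct-user one, so it is left for a separate rule."""
    flagged = []
    for ip, s in source_stats(events).items():
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_distinct_users
                and s["failures"] / s["attempts"] >= min_fail_ratio):
            flagged.append(ip)
    return sorted(flagged)


def abuse_share(events, flagged):
    """Fraction of all login attempts that came from flagged sources."""
    if not events:
        return 0.0
    return sum(e["ip"] in flagged for e in events) / len(events)


if __name__ == "__main__":
    ev = parse(LOG_LINES)
    bad = flag_stuffing_sources(ev)
    print(bad, round(abuse_share(ev, bad), 3))
```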
Elsewhere in the report, the firm revealed a major increase in the volume of DDoS attacks on financial services firms: 37 organizations experienced 298 attacks during the quarter.
The UK is now the third most targeted country for web app attacks, up one place from the previous quarter, and the ninth biggest attack source.
A GCHQ-backed ethical hacking competition for university students is set to return in March, as the government launches a new fund designed to address the cybersecurity skills crisis.
Now in its third year, the Inter-ACE competition is touted as the largest of its kind in the UK, featuring over 130 students from 18 of the UK’s top universities.
Over the course of two days, the 34 teams will face over 20 challenges set by experts from the University of Cambridge and sponsors including Context IS and Palo Alto Networks.
Competitors will be required to hone their pen testing skills — including binary reverse engineering of malware, breaking into a web application, decoding secure communications and piecing together intercepted data — in a number of simulated scenarios.
These include working to prevent a cyber-attack on the infrastructure of a fictional city, and the tapping of an undersea data cable.
Those that succeed in the competition, to be held on March 17 and 18, will receive £10,000 in cash prizes and the chance to compete against their American counterparts in a 'Cambridge2Cambridge' competition later in the year.
“Inter-ACE gives future cybersecurity professionals the opportunity to test their skills against the best and meet others in their field and future employers. This is about engaging with the next generation of cybersecurity talent, and raising awareness of this vital, interesting and exciting career choice,” said Inter-ACE founder, Frank Stajano.
“It’s also about making the good work of cybersecurity professionals much more visible. Like other initiatives such as NCSC’s CyberFirst program, the interesting experiences of the university students taking part in this year’s event will help to inspire those currently at school to consider a rewarding career in this field.”
The Cyber Skills Immediate Impact Fund (CSIIF) pilot is designed to incentivize organizations like charities and training providers to “develop, scale up, or refocus cybersecurity training initiatives."
Andy Kays, CTO at UK-based cybersecurity company, Redscan, welcomed the initiative.
“Too many organizations seem to think that their cybersecurity problems can be solved with technology, and while utilizing the latest tools is important, there is no replacement for well-trained staff and the expertise of experienced cybersecurity professionals,” he argued.
“For many businesses, identifying and training the right talent needed to defend against sophisticated adversaries has become too difficult and costly.”
Tesla, the green-car, solar and satellite company headed by Elon Musk, has fallen victim to hackers and crypto-jackers.
RedLock CSI researchers found that bad actors intruded into Tesla’s public cloud environment to gain unauthorized access to nonpublic Tesla data like vehicle telemetry and steal compute resources within Tesla’s Amazon Web Services (AWS) environment to mine cryptocurrencies.
At issue was Tesla’s Kubernetes administrative console, which exposed access credentials to Tesla’s AWS environment. Those credentials provided unfettered access to Tesla's Amazon Simple Storage Service (S3) buckets.
The cyber-thieves also performed crypto-jacking using Tesla’s cloud compute resources and employed specific techniques to evade detection. For example, instead of the more familiar public “mining pool,” they installed mining pool software and configured the malicious script to connect to an unlisted endpoint. That makes it harder for standard IP/domain-based threat intelligence feeds to detect malicious activity.
Other tricks included hiding the true IP address of the mining pool server behind Cloudflare and likely keeping CPU usage low to further evade detection.
The issue is not an isolated one: The CSI team has, over time, found hundreds of Kubernetes administration consoles left accessible over the internet without password protection, which leak credentials to other critical applications. In this case, the researchers immediately informed Tesla of its findings, and the misconfiguration was addressed.
RedLock’s latest Cloud Security Trends research report, released this week, found that 83% of vulnerable hosts in the cloud are receiving suspicious traffic, suggesting attempted exploitation, and 15% of these hosts are exhibiting activity patterns associated with instance compromise or reconnaissance by attackers. It also found that 8% of organizations have crypto-jacking activity within their cloud environments. The RedLock CSI team anticipates this will rapidly increase in the near future.
Account compromises also keep rising: Poor user and API access hygiene, combined with ineffective visibility and user activity monitoring, are causing organizations to be more vulnerable to breaches. For example, 73% of organizations allow the root user account to be used to perform activities – behavior that goes against security best practices. Furthermore, 16% of organizations have user accounts that have potentially been compromised.
All of this means that many businesses are still a long way from compliance: The General Data Protection Regulation (GDPR) goes into effect in a few months, but the analysis shows that 66% of databases are not encrypted.
“The message from this research is loud and clear – the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities,” said Gaurav Kumar, CTO of RedLock and head of the CSI team. “In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence. However, security is a shared responsibility: Organizations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic and host vulnerabilities. Without that, anything the providers do will never be enough.”
The North Korean–linked hacking group known as Reaper is expanding its operations in both scope and sophistication, and it has now graduated to the level of an advanced persistent threat.
According to FireEye, the threat actor has carried out long-term targeting of North Korea’s interests in South Korea since 2013, but it’s now focusing on multinational campaigns using advanced capabilities. For instance, the group recently exploited a zero-day vulnerability in Adobe Flash Player, CVE-2018-4878, which represents a concerning level of technical sophistication.
“The slow transformation of regional actors into global threats is well established,” the firm said in a report on the group, which has added a new moniker to its name: APT37. “Minor incidents in Ukraine, the Middle East and South Korea have heralded the threats, which are now impossible to ignore. In some cases, the global economy connects organizations to aggressive regional actors. In other cases, a growing mandate draws the actor on to the international stage. Ignored, these threats enjoy the benefit of surprise, allowing them to extract significant losses on their victims, many of whom have never previously heard of the actor.”
Reaper has set its sights primarily on corporations in vertical industries, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare – and has been seen recently targeting Japan, Vietnam and the Middle East. It uses social engineering tactics tailored specifically to desired targets, strategic web compromises and torrent file-sharing sites to distribute malware more indiscriminately.
That malware represents a diverse bag of tricks to be used for both initial intrusion and data exfiltration, including custom malware used for espionage purposes. Its tool set includes access to zero-day vulnerabilities and destructive wiper malware, FireEye said.
The firm also noted that it’s possible that APT37’s distribution of malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service (DDoS) attacks, or for other activity such as financially motivated campaigns or disruptive operations.
As far as attribution, “disruptive and destructive cyber-threat activity (including the use of wiper malware, public leaks of proprietary materials by false hacktivist personas, DDoS attacks and electronic warfare tactics such as GPS signal jamming) is consistent with past behavior by other North Korean actors,” the firm said. FireEye also detected malware development artifacts that point to Pyongyang, and the targeting aligns with North Korean state interests.
“North Korea has repeatedly demonstrated a willingness to leverage its cyber capabilities for a variety of purposes, undeterred by notional redlines and international norms,” FireEye noted. “Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions, APT37 is an additional tool available to the regime, perhaps even desirable for its relative obscurity. We anticipate APT37 will be leveraged more and more in previously unfamiliar roles and regions, especially as pressure mounts on their sponsor.”
Adult entertainment-themed Twitter bots – known as pornbots – have emerged as the most recent scourge on the social media service, creating big headaches for companies that use Twitter for outreach.
Analysts at Flashpoint found that the bot accounts (a mix of compromised accounts and accounts specifically created to advertise pornography) post tweets with hashtags containing trending topics or popular brand names, alongside random risqué terms with links to porn sites, escort services or video websites featuring online "cam girls.”
The effort is a high-volume one: Each of the observed pornbots posted tweets at a rapid cadence, with some posting more than 50 times per day. Most of the observed pornbot accounts boasted more than 10,000 tweets.
The unfortunate brands being mentioned in the bots’ ad campaigns suffer in at least two ways: potential reputational damage and distorted social media engagement campaign metrics.
“Companies often use hashtags to monitor the spread and reception of marketing campaigns and sponsored events,” said Rob Cook, senior analyst at Flashpoint. “More crucially, emergency services may use hashtag tracking to gain real-time insight into current situations during natural disasters and other crises. In a worst-case scenario, pornbots or other spambots could identify a trending hashtag and distort the conversation by sharing unrelated or false information.”
Multiple accounts were found to share similar bios and pinned tweets, which also contain links to adult content sites. Despite sending out high volumes of tweets, these accounts typically had fewer than 200 followers. The profile pictures were all obtained from public profiles on open-source websites, primarily Instagram and Pinterest. Reverse searches using Google Images indicated these stolen images were reused by multiple pornbots.
Flashpoint analysts identified three distinct sets of pornbots using identical hashtags, indicating that they were likely part of the same organized campaign. While similar in appearance and often using a common set of profile pictures across the groups, each promoted a different adult website. However, the three adult websites linked from the profiles were hosted on one of two common servers, which may indicate the pornbots share a common origin.
“Related sets of pornbots systematically coordinated their tweets,” Cook explained. “One pornbot would post a tweet containing a hashtag, and other pornbots within its group would subsequently post tweets containing the same hashtag, followed by random and unrelated terms.”
In the positive column, Flashpoint analysts did not detect any malicious files on the servers hosting the websites advertised by the pornbots.
“This report was done when I started seeing a Twitter bot development. I was coming across a lot of accounts,” said Cook. “Additionally, clients were asking why their brand was being hashtagged; it was causing them unnecessary work researching it. Twitter bots are a profitable business: think of the ability to sell followers, influence trends and so forth. Think Russia and Twitter bots. All of these bots work in the same way, but the content being pushed is different.”
Cook said that brands can reduce the number of false detections and aid in validating social media metrics by asking their social media teams to identify and block pornbots and spambots following company social media accounts; this impacts the bots' ability to capture and retweet relevant and branded tweets. These accounts should also be reported through Twitter's abuse function. Additionally, social media teams and companies’ cyber-teams should notify each other when this kind of activity is detected.
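The indicators Flashpoint describes (rapid posting cadence, more than 10,000 tweets, fewer than 200 followers, shared bios, reused profile pictures, and grouped accounts echoing the same hashtag) can be turned into a scoring and clustering routine that a social media team could run over its own exported follower data. The following is an added example, not Flashpoint's code; the accounts, handles, image hashes and URLs are constructed, and the thresholds are taken from the figures in the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

HASHTAG_RE = re.compile(r"#(\w+)")
BASE = datetime(2018, 2, 20, 9, 0)


def _burst(handle, offset_min, every_min, n, text):
    """Constructed tweet stream: n tweets, every_min apart, starting offset_min after BASE."""
    return [(BASE + timedelta(minutes=offset_min + every_min * i),
             f"#BrandX {text} {i} http://site-{handle}.example") for i in range(n)]


# Constructed sample accounts (invented handles, bios, image hashes and links).
ACCOUNTS = [
    {"handle": "b1", "bio": "dm me for fun ;)", "followers": 120, "tweet_count": 14000,
     "image_hash": "img_a", "tweets": _burst("b1", 0, 20, 72, "cam girls live")},
    {"handle": "b2", "bio": "dm me for fun ;)", "followers": 80, "tweet_count": 11500,
     "image_hash": "img_a", "tweets": _burst("b2", 5, 25, 55, "hot escorts near you")},
    {"handle": "b3", "bio": "dm me for fun ;)", "followers": 90, "tweet_count": 12000,
     "image_hash": "img_b", "tweets": _burst("b3", 10, 60, 20, "free videos")},
    {"handle": "brandx_official", "bio": "Official account of BrandX", "followers": 50000,
     "tweet_count": 3000, "image_hash": "img_logo", "tweets": [
         (BASE + timedelta(hours=3), "#BrandX spring launch details on our site"),
         (BASE + timedelta(hours=5), "Thanks for all the feedback #BrandX")]},
]


def tweets_per_day(tweets):
    """Posting cadence over the observed span (at least one day, so short bursts are not inflated)."""
    if not tweets:
        return 0.0
    times = sorted(ts for ts, _ in tweets)
    span_days = max((times[-1] - times[0]).total_seconds() / 86400, 1.0)
    return len(tweets) / span_days


def account_indicators(acct, accounts):
    """Return the list of pornbot indicators from the article that this account trips."""
    others = [a for a in accounts if a["handle"] != acct["handle"]]
    flags = []
    if acct["tweet_count"] > 10_000:
        flags.append("high_tweet_count")
    if acct["followers"] < 200:
        flags.append("low_followers")
    if tweets_per_day(acct["tweets"]) > 50:
        flags.append("rapid_cadence")
    if any(a["bio"] == acct["bio"] for a in others):
        flags.append("shared_bio")
    if any(a["image_hash"] == acct["image_hash"] for a in others):
        flags.append("reused_profile_image")
    return flags


def likely_pornbots(accounts, min_flags=3):
    """Handles tripping at least min_flags indicators; candidates for blocking and reporting."""
    return sorted(a["handle"] for a in accounts if len(account_indicators(a, accounts)) >= min_flags)


def coordinated_groups(accounts, window=timedelta(minutes=30)):
    """Per hashtag, cluster accounts whose first use of it falls within `window` of the previous one."""
    first_use = defaultdict(dict)  # hashtag -> handle -> first timestamp
    for a in accounts:
        for ts, text in sorted(a["tweets"]):
            for tag in HASHTAG_RE.findall(text.lower()):
                first_use[tag].setdefault(a["handle"], ts)
    groups = {}
    for tag, uses in first_use.items():
        cluster, prev = [], None
        for handle, ts in sorted(uses.items(), key=lambda kv: kv[1]):
            if prev is not None and ts - prev > window:
                if len(cluster) > 1:
                    groups.setdefault(tag, []).append(sorted(cluster))
                cluster = []
            cluster.append(handle)
            prev = ts
        if len(cluster) > 1:
            groups.setdefault(tag, []).append(sorted(cluster))
    return groups
```

Running `likely_pornbots(ACCOUNTS)` flags the three constructed bots and leaves the brand account untouched, and `coordinated_groups(ACCOUNTS)` groups the same three under `brandx` because their first uses of the tag landed minutes apart.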
Brexit is discouraging people from coming to the UK, and that is making hiring more challenging.
In a panel at the TEISS conference in London, speakers from Barclays, Publicis Groupe, Global Cyber Alliance and the National Cyber Crime Unit, gathered to discuss the subject of Brexit in terms of sharing intelligence.
Andy Bates, executive director UK & Europe at the Global Cyber Alliance, said that data sharing has to continue, and “we do not want Brexit to distract us,” while Thom Langford, CISO of Publicis Groupe, said that if you do not have a mature threat intelligence program, Brexit will make no difference.
Paul Edmunds, head of technology at the National Cyber Crime Unit, added that data can be shared “in a consistent manner” and with GDPR offering a new regulatory environment, there will be different data and different approaches.
As the conversation moved on to the skills shortage, Laura Jones, senior cyber intelligence analyst at Barclays, said as over a million unfilled vacancies are predicted for cybersecurity, the UK “needs all of the advantages it can give.”
She called on the industry to invest more in a diverse workforce, including hiring women and ethnic minorities, and the solution is to invest in people “who are not in this room and not in this industry” and address the gaps that are brought by Brexit.
Jones said: “I bought a one-way ticket to London the day before Brexit, but don’t know if I would have done it the day after and the perception is of the country becoming less welcoming than Paris [for example]. We need to widen the scope of people that we are trying to recruit, as there are lots of reservoirs of groups of people who are not being brought in.”
Langford said that with regards to the skills shortage, an issue that needs to be addressed is generic descriptions being sent to HR, who are filtering based on certifications “and if they [candidates] don’t have CISSP or CISM” they can be overlooked.
“That has got to change and there are agencies that we need to use. I fill most jobs through LinkedIn and Twitter and the people we interact with,” he said.
“More importantly, we want to find someone to fit a round-shaped hole: the army recruiters don’t go into the field and ask someone if they have good sniper skills, they search for aptitudes and invest and we need to do this far, far more.”
Langford gave examples of three people he hired who were a supermarket night manager, a PA and someone with a pharmaceutical background. He recommended finding people who are passionate about security and it should be more about how they culturally fit into the organization and less about their qualifications.
“Find them and invest in them, and they become the best people, and we look for the short-term all of the time,” he added. “We could halve the million roles if we invest in people and have a long-term plan for their careers in cybersecurity.”
The forthcoming GDPR could offer cyber-criminals new opportunities to extort money from their victims, according to Trend Micro.
The security vendor claimed that we could see hackers breach a company and then threaten to go public unless paid off – first determining the possible GDPR penalty and then demanding a ransom slightly less, which bosses are more likely to pay.
The warning was made as part of the vendor’s 2017 roundup report, The Paradox of Cyberthreats, which claimed that hackers are increasingly abandoning exploit kits and spray-and-pray tactics in favor of more strategic attacks.
“The 2017 roundup report reveals a threat landscape as volatile as anything we’ve seen, with cyber-criminals increasingly finding they’re able to gain more – whether it’s money or data or reputation damage – by strategically targeting companies’ most valuable assets,” said Jon Clay, Trend Micro’s director of global threat communications.
“It confirms our view that there is no silver bullet when it comes to the sheer range of cyber-threats facing organizations.”
The report revealed a 32% increase in new ransomware families between 2016 and 2017, a doubling of BEC attempts between the first and second half of 2017 and a sharp increase in cryptocurrency mining malware, peaking at 100,000 detections in October.
Vulnerable IoT devices represented a major opportunity for crypto-currency mining last year.
Trend Micro observed more than 45.6 million mining events during 2017, representing nearly half (49%) of all IoT events it recorded.
As for 2018, the firm predicted that BEC losses will reach $8bn this year, IoT devices will increasingly be targeted for enterprise data rather than conduct outbound attacks and the impact of data breaches will be worse than ever before for companies processing EU data.
Build a cybersecurity culture, but consider how easily your perimeter can be breached.
Speaking in the opening session of TEISS 2018, which was working under the theme of ‘Building an agile cybersecurity culture’, ethical hacker, social engineer and co-founder of Redacted Firm, Freaky Clown (FC), highlighted common failings in what should be highly secure environments.
These include banks, he said, which do not have security gates inside, have CCTV cameras pointing the wrong way and fences that can be easily climbed. FC reflected on one case he had experienced in which a pass was required to be scanned to gain entry to a revolving door. However, he realized that the door operation system was left in ‘engineering mode’, which meant that it did a rotation every 15 minutes. As a result, he was able to gain entry by simply correctly timing his walking.
He also demonstrated that once inside, he was able to get access to open office spaces and photograph desktops, with unlocked PCs, and walk into company meetings unchallenged, including one where “they said how great they had been at security and had no breaches.”
FC added: “Make sure security as a whole works; it has to do everything or it all goes horribly wrong.”
In giving advice, he recommended enabling staff, and ensuring that security is built in and doesn’t become a blocker to their work. He also recommended encouraging the locking of computers when users move away, keeping desks clear and offering help to people.
“One thing that the British are really bad at is confronting people: we’ll never say ‘you shouldn’t be in here’ as they may be someone really important so you help them and show them somewhere to sit.”
He closed by recommending that organizations find a company that will help them take an attacker's eye view of their networks, as an attacker's mindset is very different to that of a defender.
Asked for his recommendations on how to change mindsets, FC said that a lot of work can be done on changing cultural behavior, something that is very hard to drive unless it is driven from the top of a company.
“Security has to be treated the same across the board and not only enforced on staff,” he concluded.