Security vendor Trend Micro has issued its H1/2016 report and it is not good news. It says there are three main threats to IT security: ransomware, BEC scams and vulnerabilities. These are not three unconnected threats. The tools used by cybercriminals to exploit vulnerabilities are now delivering ransomware as their payload. This is making it very profitable for everyone involved in developing the components of an attack.
Raimund Genes, chief technology officer for Trend Micro said: “Ransomware is capable of crippling organizations who face it, and the cybercriminals spearheading these attacks are creatively evolving on a continuous basis to keep enterprises guessing. It has dominated the threat landscape so far in 2016, causing immense losses to businesses across multiple industries. Enterprises must adopt multi-layered security solutions to optimally combat these threats that could attempt to penetrate corporate networks at any time.”
Ransomware makes hundreds of millions of dollars every year. This is nothing compared to the success of Business Email Compromise (BEC) scams. The FBI claims that BEC scams have netted at least $3 billion so far. This figure is probably an underestimate, as many companies do not report scams.
Ransomware growth continues to surprise
There is a boom in new ransomware families. January to June 2016 saw 79 new pieces of ransomware, up from 29 for the whole of 2015, an increase of over 2.7x. Trend Micro blocked over 80 million attacks on its customers in that same period. The majority of attacks come through infected email attachments. Downloads from URLs hosting ransomware and exploit kits made up almost all the remaining attacks.
There has also been an evolution in target selection and pricing. Targeting consumers kept the price of a ransom low. By moving to attack businesses, and in particular healthcare, the price has increased. The latest evolution in ransomware targets is enterprise IT and in particular servers. This will put more pressure on victims to pay up as the impact on the business increases.
Attacking servers also changes the way ransomware is spread. Other malware already finds new victims on the corporate network, and now ransomware is doing the same. This makes the attack far more devastating to a business and increases the likelihood of it paying. With so many computers now taken in and out of the office there is a secondary infection problem. Users get infected in the office, go home and infect other machines there. Staff visiting customers and partners will spread the ransomware if local security is weak.
Paying up is always a risk. Not all ransomware works as it should. There are ransomware families that cannot be unlocked due to poor coding. Errors by developers have also meant security vendors have discovered how to unlock some families. The majority of victims are not affected by these. In addition, ransomware authors have upgraded their products to make them much tougher. Victims often cannot wait for a security vendor to come up with a solution. This is why they pay so quickly.
BEC relies on social engineering and poor controls
The success of BEC scams has been a surprise to the entire security industry. They are not a security threat per se but do rely on compromise to be effective. Criminals do significant research on their victims and then compromise their email account. They then rely on social engineering techniques and poor company controls to effectively bully staff into transferring monies as an emergency payment.
These emails are hard for security tools to detect because malware is rarely attached to the email and it originates within the corporate email server. This makes them very hard to spot. The problems continue after the attack. Police lack the expertise to trace the initial email server breach and the jurisdiction to chase the payment. Banks see this as a voluntary action. One major UK bank recently told delegates at an event that it would not refund BEC victims. Its rationale was that they had willingly transferred the money.
It is not just money that is lost. The CEO of an Austrian aerospace firm recently lost his job as a result of a successful BEC scam. The only solution here is better corporate controls and a change to company culture. The latter is difficult as few people will question an email from a senior director demanding something is actioned. The trend towards increasing business automation in software solutions may just defer the problem. Hackers will no doubt aim to exploit weaknesses in ERP solutions as well in time.
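Because a BEC email carries no malware and comes from a genuine internal mailbox, the only signals left are in the message content itself: a known executive as sender, a payment or bank-detail request, urgency or secrecy, and discouragement of phone verification. The following is an added example of content-based triage written for this page; it is not Trend Micro's tooling. The executive mailbox list, the keyword sets, the score threshold and the three sample messages are all constructed assumptions.

```python
"""
Heuristic BEC (Business Email Compromise) triage over message content.
Added example for this page, not from the Trend Micro report.
All mailbox names, keyword lists and sample messages are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Email:
    from_addr: str
    reply_to: str   # empty string when the header is absent
    subject: str
    body: str


# Assumption: the organisation maintains a list of executive mailboxes
# whose payment requests deserve a second look.
EXECUTIVES = {"ceo@example.com", "cfo@example.com"}

PAYMENT_TERMS = re.compile(
    r"\b(wire|transfer|payment|invoice|bank details|account number)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(urgent|immediately|asap|today|right away|confidential|do not (?:discuss|tell))\b", re.I)
OUT_OF_BAND = re.compile(
    r"\b(don'?t call|can'?t talk|in a meeting|unavailable by phone|only reply by email)\b", re.I)


def score_bec(msg: Email) -> Tuple[int, List[str]]:
    """Return an additive risk score and the reasons that contributed to it."""
    score, reasons = 0, []
    sender = msg.from_addr.lower()
    if sender in EXECUTIVES:
        score += 1
        reasons.append("sender is a known executive mailbox")
    # A mismatched Reply-To is a classic spoofing sign; a fully compromised
    # mailbox will not show it, so the content checks below carry the weight.
    if msg.reply_to and msg.reply_to.lower() != sender:
        score += 2
        reasons.append("reply-to differs from sender")
    text = f"{msg.subject}\n{msg.body}"
    if PAYMENT_TERMS.search(text):
        score += 2
        reasons.append("requests a payment or bank detail change")
    if URGENCY_TERMS.search(text):
        score += 1
        reasons.append("urgency or secrecy language")
    if OUT_OF_BAND.search(text):
        score += 1
        reasons.append("discourages verification by phone")
    return score, reasons


def needs_review(msg: Email, threshold: int = 4) -> bool:
    """True when the message should be held for out-of-band confirmation."""
    return score_bec(msg)[0] >= threshold


# Constructed sample messages: one BEC-style request, two benign mails.
SAMPLES = [
    Email("ceo@example.com", "", "Urgent wire transfer",
          "I'm in a meeting and can't talk. Please process a wire transfer of "
          "45,000 to the attached account today. Keep this confidential."),
    Email("ceo@example.com", "", "Team lunch",
          "Lunch on Friday at noon, see you there."),
    Email("ap@example.com", "", "Invoice 123 approved",
          "The invoice for vendor X is approved for payment in the normal cycle."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        s, why = score_bec(m)
        print(f"{m.subject!r}: score={s} review={needs_review(m)} {why}")
```

The score is deliberately additive and explainable so that a reviewer in the finance team can see which signals fired; the intended control is to hold high-scoring requests for a phone call to the apparent sender, which is the kind of corporate control the report says is the only real fix.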
Software vulnerabilities continue to emerge
The discovery of a software vulnerability is no longer news. Every month brings armfuls of patches for operating systems and applications. What has become more worrying is the commercialisation of exploits by specialist security vendors. These companies do not report exploits to vendors. Instead they weaponise them and sell them on to governments and large enterprises.
Last year Italian company Hacking Team suffered a major breach which exposed zero-day exploits and weaponised code. These are now available through several sites. Hackers are already using them in attacks and exploit kits. The breach of Equation Group has seen more weaponised zero-day exploits made available. All of this gives hackers a head start and they are exploiting all these leaks.
Vendors are beginning to respond. The amount of money paid to researchers when they report a vulnerability is increasing. This is often far less than criminal gangs on the dark net will spend to acquire the same vulnerability. This is something that has to be resolved by companies increasing what they spend on researchers.
Trend Micro also reports that companies are still failing to patch software. By not patching, companies are contributing to their own problems. Part of the issue is internal processes and part of it is manpower. This is not just a problem for small and mid-sized enterprises. Many large businesses have a lack of visibility into their software assets and their patch status.
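The visibility gap described above is concrete: a patch status report requires an inventory of installed software per host and a table of minimum fixed versions, and the comparison has to be numeric rather than string-based (a string compare puts "1.9" above "1.10"). The following added example shows that computation; it is not Trend Micro's tooling. The CSV inventory, the product names and the fixed-version table are constructed placeholders, not real advisories.

```python
"""
Patch-status visibility from a software inventory.
Added example for this page; the inventory and the fixed-version table are
constructed placeholders, not real products or advisories.
"""
import csv
import io
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2). Numeric tuples avoid the '1.9' > '1.10'
    ordering bug of plain string comparison; non-digit suffixes are dropped."""
    parts = []
    for p in v.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the fixed version.
    Shorter tuples are right-padded with zeros so '52.0' == '52.0.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


# Constructed minimum fixed versions (placeholder values).
FIXED_VERSIONS = {"AcmeOffice": "4.2.1", "WidgetReader": "11.0.10", "FooBrowser": "52.0"}

# Constructed inventory export: one row per (host, product).
INVENTORY_CSV = """host,product,version
ws-001,AcmeOffice,4.2.1
ws-001,WidgetReader,11.0.9
ws-002,AcmeOffice,4.1.7
ws-002,FooBrowser,52.0.1
srv-010,WidgetReader,11.0.10
srv-010,LegacyTool,2.3
"""


def unpatched_hosts(inventory_csv: str,
                    fixed: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map host -> [(product, installed, fixed)] for entries below the fixed
    version. Products with no fixed-version entry are reported with 'unknown'
    rather than being silently treated as patched, so blind spots surface."""
    result: Dict[str, List[Tuple[str, str, str]]] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        target = fixed.get(row["product"])
        if target is None:
            result.setdefault(row["host"], []).append(
                (row["product"], row["version"], "unknown"))
        elif not is_patched(row["version"], target):
            result.setdefault(row["host"], []).append(
                (row["product"], row["version"], target))
    return result


if __name__ == "__main__":
    for host, gaps in unpatched_hosts(INVENTORY_CSV, FIXED_VERSIONS).items():
        for product, installed, target in gaps:
            print(f"{host}: {product} {installed} (fixed in {target})")
```

Reporting products that are missing from the fixed-version table as "unknown" is the important design choice: the report's point is that large businesses lack visibility, and a checker that quietly skips unrecognised software reproduces exactly that gap.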
Internet of Things an emerging security problem
The interest in the Internet of Things is increasing the pressure on companies to resolve their patching and asset management issues. Hardware and software vendors are also aware that they have to become more responsive to security issues. Consumer goods manufacturers work to tight margins. They have little to no experience of cybersecurity, so installing Internet connectivity into their goods is risky. Few have the ability to patch consumer-owned devices such as fridges, washing machines and TVs. It will be interesting to see how they resolve their part in attacks on consumer devices.
Despite all of this doom and gloom there is some good news. Detected attacks might be up on 2015 but are still below 2014 levels. This shows that the security infrastructure inside and outside the enterprise is working. The next step is to focus on the current attacks and improve overall processes and training inside enterprises.