As we race to keep up with the pace of new technology and meet the demands of the cyber security industry, it’s becoming clear that organisations need a workforce of passionate, forward-thinking people to face up to the challenge.
While ransomware may be our biggest threat in 2020, security leaders have more to look out for including botnets, worms, keyloggers, spyware, social engineering and loT device attacks which are also prominent cyber threats today. Cybercriminals use many methods to infect devices and networks and mitigating these threats requires both strategic and tactical thinking. Though malware has continued to evolve, its delivery mechanism has remained a constant: According to the Verizon Data Breach Investigations Report, 94% of malware was delivered by email in 2019.
This has only heightened in 2020 with COVID-19
related email attacks. Cyber criminals benefited from fear and uncertainty of
their targets, user phishing attacks to bypass email security tools,
impersonating as trusted entities, and using spoofed and compromised accounts
to trick their targets to steal sensitive data or install malware.
How cyber threats have evolved?
Cyber threats are evolving every day. Hackers are constantly looking for new ways to exploit individuals and organisations alike. And it’s becoming easier for even amateur hackers to access high-level malicious software, with the eruption of “Ransomware as a service” (RaaS). What that means is that highly skilled cyber criminals are creating malware and selling it off to other cyber criminals, making a profit without the risk of deploying this malware themselves.
The first ransomware, known as AIDS, was observed in 1989, spreading through the exchange of floppy disks. In the years to follow, ransomware was not a serious threat. However, this all changed with the introduction of stronger encryption schemes in the ransomware code and especially the availability of cryptocurrency as a payment method difficult to track by law enforcement. Ransomware is now recognised as one of the fastest growing cybercrimes in recent history and the current trend is that businesses are becoming the primary targets. In the wake of the ransomware success, ransomware-as-a-service (RaaS) has become an entry point for criminals with little programming skills to participate and earn money from ransomware. RaaS can have different formats, such as source code that the buyer compiles theselves, pre-compiled binaries or an interface where the buyer inputs information about the victims.
RaaS constitutes a relatively small portion of the inventory for the major darknet markets.
Cyber crime services have become cheaper and easier to obtain on the dark web marketplaces. Trend Micro’s whitepaper research found that $1.5 trillion is reaped from the cyber crime services offered on the dark web marketplaces annually. This paper also reports the fall in prices for cyber crime services on the dark web. United States credit cards fetched about $1 in 2020 compared to $20 in 2015. Russian botnets also became relatively affordable, costing about $200. A generic botnet cost about $5 per day, and developers could get them for about $100.
Despite their diversification, many dark web marketplaces have faced law enforcement crackdown leading to closures. Despite the crackdown, many dark web marketplaces have witnessed a rise in membership. However, trust has been falling, forcing many cybercriminals to accept verified methods of payment, such as ecommerce and PayPal.
Other commonly sold cyber crime services by cyber criminals
on the black markets include Mirai and non-Mirai exploit kits for DDoS attacks.
The most common botnets are targeted for cryptocurrency mining, IoT device
attacks, click-fraud, spamming, and spreading banking trojans. IoT technology
has become integral to today’s world. Uncovering IoT threats and future threats
facing IoT can help shape how we secure this technology. additionally,
important insights can be reaped by understanding current and future threats to
the internet.
The rise of DDoS attacks:
Researchers say 2020 has seen the largest number of DDoS
attacks ever with campaigns that are more powerful than before. This is true as
we have seen a 151% increase in the number of DDoS attacks compared to the same period
in 2019. DDoS attacks are also growing in size, with the potency of the strongest
attacks up 2,851% since 2017 – providing attackers with the ability to knock
out networks much faster than ever before.
Large DDoS attacks are bigger, more intense, and
happening in greater numbers than ever before. There has been a noticeable
spike in large attacks across the industry, most notably the 2.3 Tbps attack
targeting an Amazon Web Services client in February – the largest volumetric
DDoS attack on record. The attack was carried out using hijacked CLDAP web
servers and caused three days of "elevated threat" for its AWS Shield
staff.
CLDAP (Connection-less Lightweight Directory Access
Protocol) is an alternative to the older LDAP protocol and is used to connect,
search, and modify Internet-shared directories.
The protocol has been abused for DDoS attacks since late
2016, and CLDAP servers are known to amplify DDoS traffic by 56 to 70 times its
initial size, making it a highly sought-after protocol and a common option
provided by DDoS-for-hire services.
One element that helps the cyberattacks behind botnets
for DDoS attacks is that much of the source code for these is available for
free. The most notorious case of this is the Mirai botnet, which took out vast
swathes of online services (News websites, Spotify, Reddit, Twitter, the
PlayStation Network and many other digital service) was the case in 2016. The
source code for Mirai was published online and it has served as a popular
backbone for building botnets since.
Mirai is an IoT botnet and has changed since its source code became
public, and recent analysis of IoT attacks and malware trends show that Mirai
has continued its evolution. The result is an increase in attacks, using Mirai
variants, as unskilled attackers create malicious botnets with relative ease.
Some more prominent threat actors of 2020
Ryuk
Ryuk has been one of the most proficient
ransomware gangs in the past few years, with the FBI claiming $61 million USD
having been paid to the group as of February 2020. Earlier in the year, the
group grew a little quiet, but that seems to have changed as 2020 progressed,
with major incidents like what occurred at UHS hospitals. Unlike common
ransomware which is systematically distributed via massive spam campaigns and
exploit kits, Ryuk is used exclusively for tailored targeted attacks.
Ryuk ransomware mainly targets business giants and government agencies that can pay huge ransoms in return. It recently targeted a US-based Fortune 500 company, EMCOR and took down some of its IT systems.
Cryptojacking
Cryptojacking malware is designed to use a
person’s computing power to help “mine” cryptocurrencies, such as Bitcoin.
Mining requires a huge amount of computing power to generate new crypto coins,
which is why hackers are attempting to install cryptojacking malware on
computers and mobile devices to help with the mining process. With Cryptocurrency
rates going up, it would be no surprise to see mining activities, legal and
illegal, increase. As several recent incidents have shown, Cryptojacking is
still a threat to both enterprises and individuals. ybercrime group called
“Blue Mockingbird” has infected more than 1,000 business systems with Monero
mining malware since December 2019. The group’s specialty is exploiting servers
running ASP.NET, obtaining administrator-level access to modify the server
settings and installing the XMRig application to take advantage of the
resources of the infected machines to mine away.
Ramnit
Virus.Ramnit first made its appearance back in 2010 in
the form of a rather simplistic self-replicating worm. Since then, however, the
miscreants behind it have created several new Ramnit variants, with each one
considerably more dangerous than the previous one. In fact, Ramnit has not only
evolved in terms of becoming more sophisticated, it’s also evolved in terms of
its technique and scope. In 2019, Ramnit was among the top malware families
causing financial attacks. The Ramnit malware family steals confidential data
from infected machines or, depending on the variant, includes a botnet
capability. It spreads through .exe, .dll, or HTML files. Always make sure your
software has the most recent security updates and patches so that Ramnit cannot
exploit the software vulnerabilities that would otherwise leave your devices
open to cyber attacks.
Zeus Gameover
Zeus Gameover is part of the “Zeus” family of
malware and viruses. This piece of malware is a Trojan malware disguised as
something legitimate that accesses your
sensitive bank account details and steals all of your funds. The worst thing
about this particular variant of the Zeus malware family is that it doesn’t
require a centralized “Command and Control” server to complete transactions which
is a flaw found in many cyberattacks that authorities can target. Instead, Zeus
Gameover can bypass centralized servers and create independent servers to send
sensitive information. In essence, you cannot trace your stolen data.
Attack Trends Affecting Organisations
Worldwide
Ransomware is one of the most intractable and
common threats facing organisations across all industries around the world.
Incidents of ransomware attacks are continuing to rise. All the while, despite
best efforts from companies - ransomware threat actors are adjusting their
attack model to adapt to improvements that organisations are making to recover
from these attacks.
Since the beginning of 2020, cybercrime
heights have soared and companies are struggling to keep up with the complexity
of evolving cyber threats. Particularly, Ransomware incidents appeared to explode
in June 2020.
Ransom demands are
increasing exponentially. We have seen ransom demands of more than $40 million
this year.Attackers are finding
schools and universities to be an even more attractive target for ransomware
attacks, especially as they begin classes virtually or are experimenting with
hybrid environments due to the pandemic.2020 saw a 2000% increase
in malicious files with ‘zoom’ in the name.The healthcare industry is still the most threatened industry moving
forward.
Prepare for malware attacks
Regular data backups
Up-to-date backups are the most effective way of recovering from a cyber
attack. Check that you know how to restore files from the backup, and regularly
test that it is working as expected. Ensure you create offline backups that are
kept separate, in a different location (ideally offsite), from your network and
systems, or in a cloud service designed for this purpose.
Prepare for an incident
Identify your critical assets and determine the impact to these if they
were affected by a malware attack. Plan for an attack, even if you think it is
unlikely. There are many examples of organisations that have been impacted by
collateral malware, even though they were not the intended target. Most
importantly, exercise your incident management plan.
Regular Penetration Testing
Ransomware attacks feed on the weaker nodes and vulnerable sections of
the network. The best way to prevent a ransomware attack or any cyberattack for
that matter is to completely eliminate these vulnerabilities.
User Awareness
Regular security awareness training is an indispensable precondition for
avoiding big troubles. Before each strain of ransomware to have the opportunity
to gain a foothold on a targeted system, it first has to find its way in. That
happens through social engineering, most likely through phishing emails that
carry attachments loaded with hidden malware or phishing emails that
prompt recipients to click on malicious URLs that will eventually install a
piece of malware in a surreptitious manner.
Patching
Patching is a critical component in defending against ransomware attacks
as cyber-criminals will often look for the latest uncovered exploits in the
patches made available and then target systems that are not yet patched. It is
critical that organisations ensure that all systems have the latest patches
applied to them as this reduces the number of potential vulnerabilities within
the business for an attacker to exploit.
Prevention is key!
Invest in EDR solutions that continually monitor network endpoints like
PCs, laptops and servers to identify and block malicious processes. Deploy
a SIEM solution with 24/7 monitoring. The SIEM collects data from firewalls
that might indicate successful communication with domains or IPs. It also
detects malware associated with these domains and includes antispam software
that identifies files that could damage the internal network — all in real time
and summarized in a single security alert.
What are the impacts of emerging, sophisticated cyber
threats?
A cyber attack on a company (large or small) can be
costly to fix, and can be hugely disruptive to business. On top of this, if
customers’ important details are stolen, the business could risk having its
reputation severely damaged. As a result, people will stop buying their
products or services. There is also the issue of personal safety when a cyber
attack is successful on a business and important data is stolen. How would you
feel knowing that your personal details, bank details, or other important
information were in the hands of cyber criminals?
More and more
of us are working from home, but the sensible steps mentioned above can ensure
company data stays safe, even if you are not actually in the office. Hackers
are adapting to their environment, creating tools and workarounds that both
exploit existing vulnerabilities and leverage new weaknesses to compromise
personal and business networks. Cyber crime isn’t going anywhere so you must be
prepared and maybe it’s time to rethink your active defence.
Find out more