Malware and cyber threats are constantly evolving. Are you?

Ruth Lanigan


As we race to keep up with the pace of new technology and meet the demands of the cyber security industry, it’s becoming clear that organisations need a workforce of passionate, forward-thinking people to face up to the challenge.

While ransomware may be our biggest threat in 2020, security leaders have more to look out for, including botnets, worms, keyloggers, spyware, social engineering and IoT device attacks, which are also prominent cyber threats today. Cybercriminals use many methods to infect devices and networks, and mitigating these threats requires both strategic and tactical thinking. Though malware has continued to evolve, its delivery mechanism has remained a constant: according to the Verizon Data Breach Investigations Report, 94% of malware was delivered by email in 2019.

This has only intensified in 2020 with COVID-19 related email attacks. Cyber criminals benefited from their targets' fear and uncertainty, using phishing attacks to bypass email security tools, impersonating trusted entities, and using spoofed and compromised accounts to trick their targets into handing over sensitive data or installing malware.

How have cyber threats evolved?

Cyber threats are evolving every day. Hackers are constantly looking for new ways to exploit individuals and organisations alike. And it’s becoming easier for even amateur hackers to access high-level malicious software, with the eruption of “Ransomware as a service” (RaaS). What that means is that highly skilled cyber criminals are creating malware and selling it off to other cyber criminals, making a profit without the risk of deploying this malware themselves.

The first ransomware, known as AIDS, was observed in 1989, spreading through the exchange of floppy disks. In the years to follow, ransomware was not a serious threat. However, this all changed with the introduction of stronger encryption schemes in the ransomware code and especially the availability of cryptocurrency as a payment method that is difficult for law enforcement to track. Ransomware is now recognised as one of the fastest growing cybercrimes in recent history, and the current trend is that businesses are becoming the primary targets. In the wake of ransomware's success, ransomware-as-a-service (RaaS) has become an entry point for criminals with little programming skill to participate in and earn money from ransomware. RaaS can take different forms, such as source code that the buyer compiles themselves, pre-compiled binaries, or an interface where the buyer inputs information about the victims.

RaaS constitutes a relatively small portion of the inventory for the major darknet markets.

Cyber crime services have become cheaper and easier to obtain on the dark web marketplaces. Trend Micro’s whitepaper research found that $1.5 trillion is reaped from the cyber crime services offered on the dark web marketplaces annually. This paper also reports the fall in prices for cyber crime services on the dark web. United States credit cards fetched about $1 in 2020 compared to $20 in 2015. Russian botnets also became relatively affordable, costing about $200. A generic botnet cost about $5 per day, and developers could get them for about $100.

Despite their diversification, many dark web marketplaces have faced law enforcement crackdown leading to closures. Despite the crackdown, many dark web marketplaces have witnessed a rise in membership. However, trust has been falling, forcing many cybercriminals to accept verified methods of payment, such as ecommerce and PayPal.

Other cyber crime services commonly sold by cyber criminals on the black markets include Mirai and non-Mirai exploit kits for DDoS attacks. The most common botnets are used for cryptocurrency mining, IoT device attacks, click fraud, spamming, and spreading banking trojans. IoT technology has become integral to today's world. Uncovering current and future threats facing IoT can help shape how we secure this technology. Additionally, important insights can be gained by understanding current and future threats to the internet.

The rise of DDoS attacks:

Researchers say 2020 has seen the largest number of DDoS attacks ever, with campaigns that are more powerful than before. We have seen a 151% increase in the number of DDoS attacks compared to the same period in 2019. DDoS attacks are also growing in size, with the potency of the strongest attacks up 2,851% since 2017, giving attackers the ability to knock out networks much faster than ever before.

Large DDoS attacks are bigger, more intense, and happening in greater numbers than ever before. There has been a noticeable spike in large attacks across the industry, most notably the 2.3 Tbps attack targeting an Amazon Web Services client in February, the largest volumetric DDoS attack on record. The attack was carried out using hijacked CLDAP servers and caused three days of "elevated threat" for AWS Shield staff.

CLDAP (Connection-less Lightweight Directory Access Protocol) is an alternative to the older LDAP protocol and is used to connect, search, and modify Internet-shared directories.

The protocol has been abused for DDoS attacks since late 2016, and CLDAP servers are known to amplify DDoS traffic by 56 to 70 times its initial size, making it a highly sought-after protocol and a common option provided by DDoS-for-hire services.
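The amplification figure above is what a defender can actually measure: a small UDP query to port 389 answered by a reply many times larger, sent to a source address that never asked for it. The following script is an added example (not part of the original article) that scores flow records for that pattern. The flow records, the RFC 5737 documentation addresses and the alerting threshold are constructed for illustration.

```python
"""Flag likely CLDAP reflection/amplification traffic in flow records.

Added example, not part of the original article. The flow records below are
constructed for illustration; addresses use RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass

CLDAP_PORT = 389          # CLDAP runs over UDP/389
MIN_AMPLIFICATION = 10.0  # response/request byte ratio worth alerting on (assumed threshold)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed sample: tiny queries to two directory servers, each answered by a
# reply roughly 60x larger going back to the (presumably spoofed) source,
# plus an ordinary small CLDAP exchange and some unrelated TCP traffic.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 40000, "198.51.100.5", 389, "udp", 52),
    Flow("198.51.100.5", 389, "203.0.113.10", 40000, "udp", 3120),
    Flow("203.0.113.10", 40001, "198.51.100.6", 389, "udp", 52),
    Flow("198.51.100.6", 389, "203.0.113.10", 40001, "udp", 3300),
    Flow("192.0.2.7", 50000, "198.51.100.5", 389, "udp", 60),
    Flow("198.51.100.5", 389, "192.0.2.7", 50000, "udp", 120),   # benign-sized reply
    Flow("192.0.2.8", 51000, "198.51.100.9", 443, "tcp", 900),
]


def cldap_amplification(flows):
    """Return {(reflector, victim): ratio} for UDP/389 exchanges whose reply
    bytes exceed the request bytes by MIN_AMPLIFICATION or more."""
    requests = defaultdict(int)   # (client, server) -> bytes sent to port 389
    responses = defaultdict(int)  # (server, client) -> bytes sent from port 389
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == CLDAP_PORT:
            requests[(f.src, f.dst)] += f.nbytes
        elif f.sport == CLDAP_PORT:
            responses[(f.src, f.dst)] += f.nbytes

    suspicious = {}
    for (server, client), resp_bytes in responses.items():
        req_bytes = requests.get((client, server), 0)
        if req_bytes == 0:
            continue  # reply without an observed request: no ratio to compute
        ratio = resp_bytes / req_bytes
        if ratio >= MIN_AMPLIFICATION:
            suspicious[(server, client)] = round(ratio, 1)
    return suspicious


def victims_by_total_bytes(flows):
    """Sum bytes sent from port 389 per destination, largest first, so the
    host absorbing the most reflected traffic surfaces at the top."""
    totals = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.sport == CLDAP_PORT:
            totals[f.dst] += f.nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (server, client), ratio in cldap_amplification(SAMPLE_FLOWS).items():
        print(f"reflector {server} -> victim {client}: {ratio}x amplification")
    print(victims_by_total_bytes(SAMPLE_FLOWS))
```

On real NetFlow or firewall exports the same logic applies per time window; the second function matters because a victim's address appears across many reflectors, so per-pair ratios alone understate the aggregate volume.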

One element that helps the cyberattacks behind botnets for DDoS attacks is that much of the source code for these is available for free. The most notorious case of this is the Mirai botnet, which in 2016 took out vast swathes of online services (news websites, Spotify, Reddit, Twitter, the PlayStation Network and many other digital services). The source code for Mirai was published online and it has served as a popular backbone for building botnets since.

Mirai is an IoT botnet and has changed since its source code became public, and recent analysis of IoT attacks and malware trends show that Mirai has continued its evolution. The result is an increase in attacks, using Mirai variants, as unskilled attackers create malicious botnets with relative ease.

Some more prominent threat actors of 2020

Ryuk

Ryuk has been one of the most proficient ransomware gangs in the past few years, with the FBI claiming $61 million USD having been paid to the group as of February 2020. Earlier in the year, the group grew a little quiet, but that seems to have changed as 2020 progressed, with major incidents like what occurred at UHS hospitals. Unlike common ransomware which is systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored targeted attacks.

Ryuk ransomware mainly targets business giants and government agencies that can pay huge ransoms in return. It recently targeted a US-based Fortune 500 company, EMCOR and took down some of its IT systems.


Cryptojacking

Cryptojacking malware is designed to use a person's computing power to help "mine" cryptocurrencies, such as Bitcoin. Mining requires a huge amount of computing power to generate new crypto coins, which is why hackers are attempting to install cryptojacking malware on computers and mobile devices to help with the mining process. With cryptocurrency rates going up, it would be no surprise to see mining activities, legal and illegal, increase. As several recent incidents have shown, cryptojacking is still a threat to both enterprises and individuals. A cybercrime group called "Blue Mockingbird" has infected more than 1,000 business systems with Monero mining malware since December 2019. The group's specialty is exploiting servers running ASP.NET, obtaining administrator-level access to modify the server settings and installing the XMRig application to take advantage of the resources of the infected machines to mine away.

Ramnit

Virus.Ramnit first made its appearance back in 2010 in the form of a rather simplistic self-replicating worm. Since then, however, the miscreants behind it have created several new Ramnit variants, with each one considerably more dangerous than the previous one. In fact, Ramnit has not only evolved in terms of becoming more sophisticated, it’s also evolved in terms of its technique and scope. In 2019, Ramnit was among the top malware families causing financial attacks. The Ramnit malware family steals confidential data from infected machines or, depending on the variant, includes a botnet capability. It spreads through .exe, .dll, or HTML files. Always make sure your software has the most recent security updates and patches so that Ramnit cannot exploit the software vulnerabilities that would otherwise leave your devices open to cyber attacks.

Zeus Gameover

Zeus Gameover is part of the "Zeus" family of malware and viruses. This piece of malware is a Trojan disguised as something legitimate that accesses your sensitive bank account details and steals all of your funds. The worst thing about this particular variant of the Zeus malware family is that it doesn't require a centralized "Command and Control" server to complete transactions, which in many cyberattacks is the weak point that authorities can target. Instead, Zeus Gameover can bypass centralized servers and create independent servers to send sensitive information. In essence, you cannot trace your stolen data.

Attack Trends Affecting Organisations Worldwide

Ransomware is one of the most intractable and common threats facing organisations across all industries around the world. Incidents of ransomware attacks are continuing to rise. All the while, despite best efforts from companies – ransomware threat actors are adjusting their attack model to adapt to improvements that organisations are making to recover from these attacks.

Since the beginning of 2020, cybercrime has soared and companies are struggling to keep up with the complexity of evolving cyber threats. In particular, ransomware incidents appeared to explode in June 2020.

  • Ransom demands are increasing exponentially. We have seen ransom demands of more than $40 million this year.
  • Attackers are finding schools and universities to be an even more attractive target for ransomware attacks, especially as they begin classes virtually or are experimenting with hybrid environments due to the pandemic.
  • 2020 saw a 2000% increase in malicious files with ‘zoom’ in the name.
  • The healthcare industry is still the most threatened industry moving forward.

Prepare for malware attacks

  • Regular data backups

Up-to-date backups are the most effective way of recovering from a cyber attack. Check that you know how to restore files from the backup, and regularly test that it is working as expected. Ensure you create offline backups that are kept separate, in a different location (ideally offsite), from your network and systems, or in a cloud service designed for this purpose.
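"Regularly test that it is working as expected" is the part most organisations skip. The script below is an added example, not from the original article, of what such a test can look like: record a SHA-256 manifest when the backup is taken, then compare a restored copy against it so missing, altered or stray files are reported rather than discovered during an incident. The directory layout and file contents are constructed in a temporary directory so it runs offline.

```python
"""Create a hash manifest for a backup and verify a restore against it.

Added example, not from the original article. The sample files are
constructed in a temporary directory; no real backup medium is touched.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source: Path, manifest: Path) -> dict:
    """Record relative POSIX path -> sha256 for every regular file under source."""
    entries = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            entries[p.relative_to(source).as_posix()] = sha256_of(p)
    manifest.write_text(json.dumps(entries, indent=2))
    return entries


def verify_restore(restored: Path, manifest: Path) -> dict:
    """Compare a restored tree with the manifest. Returns the files that are
    missing, modified, or present but absent from the manifest."""
    expected = json.loads(manifest.read_text())
    report = {"missing": [], "modified": [], "unexpected": []}
    for rel, digest in expected.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != digest:
            report["modified"].append(rel)
    for p in restored.rglob("*"):
        rel = p.relative_to(restored).as_posix()
        if p.is_file() and rel not in expected:
            report["unexpected"].append(rel)
    return report


def restore_is_clean(report: dict) -> bool:
    return not any(report.values())


def demo() -> tuple:
    """Build a constructed source tree, take a backup with a manifest, then
    verify one good restore and one where a file was corrupted and another
    lost, as a failed restore (or an encrypting intruder) would leave it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "notes.txt").write_text("constructed sample data\n")
        manifest = root / "manifest.json"
        write_manifest(source, manifest)

        # Offline copy of the data (stands in for the backup medium).
        backup = root / "backup"
        shutil.copytree(source, backup)

        good = Path(shutil.copytree(backup, root / "restore_good"))
        good_report = verify_restore(good, manifest)

        bad = Path(shutil.copytree(backup, root / "restore_bad"))
        (bad / "finance" / "ledger.csv").write_bytes(b"\x00" * 16)  # corrupted
        (bad / "notes.txt").unlink()                                  # lost
        bad_report = verify_restore(bad, manifest)
    return good_report, bad_report


if __name__ == "__main__":
    good, bad = demo()
    print("good restore:", "OK" if restore_is_clean(good) else good)
    print("bad restore:", bad)
```

Keep the manifest with the offline backup, not only on the production network: a manifest that an intruder can rewrite alongside the data proves nothing.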

  • Prepare for an incident

Identify your critical assets and determine the impact to these if they were affected by a malware attack. Plan for an attack, even if you think it is unlikely. There are many examples of organisations that have been impacted by collateral malware, even though they were not the intended target. Most importantly, exercise your incident management plan.

  • Regular Penetration Testing

Ransomware attacks feed on the weaker nodes and vulnerable sections of the network. The best way to prevent a ransomware attack, or any cyberattack for that matter, is to find and eliminate these vulnerabilities before an attacker does.

  • User Awareness

Regular security awareness training is an indispensable precondition for avoiding big trouble. Before any strain of ransomware can gain a foothold on a targeted system, it first has to find its way in. That happens through social engineering, most likely through phishing emails that carry attachments loaded with hidden malware, or phishing emails that prompt recipients to click on malicious URLs that will eventually install a piece of malware in a surreptitious manner.

  • Patching

Patching is a critical component in defending against ransomware attacks, as cyber-criminals will often study newly released patches for the vulnerabilities they fix and then target systems that are not yet patched. It is critical that organisations ensure that all systems have the latest patches applied to them, as this reduces the number of potential vulnerabilities within the business for an attacker to exploit.

  • Prevention is key!

Invest in EDR solutions that continually monitor network endpoints like PCs, laptops and servers to identify and block malicious processes. Deploy a SIEM solution with 24/7 monitoring. The SIEM collects data from firewalls that might indicate successful communication with domains or IPs. It also detects malware associated with these domains and includes antispam software that identifies files that could damage the internal network — all in real time and summarized in a single security alert.
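The SIEM correlation described above (firewall records matched against known-bad domains and IPs, summarised into a single alert) is straightforward to prototype. The script below is an added example, not from the original article or any SIEM product: it parses constructed firewall log lines, matches destinations against a constructed indicator list, and emits one alert per internal host, rating allowed connections higher than denied attempts because only those represent successful communication. Log format, indicator values and addresses (RFC 5737 ranges, .test domains) are all assumptions for illustration.

```python
"""Correlate firewall log lines with a threat-indicator list and emit one
summarised alert per internal host.

Added example, not from the original article. Log format, indicators and
addresses are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed indicator list standing in for a threat-intelligence feed.
BAD_DOMAINS = {"update-check.example-bad.test"}
BAD_IPS = {"203.0.113.55"}

# Constructed log lines in a simple key=value format (an assumed layout).
SAMPLE_LOG = """\
2020-06-01T09:12:01Z action=allow src=10.0.0.5 dst=198.51.100.20 dport=443 domain=mail.example.test
2020-06-01T09:12:07Z action=allow src=10.0.0.5 dst=203.0.113.55 dport=443 domain=update-check.example-bad.test
2020-06-01T09:13:44Z action=deny src=10.0.0.9 dst=203.0.113.55 dport=8080 domain=-
2020-06-01T09:14:02Z action=allow src=10.0.0.5 dst=203.0.113.55 dport=443 domain=update-check.example-bad.test
2020-06-01T09:15:30Z action=allow src=10.0.0.12 dst=198.51.100.21 dport=80 domain=cdn.example.test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) domain=(?P<domain>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def correlate(log_text, bad_domains=BAD_DOMAINS, bad_ips=BAD_IPS):
    """Return {src_host: summary} for hosts whose traffic matched an indicator.
    Allowed and denied connections are counted separately: only allowed ones
    indicate successful communication, but denied attempts still show intent."""
    def empty():
        return {"allowed": 0, "denied": 0, "indicators": set(), "first": None, "last": None}

    hits = defaultdict(empty)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production pipeline would count these
        matched = {i for i in (rec["dst"], rec["domain"]) if i in bad_ips or i in bad_domains}
        if not matched:
            continue
        h = hits[rec["src"]]
        h["allowed" if rec["action"] == "allow" else "denied"] += 1
        h["indicators"] |= matched
        h["first"] = h["first"] or rec["ts"]
        h["last"] = rec["ts"]
    return dict(hits)


def render_alerts(hits):
    """One line per host, the way a SIEM would summarise the correlation."""
    lines = []
    for src, h in sorted(hits.items()):
        sev = "HIGH" if h["allowed"] else "MEDIUM"
        lines.append(
            f"[{sev}] {src}: {h['allowed']} allowed / {h['denied']} denied connections "
            f"to {sorted(h['indicators'])} between {h['first']} and {h['last']}"
        )
    return lines


if __name__ == "__main__":
    for alert in render_alerts(correlate(SAMPLE_LOG)):
        print(alert)
```

The severity split is the point of the exercise: a host that was blocked once deserves a look, while a host that reached a known-bad domain twice within two minutes is the one to isolate first.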

What are the impacts of emerging, sophisticated cyber threats?

A cyber attack on a company (large or small) can be costly to fix, and can be hugely disruptive to business. On top of this, if customers’ important details are stolen, the business could risk having its reputation severely damaged. As a result, people will stop buying their products or services. There is also the issue of personal safety when a cyber attack is successful on a business and important data is stolen. How would you feel knowing that your personal details, bank details, or other important information were in the hands of cyber criminals?

More and more of us are working from home, but the sensible steps mentioned above can ensure company data stays safe, even if you are not actually in the office. Hackers are adapting to their environment, creating tools and workarounds that both exploit existing vulnerabilities and leverage new weaknesses to compromise personal and business networks. Cyber crime isn’t going anywhere so you must be prepared and maybe it’s time to rethink your active defence.
