STE WILLIAMS

Thank you, your DNA data will help secure your… oh dear, we’ve lost that too

Something for the Weekend, Sir? I have been propositioned at midnight at a hotel door. “What’s your room number?”

Tired, tipsy and momentarily surprised at being accosted at the threshold of my two-night, three-star lodging, I fail to conjure an immediate answer. Am I on the third floor? Something about turning right when exiting the lifts, five or six doors on the left. The room number itself eludes me.

So I ask Mme D who, as luck would have it, is just a few feet away.

I turn back to the night porter: “Three-three-eight. Can we come in now?”

It has been a long while since I last had to ring a bell for re-admittance to a hotel after a late night out. Back in the day, a night porter would arrive with a key and let you in. Tonight, however, we are required to undergo interrogation to establish our guest credentials. One false move or evasive response and we might be wrestled to the faux-marble floor, handcuffed and hauled away to the dungeons beneath the Office of Bottom Correction.

There are no more night porters, you see. The man barring our entrance is night security.

Security, we can all agree, is an ever-growing problem that needs to be taken more seriously than in the past. This hotel’s night security is someone who certainly looks serious. Or grim. Or glum. Anyway, judging from his expression, you don’t want to mess with him if you hope to be permitted to stagger towards the lifts before sunrise.

Unfortunately, this isn’t really security, is it? It’s just a hotel equivalent of a nightclub bouncer who’s looking to enliven his uneventful shift with a little light banter at the door to demonstrate how important he is. Gruffly demanding my room number and then accepting my response didn’t make the hotel any safer from riffraff than if he’d just opened the door and waved us in with a cheery hello.

That said, a cheery hello can be used as an opening gambit to catch the fibber off-guard. For a masterclass in subtle lie detection, I give you Dr Younan Nowzaradan, the Houston-based surgeon at the well-padded centre of the hit daytime TV series about overweight burger munchers trying to live beyond their twenties, My 600-lb Life.

He walks into the consulting room, poker-faced and singing “Hello, how y’all doin’?” with a tonal resonance pitched halfway between Minnie Mouse and SpongeBob SquarePants. Silly man, you think to yourself, I’ll dispense with him in no time. But three minutes later, Dr Now’s verbal scalpel is at your roly-poly throat and he’s surgically removing your bullshit that you weigh 270kg because you snack on the occasional grape.

Since hotels can’t afford to hire highly skilled plastic surgeons to take charge of night security, they make do with blue-collar grumpy men whose expertise lies in being able to clip a large bunch of keys to their belt.

You’d think a hotel’s front door would be more secure overnight if it replaced the human bouncer altogether with a swipe- or touch-card reader at the front door along with a keypad prompt to enter my room number as confirmation. OK, that’s a little bit securer, but not much. Maybe add a 12-character password as well? And a QR code to generate authenticator PINs, perhaps? Fingerprint recognition might help too. Oh, and let’s add a retina scan, polygraph test, DNA comparison with the top 10 Most Wanted, armpit temperature check, fine-comb check for nits and a cough-and-drop.

The problem with all these measures is that as they incrementally improve the quality of security, they exponentially compound the Bully Factor. Just as the nightclub doorman insists that the next dude in the queue should produce their passport, birth certificate and letters of dispensation from Pope Francis and Patriarch Kirill, it all seems unnecessarily tiresome for the customer. I’ve witnessed bouncers ordering prospective clubbers to recite their birthdate in reverse numbers, pat their head while rubbing their stomachs, and touch their toes three times – no doubt a trick they themselves learnt in prison.

Those of you who suffer plenty of international air travel will be aware that the airport security industry, if we can call it that, underwent a major upheaval a couple of years ago. Realising that almost everybody regarded them not as public protectors so much as voyeuristic bullies with a penchant for rummaging through your pockets while you’re still wearing the trousers, the crotch-probing profession did some soul-searching. This has led to swifter, politer, less humiliating and more expert security processing of humans as they pass into the international departures lounge.

It won’t last: it will have to change again, simply to keep pace with the perps. In our own industry, recent data security scares include reports that show how half of all phishing attacks now take place on websites that feature the browser padlock icon. Increasingly, malicious JavaScript is being injected into authentic sites to plant fake login forms, watering-hole style.

This suggests that there is nothing so suspicious as an outward appearance of security. Paranoia ahoy! The customer puts up with all the bullying for passwords and IDs and shit, only to have their personal info lifted behind the scenes anyway. Or, much much worse (and much much more likely over the next few years), your data is maliciously associated with someone else’s, not to steal your money but to cover their tracks.

This week’s story about alleged farcical facial unrecognition as practised by overconfident Apple Store detectives in the US is a taste of what’s to come. Don’t be surprised if your Gran has her door kicked in at 4:00am by anti-terror police looking for her heroin lab and stash of Islamic State literature. We’ll be reading stories like this as frequently as we do now about massive personal customer data breaches.

I’m not sure that ownership of a flag is illegal, by the way. What matters with a flag is where you put it.

Donald Trump flag on a dog turd

Patriotic flag-waving Chicago-style, as photographed by Mme D this month

I get the impression that the architects of IT security systems continue to model themselves on nightclub bouncers. They present a preening cosmetic shell of security at the front door while the real perps are clambering through the toilet windows round the back and are already roaming the dance floor looking for someone’s data to bottle.

Effective security can no longer be achieved by shaking a fist at the front door. It has to be a continuous process, constantly checking your behaviour once you enter the building. CCTV. Body language. Cultural profiling. Automatic lie-detecting of whatever you type on your keyboard.

Did I mention paranoia?

Alistair Dabbs
Alistair Dabbs is a freelance technology tart, juggling tech journalism, training and digital publishing. He has now worked himself up into a state of terror, worrying that everything he writes here will be recorded, probed and analysed. We have assured him that there is nothing to worry about, since nobody is likely to read it. @alidabbs

Sponsored:
Becoming a Pragmatic Security Leader

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/26/something_for_the_weekend_/

NSA: That ginormous effort to slurp up Americans’ phone records that Snowden exposed? Ehhh, we don’t need that no more

The NSA’s mass-logging of people’s phone calls and text messages, at home and abroad – a surveillance program introduced after the September 11, 2001 terror attacks – is set to end as it’s no longer worth the hassle.

The blanket spying, which hoovered up the metadata for all calls and texts made by US citizens as well as foreigners around the world, has been widely criticized ever since its existence was revealed by whistleblower Edward Snowden. Now intelligence officials are telling the White House that it’s no longer needed, with one whispering this week to the Wall Street Journal that “the candle is not worth the flame.”

The program was authorized by the controversial Section 215 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act, passed in the month after the 9/11 mass-murders by terrorists on American soil. The NSA has since spent years defending the snooping as essential to national security, though it now appears to have changed its mind, and has been hinting about ditching the thing.

The timing of the leak is very interesting, because Section 215 is up for review in September. Civil liberties campaigners at the EFF and ACLU have been gearing up for a major fight over the legislation, and the NSA may be giving a good excuse for the White House to either drop the section, or to argue that it can stay because it’s not being used by America’s spy nerve-center any more.

The latter case is a possibility because it has been suggested that other agencies, notably the Drug Enforcement Administration, are running similar espionage programs under Section 215. It’s notable that the NSA, the FBI, and the Department of Justice were all quoted in the newspaper report, but not America’s drug warriors.

If the NSA ends its Section 215 surveillance, don’t think the agency has given up on keeping an eye on people’s communications. It’s probable that the agency has plenty of other legal tools and mechanisms it can use to surveil folks. There’s also the fact that the growth of encrypted chat app use, in response to the Snowden revelations, has made plain old voice calls and SMS rather redundant. Citizens just aren’t making calls and texting each other through the mobile and wired phone system like they used to, making Section 215 spying not quite worth the effort.

Dropping the blanket surveillance also makes the NSA look good, and the agency has been on a positive PR push to reform its image over the last few years, led by the agency’s cuddly Christmas lights hacker – and the former head of its elite Tailored Access Operations hacking crew – Rob Joyce.

It has released some of its tools to the security community, is speaking at more public events, and now has a chance to remove a key part of its boogeyman image. It might just work. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/26/nsa_drops_spying_campaign/

Zuck it up: Facebook hit with triple whammy of legal probes, action in Canada, US, Ireland

Here’s a triple Thursday whammy: Facebook has been accused of breaking Canada’s privacy laws, and is being investigated in the US and Ireland for seemingly mishandling people’s private data.

The Office of the Privacy Commissioner of Canada (OPC) launched an official inquiry into Zuck’s empire in March 2018 following the Cambridge Analytica scandal in which 87 million Facebook profiles were harvested, via a harmless-looking third-party quiz app, for political ad targeting.

Fast forward to this week, and OPC has emitted a report from that investigation: it concludes that Facebook ran roughshod over Canada’s privacy laws by failing to obtain proper consent from its users to ultimately share that profile data with Cambridge Analytica, and failing to protect user information. Now, OPC wants to take Facebook to court to, hopefully, force it to comply with Canadian law.

“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” Daniel Therrien, Privacy Commissioner of Canada, said in a statement. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.”

The US tech giant apparently refused to play ball with the Canadian watchdog while it was drawing up its report, snubbing its recommendations and findings, leading to the OPC’s decision to haul the business into court to force it to follow the law. “It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions,” said Therrien.

Facebook, on the other hand, claimed it had cooperated with the regulator, and was in negotiations to settle the matter before it got to court.

It’s not the only battle that Facebook will have to face. Over in America, the New York Attorney General Letitia James announced that her office will be launching a probe into a separate Facebook fracas.

Last week, Zuck’s bunch admitted siphoning contacts books from 1.5 million people’s email accounts without permission, snaring potentially hundreds of millions of netizens’ contact details as a result. Folks signing up to use the social network were asked to hand over their email account passwords so the site could verify automatically that the accounts were valid, during which it also hoovered up all the contacts’ details it could from those inboxes.

Meanwhile, across the Pond, Ireland’s Data Protection Commission declared an investigation into Facebook’s practices to see whether they violate Europe’s GDPR. And what’s more, it’s for a separate incident: logging hundreds of millions of user account passwords in plain text in its servers.

“The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers,” the Emerald Isle’s watchdog said in a statement.

“We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR.”

Facebook’s latest financial figures showed it was stowing away at least $3bn of its profits, half of its net income for the first quarter of the year, for a hefty fine from the Federal Trade Commission, America’s privacy watchdog. However, after Thursday’s bombshells, it looks as though $3bn may not be enough.

A spokesperson for Facebook, which has been hiring loads of digital privacy experts recently to fight its corner, was not available for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/26/facebook_sued_again/

Microsoft: Yo dawg, we heard you liked Windows password expiry policies. So we expired your expiry policy

Microsoft has finally decided to drop password expiration policies from its Windows security baseline because forcing people to reset their passwords periodically harms security.

Word arrived from Redmond via Wednesday’s draft release of the security configuration baseline settings for Windows 10 version 1903. The release, available as a zipped download of spreadsheets, configuration files, and other documents, includes a variety of changes to the foundational security settings from the previous versions of Windows 10 and Windows Server 2019.

The draft changes include tweaks like adding an App Privacy setting that prevents users from interacting with applications using speech when the system is locked. Microsoft is also dropping specific BitLocker drive encryption method and cipher strength settings, which had required 256-bit encryption and will now default to 128-bit, because “our crypto experts tell us that there is no known danger of its being broken in the foreseeable future.”

Finally, some password sense

But the most welcome Windows change is likely to be abandoning periodic password resets, a requirement that annoys just about everyone. To explain its shift, Microsoft cites recent research that casts doubt on the efficacy of password expiration policies.

The cloud-and-bits biz may be referring to a 2010 study from researchers at the University of North Carolina at Chapel Hill which showed that password expiration policies lead to weaker security because new passwords tend to be based on old ones.

The study also demonstrated that human-chosen passwords are typically too weak to survive brute force cracking attacks. But that’s a separate issue about the general inadequacy of passwords, one that has only recently begun to be addressed through hardware authentication keys.

In any event, Microsoft has finally recognized that password expiration policies do more harm than good.

“When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords,” explains Aaron Margosis, principal consultant with Microsoft’s cybersecurity group, in a post to Microsoft’s Security Guidance blog.

That’s not to say Microsoft will prevent companies from implementing a password expiration policy. Windows customers can still do so, pointless and irritating though that may be. But by removing password expiration from the Windows baseline, compliance audits will no longer flag deviations from the expected baseline.

“Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value,” said Margosis.

“By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance.”

Don’t tell the US government, which advises, “Change passwords monthly.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/25/microsoft_password_expiration/

Enterprise Trojan Detections Spike 200% in Q1 2019

Cybercriminals see greater ROI targeting businesses, which have been slammed with ransomware attacks and Trojans.

Enterprise cyberattacks mean big bucks for cybercriminals, who targeted businesses with a wave of Trojans and ransomware attacks throughout 2018 into the first quarter of this year.

Trojan detections on business endpoints in the first quarter of 2019 increased more than 200% from the fourth quarter of 2018, and almost 650% from the first quarter of 2018, researchers found in the Malwarebytes Q1 Cybercrime Tactics and Techniques report. The Emotet Trojan has made a “total shift” away from consumers as operators focus on business targets, researchers say, with the exception of a few outlier spikes.

“The biggest takeaway from this report is the continued increase in business detections we see and business-focused attacks we see,” says Adam Kujawa, director of Malwarebytes Labs. Emotet isn’t the only Trojan targeting organizations, researchers found. The spike in Trojan malware can also be attributed to families like TrickBot and other info-stealing malware.

Emotet, first detected in 2014, has proven to be a widespread and pricey global threat. Malwarebytes calls it the most common malware, as well as the most invasive and expensive to remove. And it’s growing: The number of Emotet detections spiked from 800,000 to 4 million year-over-year.

Trend Micro researchers have found Emotet is evolving with new capabilities. Recent samples use a different post-infection traffic compared with earlier versions, and the Trojan is now attempting to use infected connected devices as proxy command-and-control servers to redirect back to the real Emotet command-and-control (C2) servers. While the changes may seem small, experts warn these complexities in C2 traffic indicate Emotet’s authors are working harder to evade detection.

Business threat detections have been increasing overall. While there was only a 7% increase between the fourth quarter of 2018 and the first quarter of 2019, Malwarebytes found detections overall were up 235% year-over-year. The spike is likely because persistent families like Emotet are focusing on businesses.

Ransomware is also back to business, with a 195% increase in enterprise detections between the fourth quarter of 2018 and the first quarter of 2019 and a 500% increase from the first quarter of 2018. Malwarebytes primarily attributes the increase to the Troldesh ransomware attack against US organizations early in the first quarter.

“At the end of the day, it’s all about money,” says Kujawa of the enterprise focus. “It’s always going to be about money.” Cybercriminals are capturing data they can sell for money, and info stealing is predicted to increase as data regulation policies such as GDPR are put into place.

Consumers Have Different Concerns
“[There’s] a decline in efforts on the consumer side, which coincide with the increase in efforts on the business side,” Kujawa explains. But cybercriminals aren’t ignoring consumers entirely — they’re just using different techniques.

For example, consumer detections of ransomware have continued to fall by 10% quarter-over-quarter and by 33% year-over-year. Researchers did detect activity by families like GandCrab, which mostly hit consumers last quarter as it switched to ransomware-as-a-service. Cryptomining against consumers “is essentially extinct” as CoinHive halted operations in March.

Consumers should be more worried about the security of their Macs and mobile devices. Across the board, Mac malware was up 60% between the fourth quarter of 2018 and the first quarter of 2019; adware was especially pervasive, with an increase of more than 200% from the last quarter. Mobile adware was also up, particularly in the form of malware preinstalled on devices. That said, researchers found, adware detections were down overall in the first quarter compared with the same quarter last year.

The increase in business-focused cyberattacks is making consumers wary. In a 4,000-person study conducted in the first quarter, Malwarebytes found users have deep concerns about the abuse, misuse, and theft of personally identifiable information (PII) — especially from social media companies, which are distrusted among 95% of respondents. Nearly 60% of people avoid sharing contact information, credit card numbers, banking details, and health data.

What’s Coming Next
Kujawa anticipates the rest of 2019 will bring more innovation in the ransomware space as cybercriminals find new ways to target organizations. He’s also concerned about the potential for Trojans to increase, with attackers inspired by the success of Emotet and TrickBot.

“I’m terrified that Emotet and TrickBot are going to inspire copycats — that we’re going to get a lot more malware that does a lot of the same things,” he says. There’s the possibility future forms of malware will adopt Emotet’s techniques for spreading and reaching out to other systems. “It’s a very dangerous, very sophisticated piece of malware,” he says of Emotet.

Researchers anticipate ransomware development and resurgence against businesses will continue, and by the end of this year we may see “an intense campaign” targeting organizations with the goal to generate as much money as possible. They predict consumer ransomware will continue to decline as cybercriminals save their weapons for more valuable targets.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/enterprise-trojan-detections-spike-200--in-q1-2019/d/d-id/1334535?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How a Nigerian ISP Accidentally Hijacked the Internet

For 74 minutes, traffic destined for Google and Cloudflare services was routed through Russia and into the largest system of censorship in the world, China’s Great Firewall.

On November 12, 2018, a small ISP in Nigeria made a mistake while updating its network infrastructure that highlights a critical flaw in the fabric of the Internet. The mistake effectively brought down Google — one of the largest tech companies in the world — for 74 minutes.

To understand what happened, we need to cover the basics of how Internet routing works. When I type, for example, HypotheticalDomain.com into my browser and hit enter, my computer creates a web request and sends it to HypotheticalDomain.com’s servers. These servers likely reside in a different state or country than I do. Therefore, my Internet service provider (ISP) must determine how to route my web browser’s request to the server across the Internet. To maintain their routing tables, ISPs and Internet backbone companies use a protocol called Border Gateway Protocol (BGP).

BGP is a dynamic routing protocol, meaning it automatically updates routing tables as changes occur. The Internet isn’t a single straight line from one point to another. There are generally a few different paths a connection can take from point A to point B. BGP’s job is to decide which path is the “best” path to reach any given destination network (subject to each operator’s local policy, typically the one with the shortest AS path) and update routers accordingly. This path can change as routers are taken down and brought back up online. BGP handles all of these route changes automatically.

The Internet is broken up into a number of autonomous systems (ASs), 63,954 at the time of writing. Each AS is assigned an autonomous system number (ASN) from blocks that the Internet Assigned Numbers Authority (IANA) delegates to the regional Internet registries. Your ISP has at least one ASN, likely even more. Big companies like Google also maintain their own border routing infrastructure and have their own ASN.

Autonomous systems form connections with their neighbors, called peers. Through these peer connections, ASs advertise the routes — or “network prefixes,” as they are called — that they know how to reach. Neighbors forward on these advertisements to their other neighbors to propagate them across the Internet backbone. Eventually, because of these route advertisements, an ISP in Seattle can learn a route all the way to a web server hosted in Sydney.

Ground Zero: Internet Exchange Point, Nigeria
So, what exactly happened on November 12? It all starts with an organization called the Internet Exchange Point of Nigeria (IXPN). Internet exchange points (IXPs) are common, especially in developing countries. They provide a central location for regional ISPs to peer with each other and share data at reduced bandwidth costs. Without IXPs, regional ISPs might not have a direct connection with each other. This means traffic between them may travel an overly long distance, possibly even leaving the country before coming back in.

IXPs also act as a single point of connection for larger remote companies and services. In the case of IXPN, Google maintains a peering connection with participating Nigerian ISPs, allowing direct connections from their networks to Google’s services. To facilitate this, Google announces its network prefixes (routes) to its ISP peers in Nigeria. Think of it like building a highway straight to Google instead of having to take a winding country road up through Europe.

These peering agreements and route advertisements are generally for the benefit of the ISPs and their customers alone, so they use route filters to prevent accidentally advertising the prefixes beyond their own networks. Without these route filters, the ISP routers, using BGP, would continue to propagate the routes to their other neighbors across the Internet and risk changing how global Internet traffic routes to Google.

Next Stop China
On November 12, 2018, at around 21:13 UTC, MainOne Cable Company in Nigeria was performing routine maintenance on its routing infrastructure. During this maintenance, it accidentally misconfigured its route filters, causing it to announce 212 Google prefixes (and several Cloudflare prefixes) to its other BGP neighbors.

China Telecom, one of MainOne’s BGP peers, accepted the route advertisement and relayed it to its neighbors. Transtelecom, based in Russia, accepted this advertisement and relayed it to its peers. At this point, the advertisement had made it far enough into the Internet that many ASs began accepting it.

For around 74 minutes, most traffic destined for Google and Cloudflare services from around the world was routed through Russia, into China, and on to MainOne in Nigeria. Cloudflare was quick to spot the issue and update its routing topology to mitigate the problem. Many users attempting to access Google services, however, had their connections crash right into the largest system of censorship in the world, China’s Great Firewall. Everyone else suffered extreme latency as their connections were routed across the world to Nigeria before reaching Google.

Why is this a big deal? This accident highlights a critical vulnerability in the fabric of the Internet. BGP relies on trust. Peers trust that their neighbors are advertising accurate routes. If a neighbor starts advertising routes to prefixes it doesn’t own, it could start intercepting and man-in-the-middling any connection it wants. A single small ISP from Nigeria managed to disrupt traffic to the largest company on the Internet because of a simple mistake. Now imagine what a malicious, coordinated BGP hijack could accomplish.

The good news is that there is a partial fix out there. Resource Public Key Infrastructure (RPKI) uses cryptographic signatures to authenticate BGP route advertisements, similar to how websites use certificates: the holder of a prefix publishes a signed Route Origin Authorization (ROA) naming the AS allowed to originate it and the longest prefix length permitted. Route origin validation (ROV) on a router compares each received announcement against those ROAs and can drop announcements whose origin AS or prefix length does not match. Unfortunately, only 13% of advertised prefixes use RPKI, and less than 1% of ASs validate route advertisements. One limit is worth knowing: ROV checks only the origin AS, so a leak in which a peer re-announces routes it legitimately learned, with the true origin still at the end of the AS path, passes validation; outbound route filters and peer policy remain necessary alongside it. If our Internet service providers and other participants on the Internet backbone don’t start adopting these standards soon, the next BGP hijack might not be an accident — and will likely be much worse.
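The two controls the article leans on, the outbound route filter an ISP should apply before announcing routes to transit (the filter MainOne misconfigured) and RPKI route origin validation, worked through in Python as an added example. This is not code from the article, from MainOne, or from any router vendor. The ASNs (documentation range 64496-64511), the prefixes (RFC 5737 documentation blocks), the ROA set and the announcements are all constructed for illustration.

```python
"""Route origin validation (RFC 6811) and an ISP export filter, over constructed data.

Added example, not code from the article, from MainOne, or from any router
vendor. ASNs are from the documentation range (64496-64511) and prefixes from
the RFC 5737 documentation blocks; the ROA set and announcements are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"

CONTENT_AS = 64496   # stands in for the content provider peering at the IXP
ISP_AS = 64500       # the regional ISP that peers with it
FORGER_AS = 64511    # an AS announcing a prefix it does not hold


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_asn may originate prefix and any
    more-specific route down to max_length bits, nothing longer."""
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP route as received: the prefix plus AS_PATH, nearest neighbour
    first, originating AS last."""
    prefix: str
    as_path: Tuple[int, ...]

    @property
    def origin_asn(self) -> int:
        return self.as_path[-1]


def _net(prefix: str):
    return ipaddress.ip_network(prefix, strict=False)


def _within(prefix: str, container: str) -> bool:
    """True if prefix equals or is a more-specific of container (same address family)."""
    p, c = _net(prefix), _net(container)
    return p.version == c.version and p.subnet_of(c)


def rov_state(ann: Announcement, roas: Iterable[ROA]) -> str:
    """RFC 6811 origin validation.

    NOT_FOUND: no ROA covers the announced prefix (unsigned space).
    VALID:     some covering ROA names this origin AS and the announced prefix
               is no longer than that ROA's max_length.
    INVALID:   covering ROAs exist but none match: a forged origin, or a
               more-specific than the holder authorised.
    """
    covering = [r for r in roas if _within(ann.prefix, r.prefix)]
    if not covering:
        return NOT_FOUND
    for r in covering:
        if r.origin_asn == ann.origin_asn and _net(ann.prefix).prefixlen <= r.max_length:
            return VALID
    return INVALID


def export_filter(anns: Sequence[Announcement], cone: Sequence[str]) -> List[Announcement]:
    """The outbound filter an ISP applies towards transit providers and peers:
    only prefixes it originates or that lie inside its customer cone go out.
    Routes learned from a peer at an IXP are not in the cone and are dropped,
    which is exactly what a misconfigured filter fails to do."""
    return [a for a in anns if any(_within(a.prefix, c) for c in cone)]


# Constructed ROAs: the content provider signs its /24 with no more-specifics
# allowed; the ISP signs its /24 and permits /25s.
ROAS = [
    ROA("192.0.2.0/24", 24, CONTENT_AS),
    ROA("198.51.100.0/24", 25, ISP_AS),
]
ISP_CONE = ["198.51.100.0/24"]

# Routes present in the ISP's table before it announces to transit.
LEARNED = [
    Announcement("192.0.2.0/24", (CONTENT_AS,)),     # peer route from the IXP
    Announcement("198.51.100.0/25", (ISP_AS,)),      # own customer route
    Announcement("198.51.100.0/26", (ISP_AS,)),      # longer than the ROA permits
    Announcement("192.0.2.0/24", (FORGER_AS,)),      # forged origin, a true hijack
    Announcement("203.0.113.0/24", (64502,)),        # no ROA published
]

# The same peer route as the ISP's transit provider would see it after the
# ISP prepended its own ASN: a route leak, origin AS unchanged.
LEAKED = Announcement("192.0.2.0/24", (ISP_AS, CONTENT_AS))


def main() -> None:
    for a in LEARNED + [LEAKED]:
        print(f"{a.prefix:18} path {a.as_path!s:18} rov={rov_state(a, ROAS)}")
    announced = export_filter(LEARNED, ISP_CONE)
    print("exported to transit:", [a.prefix for a in announced])


if __name__ == "__main__":
    main()
```

Running it shows ROV rejecting the forged-origin announcement and the over-specific /26 while the leaked peer route, with the real origin still in the path, comes back valid; only the export filter keeps that one from reaching transit, which is why the filter MainOne got wrong matters even in a world where everyone validates.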

Marc Laliberte is a senior security analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc’s day-to-day responsibilities include researching and reporting on the latest information security threats and …

Article source: https://www.darkreading.com/cloud/how-a-nigerian-isp-accidentally-hijacked-the-internet/a/d-id/1334482?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

55% of SMBs Would Pay Up Post-Ransomware Attack

The number gets even higher among larger SMBs.

Security experts typically advise against paying for stolen data after ransomware attacks, but 55% of executives at small to midsize businesses say they would do exactly that.

The number jumps to 74% among larger SMBs with 150 to 250 employees, as stated in the AppRiver Cyberthreat Index for Business Survey. Nearly 40% went so far as to say they “definitely” would pay the ransom, at almost any price, to prevent leakage or loss of data.

Some respondents said the opposite. Forty-five percent of SMB leaders polled said they would not give in to attackers regardless of the ransom. SMBs in the legal services and nonprofit sectors seem least willing to pay, with 67% and 60%, respectively, saying they wouldn’t work with cybercriminals regardless of the ransom amount or data value.

Separate research shows attackers are getting greedier with ransom demands: The average ransom amount paid by victims in cases handled by Coveware jumped 89%, from $6,733 in the fourth quarter of 2018 to $12,762 in the first quarter of 2019. Still, companies willing to pay generally get their data back: In 96% of cases, paying victims received a decryption key.

Security pros advise businesses to implement stronger data protection practices, update their systems, conduct regular backups, and educate their users on ransomware tactics instead of putting funds aside to prepare for a ransomware attack.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/55--of-smbs-would-pay-up-post-ransomware-attack/d/d-id/1334539?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

UVA Wins Second Consecutive National Collegiate Cyber Defense Championship

The Wahoos came out on top among 235 colleges and universities that took part in the 15-year-old competition.

The National Collegiate Cyber Defense Competition wrapped up this week with defending champion University of Virginia again winning the title of national champion. UVA was one of ten university teams that gathered at the Rosen Center in Orlando, Fla., for the finals of the competition.

The CCDC features student teams that “protect” a simulated commercial network including users, web servers, email servers, and e-commerce sites. Teams must detect and respond to external threats, keep critical services available to users, and respond to typical business requests for additional or changed services.

A volunteer Red Team member provides automated attacks and challenges, and an automated scoring engine verifies the functionality and availability of each service.

University of Virginia team captain Mariah Kenny (left) works with team member Calvin Krist (right) at the National Collegiate Cyber Competition.

The 15th annual competition began with more than 235 colleges and universities taking part. Regional competitions took the field down to the 10 competitors that met in Orlando, where the University of Central Florida took second place and Rochester Institute of Technology captured third.



Article source: https://www.darkreading.com/operations/uva-wins-second-consecutive-national-collegiate-cyber-defense-championship/d/d-id/1334541?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New EternalBlue Family Member Takes Aim at Asian Web Servers

Beapy is a new malware variant that’s storming across China, leaving cryptominers in its wake.

A new variant of the EternalBlue exploit is hitting hundreds of businesses in China. The cryptojacking campaign, dubbed “Beapy” for one of the principal files used in the attack, uses email for its initial infection vector and then spreads laterally through a network, leaving a cryptominer wherever it goes.

In a blog post by the Security Response Attack Investigation Team at Symantec, researchers note that Beapy is continuing a tactic previously seen in the Bluwimps worm: focusing cryptominer activity on enterprise networks.

The infection chain begins with a weaponized Excel file attached to a phishing email. Once opened by the recipient, the file downloads a DoublePulsar backdoor to the computer. DoublePulsar was one of the tools leaked in the Shadow Brokers file dump, just like EternalBlue. And this isn’t the first time criminals have turned to this state-developed tooling: It was also used in 2017’s WannaCry ransomware campaign.

Alan Neville, threat intelligence analyst at Symantec, says that once the bogus spreadsheet is launched, “it would then download Beapy onto their machines, and then it would try to spread across the networks, either using EternalBlue or dumping network credentials.” The credential dump is especially dangerous because “… essentially, once you have network credentials, you become a legitimate user,” he says. “That makes it very easy for the likes of Beapy to spread across networks very, very quickly, then download and install this coin-mining software.”

While the Beapy campaign is not currently focused on data exfiltration, Jonathan Bensen, CISO and senior director of product management at Balbix, says it’s still a serious problem. “Cryptojacking should not be viewed as a victimless crime,” he says. “Besides drastically slowing down computers and causing device degradation, Beapy, in particular, leverages open source credential stealing capabilities to aid in its spread throughout an enterprise’s network.”

And even though Beapy isn’t currently exfiltrating data, once credentials have been captured there’s nothing to prevent the current Beapy controllers from eventually monetizing them on top of the cryptocurrency they’re taking from the victim’s network.

And there is evidence that Beapy will not be limited to cryptocurrency mining. According to the Symantec report, Beapy has targeted Web servers as one of its hosts, and early versions of the software contained Mimikatz modules for credential theft. These versions targeted Apache Tomcat and Oracle WebLogic servers beginning in early February, with activity continuing to the present time.

Neville says the Beapy attack is very profitable because “the file basically allows cybercriminals to be able to mine cryptocurrencies a lot faster than some of the traditional methods that we’ve seen in the past. It’s just Coinhive, where it was embedded within browsers to be able to generate some revenue by mining cryptocurrencies within a browser just by visiting websites.”

This, Neville says, lets the malware use the host CPU directly and allows cybercriminals to mine coins much faster. The fast mining is aided by the lack of any “throttle”: in everything the team has seen, Beapy and its miner take every CPU cycle the system can make available, bringing legitimate enterprise software to a halt.

Protection from Beapy begins behind the keyboard, says Stuart Reed, vice president at Nominet. “The best defense against these attacks combines education — empowering and even rewarding employees for spotting problem emails, then alerting others — with technologies to monitor the network and identify malicious activity before the damage can be done.”

In addition to training, there’s another critical step that organizations should take, Neville says. “It’s very important to have your systems patched. Any systems that aren’t patched against EternalBlue are vulnerable to this attack,” he says.

Organizations beyond China should keep this in mind, as well. “There’s nothing specific that we came across as part of our analysis that would suggest that [Beapy is] targeting specific software or systems within China, and it could definitely be utilized to spread farther,” Neville says.
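The chain described above has two stages that show up plainly in ordinary endpoint telemetry: an Office document spawning a script or command host (the phishing-attachment stage), and a process holding the CPU at the ceiling with no throttle (the miner stage). The block below is an added example, not Symantec’s analysis code and not anything from Beapy: it runs both detections over constructed process-creation events and per-minute CPU samples, then correlates them so hosts where both stages fired are triaged first. Field layouts, process names and thresholds are the example’s own assumptions.

```python
"""Two host-telemetry detections for an Office-document-to-cryptominer chain.

Added example over constructed telemetry; not Symantec's or Beapy's code."""
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed process-creation events: (ts, host, parent_image, image).
PROCESS_EVENTS = [
    (1, "ws01", "explorer.exe", "excel.exe"),
    (2, "ws01", "excel.exe", "powershell.exe"),   # document launched a shell
    (3, "ws02", "explorer.exe", "excel.exe"),
    (4, "ws02", "excel.exe", "splwow64.exe"),     # benign print helper
    (5, "ws03", "services.exe", "svchost.exe"),
]

# Constructed per-minute CPU samples: (ts, host, image, cpu_pct).
CPU_SAMPLES = [
    (1, "ws01", "unknown.exe", 99.0), (2, "ws01", "unknown.exe", 100.0),
    (3, "ws01", "unknown.exe", 98.5), (4, "ws01", "unknown.exe", 99.0),
    (5, "ws01", "unknown.exe", 100.0), (6, "ws01", "unknown.exe", 99.0),
    (1, "ws02", "chrome.exe", 97.0), (2, "ws02", "chrome.exe", 31.0),  # bursty
    (3, "ws02", "chrome.exe", 96.0), (4, "ws02", "chrome.exe", 22.0),  # not pinned
    (1, "ws03", "dwm.exe", 4.0), (2, "ws03", "dwm.exe", 5.0),
]


def office_spawned_script_host(events):
    """Flag Office applications that spawn a script or command host."""
    hits = []
    for _, host, parent, image in sorted(events):
        if parent.lower() in OFFICE_APPS and image.lower() in SCRIPT_HOSTS:
            hits.append((host, parent, image))
    return hits


def sustained_cpu(samples, threshold=95.0, min_run=5):
    """Flag a process at or above `threshold` percent CPU for at least
    `min_run` consecutive samples. A throttled miner or a build job dips
    below the line between samples; an unthrottled miner never does."""
    by_proc = defaultdict(list)
    for _, host, image, cpu in sorted(samples):
        by_proc[(host, image)].append(cpu)
    hits = []
    for (host, image), series in by_proc.items():
        run = best = 0
        for cpu in series:
            run = run + 1 if cpu >= threshold else 0
            best = max(best, run)
        if best >= min_run:
            hits.append((host, image, best))
    return hits


def correlate(process_hits, cpu_hits):
    """Hosts where both stages fired: investigate these first."""
    return {h for h, _, _ in process_hits} & {h for h, _, _ in cpu_hits}


if __name__ == "__main__":
    p = office_spawned_script_host(PROCESS_EVENTS)
    c = sustained_cpu(CPU_SAMPLES)
    print("office -> script host:", p)
    print("sustained CPU:", c)
    print("both stages on:", sorted(correlate(p, c)))
```

The CPU rule is deliberately a run-length check rather than an average: a browser that spikes to 97% and drops to 30% a minute later has the same mean as a process stuck at 63%, but only the unthrottled behaviour the article describes produces a long unbroken run at the ceiling.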


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/new-eternalblue-family-member-takes-aim-at-asian-web-servers/d/d-id/1334544?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cyberattackers Focus on More Subtle Techniques

Spam has given way to spear phishing, cryptojacking remains popular, and credential spraying is on the rise.

The time it takes to detect the average cyberattack has shortened, but cyberattackers are now using more subtle techniques to avoid better defenses, a new study of real incident response engagements shows.

Victim organizations detected attacks in 14 days on average last year, down from 26 days in 2017. Yet, attackers seem to be adapting to evade the greater vigilance: Spam, while up slightly in 2018, continues to account for far less of e-mail volume than during every other year in the past decade, and techniques such as hard-to-detect cryptojacking and low-volume credential spraying are becoming more popular, according to Trustwave’s newly published Global Security Report.

Other stealth tactics—such as code obfuscation and “living off the land,” where attackers use system tools for their malicious aims—are also coming into greater use, showing that attackers are changing their strategies to avoid detection, says Karl Sigler, threat intelligence manager at Trustwave’s SpiderLabs.

“Companies’ basic best practices are stopping the previous strategies, where attackers cast a wide-spread net, so (attackers) are becoming more targeted in their methods,” he says.

The report, based on anonymized and analyzed data from Trustwave engagements, covers a wide swath of threats and security issues. Social engineering continued to be the most popular way to compromise companies, with 60% of the cases resulting from a successful social engineering attack.

“If an attacker induced a user to give away their credentials, then any attacker actions likely will look similar to legitimate actions,” the report says.

Brute-force password attacks, self-propagating malware, and other obvious attacks declined in 2018, in favor of more subtle approaches.
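The contrast between loud brute force and low-volume credential spraying is easiest to see in authentication-failure logs. The block below is an added example over constructed log lines in a made-up format, not Trustwave’s code or report data: it flags a source that fails against many distinct accounts inside a window while never exceeding a small count on any one of them (the pattern per-account lockout rules never catch), and separately flags the classic many-failures-on-one-account pattern. The log format, window and thresholds are the example’s own assumptions.

```python
"""Separating low-volume credential spraying from classic brute force.

Added example over constructed log lines; not Trustwave's code or data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO-8601 UTC> auth-fail src=<ip> user=<name>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth-fail src=(?P<src>\S+) user=(?P<user>\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _constructed_log():
    """Sample data: one spraying source (12 users, one try each, 3 min apart),
    one brute-forcing source (30 tries on 'admin'), and one forgetful user."""
    t0 = datetime(2019, 4, 1, 10, 0, 0)
    lines = []
    for i in range(12):
        ts = (t0 + timedelta(minutes=3 * i)).strftime(TS_FMT)
        lines.append(f"{ts} auth-fail src=203.0.113.5 user=user{i:02d}")
    for i in range(30):
        ts = (t0 + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts} auth-fail src=198.51.100.7 user=admin")
    for i in range(2):
        ts = (t0 + timedelta(minutes=40 + i)).strftime(TS_FMT)
        lines.append(f"{ts} auth-fail src=192.0.2.10 user=bob")
    return lines


SAMPLE_LOG = _constructed_log()


def parse(lines):
    """Yield (time, src, user) for each well-formed failure line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["src"], m["user"]


def detect_spray(lines, window=timedelta(hours=1), min_users=10, max_per_user=2):
    """Return (src, distinct_users) for sources that hit at least `min_users`
    accounts within `window` while staying at or under `max_per_user` on each:
    every account stays below lockout, so only the cross-account view fires."""
    by_src = defaultdict(list)
    for t, src, user in parse(lines):
        by_src[src].append((t, user))
    hits = []
    for src, events in by_src.items():
        events.sort()
        j = 0
        best = 0
        for i in range(len(events)):
            # two-pointer sliding window: j is one past the last event in range
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            counts = defaultdict(int)
            for _, user in events[i:j]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                best = max(best, len(counts))
        if best:
            hits.append((src, best))
    return hits


def detect_brute(lines, min_attempts=20):
    """The loud pattern spraying replaced: many failures against one account."""
    counts = defaultdict(int)
    for _, src, user in parse(lines):
        counts[(src, user)] += 1
    return [(src, user, n) for (src, user), n in counts.items() if n >= min_attempts]


if __name__ == "__main__":
    print("spray:", detect_spray(SAMPLE_LOG))
    print("brute force:", detect_brute(SAMPLE_LOG))
```

The spray detector never looks at any single account’s count beyond the `max_per_user` ceiling; that is the point. A rule keyed on failures per account sees twelve accounts with one failure each and nothing more, which is exactly why the article’s "low-volume" qualifier matters for detection engineering.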

Attacks that use e-mail demonstrate the trend. Back in 2008, 87% of all e-mail consisted of spam messages, a brute-force approach to delivering attacks. Spam’s share dropped to 36% and 45% in 2017 and 2018, respectively, as e-mail fraud became more targeted.

In addition, fewer malicious e-mails contained actual malware, with only 6% of spam messages carrying malware in 2018, down from 26% in 2017, according to the report. 

Perhaps the most brutish e-mail attack involved attempts to turn credential information into money by extorting users with claims that their sexual activity would be exposed—so-called sextortion. While nonexistent at the beginning of 2018, by end of the year, sextortion made up 10% of all spam messages.

“It hit really hard in December of last year,” Sigler says. “It almost totally relies on leaked credentials. It just shows that passwords are always valuable—if you can’t immediately monetize compromised credentials, you can use them in some other way.”

Cryptojacking

While the decline in the value of cryptocurrency has caused a decline in cryptomining in general, attackers continued to use the computationally heavy approach as a quick way to turn a compromise into cash. Cryptojacking, which uses JavaScript to run cryptomining software on a person’s computer through their browser, allows attackers to eke out small profits after compromising websites.

Eighty-four percent of coin-miner installations had signs that they incorporated cryptojacked browsers as part of their infrastructure, Trustwave found.

“It’s easy to see what makes cryptojacking attractive to the same cybercriminals who once relied heavily on exploit kits,” the company stated in the report. “Whereas exploits are platform-specific and require the presence of an unpatched vulnerability to work, web miners can run in any browser – on PCs, Macs, even mobile devices – that has JavaScript enabled.”

While firms more quickly detected intrusions in 2018 compared to the previous year, it mattered significantly whether an intrusion was detected internally or by a third party. In 2018, the average attack was detected by a company within a single day, a significant drop from the nearly two weeks it took in 2017.

For more subtle attacks that the victim failed to catch, however, it took a third party more than a month and a half—47 days—to notify the company.

Trustwave still found cases where attackers had access to compromised environments for long periods of time, sometimes more than a year, so security professionals still need to seek out signs of attacks, says Sigler.

“The longer that an attacker is on your network and has access to your data, the more widespread the intrusion tends to be, and the more they get their tentacles into other systems and other servers using their initial breach as a foothold,” he says. “So it takes a lot longer to address the compromise, the longer it goes on before detection.”

AppSec Problems

Companies also have numerous other issues. For the past two years, every application tested by Trustwave had vulnerabilities. In addition, the median number of vulnerabilities per application increased in 2018 to 15 – up from a low of 11 in 2016 and 2017.

“Not all vulnerable applications are likely to be attacked, of course, but understanding what an application’s vulnerabilities are is vital to assessing its security state and determining which areas to address first,” the report states.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/vulnerabilities---threats/cyberattackers-focus-on-more-subtle-techniques/d/d-id/1334545?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple