STE WILLIAMS

Digital Extortion to Expand Beyond Ransomware

In the future of digital extortion, ransomware isn’t the only weapon, and database files and servers won’t be the only targets.

When we think of digital extortion, we typically think of ransomware. But cybercriminals now are looking outside ransomware for new ways to shake down organizations.

Cybercriminals have learned that many businesses will pay if a ransomware attack cripples their day-to-day operations. Ransomware drove the spike in digital extortion in 2017 and remains cybercriminals’ weapon of choice, according to a new Trend Micro study “Digital Extortion: A Forward-Looking View.”

But threat actors are exploring new extortion tactics. “Some of the attacks we’ve seen highlight a shift in the model itself,” says Trend Micro chief cybersecurity officer Ed Cabrera. “As we expand our digital footprint, I think it creates an enormous opportunity for attackers to identify areas where they can have immediate impact.”

The criminal extortion framework has been around in the physical world for a long time, he continues. Now, in the digital world, it’s just getting started. Attackers are learning that their chances of getting paid rise sharply if they target certain files, systems, or databases. Ransomware will remain popular, but other types of threats are starting to appear, according to Trend Micro.

Extortion attacks and critical infrastructure

“Going forward, you would be remiss to just focus on files,” says Cabrera. Cybercriminals will begin to leverage the growth of IoT, specifically industrial IoT, to extort money from victims. Businesses that need to be up and running at all times are especially vulnerable.

“Any organization that has real-time services, real-time operations that are impacted, will be targeted,” he continues. Critical manufacturing and healthcare are prime examples, with attacks that target manufacturing plants and robots as well as sensitive files and documents.

These plants and machines typically run on legacy systems and diverse hardware that would be difficult – if not impossible – to patch or upgrade. For attackers exploiting old, unpatched vulnerabilities, these systems are prime targets. Trend Micro’s report highlights supply chain disruption, in which attackers insert logic bombs or Trojans into specific network locations, as one example. Victims will need to pay to find the bugs’ locations so they can disable them.

Digital files, normally targeted in ransomware attacks, are not as well-protected as critical processes. Threat actors want to “peel the onion,” Cabrera says, and get to core infrastructure data that businesses will pay to save. “They’re going to go deeper and deeper into organizations to find those processes … if those are impacted, you know they’re going to pay.”

Social media extortion is another growing threat. One form is the smear campaign, which spreads fake information and demands that victims pay in order to stop it. These campaigns, once more common against celebrities and politicians, have begun to target brands and executives. Once a business’s reputation has been tarnished online, it is difficult to rebuild.

“We live in a reputation economy,” Cabrera points out. “CEOs and board members, especially in this day and age of social, are heightened to the fact that anything they say, good or bad, is taken and can be immediately seen [online].”

Ransomware isn’t going anywhere

“I’d say ransomware isn’t going away; it’s just going to continue to evolve,” says Cabrera.

Security experts across the industry have noted the spike in ransomware, which hit a 90% detection rate for enterprise victims in 2017. More than 50% of businesses were hit with ransomware last year and on average, they were struck twice, reports Sophos.

Ransomware has proven a reliable moneymaker for cybercriminals and financial drain for victims. The median total cost of a ransomware attack was $133,000, Sophos found. This includes ransom, downtime, manpower, device cost, network cost, and opportunity cost. Five percent of the survey’s 2,700 respondents said total ransomware cost ranged from $1.3 million to $6.6 million.

Over the next year, Trend Micro expects ransomware criminals will add new features to their digital weapons by reusing “the old book” of traditional malware techniques. This may include PE (portable executable) infectors and more aggressive delivery tactics to drive the speed and spread of attacks. Analysts also suggest criminals will create systems to minimize their interaction with victims.

The arrival of GDPR will shift cybercriminals’ extortion strategies, Cabrera says. They understand the upcoming changes, and the penalties companies will have to pay if they’re not compliant. He anticipates they’ll use the new rules as leverage to get victims to pay for data.

“They’re just scratching the surface in understanding what motivates organizations,” he explains. “Not only are they fine-tuning the tools they’re using to go after organizations, they’re understanding all the financial aspects … I absolutely believe GDPR will be utilized as a tool to affect the payment of ransom.”

To pay or not to pay?

The question remains: when you’re hit with an extortion attack, should you pay? If your company is at the point where this is your last option, you have failed, Cabrera says.

“Gone are the days where we had ransomware hitting our personal PCs and it was more of a nuisance than an enterprise risk,” he notes. “You should have a pretty robust plan to deal with digital extortion.”

There are many reasons not to pay, but organizations that fail to plan find themselves weighing the pros and cons of payment.

If, or when, they are attacked, businesses need people, processes, and technology in place to mitigate the risk. There is no guarantee you’ll get your data back when it’s taken. Further, even if you do get it back, there is no guarantee it hasn’t been copied or compromised.

“Even if that data has been slightly altered, that could impact operations for weeks or months to come,” Cabrera says.

Related Content:

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Article source: https://www.darkreading.com/endpoint/digital-extortion-to-expand-beyond-ransomware/d/d-id/1330940?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Phishing Campaign Underscores Threat from Low Budget, Low Skilled Attackers

For just over $1,000, a phishing operation successfully spied on members of the Tibetan community for 19 months, the University of Toronto’s Citizen Lab found.

A recent digital spying operation targeted at the Tibetan community once again revealed just how little it takes for attackers to mount an effective malicious campaign these days.

Researchers at the University of Toronto’s Citizen Lab were able to gain an inside view of the phishing campaign by taking advantage of some sloppy mistakes by the operator.

Over a period of eight months the researchers observed the operator setting up phishing lures, building fake Web pages, registering dozens of decoy domains, and sending emails to targeted individuals and organizations within the Tibetan community.

They estimated that during the 19 months when the operation was active, the attackers likely spent a mere $1,068 on infrastructure costs: $878 for domain registration and $190 for renting servers. Citizen Lab’s researchers found that it took just basic Web development and system admin skills to run the operation, which though sloppy, was still surprisingly successful.

The attackers managed to compromise the email accounts of at least two of their intended targets and used their contact lists to send phishing lures to other targets. “We suspect there were likely other successful compromises beyond these accounts based on decoy documents we collected that appear to be private files likely extracted from compromised accounts,” Citizen Lab’s director Ronald Deibert said in a blog Tuesday.

According to Deibert, Citizen Lab was unable to find any evidence directly linking the operation to a specific criminal group or nation-state sponsor. But the group’s targeting strongly suggests a China link: besides Tibetan activists, the operators also appeared to be interested in people from within China’s Uyghur minority community, as well as a media group founded by members of the Falun Gong religious group, and other groups in Hong Kong and Burma.

It is possible that the group behind the phishing campaign consisted of freelancers or independent contractors working on behalf of a government agency in China. The sloppiness of the campaign suggests the threat actors were operating with little fear of getting caught. “The profile of the operator suggests it may be a low-level contractor,” says Masashi Nishihata, research manager at Citizen Lab. “It is unclear how the operators selected targets. Nor is it clear if the operators had a specific sponsor and who was the ultimate consumer of data collected.”

Citizen Lab’s research showed how in addition to conducting malicious campaigns on the cheap, threat actors also often will use only what is necessary to meet their objectives. Few will ever resort to using sophisticated costly tools and attack methods if they can break into a target system using inexpensive, basic techniques. “This case shows that it doesn’t take deep pockets or sophisticated technical skills to mount an effective digital spying operation. While the operation was done on the cheap, it had some successes,” Nishihata says.

On a Low Budget

The Citizen Lab findings are similar to other reports that also have shown the enormous returns that criminals and cyber spies can garner from relatively meager investments. Last November, a Recorded Future report dissecting the costs of cybercrime operations found that an individual or group willing to spend between $3,500 and $5,000 on a botnet operation could easily net between 400% and 600% in direct and indirect returns.

Just as Citizen Lab discovered with the Tibetan phishing campaign, Recorded Future’s researchers found that threat actors often need little technical skill to carry out lucrative campaigns. So many tools and services are available – and in such a wide price range – on the Dark Web that anyone from a newbie to a sophisticated nation-state actor can find something for their needs, Recorded Future found.

A Trend Micro report last October found that in some underground cyber markets — like those catering to the Middle East and North African threat community — there is almost no barrier to entry for malicious actors. Many common attack tools, including those used for SQL injection, keystroke logging, and malware obfuscation, are available for free to members of these networks.

This trend highlights the need for organizations to pay attention to the basics, experts say. Contrary to perception, adversaries often rely on low-level tools and tactics to carry out attacks, so basic practices such as timely patching and strong authentication go a long way toward mitigating them.

The Tibetan phishing campaign is one example. “Addressing this problem requires raising the low bar and making digital spying more expensive for adversaries,” Nishihata says. “Much of the threat posed by the basic phishing techniques used in this operation could be blunted through use of security features like two-factor authentication.”

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/phishing-campaign-underscores-threat-from-low-budget-low-skilled-attackers/d/d-id/1330941?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Scammers become the scammed: Ransomware payments diverted with Tor proxy trickery

Cybercriminals are using Tor proxies to divert ransomware payments to their own Bitcoin wallets.

Ransomware scammers have long directed victims to payment portals on the Tor network. For those who do not want to or cannot install the Tor browser necessary to pay their ransoms, operators generally direct victims to a Tor proxy such as onion.top or onion.to, which allows users to access the Tor network via standard web browsers.

But, in what appears to be the first attack of its kind, the operators of the onion.top proxy are performing man-in-the-middle attacks to substitute their own Bitcoin payment addresses for those originally specified by selected ransomware strains, net security firm Proofpoint reports.

Proofpoint learned of the tactic through a message on the LockeR ransomware payment portal urging victims not to use onion.top to pay their ransoms. Payments destined for crooks behind the GlobeImposter and the Sigma ransomware have been targeted in the same scam.

LockeR ransomware payment portal advising victims to avoid onion.top [Source: Proofpoint]

Bitcoin addresses associated with the diverted payments have raked in $22,000 so far.

Victims who pay out through this route will not be paying the crooks who are holding their files to ransom so they will not get their files decrypted even after a payment. This type of activity undermines the somewhat dubious trust relationship that underpins the ransomware business, Proofpoint said.

“While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims,” it adds.

Sigma ransomware payment domain as viewed with the Tor Browser (left) and via the onion.top Tor proxy (right) [Source: Proofpoint]

Ransomware-flingers are fighting back. For example, the Magniber ransomware appears to combat Bitcoin address replacement by splitting the address into four parts in the HTML source code, making it harder for proxies to detect the Bitcoin address pattern. GlobeImposter ransomware urges users to use the Tor browser and hides the .onion payment address from the victims. “Instead of providing it as a link in ransom note, it is obfuscated in the note, and deobfuscated at run-time when the user clicks a button,” Proofpoint said. ®
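Proofpoint’s description of the Magniber workaround tells you how the rogue proxy must be operating: it pattern-matches Bitcoin addresses in the proxied response body and swaps them. The Python script below is an added illustration, not code from Proofpoint or from any of the ransomware families named, of the check an incident responder can run on a payment page: pull the legacy Bitcoin addresses out of the page as fetched through the Tor Browser and as fetched through a proxy, keep only strings that pass the Base58Check checksum so that look-alike junk is discarded, and report which addresses the proxy changed. The two sample pages are constructed; the addresses in them are publicly known, checksum-valid ones (the genesis-block address and the all-zero-hash “burn” address) chosen only so the validation has real input, and they come from no ransomware campaign. The split-address case shows why a pattern applied to raw HTML misses an address broken across elements, while the same pattern applied to tag-stripped text recovers it.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin: no 0, O, I or l, which is why the
# address pattern below excludes those characters.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy P2PKH/P2SH addresses start with 1 or 3 and are 26-35 characters.
# Bech32 (bc1...) addresses are out of scope for this example.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58check_valid(addr):
    """True if addr decodes to 25 bytes whose last 4 bytes equal the first
    4 bytes of SHA256(SHA256(version byte + hash160))."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in Base58 stands for one leading 0x00 byte.
    leading = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def addresses_in(html, strip_tags=False):
    """Return the set of checksum-valid addresses found in a page body.

    With strip_tags=True the markup is removed first, so an address that the
    ransom page has split across several elements is reassembled before the
    pattern is applied; with strip_tags=False the pattern runs on raw HTML,
    which is what a naive rewriting proxy does."""
    text = re.sub(r"<[^>]+>", "", html) if strip_tags else html
    return {m for m in ADDR_RE.findall(text) if b58check_valid(m)}


def diverted_addresses(tor_html, proxy_html):
    """Compare the addresses on the page as seen through the Tor Browser with
    the same page served through a Tor2web-style proxy."""
    via_tor = addresses_in(tor_html, strip_tags=True)
    via_proxy = addresses_in(proxy_html, strip_tags=True)
    return {
        "expected": sorted(via_tor),
        "substituted": sorted(via_proxy - via_tor),  # injected by the proxy
        "missing": sorted(via_tor - via_proxy),      # rewritten away
    }


# Constructed sample pages. GENESIS_ADDR is the well-known genesis-block
# address; BURN_ADDR is the checksum-valid address of an all-zero hash160
# (21 leading '1's). Neither belongs to any ransomware operation.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
BURN_ADDR = "1" * 21 + "4oLvT2"
TOR_PAGE = f"<p>Send 0.5 BTC to <b>{GENESIS_ADDR}</b></p>"
PROXY_PAGE = f"<p>Send 0.5 BTC to <b>{BURN_ADDR}</b></p>"
# Magniber-style split: the same address in four adjacent elements.
SPLIT_PAGE = ("<p>Send 0.5 BTC to <span>1A1zP1eP5Q</span><span>Gefi2DMPTf</span>"
              "<span>TL5SLmv7Di</span><span>vfNa</span></p>")

if __name__ == "__main__":
    print(diverted_addresses(TOR_PAGE, PROXY_PAGE))
    print("raw regex on split page:", addresses_in(SPLIT_PAGE))
    print("after stripping tags:  ", addresses_in(SPLIT_PAGE, strip_tags=True))
```

The tag-stripping step cuts both ways: it is what lets a responder see the real address on a split page, and it is what a rewriting proxy would have to add to defeat the Magniber trick, at which point the operators would presumably move to run-time assembly in JavaScript as GlobeImposter already does. Any comparison should be done over the decoded page text, not the raw markup.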

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/30/ransomware_diversions/

Kremlin social media trolls aren’t actually that influential, study finds

The effect of Russian trolls influencing opinion through social media is far more minor than commonly supposed, according to a new study.

It is believed Kremlin agents orchestrated efforts to manipulate public opinion on the web, often around major political events such as the US presidential election, through dedicated accounts, or “trolls”. These trolls spread disinformation and fire up discord on social media, distracting people from real issues.

Researchers from Cyprus University of Technology, University College London, and the University of Alabama, analysed 27,000 tweets posted by a thousand Twitter users identified as having ties with Russian propaganda factory the Internet Research Agency, and were therefore likely to be state-sponsored trolls.

The activities of these accounts were compared against a sample of ordinary Twitter users, who acted as a baseline.

Using a statistical model known as Hawkes processes, the researchers quantified the influence that these accounts actually had on the dissemination of news on Twitter, Reddit and 4chan.

Troll accounts managed to reach a substantial number of Twitter users with their messages, but rarely succeeded in making the content they were promoting spread virally.

“We find that their effect on social platforms was minor, with the significant exception of news published by the Russian state-sponsored news outlet RT (Russia Today),” the researchers concluded.

Top 20 hashtags in tweets from Russian trolls and baseline users [Source: white paper by Zannettou et al.]

The main topics discussed by Russian trolls focused on world events (e.g. Charlottesville protests) and organisations (such as ISIS), or political discussions related to Donald Trump and Hillary Clinton. Although the topics remained consistent, trolls adopted different identities over time by changing their profile name and information, and deleting previous tweets.

“The consistent reinventing of troll accounts’ identities, batch message deletion, and aggressive collection of friends and followers could prove useful for designing detection and mitigation techniques,” the researchers noted.

While Twitter users typically post from mobile versions of the platform, the majority of the Russian trolls do so via the web client.

The study, Disinformation Warfare: Understanding State-Sponsored Trolls on Twitter and Their Influence on the Web, can be read here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/30/russian_troll_influence/

DNS Hijacking: The Silent Threat That’s Putting Your Network at Risk

The technique is easy to carry out and can cause much damage. Here’s what you need to know about fighting back.

In its bag of tricks, the recently discovered MaMi malware has the ability to modify the DNS configuration of an infected device. This is a good reminder that DNS hijacking is an ongoing threat that needs to be taken seriously by corporate IT organizations. DNS hijacking is easy to carry out, can be tough to detect, and is surprisingly damaging. Here’s what you ought to know and what you can do to combat it.

DNS hijacking is simple enough: one only needs to rewrite the configuration of a device on the Internet so that it sends DNS queries to malicious DNS servers. Many species of malware do this, often as just one of many consequences of infecting a device. And virtually any malware can do this — modifying DNS settings generally doesn’t require any special privileges. Perhaps the most famous malware in this category is DNSChanger, which may have infected more than 4 million computers. Although DNSChanger was taken down in 2011, there are likely still hundreds of thousands of infected computers on the Internet.

So why change a device’s DNS configuration? In the case of DNSChanger, it was primarily to substitute advertising on websites with advertising sold by the bad guys running the rogue DNS servers. That perhaps doesn’t sound too alarming, but DNS hijacking can have much more serious effects, too. Take, for instance, the malicious DNS servers David Dagon and company discovered and wrote about in their 2008 study, “Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority.” Dagon discovered a small but significant percentage of open recursive DNS servers on the Internet that, no matter what domain name you looked up, would always lie in the response. Some, for example, would always reply with the same set of IP addresses, none of which were the correct addresses. The address of www.nytimes.com? Addresses A, B, and C. The address of www.bankofamerica.com? That same set of addresses: A, B, and C.

What purpose could that serve? Well, it turned out that the hosts at those IP addresses (A, B and C, in our example) ran open Web proxies. As a result, users whose devices queried those DNS servers would unwittingly have all of their access to the Web directed through those open Web proxies, where their traffic could be snooped. And the DNS servers could just as easily have directed users to websites that looked identical to their bank’s or brokerage’s, where they’d unknowingly enter their authentication credentials and have them captured for the bad guys’ later use.

Fortunately, there’s a simple way to mitigate the threat of these DNS hijacking attacks: don’t allow arbitrary internal IP addresses on your enterprise network to send DNS queries to arbitrary IP addresses on the Internet.

In most DNS architectures, only a subset of your DNS servers (referred to as Internet forwarders) actually need to be able to query DNS servers on the Internet. You should explicitly allow only their IP addresses to exchange DNS messages with IP addresses on the Internet. If some of your internal devices become infected with malware that modifies their DNS configurations, they’ll simply stop resolving domain names, which should alert their users to the fact that something is wrong. Hopefully, that would induce them to take their devices to IT where, with any luck, the infection would be detected.
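The mitigation above is an egress-filtering rule: only the Internet forwarders may send DNS to the outside. Whether that rule is actually enforced, and whether any device is trying to get around it, can be checked from the egress firewall log. The Python script below is an added example, not part of the original article or of any Infoblox product. It assumes a constructed log line format, a hypothetical forwarder list (10.0.0.53 and 10.0.0.54) and RFC 1918 space as “internal”, and it flags every internal host other than a forwarder that sent traffic to port 53 or 853 on an Internet address. The sample log lines are constructed, with TEST-NET addresses standing in for Internet resolvers. A hit from an ordinary workstation is exactly the symptom of a rewritten resolver configuration that the article describes; a hit of any kind with an ACCEPT verdict means the egress rule is not yet in place.

```python
import ipaddress
import re
from collections import defaultdict

# The only resolvers allowed to exchange DNS with the Internet (the article's
# "Internet forwarders"). Hypothetical addresses for this example.
FORWARDERS = {"10.0.0.53", "10.0.0.54"}

# RFC 1918 space; anything outside it is treated as "the Internet" here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports that carry DNS: 53 (classic) and 853 (DNS over TLS). DNS over HTTPS
# rides on 443 and cannot be told apart by port, so it is out of scope here.
DNS_PORTS = {53, 853}

# Constructed log format: "<timestamp> <verdict> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<verdict>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one forwarder doing its job, two clients whose resolver
# settings point at outside servers, one client using the internal resolver,
# a non-DNS flow, a repeat, and an unparseable line.
SAMPLE_LOG = """\
2018-01-30T10:02:11Z ACCEPT udp 10.0.0.53:41022 -> 203.0.113.1:53
2018-01-30T10:02:12Z ACCEPT udp 10.1.4.22:51234 -> 198.51.100.7:53
2018-01-30T10:02:13Z ACCEPT udp 10.1.4.23:51235 -> 10.0.0.53:53
2018-01-30T10:02:14Z ACCEPT tcp 10.1.4.22:51236 -> 198.51.100.7:443
2018-01-30T10:02:15Z ACCEPT tcp 10.1.9.8:51237 -> 192.0.2.44:853
2018-01-30T10:02:16Z ACCEPT udp 10.1.4.22:51238 -> 198.51.100.7:53
garbage line that does not parse
"""


def is_internal(ip):
    """True for RFC 1918 addresses (the enterprise network in this example)."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "verdict": m["verdict"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def find_rogue_dns_clients(log_text, forwarders=FORWARDERS):
    """Map each internal host that sent DNS straight to the Internet, without
    being an approved forwarder, to the sorted list of resolvers it contacted.
    Such a host either has rewritten resolver settings (the hijack described
    in the article) or is probing an egress rule that is not tight enough."""
    allowed = {ipaddress.ip_address(f) for f in forwarders}
    rogue = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in DNS_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # not an internal-to-Internet flow
        if rec["src"] in allowed:
            continue  # sanctioned forwarder
        rogue[rec["src"]].add(rec["dst"])
    return {str(src): sorted(str(d) for d in dsts) for src, dsts in rogue.items()}


if __name__ == "__main__":
    for host, resolvers in find_rogue_dns_clients(SAMPLE_LOG).items():
        print(f"{host} sent DNS directly to {', '.join(resolvers)}")
```

Once the egress rule is enforced, the same hosts show up with a DROP verdict instead of ACCEPT, and that list is what the helpdesk should be chasing, since those are the devices whose name resolution has silently stopped working. The verdict is parsed so the check can be filtered either way.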

Related Content:

Cricket Liu is a leading expert on the Domain Name System (DNS) and EVP and Senior Fellow at Infoblox. With more than 25 years of experience with enterprise-scale DNS infrastructure, technical writing, training, and course development experience, Cricket serves as a liaison … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/dns-hijacking-the-silent-threat-thats-putting-your-network-at-risk/a/d-id/1330922?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hack Costs Coincheck Cryptocurrency Exchange $530 Million

Losses at Japanese exchange Coincheck surpass those of the Mt. Gox Bitcoin exchange hack in 2014, and may be largest-ever cryptocurrency theft.

In possibly the largest known cryptocurrency hack to date, Japanese exchange Coincheck announced Friday that it had lost 58 billion yen, approximately $530 million, worth of XEM cryptocurrency. This surpasses the 48 billion yen worth of Bitcoin lost by the Mt. Gox Bitcoin exchange in 2014.

XEM (or NEM coins), created by the Singapore-based NEM Foundation, is one of the most popular cryptocurrencies in the world, according to Reuters. Coincheck acknowledged, however, that its security practices for XEM were insufficient. As Money reports:

Coincheck said it used different security standards for different currencies, and that unlike customers’ Bitcoin holdings, their XEM funds were stored in a “hot wallet” online instead of a “cold wallet” offline—a scenario ripe for hackers.

The company also failed to use multi-signature authentication on XEM funds, which would require at least two people for access.

Although blockchain technology has enabled Coincheck to identify the 11 addresses where the stolen coins ended up, and to set up a tool for exchanges to automatically reject deposits from them, the hackers may still be able to use the funds via “tumblers” – mixing services that launder cryptocurrency by pooling coins from many users and paying out unrelated ones. Coincheck has promised to reimburse 90 percent of the losses.

Read more about the incident here.  

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/hack-costs-coincheck-cryptocurrency-exchange-$530-million/d/d-id/1330937?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Breach-Proofing Your Data in a GDPR World

Here are six key measures for enterprises to prioritize over the next few months.

The massive data breaches that have hit the headlines in recent years, including Yahoo, Verizon, and particularly Equifax, have taken a toll on breach victims, consumers, and corporations. We’ve seen stocks drop precipitously, class-action lawsuits filed, CEOs shown the door, and executives called before Congress. This year, breaches could be even more costly for companies once the European Union’s General Data Protection Regulation (GDPR) rules are in place come May 25.  

The rules require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states, and also regulate the export of those consumers’ personal data outside the EU. Penalties include fines of up to €20 million or 4% of global annual revenue, whichever is greater. For Equifax, which reported $3.14 billion in 2016 revenue, that could mean fines of $125.7 million. The company has already incurred $87.5 million in expenses so far in dealing with the breach and its aftermath. For a company the size of Apple, at $229.2 billion in revenue, the fines could reach as high as $9.17 billion. GDPR will apply to any company that processes the data of EU citizens, regardless of where the company is based. Given the global nature of Internet commerce, its impact will be far reaching.

Organizations are under the gun to get systems in place now to ensure that they are in compliance with the regulations, before it’s too late. Here are six key measures for enterprises to prioritize over the next few months:

  1. Protect data beyond your perimeter. Corporate networks continue to expand with increased use of the cloud. The average enterprise has over 1,000 cloud services in use, 92% of which are not enterprise-ready, according to a report last year from cloud security company Netskope. (Full disclosure: Netskope is among a number of companies that provide cloud security services.) Companies need to expand security practices to cover all the new ways in which users are interacting with technology. Expanding use of enterprise security controls is crucial, but end-to-end data protection is one of the most potent safeguards.
  2. Make privacy awareness mandatory. By requiring every employee to participate in cybersecurity awareness training and conducting training on an ongoing basis, organizations can foster a culture of security awareness. Security team leads are responsible for identifying risks of noncompliance with GDPR, and managing those risks by implementing controls, policies, and procedures, and then communicating these and other security best practices to their employees. Employees need to hold themselves accountable for doing their part in helping the company comply with the GDPR — just as much as leadership does.
  3. Ensure secure transmission of data in the cloud. As cloud adoption expands and data increasingly crosses physical boundaries, it becomes that much more important to vet and manage cloud providers where transmission and controls for data are monitored. With email, cloud storage, or collaboration apps like Slack, security teams need to keep a close eye on the many channels being used to communicate and share data. Rather than blocking use of those channels, security leads need to have the right guardrails in place to ensure employees aren’t intentionally or inadvertently exposing the data to the outside world, and in turn exposing the company to fines.
  4. Check the terms and conditions. Nearly 40% of cloud services provide terms and conditions that lack specifics around data ownership. In some cases, the user owns the data, but in others the cloud service provider owns it. Security teams need to increase employee awareness about this and encourage them to steer clear of services that want to own the data.
  5. Know your data well. When I say get to know your data, I mean really know the data — what information is being collected, who’s collecting it, and who’s sharing it throughout the organization. Also, don’t assume that your understanding of protected health information (known as PHI), personally identifiable information (PII), and other data profiles will directly map to the GDPR rules, because the scope of the regulation is different and can include things such as hobbies, political affiliations, and sexual orientation.
  6. Follow your data. You need to know where your data travels — especially if it crosses geopolitical boundaries. In fact, 80.3% of the time, cloud data gets backed up to another geographic area. That is, after all, a deliberate design specification and a strength of the cloud for enabling high availability and disaster recovery. If that data includes regulated data under the GDPR, you’ll need to talk to your cloud service provider about restricting backups to certain geographies. If your cloud service provider can’t do that, look to third-party controls to take necessary precautions.

The GDPR may be a European Union regulation, but its reach covers businesses the world over. It will force companies to strengthen their protections for customer data or face fines. The regulations may not prevent breaches from happening, but they will help minimize the amount and severity of the data that gets exposed, and thus reduce the harm to consumers. Organizations need to hasten their efforts to put measures in place to comply with the new regulations. Doing so won’t just save them money; it’s good for business in general to have strong data protections in place.

Related Content:

Sanjay Beri brings nearly two decades of innovation, experience, and success in networking and security technology, and a unique business sense, to his role as founder and CEO of Netskope. He has held leadership positions at Juniper Networks, Ingrian Networks, McAfee, and … View Full Bio

Article source: https://www.darkreading.com/cloud/breach-proofing-your-data-in-a-gdpr-world/a/d-id/1330917?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Secret military bases revealed by fitness app Strava

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UGTvkd_DWE4/

Bitcoin exchange robbed by real-life bank robbers with real-life guns

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SRF79ezm9d0/