Under Attack: Malware Roundup from Security Pros
The weekend brought no respite for anxious chief security officers, CIOs, and other professionals involved in the never-ending quest to protect data, networks, and accounts from the onslaught of new and old attacks and attackers seeking to steal, access, or share private information for their own varied reasons.
No matter the motive, most attacks use yesterday's technologies to capture today's data. In its "2015 Data Breach Investigations Report," Verizon found 70 percent of attacks use a mix of phishing and hacking – and involve a secondary victim. Frighteningly, many of these vulnerabilities exist because – despite widespread availability of patches – they have not been updated; some of these weaknesses date back almost eight years, Verizon found.
Source: Verizon "2015 Data Breach Investigations Report"
Adultery site Ashley Madison was attacked and hackers threatened to expose users' data, including the very fact they visited the website. CVS photo site was a victim, Australia's Base Body Babes' Instagram account was hacked, and Anonymous claimed to hack the Royal Canadian Mounted Police site.
EnterpriseTech spoke to several security vendors about the attack forms they have seen over the past few months and what IT professionals should be alert to and warn business users about.
Here is a roundup:
Third-party cloud services
The rise of third-party cloud services like Dropbox gives attackers an interesting new method to deliver nasty stuff through your network, said Ronnie Tokazowski, senior researcher at PhishMe. In a round of emails last June , PhishMe received phishing emails that linked to a supposed invoice on Dropbox. The Dropbox link itself was legitimate, only it led to a .zip file containing an .scr, not an invoice. The security developer also encountered attackers using Dropbox to deliver Cryptowall ransomware. Dropbox has been quick to shut down this type of abuse, but it’s proven to be a great method for attackers to get past spam filters. Dropbox use is so pervasive that most organizations won’t block its links. A few weeks later PhishMe found Dropbox links abused in targeted attacks against the Taiwanese government and saw attackers exploit a file-sharing service called Cubby to deliver the malware that led to the developer's discovery of Dyre in June of 2014.
MS Office macros
Recently, PhishMe observed a number of attacks that deliver malware through a Microsoft Office macro. By stashing malicious code in an MS Office or Excel macro, attackers can evade most anti-virus technologies. We’ve seen this technique used to deliver Dyre and Dridex malware samples.
Bypassed sandboxing technologies
Sandboxing is one of the latest and greatest detection technologies; however attackers have found a way around this by coding malware to detect whether it’s being run on a virtual machine, said Tokazowski. This Dridex sample PhishMe analyzed back in March featured sandboxing detection, and would stop running if it detected a VM.
Cloud-based chat programs
A few weeks ago a PhishMe user received some strange Skype messages that turned out to be a botnet serving adware. Cloud-based chat programs such as Skype offer attackers a low-cost platform to use to use to run botnets.
Return of NJRat
NJRat
In spring PhishMe noticed a resurgence of the NJRat Trojan. This sample was delivered via an .exe file and was written in .NET 4.0, which was interesting because most malware today is written in C/C++. Malware written in .NET is more difficult to decode, making dynamic analysis more effective than regular analysis techniques.
Real-Time bidding
For its part, Malwarebytes Labs has seen exploit kit makers abusing Real Time Bidding (RTB) advertising networks to leverage their ability to reach highly targeted recipients, Jean Taggart, senior security researcher at the research arm of the anti-malware company, told Enterprise Technology. This makes replays difficult for researchers, as they have to meet all the conditions in order to trigger the exploit. This technique also allows attackers to leverage RTBs' granular geo targeting -- for example, visitor must be from a specific region, with indicators of a specific configuration before the exploit kit fires. The threats they deliver vary, but the delivery mechanism is getting more and more refined.
Faster zero days
Cybercriminals are adding zero-days at a faster and faster rate. As an example, someone using a version of Adobe Flash Player that’s only one update away from the latest will almost surely get infected should they visit a site that’s serving an exploit kit payload, Taggart said. For brief periods, users with the latest version of Flash are vulnerable as well. Whereas in the past, exploit kit makers would take time to deconstruct and understand proof of concept code from exploits to weaponize them, we now see deployment in a matter of hours, not days or weeks.
Macs included
Mac users have reached critical mass and are now starting to be targeted by PUP (Potentially Unwanted Program) makers, cautioned Malwarebytes Labs' Taggart. Mac users cannot afford to go unprotected.
Encrypted for evil
Threats that encrypt the user’s personal documents and hold them ransom are another growing threat, Taggart noted. With the emergence of crypto currencies like Bitcoin providing a modicum of anonymity to the attackers, we see an increase in threats using this technique. The encryption used by these threats is bona fide, meaning that once the documents are encrypted, decrypting them is very difficult. As a result, victims' only option often is to deal with the attackers and actually pay the ransom.
