Moving to the latest 100 threat reports that specifically target the finance industry, we can see that we have captured a Microsoft Office-based campaign. Various Office file extensions make up 62% of the recent file types, with the remaining 38% being Portable Executable files (see Figure 1).
Of the recent file types, 69% are Unclassified in terms of the specific type of malware detected. This means that at time of submission to Lastline they had already been submitted to VirusTotal, but there was no positive detection of maliciousness (see Figure 6). The unclassified rate for Microsoft Office files is 99% in this time frame.
A newly reported botnet named VPNFilter targets SCADA/ICS environments by monitoring MODBUS SCADA protocols and exfiltrating website credentials. This new botnet has already infected over 500,000 routers and network-attached servers. It also includes a bricking component that can render a single targeted device useless, or even render all infected devices useless simultaneously in a mass-scale attack.
The Talos threat research team at Cisco recently reached out to the members of the Cyber Threat Alliance (CTA) to report on their discovery of this botnet. Their responsible “early warning” sharing of this threat intelligence with other leading security researchers is exactly the sort of activity that CTA was created to provide. It allows all participating security vendors to understand a new risk and deploy actionable controls prior to the public release of threat details. It also provides an opportunity for members like Fortinet to look for additional details and context that we can share.
Early research indicates that VPNFilter is likely an advanced, state-sponsored modular malware system that has resulted in the widespread infection of primarily home and small business routers and network attached storage (NAS) devices. Activity from the campaign was initially seen in targeted, specific attacks in Ukraine, but data indicates that devices in over 100 countries are being scanned on ports 23, 80, 2000, and 8080, which are indicative of additional scanning for vulnerable Mikrotik and QNAP NAS devices.
In 2014, Lastline published a blog titled “Web Security for Advanced Malware and Persistent Threats”. Four years later it remains a very popular post, describing how Lastline complements Secure Web Gateways (SWGs) to dramatically bolster web security, particularly against Advanced Persistent Threats (APTs).
A lot has changed since 2014. Complementing SWGs with enhanced protection is of course still necessary, even more so today than four years ago. What has changed is that the threat exposure has continued to increase. APTs are more common and dangerous than ever, and understanding how these threats have grown in complexity and sophistication is critical for those tasked with keeping their networks safe.
Fortinet has just released its Quarterly Threat Landscape Report for Q1 of 2018, and the numbers are interesting. While some of the most common threat indicators actually dropped during the quarter, the data also shows that attackers may simply be refining their technologies and methodologies.
Another interesting trend was the variety of attack vectors that were targeted. While Meltdown and Spectre dominated the headlines in Q1, and Microsoft continued to be the number one target for exploits, routers took the number two spot in total attack volume. Growing from a tiny risk just a few years ago, over one in five organizations now report mobile malware (up 7%, to 21%). At the same time, web-oriented technologies were also heavily hunted by cybercriminals. Another technology area under attack in Q1 was web Content Management Systems (CMS).
Understanding how malware works, and in particular, the strategies and tactics most often used by malware authors is vitally important for cybersecurity professionals. In other blog posts, Lastline provides a brief history of malware and basic malware types. In this post, we’ll look at some of the common methods that malware authors use to distribute, control, and hide malicious code.
LogRhythm, known as “The Security Intelligence Company,” has just released its annual benchmark survey, Cybersecurity: Perceptions & Practices, which measures cybersecurity perceptions and practices of organizations in the United States, United Kingdom, and Asia-Pacific regions. The impressive 28-page survey report, conducted by Widmeyer, surveyed 751 IT decision makers. It found that fewer than half of all organizations were able to detect a major cybersecurity incident within one hour. The survey also revealed that a majority of organizations are only moderately confident in their ability to protect their companies against hackers.
Adapting to the new digital economy requires organizations to not just retool their networks, but in many cases, core business processes as well. The creation, exchange, and analysis of data – about customers, products, and their usage – enables organizations to gain the insights they need to improve operational efficiency, business agility, and the customer experience.
The three pillars of digital business are automation, agility, and analytics. As the speed of business accelerates, critical processes need to occur at digital speeds, which means that human beings, and human error, need to be removed from many of the basic operations that support the organization. Automation allows critical personnel to be reassigned to higher-order projects that rely on real-time analysis of growing volumes of data in order to enable agile business.
Internet of Things (IoT) botnets have forever changed cyber-security. When an IoT botnet – which is a group of internet-connected computers, appliances or devices that have been co-opted to launch a cyber-attack – is unleashed, the results can be devastating.
Nearly any internet-connected device can be considered an IoT device. With humanity’s growing reliance on the internet, the number of devices capable of being hacked and used as part of a botnet has increased dramatically. By 2020, there will be over three IoT devices for every human on planet earth.
As a result, what was once the storyline for a science fiction movie (household appliances being hacked and turned against humanity) is now reality. From fish tanks to dishwashers to automobiles, here are seven of the strangest IoT devices that have been hacked in recent years.
The cybersecurity challenge centers around a fundamentally simple concept: Email keeps businesses running and stores critically important corporate and personal data, but email is also the top vector for cyberattacks. The cyberattack trends and numbers speak volumes:
Mimecast, a leading email and data security company, has recently helped build momentum by stressing the importance of having a cyber resilience strategy. Cyber resilience involves extending email security beyond a 100 percent prevention-centric approach. Instead, it encourages the adoption of a resilience-centric approach that combines threat prevention and adaptability to new types of threats with built-in durability and rapid response.
In February 2018, several Russian nuclear scientists were arrested for allegedly mining cryptocurrencies using computing resources located at a Russian nuclear warhead facility. Globally, cryptominers are rapidly increasing and spreading for an obvious reason: it’s lucrative. Threat actors are also surfing this wave by using different kinds of attacks to compromise not only personal computers but also servers. They are looking for powerful CPU resources to mine cryptocurrencies, such as Monero (XMR), among others, as fast as they can. The more infected machines they can get mining for them, the more money they can make.