Ringing in a More Secure 2017
Time marches on, and so does the state of cyber security. In 2016 we’ve seen cybercriminals continue to innovate. But we’ve also seen defenders continue to advance in the way they detect and mitigate attacks. As the year comes to a close, let’s take a look at five examples that demonstrate this ongoing tug of war between adversaries and defenders. The lessons we’ve learned can help us ring in a safer new year.
1. Data is being monetized in multiple ways in the same attack.
For many financially motivated cybercriminals, one of the most valuable commodities is data. However, cybercriminals can’t predict with certainty the type of data they’ll be able to access and exfiltrate. Once they have invested the time and resources to execute an attack, they want to maximize their returns. To do this, attackers are increasingly turning to blended threats, for example combining malware and ransomware, to create multiple revenue streams based on the type of data uncovered. One of the first examples was a banking Trojan called GameOver Zeus that could install CryptoLocker, so that if the data uncovered couldn’t be used for fraud, the attackers could turn to extortion. A more recent example is the Pony credential-harvesting malware used in concert with the “RAA” ransomware. Other ransomware variants, such as “CryptXXX” and “Crysis,” reportedly also possess credential-stealing capabilities. Cyber hygiene practices like password and patch management, along with secure, remote data backups, can go a long way toward thwarting these types of attacks.
2. Cybercriminals don’t act with impunity.
Capitalizing on weak attacker OPSEC, security researchers, law enforcement agencies and intelligence agencies are working together to detect, identify, observe, analyze and report on cybercriminals – ultimately leading to arrests. In September 2016, the FBI arrested two alleged members of a hacking group called “Crackas with Attitude,” charged with hacking the personal Internet accounts of senior U.S. government officials as well as U.S. government systems. More recently, federal investigators in the U.S., U.K. and Europe collaborated to take down “Avalanche” – a distributed, cloud-hosting network comprising up to 600 servers worldwide that was rented by criminals to launch malware and phishing attacks. The agencies worked side by side with other organizations over the course of four years to understand the complex, global network, culminating in the arrest of five individuals and the seizure of systems used for digital fraud.
3. Flash remains a popular vulnerability.
Exploit kits, pre-packaged software that uses vulnerabilities in software applications to spread malware, are not new to the information security community. But they remain successful in part because they exploit a large number of vulnerabilities quickly – in some cases within days of being written up in the National Vulnerability Database. Adobe Flash is the software most commonly targeted by exploit kits, accounting for one third of the identified vulnerabilities exploited in the most popular exploit kits. Patches are available for these vulnerabilities, and organizations should prioritize keeping their Adobe Flash software up to date.
4. Incident response capabilities are advancing.
Although data breaches are becoming more common, our response capabilities are improving. Consider the recent example of Camelot, the company that operates the U.K.’s National Lottery. The firm became aware of suspicious activity on a small portion of accounts. While cyber criminals were not able to access core systems and did not gain access to customers’ financial data, personal details in some customers’ accounts had been changed. Camelot quickly identified the unauthorized access; suspended the compromised accounts; contacted law enforcement and is working closely with them on the investigation; and communicated clearly with customers to educate them on the potential breach and the corrective action. This type of responsiveness, collaboration and communication demonstrates a level of maturity and sophistication in how organizations handle incidents when they occur.
5. IoT devices – a new vulnerability.
The Mirai malware has launched some of the largest distributed denial of service (DDoS) attacks measured to date. The malware exploits weak default passwords in IoT devices (cameras, DVRs, routers, or other internet-connected devices) to gain control of such devices and create botnets. The SSHowDowN Proxy attack is another recent example of IoT devices being used for malicious purposes. This attack exploits a 12-year-old vulnerability in OpenSSH to compromise devices (satellite antenna equipment, routers, hotspots, modems, and internet-connected Network Attached Storage devices) and route bad traffic. Device manufacturers and users can both take action to mitigate such attacks, including changing passwords, patching known vulnerabilities and/or disabling SSH entirely.
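The mitigation advice above (change default credentials, patch, or switch SSH off) is easy to state and hard to verify across a fleet of devices. As an added example that is not part of the original post, the following Python script audits an OpenSSH `sshd_config` for the settings that matter most on an embedded device and produces a hardened copy. The sample config, the list of directives checked and the assumed defaults for absent directives are my own choices for this illustration, not details from the post or from OpenSSH documentation; in particular, `PermitRootLogin` is treated as defaulting to `yes` when absent, which is what older firmware builds tend to ship.

```python
"""Audit an OpenSSH sshd_config for settings that leave an IoT device exposed.

Example code written for this article, not from the original post.
"""
import re

# Constructed sample: the kind of sshd_config a device might ship with.
SAMPLE_CONFIG = """
# sshd_config from a hypothetical IoT device (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
PermitEmptyPasswords yes
Protocol 2
"""

# Directive -> (secure value, assumed default when the directive is absent, why it matters).
# The directive set and the assumed defaults are this example's choices.
CHECKS = {
    "PermitRootLogin": ("no", "yes", "one guessed root password owns the device"),
    "PasswordAuthentication": ("no", "yes", "password logins are what default-credential malware brute-forces"),
    "PermitEmptyPasswords": ("no", "no", "an empty password needs no guessing at all"),
    "AllowTcpForwarding": ("no", "yes", "forwarding lets a compromised device relay third-party traffic"),
}


def parse_sshd_config(text):
    """Return {lowercased directive: value}; the first occurrence wins, as in sshd.
    Match blocks are not modelled: a device config rarely has them."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text):
    """Return a list of (directive, current value, secure value, reason) for each weak setting."""
    settings = parse_sshd_config(text)
    findings = []
    for name, (secure, default, reason) in CHECKS.items():
        current = settings.get(name.lower(), default).lower()
        if current != secure:
            findings.append((name, current, secure, reason))
    return findings


def harden(text):
    """Rewrite the config so every checked directive carries its secure value.

    The first occurrence of each checked directive is replaced, later duplicates are
    dropped (sshd would ignore them anyway), and missing directives are appended."""
    lines, seen = [], set()
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        match = re.match(r"(\w+)[\s=]+", stripped)
        name = next((n for n in CHECKS if match and n.lower() == match.group(1).lower()), None)
        if name is None:
            lines.append(line)  # untouched: comments, blanks and unrelated directives
            continue
        if name not in seen:
            lines.append(f"{name} {CHECKS[name][0]}")
            seen.add(name)
    for name, (secure, _, _) in CHECKS.items():
        if name not in seen:
            lines.append(f"{name} {secure}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, current, secure, reason in audit(SAMPLE_CONFIG):
        print(f"{name}: is '{current}', should be '{secure}' ({reason})")
    print("--- hardened config ---")
    print(harden(SAMPLE_CONFIG))
```

Run against the sample, the audit flags all four directives; running it again on the output of `harden()` reports nothing. Disabling password authentication only helps once key-based access is in place, so on a device that cannot manage keys the post's last option, disabling SSH entirely, is the one that actually removes the exposure.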
As these observations from 2016 reveal, attacks are evolving and advancing but organizations are as well. It pays dividends to reflect on the past so we can see how far we’ve come and what we can learn to help make 2017 a happy new year for defenders.