Two decades ago the movie Jerry McGuire premiered and the phrase “show me the money” was launched into the popular lexicon. Today, nimble cyber criminals are motivated by those same words, continually looking for ways to boost profits with the most efficient methods they can devise. In the latest round of attacks, they are hijacking legitimate online resources to launch campaigns that ultimately show them the money. Here are just a few examples of how adversaries are going about this.
The Angler exploit kit is one of the largest and most effective exploit kits on the market. It has been linked to several high-profile malvertising and ransomware campaigns, and has been a major factor in the overall explosion of ransomware activity over for the last several years. Angler uses proxy servers located on servers of service providers as a conduit to malicious payloads, with one of the main perpetrators targeting up to 90,000 victims a day and generating more than $30M annually.
SSHPsychos (also called Group 93) was one of the largest DDoS networks ever observed. Before it was detected and stopped, it had enlisted tens of thousands of machines distributed across the Internet to launch attacks that could not be addressed on a device-by-device basis. The brute-force attacks involved SSH (secure shell) traffic and, at times, accounted for more than 35 percent of all global Internet SSH traffic.
Attackers are increasingly using browser add-ons as a way to distribute malware. Users inherently trust add-ons and security teams often view these add-ons as a low-severity threat. In reality, malicious browser extensions can steal information and can be a major source of data leakage for businesses. Every time a user opens a new web page with a compromised browser, malicious browser extensions collect data which can include user credentials, customer data, and details about an organization’s internal APIs and infrastructure.
Adversaries also incorporate the Domain Name Service (DNS) into sophisticated campaigns to help their malware succeed in three ways: to gain command and control, to exfiltrate data, or to redirect. They use DNS to connect to sites that are known bad or suspicious, yet few companies monitor DNS for security purposes.
And, finally, the Internet is filled with abandoned sites created with WordPress that are not maintained from a security perspective. As new security issues surface these sites become easy targets for bad actors who take advantage of these compromised websites to conduct criminal activities efficiently. Marshalling server resources, they create an infrastructure that supports ransomware, bank fraud, or phishing attacks.
As defenders, we need to do a better job of collaboration, communication, and coordination to increase our resilience to these types of attacks.
For example, the security industry must explore ways to partner when faced with a threat such as the Angler exploit kit or SSHPsychos. Top-level domain providers, ISPs, hosting providers, DNS resolvers, and security vendors can no longer sit on the sidelines when online criminals launch their exploits on networks or servers that are intended only for legitimate use. In other words, when criminals use this infrastructure in more or less plain sight, the industry must remove access.
Within companies, different IT groups must work together to eliminate blind spots that attackers are using to evade detection. For example, security teams and DNS experts should begin to interact more frequently. Monitoring DNS is essential for identifying and containing malware infections that are using DNS to execute their mission. This information can also help further investigations and uncover the money trail by determining the type and source of infrastructure supporting the attack.
Finally, organizations should move toward an integrated threat defense architecture. Such an architecture provides visibility, control, intelligence, and context across many security solutions. It can collect information from deployed infrastructure in an automated and efficient manner. Instead of just alerting security teams to suspicious events and policy violations, it can paint a clear picture of the network and what’s happening on it. Not only does such a solution block more threats, but also reduces time to detection, containment, and remediation of known and emerging, multi-vector attacks.
In their quest to find the money cybercriminals are using increasingly brazen and efficient methods to conduct attacks. As defenders, there’s a lot we can do to combat these threats but it requires collaboration, communication, and coordination – across the industry, among internal IT groups, and between security technologies.