History Tends to Repeat Itself – Attackers Repurpose Tried and Tested Methods to Launch Attacks
Research by The Radicati Group shows that email remains the most ubiquitous form of business communications, with the total number of business and consumer emails sent and received per day reaching 280 billion in 2018 and projected to grow to over 333 billion by the end of 2022. It should come as no surprise then that email remains the number one vector used by threat actors to launch attacks. Two of the top three types of incidents the nearly 3,000 participants in the Cisco 2019 CISO Benchmark Study report facing last year were due to issues with email security: malicious spam and phishing. If you look back at 2018, you’ll find threats like Emotet and cryptomining used email as the preferred delivery method. It’s also highly likely that other threats, such as unauthorized Mobile Device Management (MDM) profiles, used email as well.
We all know that history tends to repeat itself and that attackers repurpose tried and tested methods to launch attacks, which is why one of the keys to creating a safer future is to study the past. Let’s look at how these three types of attacks unfold so that we can protect ourselves more effectively.
1. Emotet. Starting out as a banking trojan, Emotet used invoice- or payment-themed spam emails to deliver malware. Typically, the malware was attached as a document or file or included in the email as a malicious link. Emotet has since transformed into a modular platform, capable of carrying out a variety of attacks via email. It offers tools for a range of functions including stealing email credentials, stealing user names and passwords stored in browsers, providing distributed denial-of-service (DDos) capabilities, and distributing malware. Particularly concerning, the group behind Emotet is now cooperating with other groups, allowing them to use the platform to deliver other trojans and ransomware. Emotet infections can cost up to $1 million per incident to remediate according to US-CERT and there appears to be no end to the ways in which it can use email to wreak havoc on a widening swath of unsuspecting organizations.
2. Cryptomining. Here, the objective is to steal computing power to mine cryptocurrencies and generate revenue. One of the ways cryptomining software gets into an environment is through spam emails with malicious attachments. Users are tricked into downloading the software onto their devices where it continues to run in the background without the owner’s knowledge. Cryptomining software can slow down system performance and increase power costs, which can quickly add up when multiplied over the number of endpoints in an organization. Cryptomining can also have regulatory implications for sectors such as financial services, where strict rules apply to revenue generated using corporate resources. Also worrisome for security professionals are the other types of threats the organization may be exposed to if other attackers exploit the same security vulnerabilities. Even though the value of cryptocurrencies has been dropping, cryptomining will continue to be a threat because it provides recurring revenue at relatively little risk and overhead to the threat actor.
3. Unauthorized MDM profiles. While this threat is only just emerging, we are seeing examples of devices that use open source MDM systems being compromised. The attackers manage to get malicious profiles onto the devices and push out applications with the purpose of intercepting data, stealing SMS messages, downloading photos and contacts, and tracking the location of the devices, among other things. One of the ways devices may be subjected to the attack could be through a malicious email designed to fool the user into thinking they are required to install a profile that is actually bogus. Fortunately, these attacks require the target complete multiple steps so they are difficult to carry out, but we can expect that threat actors will hone their methods over time.
Understanding the latest attacks and how attackers innovate and operate can help security professionals identify and close gaps in email security. In addition, these measures can improve protection and mitigate damage.
• Ongoing education on the various types of email threats can help reduce the risk of employees clicking on malicious emails and attachments.
• Defenses that block bad IP addresses can help protect against malware and phishing.
• If something does get in, malware protection can detect malicious behavior and stop and remove threats before damage can be done.
• Segmentation dramatically curtails the ability of threat actors to move across the environment, limiting the spread of destructive activity and helping to keep critical assets safe.
Given the popularity and projected growth in email, it’s safe to assume that these attacks and similar ones will continue to appear. Fortunately, by learning from the past there are many steps we can take to strength our approach to security as attackers continue to turn to email to help accomplish their mission.