Segment and segregate to defend data in 2016, urges F-Secure


Cyber extortion emerged as a strong trend in 2015, and is expected to continue in 2016, according to the latest threat report by security firm F-Secure.
The most common form of cyber extortion in recent months is the use of malware to encrypt organizations’ files and demand ransom payment in return for the decryption keys.
2015 saw the rise in popularity of several families of so-called ransomware, especially Cryptowall, Crowti and Teslacrypt, the report said.
While the Angler exploit kit delivered Alpha Crypt, Reveton and ransomware, the Nuclear exploit kit delivered CTB-Locker and Troldesh. However, Cryptowall and TeslaCrypt were delivered by both, with Cryptowall also delivered by the Magnitude and Fiesta exploit kits.
In the first quarter of 2016, F-Secure said several large organizations had been hit by consumer-type ransomware, including some hospitals and local government authorities, causing “a considerable amount of pain” for those organizations.
Exposing data
However, cyber extortion is being increasingly conducted using the threat of distributed denial-of-service (DDoS) attacks and the threat of exposing sensitive commercial data.
This data typically includes intellectual property and information relating to legal cases or mergers and acquisitions, according to Sean Sullivan, security advisor at F-Secure Labs.
“We expect 2016 to be the year of cyber extortion, with big company database breaches followed up by demands for payment not to publish the data,” he told Computer Weekly.
In the past ten years, said Sullivan, malware as a service has become entrenched as a business model in the hands of organized professionals, moving beyond commoditized malware to hacks of corporate databases.
“If corporations have not started segregating and segmenting their data into isolated zones on the network, that is tantamount to negligence,” he said.
Far too many organizations are keeping mission-critical documents and intellectual property on network shares, said Sullivan. These can be accessed by hackers and even commoditized malware. “Just by moving laterally across a network, sensitive data is often easily accessible to attackers because there are no barriers or controls,” he said.
In 2015, Sullivan said, there was plenty of evidence that organizations are not able to prevent intrusions by commoditized malware. “If organizations were not prepared for commoditized malware and dumb bots in the past year, they are unlikely to be prepared for human hackers following the bot in 2016,” he said.
Cyber extortion
F-Secure researchers predict there will be a shift towards intelligent, targeted attacks aimed mainly at extorting money from organizations.
Sullivan believes the attack on Sony Pictures Entertainment in November 2014 fell into this category. It was the first of this kind of attack to make headlines.
Although the attack has been linked to North Korea’s anger over the film The Interview, Sullivan said the initial emails relating to the attack demanded money, which means cyber extortion was more likely the prime motive for the attack.
Similarly, he said the attacker behind the Ashley Madison breach may have disapproved of the company’s business, but the prime motive was extortion, and data was dumped only when the company failed to give in to the demands.
Sullivan suspects there may have been several other similar cases that have not made the headlines because targeted companies elected to pay off the cyber extortionists.
“In 2016, I think we will see an example of a large corporation dealing with customer data facing threats of that data being dumped onto the internet if they fail to make a certain payment,” he said.
Exploit kits
Another key finding of the report is that exploit kits face a disruptive future in the light of the fact that prominent exploit kits such as Angler, Nuclear and others mostly took advantage of vulnerabilities in Adobe Flash.
Sullivan predicts that Google Chrome will kill Flash support in early 2017, and Mozilla Firefox and Microsoft Edge will follow. This could mean that, by early 2017, Flash will no longer bear fruit for exploit kit makers.
Exploits, which have become one of the most common vehicles for malware in the past decade, need out-of-date software to accomplish their goal of getting through security holes. However, that software will become increasingly difficult to find, according to Sullivan.
For example, with HTML 5’s capability to “do it all”, the need for third-party browser plugins has mostly been eliminated. Today’s browsers themselves are auto-updated, without the need for the user to intervene, so users always have the latest version.
Hopefully exploits will die, said Sullivan, with Microsoft’s software being much more secure than it used to be; with Adobe’s other software becoming increasingly cloud based; and with browser developers forcing Java into a restricted place.
Macro malware makes a comeback
However, he said, cyber attackers will move on to something else. In the short term, this will most probably mean falling back on email attachment-based malware schemes. One such scheme is macro malware, which re-emerged in 2015 after lying low since the early 2000s.
Malware authors use the macro feature in Microsoft Office to implant malicious code into documents they email as attachments.
With Office 2003, Microsoft changed default settings to no longer run macros automatically, making attacks much more difficult. But now macro malware attempts to get around Microsoft’s default settings by displaying text in the open document that claims it is a “protected” document that requires the user to enable macros.
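A defender-side check for the two traits described above (a VBA project inside an Office document plus "enable macros" lure text) is shown here as an added example; it is not code from the article or from F-Secure, and the sample document it builds is constructed in memory with a placeholder vbaProject part rather than any real macro.

```python
import io
import re
import zipfile

# Lure phrases of the kind the article describes; extend as needed (assumption).
LURE_PHRASES = ("enable macros", "enable content", "enable editing", "protected document")
TEXT_RUN = re.compile(r"<(?:w:)?t(?:\s[^>]*)?>([^<]*)</(?:w:)?t>")  # Word <w:t> and Excel <t> runs

def build_sample_docm(lure_text: str, with_vba: bool = True) -> bytes:
    """Constructed OOXML-style zip for testing; the vbaProject.bin content is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   f"<w:document><w:body><w:p><w:r><w:t>{lure_text}</w:t></w:r></w:p></w:body></w:document>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not a real macro")
    return buf.getvalue()

def inspect_office_file(data: bytes) -> dict:
    """Flag a document that carries a VBA project and/or lures the user into enabling macros."""
    result = {"has_vba": False, "legacy_ole": False, "lure_phrases": [], "risk": "low"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Pre-2007 binary formats (.doc/.xls) are OLE containers, not zips; flag for deeper parsing.
        result["legacy_ole"] = data.startswith(b"\xd0\xcf\x11\xe0")
        result["risk"] = "review" if result["legacy_ole"] else "unknown"
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        text = " ".join(
            " ".join(TEXT_RUN.findall(z.read(n).decode("utf-8", errors="replace")))
            for n in names if n.endswith("document.xml") or n.endswith("sharedStrings.xml")
        ).lower()
    result["lure_phrases"] = [p for p in LURE_PHRASES if p in text]
    if result["has_vba"] and result["lure_phrases"]:
        result["risk"] = "high"      # macro code plus social-engineering text: quarantine
    elif result["has_vba"]:
        result["risk"] = "medium"    # macros present; legitimate in some workflows
    return result

if __name__ == "__main__":
    sample = build_sample_docm("Protected document. Please enable macros to view the content.")
    print(inspect_office_file(sample))
```

Running this over a mail gateway's attachment quarantine, rather than on user desktops, keeps the check independent of whatever the user clicks.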
“In the past, we have seen attackers revert to older methods, such as when the Blackhole exploit kit was shut down, the attackers behind the GameoverZeus Trojan switched to using zip files and macro documents to distribute the malware,” said Sullivan.
As attackers are less able to exploit browser plugins to install malware on the disk, F-Secure also expects attackers to turn to malware that is resident only in memory and does not require installation on disk. “Cyber extortion through encrypting critical files does not necessarily require persistence, it only has to live long enough to locate and encrypt the targeted data,” said Sullivan.

Greater focus on browsers
As third-party plugins are phased out, F-Secure expects greater focus on using browsers as a way to infect computers.
“Even though there has been a concerted effort to harden browsers, there are probably tricks up attackers’ sleeves that they haven’t used yet,” said Sullivan.
To defend against these tactics, he said organizations should ensure they have usable backups that are not cloud based or connected to the corporate network in any way.
“In 2016, organizations should really be focusing on protecting their data, because that is what attackers are going after more than ever,” said Sullivan.