Cyber Threat Landscape – Rise of Phishing, Spear Phishing, Business Email Compromise (BEC), Exploit Kits, Ransomware & Crypto Mining

The potential attack surface of organizations continues to expand, and the speed and sophistication of cyberattacks continue to make defending the network ever more challenging. With the help of this blog we are sharing some of our observations about the current cyber threat landscape. 

Cyber Threat landscape – Malware then and now

If we look back at the history of the cyber threat landscape, it tells us that the motivation of threat actors has completely changed. In the early years, viruses were primarily used to disable computers, replace system boot sectors, corrupt executables and office documents, and delete files. Hacking was more about fame, fun and prestige than about making money. Leveraging email to distribute malware was first done decades ago, but it is still very effective today.

What has changed?

Earlier, we (organizations as well as individuals) used far fewer digital assets for business operations and daily life, and the internet was less available and less used. Today we rely much more on our digital devices, and they are always connected to the internet, which leads to a broader attack surface. Most breaches today are driven by cybercriminals who steal sensitive information to sell on the Dark Web, or encrypt systems and demand a ransom. The only goal now is to make money. As a result, hacking has become much more sophisticated and lethal. There are proper, well-organized cybercrime organizations. Their Cybercrime-as-a-Service ecosystem is one of the biggest reasons why the cybercrime industry grows dramatically and generates more than one trillion dollars in revenue every year.

Threats have become more sophisticated

Sophisticated attackers are ahead of the curve. Cybercriminals anticipate how people generally behave and tailor their campaigns to current events; the COVID-19 pandemic is a great example. They send these campaigns with malicious files and links to infected web pages, targeting people when they are in a state of fear, uncertainty and doubt. We now also see file-less attacks that drop no payload on disk and live entirely in memory. This has been a dramatic paradigm shift, especially for the anti-virus and endpoint security industry.

Social engineering & Phishing Techniques

Humans are, and always will be, the weakest link in any corporate IT security system. Phishing techniques have evolved dramatically, and these messages manage to get past enterprise email security systems. Cybercriminals today do not require any development skills; they can easily purchase sophisticated automated toolkits on the darknet for a modest amount of money. All it takes is one employee falling for a social engineering attack, and the attackers gain a foothold in the victim's network from which they can move laterally to their primary target.

Business Email Compromise (BEC)

Business Email Compromise (BEC) is an attack in which an attacker obtains access to a business email account and imitates the owner's identity in order to defraud the company and its employees, customers or partners. One variant is CEO Fraud, where attackers pose as the company CEO or another executive and send a spoofed email to employees in finance (such as the CFO), requesting that they transfer money to an account the attackers control.

Spear phishing

Spear phishing is a personalized phishing attack that targets a specific organization or individual. These attacks are carefully designed to elicit a specific response from a specific target. Attackers invest time in researching their targets and their organizations to craft a personalized message, often impersonating a trusted entity. All this makes the message look trustworthy to the recipient.

Many spear-phishing attacks impersonate a trusted entity such as a well-known company or a commonly used business app such as Office 365, Gmail or DocuSign. They may also impersonate a trusted colleague or business partner. These attacks typically try to get recipients to give up account credentials or click on malicious links. For example, you might receive an email claiming your account has been frozen and giving you a link to reset your password. If you click, you will land on a fake portal and enter your credentials, and now the crooks have unfettered access to your account. They can use that access to steal confidential data, conduct financial fraud using your account, or launch a more targeted attack within your organization.
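To make the CEO-fraud and credential-phishing signals above concrete, here is an added triage heuristic (example code, not from the original post) that scores a parsed message for display-name impersonation of an executive, a lookalike sender domain, a Reply-To pointing elsewhere, and payment-pressure wording. The organization domain, the executive list and the sample headers are constructed assumptions.

```python
# Added example: heuristic BEC / spear-phishing triage on a parsed message.
# Assumptions (not from the post): the organisation's domain is example.com and
# EXECUTIVES maps a protected display name to its only legitimate mailbox.
from email.utils import parseaddr

ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_WORDS = ("wire transfer", "urgent", "invoice", "bank details")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _one_edit_away(a, b):
    """True if a and b differ by one substitution, insertion or deletion (examp1e.com)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    lo, hi = (a, b) if len(a) < len(b) else (b, a)
    return any(hi[:i] + hi[i + 1:] == lo for i in range(len(hi)))

def score_message(headers, body):
    """Return a list of (tag, detail) findings; an empty list means nothing suspicious."""
    findings = []
    name, from_addr = parseaddr(headers.get("From", ""))
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    # 1. CEO fraud: an executive's display name on a mailbox that is not theirs
    legit = EXECUTIVES.get(name.strip().lower())
    if legit and from_addr.lower() != legit:
        findings.append(("display-name-impersonation", f"{name!r} via {from_addr}"))
    # 2. Sender domain one typo away from ours
    if from_dom and _one_edit_away(from_dom, ORG_DOMAIN):
        findings.append(("lookalike-domain", from_dom))
    # 3. Replies silently routed to a different domain
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(("reply-to-mismatch", reply_addr))
    # 4. Money-and-urgency language only counts alongside a spoofing signal
    hits = [w for w in PAYMENT_WORDS if w in body.lower()]
    if hits and findings:
        findings.append(("payment-pressure", ", ".join(hits)))
    return findings

# Constructed sample: CEO-fraud style request aimed at finance.
SAMPLE_HEADERS = {"From": "Jane Doe <jane.doe@examp1e.com>",
                  "Reply-To": "ceo-office@mail-relay.net"}
SAMPLE_BODY = "Please process this urgent wire transfer today and keep it confidential."
```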

The Growing Threat – Ransomware

When it comes to malware, the biggest threat experienced today by many individuals and businesses is ransomware. The tactic has been around for a while, but it has recently gained traction by evolving into the most profitable type of malware in history. Ransomware is the name given to a class of malware that, once downloaded, encrypts critical data and demands a ransom for releasing it. Attackers deploying ransomware usually attempt to hit as many individual targets as quickly as possible, so the payloads are most often delivered through three methods:

  • Mass phishing – Emails which rely on unsuspecting users to activate
  • Malvertising – Malicious advertising which relies on unsuspecting users to activate
  • Exploit kits – Which take advantage of pre-existing software vulnerabilities

Ransomware specifically targets user files and avoids damaging system files so that the user can be notified of what happened. It also provides a viable means for the user to pay the ransom in order to get their files back. Once the files are encrypted, the malware usually self-deletes and leaves behind a message.

The message instructs the victim on how to pay and regain access to their files. Some variants display a countdown timer, threatening to delete the key or decryption tool if payment is not received before the timer reaches zero; others increase the ransom price instead.
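The behaviour just described, user files rewritten in bulk while system files are left alone, a note dropped and the binary self-deleting, is what a behavioural detector on the endpoint looks for. Below is an added example (not from the original post) that applies those three checks to a constructed file-event log; the log format, the thresholds and the note-name pattern are assumptions.

```python
# Added example: behavioural ransomware detector over a constructed file-event stream.
# Assumed log format (not from the post): "<epoch> <pid> <exec|write|rename|delete> <path>".
import posixpath
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 10    # burst window for mass file modification
BURST_THRESHOLD = 6    # distinct files rewritten or renamed inside the window
SYSTEM_ROOTS = ("/usr/", "/bin/", "/etc/")   # ransomware skips these, so they are ignored
NOTE_RE = re.compile(r"(readme|decrypt|restore|how_to).*\.(txt|html)$", re.I)

def parse_event(line):
    ts, pid, op, path = line.split(" ", 3)
    return int(ts), int(pid), op, path

def detect(lines):
    """Return {pid: set of reasons} for processes showing ransomware-like behaviour."""
    recent = defaultdict(deque)     # pid -> (ts, path) of recent non-system file changes
    image = {}                      # pid -> executable path recorded at exec
    verdicts = defaultdict(set)
    for line in lines:
        ts, pid, op, path = parse_event(line)
        if op == "exec":
            image[pid] = path
        elif op == "delete" and image.get(pid) == path:
            verdicts[pid].add("self-delete")       # process removed its own binary
        elif op in ("write", "rename") and not path.startswith(SYSTEM_ROOTS):
            q = recent[pid]
            q.append((ts, path))
            while ts - q[0][0] > WINDOW_SECONDS:   # drop events outside the window
                q.popleft()
            if len({p for _, p in q}) >= BURST_THRESHOLD:
                verdicts[pid].add("mass-user-file-modification")
            if NOTE_RE.search(posixpath.basename(path)):
                verdicts[pid].add("ransom-note-dropped")
    return dict(verdicts)

# Constructed sample: pid 4242 renames documents to a new extension, drops a note and
# deletes its own binary; pid 77 is an ordinary editor saving one file.
SAMPLE_LOG = [
    "1000 4242 exec /tmp/update.bin",
    "1001 77 write /home/bob/notes.txt",
] + [f"100{i} 4242 rename /home/bob/docs/report{i}.docx.locked" for i in range(2, 9)] + [
    "1009 4242 write /home/bob/docs/README_DECRYPT.txt",
    "1010 4242 delete /tmp/update.bin",
]
```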

To date there have been many ransomware variants; a few are listed below:

  • Cryptolocker
  • Locky
  • WannaCry/WCRY
  • PETYA
  • CERBER
  • NotPetya
  • Maze 

Increasing Incidents of Server & Workstation Compromise for the purpose of Cryptomining by Using Exploit Kits

Cryptocurrency (digital currency) is now the preferred way for cybercriminals to make a profit. There are many incidents in which network and individual users' systems were found compromised by a process (malware) programmed to gain access to compute resources (system processing power).

Let's understand how it works

Cybercriminals compromise a website and abuse a legitimate tool to inject an exploit kit on that site. This automated kit then exploits a vulnerability in the visitor's browser to gain access to the system. Using this access, attackers essentially steal compute resources and exchange them for cryptocurrency credit. All of this occurs without the users' consent or knowledge for the duration of their site visit. This malicious activity doesn't damage systems, but users will experience a noticeable slowdown in system performance. With the increasing value of cryptocurrencies such as Bitcoin and Ethereum, and a business model with higher returns than malware- and exploit-type attacks, it's no surprise these attacks are becoming more commonplace.