Monthly Archives: February 2018

Fortiguard releases latest IT security threat report

2018-02-27T14:28:56+12:00


FortiGuard Labs has just released our latest Quarterly Threat Landscape report, covering Q4 2017. As usual there are many take-aways for CISOs, but a few items stood out. In particular, detected attacks per firm were up 82% quarter-on-quarter, and swarm-style cyberattacks targeted the Internet of Things (IoT) with growing intensity.


Cyberattacks are being launched at an unprecedented rate. In fact, over Q4 of 2017 we detected an average of 274 attacks per firm, which is a staggering 82% increase over the previous quarter. The number of existing malware families also increased by 25%, to 3,317, and unique malware variants grew 19%, to 17,671, which not only indicates a dramatic growth in volume, but in the evolution of malware itself.

A deeper analysis of this trend suggests that the increase in volume is deliberate. To hit the maximum number of vulnerable targets before countermeasures, such as updated AV or IPS signatures, can be put in place, attackers need a high volume of malware that spreads rapidly from one organization to the next.

But it’s not just about volume. According to our CISO Phil Quade, “The volume, sophistication, and variety of cyber threats continue to accelerate with the digital transformation of our global economy. Cybercriminals have become emboldened in their attack methods as they undergo a similar transformation, and their tools are now in the hands of many.” These increasingly sophisticated attacks are catching far too many organizations unprepared. For example, we are seeing new IoT-based attack swarms that span multiple malware families and use harder-to-combat multi-vector attacks, along with the rapid development and propagation of new variants.

Here are just a few takeaways from this quarter’s report:

IoT Botnets

Three of the top twenty attacks identified in Q4 were IoT botnets. But unlike previous attacks, which focused on exploiting a single vulnerability, new IoT botnets such as Reaper and Hajime target multiple vulnerabilities simultaneously. This multi-vector approach is much harder to combat. In addition, Reaper was built using a flexible Lua engine and scripts to run its attacks. This framework means that rather than being limited to the static, pre-programmed attacks of previous IoT exploits, Reaper’s code can be easily updated on the fly to run new and more malicious attacks as they become available.

Devices like Wi-Fi cameras in particular were targeted by cybercriminals, with over four times the number of exploit attempts detected compared with Q3. The challenge is that none of these detections is associated with a known or named CVE, which is one of the more troubling aspects of the myriad of vulnerable devices that make up the IoT.

These issues are compounded by a number of critical challenges that slow the IoT industry’s ability to address this alarming growth in attacks. The first is that few IoT manufacturers have a Product Security Incident Response Team (PSIRT) in place that can respond quickly to new vulnerabilities. This means that after we or other researchers discover device vulnerabilities, getting that information to the right team inside the manufacturer is often a complicated process. Second, the lack of regulation around IoT security means that getting some manufacturers to prioritize a known threat can be even more frustrating, as evidenced by the number of exploits that have been successfully targeting known vulnerabilities for months without an official CVE being assigned.

Cryptojacking

Cybercriminals are clearly motivated to exploit the growing interest in digital currencies, and we have documented a significant spike in attacks targeting this trend. Cryptojacking takes many forms, and an infection can result in anything from browser hang-ups, system crashes and degraded network performance to data theft and ransomware. There are three primary trends in this area, each unique in its approach.

The first is the injection of JavaScript into vulnerable websites, or the delivery of malicious JavaScript attached to email, that hijacks the CPU of the victim’s device to perform cryptomining on behalf of the attacker. The crudest of these attacks simply consume all available CPU, making machines virtually unusable. Of course, this approach has a very short shelf life, as users quickly notice and look for ways to remove the attack. Newer, more sophisticated attacks monitor the device’s CPU and rate-limit the processing power they steal, often using 50% or less of the available CPU at any given moment, which keeps them below the threshold at which users or simple utilization alerts notice.

Second, with the number of cryptocurrencies on the rise and the dramatic growth in value of many of them making news around the world, cybercriminals are looking for ways to exploit individuals hoping to cash in on a new opportunity. This explains why we have detected a new social engineering attack that gets users to download malware by disguising a link or attachment as a new cryptocurrency wallet. This “wallet” gets users to provide personal information during a fake registration process while simultaneously downloading malware, such as ransomware, onto their device. Ironically, criminals use a fake digital currency to gain access to a device and then demand payment in another, legitimate cryptocurrency to unlock it.

Finally, we are seeing a shift on the Darknet from accepting only Bitcoin, the value of which has become unpredictable, to other digital currencies such as Monero, including for ransomware payment demands.

Ransomware

The growth in volume and sophistication of ransomware is a common thread across all of our threat reports to date. Several strains of ransomware topped the list of malware variants: Locky was the most widespread, with GlobeImposter second. A new strain of Locky emerged, tricking recipients with spam before requesting a ransom. Ransomware continues to morph and leverage new delivery channels such as social engineering (e.g., the fake cryptocurrency wallet lure described above). It is also much easier for criminals to access with the emergence of Ransomware-as-a-Service models.

Steganography

Steganography is the technique of hiding data, in this case malicious code, inside images. As an attack vector it has not had much visibility over the past several years, but it appears to be resurging. The Sundown exploit kit uses steganography to hide its malicious content and steal information, and while it has been around for some time, it was reported by more organizations than any other exploit kit. It was found dropping multiple ransomware variants. As a result, it is a threat vector that we will be watching closely in the coming quarters.

Critical Takeaways

Traditional threat detection tools and signature-based antivirus are simply unable to keep pace with the volume, variety, and velocity of today’s malware. According to Phil Quade, “The stark reality is that traditional security strategies and architectures simply are no longer sufficient for a digital-dependent organization. There is incredible urgency to counter today’s attacks with a security transformation that mirrors digital transformation efforts. Yesterday’s solutions, working individually, are not adequate. Point products and static defenses must give way to integrated and automated solutions that operate at speed and scale.”

To address the challenges facing organizations today, security teams need to take a more proactive approach that includes the following:

Managing vulnerabilities. Organizations need to prioritize patching based on malware volume. At the same time, they need to implement advanced threat protection capabilities such as sandboxing to detect and respond to unknown threats before they can impact the network.

Being prepared. As attacks like cryptojacking gain momentum, organizations need to prioritize cybersecurity awareness programs, including educating users on how to recognize social engineering attacks. In addition, as new digital currencies grow in popularity among cybercriminals, organizations may want to stay informed of cryptocurrency trends as much as possible.

Fighting fire with fire. Malware continues to evolve, with new IoT-based attacks that swarm together to target multiple vulnerabilities and devices simultaneously across multiple access points. These new multi-vector threats must be met with integrated, collaborative, and automated security approaches that can pit swarm versus swarm. The Fortinet Security Fabric, for example, provides a swarm-like defense deployed across the entire distributed network. It leverages integrated security technologies and automation to identify and share events and notifications, correlate threat intelligence, and orchestrate a response that uses the combined resources of the entire security infrastructure to repel attacks anywhere across the extended and highly elastic attack surface.


24 ways to protect against Ransomware / Cyber Attacks

2018-05-08T15:07:45+12:00

How can a small or medium-sized business protect against ransomware and cyber-attacks? I believe it’s by reducing your exposure through limiting your IT ‘surface area’. Small adjustments to your IT infrastructure can make your systems significantly more secure. No system is completely safe though, so plan for the worst and hope for the best!

A few years ago malware was usually just an inconvenience, but it now has the ability to cause serious data loss and major business downtime.

A brief outline of some security considerations:

1. Have a formal business process in place for when you receive a communication from a supplier asking you to change the bank account details used for payments, so that the request can be verified as legitimate before anything changes

2. Ensure you have a good quality, monitored backup solution in place which covers all business data you wouldn’t want to lose

3. Have a disaster recovery plan that is tested and updated every 6 to 12 months; think business continuity. Ensure responsibilities are clear and that all aspects of your IT/comms environment are covered

4. Have a documented process in place so that when staff leave the business all of their accounts are disabled or deleted immediately

5. Ask your employees to take extra care and only use their computers for business purposes. Create an internal IT policy which clearly defines acceptable use, and update it as technology changes

6. Staff opening suspect emails is still a prime route into your PCs. Train staff, and consider using a free third-party service like https://www.knowbe4.com/phishing-security-test-offer to see how prone they are to phishing emails

7. Ensure your IT systems are updated often with the latest security patches and firmware

8. Spread your IT risk: use a mixture of cloud services and onsite IT solutions

9. Change over to a firewall with integrated security services, and have your existing firewall policies reviewed. Don’t rely on a standard ISP-supplied router, which offers next to no protection

10. Retire old, vulnerable software and hardware from your business

11. Ensure your staff are aware of the risk of inserting an unknown USB drive

12. Implement a mobile device management policy for your company laptops, tablets and mobile devices

13. Upgrade to the latest wireless security protocols and get rid of WEP. Separate your Wi-Fi networks so that guest devices are completely isolated on their own network

14. Look at two-factor authentication (2FA) for protecting access to critical parts of your IT systems

15. Add additional layers of security to email, even if it already comes with security built in. Standard filtering is often not good enough

16. Use long, complex passwords, never recycle or share them, and change a password immediately if you suspect it has been exposed. A password manager makes unique passwords practical

17. Would your business benefit from DDoS protection for critical internet connections or websites?

18. Is your data 100% safe in the cloud? Think about backing up your cloud services such as Office 365, Dropbox and Google

19. Allow only authorised devices on your network, using network access control solutions where appropriate

20. Think about encryption for laptops, tablets and removable storage devices, and consider a Data Loss Prevention (DLP) solution

21. Run security audits or independent vulnerability scans against your computer systems

22. Ensure you have a relationship with a professional IT services company in Auckland that can improve your IT security and help if the unfortunate happens

23. Desktops and laptops should be protected by anti-malware, not just antivirus

24. Did I mention backups?


More international bandwidth is coming to NZ

2018-02-16T10:43:33+12:00

More international internet bandwidth is coming to NZ! Construction of the $500 million fibre cable linking NZ, Australia and the USA is 50% complete and should be finished by June. The cable ship Responder docked in Auckland last week before laying the NZ segment of the cable, which will land near Mangawhai Heads. The link’s total capacity will be 43 terabits per second, nearly 10 times the bandwidth currently used by Australia and NZ combined. The cable will compete with the existing Southern Cross Cable, which is part-owned by Spark. Last year Microsoft and Facebook teamed up to connect Virginia Beach in the USA with Spain via over 4,000 miles of cable, and Google, not to be left behind, has recently joined the undersea cable business and announced plans for cables that will circle the world three times over.
