Expert Speak

Four Ransomware Trends That Companies Should be Aware Of

Written by Mohammed Al-Moneer, Regional Director, Middle East, Turkey & Africa at Infoblox

Trend 1 – Ransomware attacks continue to grow
Ransomware is once again front and center. This year has turned out to be one of the worst years for ransomware. Why? Because that’s where the big money is. The large potential return on investment makes ransomware extortion activities highly compelling for threat actors. Verizon’s 2021 Data Breach Investigations Report notes, “The novel fact is that 10 percent of all breaches now involve ransomware.”

Cybereason’s recent ransomware study of nearly 1,300 security professionals reveals that more than half of organizations have fallen victim to ransomware attacks. In addition, 80 percent of businesses that have paid ransoms have suffered second ransomware attacks, often from the same threat actors. 66 percent of organizations surveyed reported a significant loss of revenue after a ransomware attack, 53 percent of organizations indicated that their brand and reputation were damaged as a result of a successful attack, and 32 percent reported losing C-level talent as a direct result of ransomware attacks. As many as 26 percent of organizations reported that ransomware attacks forced their businesses to close temporarily.

Trend 2 – Ransomware as a Service expands
The ransomware attacks on JBS and Colonial Pipeline are examples of criminal organizations using RaaS platforms. Many potential threat actors lacking the skills to build and launch their own ransomware attacks can buy what they need through the dark web. Nearly two-thirds of ransomware attacks during 2020 came from RaaS-based platforms.

RaaS platforms include support, community forums, documentation, updates, and more. They are closely modelled after the type of support offered with legitimate SaaS products. Some RaaS websites offer supporting marketing literature and user testimonials. The cost is relatively low. In some cases, affiliates can sign up for a one-time fee or for a monthly subscription. Some RaaS platforms are set up without any initial fees and share the fees associated with a successful attack. Other platforms might have charges for special features, such as the view of a status update of active ransom infections, the number of files encrypted, and payment information.

The use of highly targeted RaaS attacks has been lucrative for threat actors. RaaS attacks that target large organizations can, in turn, ask for large ransoms. In these highly targeted cases, threat actors sometimes use carefully researched social-engineering tactics, such as well-crafted emails to entice targets to click dangerous URLs or open malicious attachments. In other cases, threat actors may target a vulnerability that is particular to or commonly used by their target victim group.

Trend 3 – Ransomware leak sites are a new threat actor tactic of choice
Threatening to post a victim’s data on a data-leak site increases the leverage of a ransomware threat actor and is another part of their strategy, in addition to encrypting a victim’s files. The damage of this exposure might be greater than the financial damage of agreeing to pay the ransom the actor has demanded.

Trend 4 – Ransomware distribution methods remain tried and true
Attackers continue to use tried-and-true ransomware distribution methods – their tactics, techniques, and procedures work well for them, and these attack vectors continue to bring them success. The four distribution methods are malicious websites, malspam email, Remote Desktop Protocol (RDP), and USB memory sticks. Depending on the report cited, the time period, and the companies surveyed, the percentages of ransomware attacks that use these distribution methods have varied significantly.

  • A malicious website distributes harmful downloads to users socially engineered to click links to that site. In addition to setting up their own spoofed site, threat actors can find and exploit vulnerabilities in a legitimate website and implant malicious code on it. Alternatively, they may use it to redirect the target to another website under their control. Some of the most well-known media and sports websites in the world have at some point been compromised or hijacked.
  • Threat actors consistently use email campaigns employing social engineering tactics as distribution methods for their malware, downloaders or malicious links. Some attacks are highly targeted against one individual or organization, a technique known as spear-phishing, but others are larger, broader campaigns.
  • RDP has become a highly effective and dangerous attack vector. Several years ago, one study noted that over 10 million Internet-facing machines had port 3389 open. It has become a simple matter for threat actors to use search engines such as Shodan to locate these devices. Threat actors can gain access to RDP servers by using default passwords on servers that have not been updated. Alternatively, they can break in with brute-force techniques or open-source password crackers.
  • USB memory sticks have been used to distribute many types of malware, including ransomware, and that has not changed in many years. Threat actors leave USB drives in coffee shops, airports, mailboxes, and corporate lounges for unsuspecting targets to pick up and use. Once a weaponized USB drive is inserted into a computer, the ransomware encrypts files on the device and propagates within the network.

Cyber Security

It’s Time to Debunk XDR Misconceptions Floating Around


Written by Yossi Naar, Chief Visionary Officer, and Cofounder, Cybereason

Extended Detection and Response (XDR) is everywhere today, and it seems that every company is rolling out a strategy and products to meet the growing demand. According to the industry analyst firm Gartner, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

Notwithstanding XDR’s tremendous growth in adoption, more than a few misconceptions about XDR remain, so let’s debunk three of those myths here:

Myth 1: XDR is all about Endpoint Security
No, that’s what Endpoint Detection and Response (EDR) does, which is just one aspect of what XDR delivers. EDR solutions focus solely on the endpoint, and they don’t correlate intelligence from the cloud and other parts of an organization’s infrastructure.

In fact, most EDR platforms are not even capable of ingesting all of the relevant endpoint telemetry and are forced to “filter out” intelligence without even knowing if that information is critical to making a detection because the solutions cannot handle the volumes of data generated.

Indeed, there are vendors that simply cannot ingest all available telemetry for EDR, yet they profess to be able to deliver an XDR solution that ingests endpoint data plus an array of telemetry from numerous other sources on the network and in the cloud.

Data filtering negatively impacts the ability to proactively thwart attacks because it omits telemetry that could allow for earlier detection of malicious activity. When broadened to include non-endpoint sources, data filtering can further distort an organization’s visibility into the threats confronting them.

XDR does not suffer from these limitations. It extends continuous threat detection and monitoring, as well as automated response, to endpoints, applications, cloud workloads, and the network, all without data filtering. This helps to ensure the high fidelity of the threat detections XDR yields.

Myth 2: XDR Should be Augmented by a SIEM
It’s true that XDR delivers some of the same functionality as SIEM (Security Information and Event Management) tools. Chief among their similarities is the ability to aggregate and correlate data from a variety of sources spread across an organization’s infrastructure, thereby providing the required visibility for threat detection, investigation and response.

But there are several key factors that hold SIEMs back: SIEMs are nothing without the data lake structure and cloud analytics they need to centralize security events. Those resources vary in the types and quality of data to which they have access, a reality that affects the value and effectiveness of a SIEM.

There are also the costs, time, and other resources involved with building, tuning, and maintaining a SIEM. Tuning is an especially common pain point with SIEMs. Indeed, these tools frequently generate false positives and an overwhelming volume of alerts.

Such noise contributes to “alert fatigue” in the organization, motivating infosec personnel to overlook the deluge of alerts coming in and miss opportunities to launch investigations at the earliest signs of an incursion. Simultaneously, SIEMs don’t do much to help security teams with executing a response beyond generating a lot of alerts that need to be manually triaged.

XDR, by contrast, doesn’t require any data lake structure. It correlates alerts across disparate network assets to deliver actionable intelligence that works to reduce alert fatigue. What’s more, XDR enables security teams to build automated playbooks using the platform itself, thereby streamlining response.

Myth 3: All XDR Platforms Are Created Equal
No. Consider the fact that there’s hybrid/open vs. native XDR. The latter only offers integrations to other security tools developed by the same vendor. This can lock customers into an agreement with a vendor that might not offer the security capabilities they need to protect their systems and data. It also means existing investments in solutions from other vendors cannot be fully realized.

In contrast, Open (or hybrid) XDR takes a collective approach that leverages multiple security tools, vendors, and telemetry types to meet organizations’ needs from within a single detection and response platform. There’s no vendor lock-in here. Security teams are free to choose the vendors and tools they want, allowing them to get the most out of their XDR platform, and the DevOps and API integrations enable personnel to bring these tools and telemetry sources together.

There’s also an argument to be made about what defines a truly mature XDR offering versus pseudo-XDR solutions that are basically nothing more than an EDR tool with cloud integration. All XDR platforms integrate with threat intelligence to spot known Indicators of Compromise (IOCs), but only an advanced XDR solution can detect them based on Indicators of Behavior (IOBs).

IOBs are the more subtle signs of an attack in progress which include otherwise benign activity one would expect to see occurring on a network. When these “legitimate” behaviors are chained in certain sequences, they produce conditions that are either exceedingly rare or represent a distinct advantage for an attacker.

This is where the context-rich correlations across endpoints, the cloud, application suites, and user identities that a mature XDR solution delivers are critical for detecting malicious activity at the earliest stages of an attack. Take ransomware attacks for example – most security solutions are focused on detecting the exploit and blocking the ransomware payload, or rolling back the encryption after the attack was successful. But the detonation of the ransomware executable is the tail end of what is actually a much longer attack sequence, with weeks or even months of detectable activity from initial ingress, to lateral movement, to credential abuse and privilege escalation, to name a few.

An AI-driven XDR solution can make the necessary correlations to detect that activity long before the ransomware payload is delivered, reducing a potentially devastating attack to the level of an intrusion attempt or similar. Additionally, the ability to leverage AI/ML to correlate telemetry from across an organization’s infrastructure is a key aspect of a mature XDR solution. The application of AI/ML allows defenders to move from a detect-and-respond mode to a more proactive “predictive response” posture, where the next steps an attack can and would take are instantly anticipated and blocked, eliminating the opportunity to progress the attack to the next stage.

This predictive capability is the key to the future of security, enabling organizations to “defend forward” by understanding attacks from an operation-centric approach, where analysts are freed from chasing alerts that point to individual elements of an attack in favor of a holistic view of the entire attack story from root cause to every affected device, system and user. And only an AI-driven XDR solution can deliver this “predictive response” capability that will shorten detection and remediation periods from days or weeks down to minutes.

The AI-Driven XDR Advantage
An AI-driven XDR solution enables organizations to embrace an operation-centric approach to security that delivers the visibility organizations require to be confident in their security posture across all network assets, and the automated responses to halt attack progressions at the earliest stages. This approach also provides defenders with the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces, and more.

Finding Patterns in the Chaos With User and Entity Behaviour Analytics (UEBA)


Written by Sundaram Lakshmanan, CTO of SASE products at Lookout

There’s a great scene in the 1997 film “Contact” where the protagonist Dr. Eleanor Arroway, played by Jodie Foster, is informed that her lab’s funding has just been revoked. Arroway’s lab partner explained that the government lost faith in the project due to concerns about her engaging in questionable activities, such as watching static on TV for hours. To this, she responds angrily: “I was looking for patterns in the chaos, come on!”

This is a great analogy for what User and Entity Behaviour Analytics (UEBA) does automatically for you, so you don’t have to. While Arroway may have been looking for signs of life on different planets, spotting abnormal or malicious patterns in user and entity behaviour can be just as difficult with the naked eye.

On any given day, your employees will log into cloud or on-premises applications, download and upload files, and respond to authentication requests. Tracking these behaviours can be data-intensive, especially when considering all the different devices and apps your employees use to stay productive, where they are located, and at what times they typically interact with apps.

This is where UEBA comes in. Instead of relying on static security checks or staring continuously at the static, you can use automated security to look at user behaviours to detect both insider and external threats, and prevent data leakage or ransomware attacks.

How UEBA works
To put it simply, UEBA is a cybersecurity process that monitors normal user behaviour and flags deviations from established patterns. While a perpetrator can easily steal an employee’s username and password, it’s much harder to imitate that person’s normal behaviour on the network connecting to apps and data. UEBA also helps detect unintentional or intentional insider threats, where an authorized user does something that is harmful to your organization.

In many ways, UEBA is like a credit card fraud detection engine. UEBA uses machine learning and data analytics to determine when there is anomalous behaviour that could result in a potential security threat. For example, if I normally only download megabytes of files every day but suddenly download gigabytes of files, a UEBA system would detect this anomaly and alert the enterprise security team to respond.

Geo-anomalies are also tell-tale signs of anomalous or malicious behaviour: if someone signs into a work account from Dubai, but minutes later a login to the same account is observed across the world in San Francisco, the UEBA system would automatically detect this anomaly and enable an automated response to protect the data available to the account.
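As an added illustration of the two checks described above (the per-user download-volume baseline and the geo-anomaly, or "impossible travel", check), here is a small Python sketch. It is not Lookout's UEBA logic; the event history, coordinates, and thresholds are constructed assumptions.

```python
"""Toy UEBA-style checks: a download-volume baseline and impossible travel.
Added example; all data below is constructed, not taken from a real tenant."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

# Constructed history: one user's daily download volume (bytes) over 10 days,
# all in the low-megabyte range, as in the article's "megabytes a day" user.
HISTORY_BYTES = [3_000_000, 2_500_000, 4_000_000, 3_200_000, 2_800_000,
                 3_500_000, 2_900_000, 3_100_000, 2_700_000, 3_300_000]


def volume_anomaly(history, today_bytes, z_threshold=3.0, min_ratio=10.0):
    """True if today's volume is far outside this user's own baseline.
    A z-score catches spikes against a noisy baseline; the ratio floor
    catches a jump from megabytes to gigabytes even when the baseline
    is so flat that its standard deviation is near zero."""
    mu, sigma = mean(history), pstdev(history)
    if today_bytes > mu * min_ratio:
        return True
    if sigma == 0:
        return False
    return (today_bytes - mu) / sigma > z_threshold


@dataclass
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    city: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(logins, max_kmh=1000.0):
    """Return (user, from_city, to_city, km/h) for each pair of consecutive
    logins by the same user whose implied speed exceeds max_kmh.
    1000 km/h is roughly airliner speed, so anything above it is infeasible."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)
    hits = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = max((cur.ts - prev.ts).total_seconds(), 1.0) / 3600.0
            speed = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours
            if speed > max_kmh:
                hits.append((user, prev.city, cur.city, round(speed)))
    return hits


# Constructed sign-in events: alice's Dubai -> San Francisco pair 10 minutes
# apart is the article's scenario; bob stays in Dubai and should not trigger.
T0 = datetime(2022, 6, 1, 9, 0, 0)
SAMPLE_LOGINS = [
    Login("alice", T0, 25.2048, 55.2708, "Dubai"),
    Login("alice", T0 + timedelta(minutes=10), 37.7749, -122.4194, "San Francisco"),
    Login("bob", T0, 25.2048, 55.2708, "Dubai"),
    Login("bob", T0 + timedelta(hours=1), 25.2048, 55.2708, "Dubai"),
]

if __name__ == "__main__":
    print("5 GB today anomalous:", volume_anomaly(HISTORY_BYTES, 5_000_000_000))
    print("impossible travel hits:", impossible_travel(SAMPLE_LOGINS))
```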

I remember an incident with one of our customers where UEBA ended up detecting and halting a ransomware attack. This customer gave their partners access to their Box cloud content management system. Having UEBA in place, their security team received an automated detection of a large volume of files that were deleted and replaced by encrypted files, which were quickly uploaded and renamed. Due to early detection, the security team was able to quarantine the account and restore the files.

UEBA vs. Security Information and Event Management (SIEM)
SIEMs enable security teams to aggregate large volumes of disparate data sets, security alerts and events from multiple sources into a single console for processing and analysis. They have workflows and rule engines that make sense of the processed datasets and further enable administrators to prioritize and manage incidents and alerts more effectively.

With powerful searches, queries, dashboards and rule-based engines, most SIEMs give a full 360° view of the enterprise systems and enable admins to manage incidents in a timely manner. In some cases, they can also spot trends and create correlation rules to trigger appropriate mitigation steps.

Although at first glance, UEBA and SIEM may appear to do the same thing, there are a few key differences. Unlike a SIEM, UEBA does not track security events or monitor devices. Instead, UEBA tracks the behaviours of users and entities within your environment — such as devices, applications and data — for anomalies that may indicate a threat. While UEBA also analyzes a lot of data, it uses machine intelligence to automate and scale its analysis of patterns instead of just relying on human intelligence.

UEBA works best when paired with a holistic platform
While I hope this article has given you a good understanding of UEBA and why it’s important, I want to stress that this is just one piece of a modern cybersecurity architecture. There are two other major elements to consider: continuously monitoring the risk posture of endpoint devices and the sensitivity of the apps and data accessed by users and endpoints.

Whether you realize it or not, every one of your employees is using some form of personal devices to work from anywhere. This means you need to track the fluctuating risk posture of both the managed and unmanaged devices to protect your data at all times. By enforcing policies based on user behaviour, endpoint risk posture as well as data sensitivity, you can protect your data without hindering productivity.

How Scammers Subscribe Mobile Users to Unwanted Paid Services


With an ever-growing number of smartphone users, the development of mobile applications has become a booming industry. Today there are millions of apps, helping users with almost every aspect of their everyday life – from entertainment to banking and billing. With this in mind, cybercriminals are working hard to develop their own apps and profit from unsuspecting users.

Kaspersky researchers have observed fraudsters actively spreading Trojans, which secretly subscribe users to paid services, disguised as various different mobile apps, including popular games, healthcare apps and photo editors. Most of these Trojans request access to the user’s notifications and messages, so that the fraudsters can then intercept messages containing confirmation codes.

Users aren’t knowingly subscribing to these services but are, rather, falling victim to carelessness. For instance, a user fails to read the fine print and, before they know it, they’re paying for a horoscope app. These victims often don’t realize these subscriptions exist until their mobile phone account runs dry earlier than expected.

According to Kaspersky researchers, the most widely spread Trojans that sign users up to unwanted subscriptions are:

Jocker
Trojans from the Trojan.AndroidOS.Jocker family can intercept codes sent in text messages and bypass anti-fraud solutions. They’re usually spread on Google Play, where scammers download a legitimate app from the store, add malicious code to it and then re-upload it under a different name. In most cases, these trojanized apps fulfill their purpose and the user never suspects that they’re a source of threat.

So far in 2022, Jocker has most frequently attacked users in Saudi Arabia (21.20%), Poland (8.98%) and Germany (6.01%).

MobOk
MobOk is considered the most active of the subscription Trojans, with more than 70% of mobile users encountering these threats. The MobOk Trojan is particularly notable for an additional capability: in addition to reading the codes from messages, it can bypass CAPTCHA. MobOk does this by automatically sending the image to a service designed to decipher the code shown.

Since the beginning of the year, MobOk Trojan has most frequently attacked users in Russia (31.01%), India (11.17%) and Indonesia (11.02%).

Vesub
Vesub Trojan is spread through unofficial sources and imitates popular games and apps, such as GameBeyond, Tubemate, Minecraft, GTA5 and Vidmate. This malware opens an invisible window, requests a subscription and then enters the code it intercepts from the victim’s received text messages. After that the user is subscribed to a service without their knowledge or consent.

Most of these apps lack any legitimate functionality. They subscribe users as soon as they are launched while victims just see a loading window. However, there are some examples, such as a fake GameBeyond app, where the detected malware is actually accompanied by a random set of functional games.

Two out of five users who encountered Vesub were in Egypt (40.27%). This Trojan family has also been active in Thailand (25.88%) and Malaysia (15.85%).

GriftHorse.l
Unlike the Trojans mentioned above, this one does not subscribe victims to a third-party service – instead it uses its own. Users end up subscribing to one of these services by simply not reading the user agreement carefully. For example, there are apps that have recently spread intensively on Google Play, offering to tailor personal weight-loss plans for a token fee. Such apps contain small print mentioning a subscription fee with automatic billing. This means money will be deducted from the user’s bank account on a regular basis without needing any further confirmation from the user.

“Apps can help us stay connected, fit, entertained and generally make our lives easier. There are multiple mobile apps appearing every day, for every taste and purpose – unfortunately, cybercriminals are using this to their advantage. Some of the apps are designed to steal money by subscribing users to unwanted services. These threats are preventable, which is why it’s important to be aware of the signs that give away Trojanized apps. Even if you trust an app, you should avoid granting it too many permissions. Only allow access to notifications for apps that need it to perform their intended purposes, for example, to transfer notifications to wearable devices. Apps for something like themed wallpapers or photo editing don’t need access to your notifications,” explains Igor Golovin, security expert at Kaspersky.

Here’s what you need to do to stay protected:

  • Keep your guard up when installing apps from Google Play. Read the reviews and research the developer, the terms of use and the payment details. For messaging, choose a well-known app with positive reviews.
  • Check the permissions of the apps you’re using and think carefully before granting additional permissions.
  • Use a reliable security solution to help detect malicious apps and adware before they achieve their goals.
  • Update your operating system and any important apps as and when updates become available. Many safety issues can be solved by installing the updated versions of software.
Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.