Ghosts and zombies aren’t the only things coming back from the dead this Halloween.
Leading IT security experts are also witnessing a frightening number of viruses and cyber attacks rising from the grave. From Zombie botnets to data security demons, the threat landscape is a dark and dangerous place this Halloween…
Below is a list of the top security threats that organisations should be most aware of, because these are the ones that always come back from the dead…
5 Things That Freak Out IT Security Pros
Fred Touchette, senior security analyst at AppRiver dissects:
Ah, Halloween. A time when people dress up in creepy costumes and enjoy a marathon of classic horror flicks. And while some people may be spooked more easily than others, here are five things that will alarm even the most fearless IT security pro.
Protecting a network without sufficient funds. Whether it’s locating qualified staff or convincing upper management that system updates are necessary expenditures, the lack of funds can seriously impede the health of an organization’s security posture.
A future of unknowns. IT security pros spend a lot of time researching the world of cybercrime so that they can stay out of harm’s way. Happily, White Hats are good at disseminating information to their peers when breach occurs. Vulnerabilities were recently found in Heartbleed SSL and Shellshock Bash, for example, and the community responded by sharing information and patching networks before incident. But what about those unknown exploits? It’s enough to keep IT pros up at night.
The next Zero Day attack. These large-scale attacks often leverage the aforementioned secret vulnerabilities and use them to spread online malaise quickly. Examples include Storm Worm, which targeted an internet-consuming public and Stuxnet or Duqu that was a customized espionage attack. Oftentimes, these attacks are able to operate for quite a long time without anyone ever being the wiser.
Insider threats. Threats can come from careless, lazy or even well-intentioned employees who have intimate knowledge of the company’s network and accounts. In the case of a disgruntled former employee, access can be revoked immediately but with the employee who accidentally falls for a social engineering scam, your network may never be the same.
Falling victim to data breach. We seem to hear about data breaches on daily basis as of late. Not only must IT pros take care of internal damage to systems, but also worry about stolen customer data. This is an expensive problem that can cost millions of dollars due to direct loss and preventative assurances, like paying for victims’ credit monitoring. Then there’s consumer confidence and negative publicity that likely affects bottom line.
No one wants to be the next victim of data theft or deal with unknown attacks, and because of that, sometimes it’s good to be a little afraid as an IT Security Pro. A small dose of fear can be healthy and motivate us to go the extra mile in preventative care. After all, those who remain complacent in their security practice often find themselves to be the next target we’ll read about in tomorrow’s newspaper.
DOC’ing Dead: Word macro exploits return from the dead to spread Dridex
Kevin Epstein, VP of information, security and governance at Proofpoint plays the oracle:
Malicious macro exploits in Microsoft Word documents returned from obscurity in recent months. Proofpoint security researchers recently discovered Word document attachments spreading the Dridex banking Trojan in two separate, rapidly propagating phishing campaigns. In one case, a high-volume phishing campaign featuring Microsoft Office macro exploits (aka VBA viruses) delivered hundreds of thousands of unsolicited emails over a short period of time. Malicious Microsoft Office macros are snippets of code embedded within Office documents (such as Word or Excel). When the document is opened a variety of operations can be executed, including automatically running a malware downloader. Most recently, Proofpoint has seen cybercriminals use macros as a vehicle for installing Dridex malware, which steals login credentials from Google, Yahoo, AOL and Microsoft. Dridex also targets financial institution log-ins. Proofpoint has seen Dridex attempting to take log-ins from Barclay’s Bank, Lloyd’s, Verde, Alliance & Leicester, and Allied Irish Bank (AIB).
In response to the worrying discovery, Kevin Epstein, VP of information, security and governance at Proofpoint, said: “Malicious Microsoft Office macros may seem like something buried in the past, but cybercriminals are adept at bringing long-dead techniques back to life in order to spread new generations of crimeware. This resurgence means it’s working to some extent and criminals are actively stealing login credentials. Be sure to configure Microsoft Office to disable macros by default and without notification company-wide. In addition, we recommend sending an email to your employees specifically warning them about unsolicited email and enabling macros.”
The top two data security demons
Andy Green, technical specialist at Varonis reveals:
Security researchers know something many of us don’t: a small number of attack scenarios account for a disproportionately large number of data exposures. But even more surprising is that these top attacks are relatively simple to defend against.
Each year Verizon’s Data Breach Investigations Report and SANS CWE publish rankings of the most popular threats. There are two data security demons that always make it to the front of the class: weak and poorly protected credentials, and injection attacks, particularly “SQL Injection”. Why hasn’t IT driven a stake through them yet?
Windows XP - The Zombie OS that won't die
Enter, Dr David Chismon, senior security researcher at MWR:
Although most organisations have moved on to supported operating systems, a number retain a number of XP desktop machines on their network. These are typically retained to support specific software packages for which upgrades are either not available or are prohibitively expensive. As such, the XP machines exist as zombies and a constant risk of an outbreak.
Where XP machines must be retained, selecting third party software is important as a number of key vendors are no longer supporting XP for their products, which can be a key attack surface. Anti-Virus, office packages and browsers are examples of areas that will need to be considered.
Password faux pas that keep coming back to haunt us
Itsik Mantin, security researcher at Imperva observes:
With 500 most common passwords estimated to cover one out of nine internet users (!!!), weak passwords continue to provide an excellent surface for dictionary attacks, and together they continue to co-exist throughout the digital era, keeping their respectable share in hacking stories and data breaches. The recent incident known as "Celebgate" – the iCloud breach from the last summer, where numerous private pictures of celebrities had leaked to the Internet, is believed to be the result of dictionary attack on account passwords of the attacked users. The most disturbing fact with weak passwords is that they are probably here to stay, with no practical way to avoid them.
Top 5 Scariest Zombie Botnets
Lisa Myers, security researcher at ESET writes:
An army of the undead, wreaking havoc on the Internet – it’s a nightmare scenario that has played out time and again as the world’s online population has exploded. But time and again protectors of the worldwide web have come together to stop these malicious hordes, yet it has not been easy. There are some zombie botnets plagues that have been particularly troubling, and we will take a look at the worst of the worst.
Conficker
Malware is a tricky thing to predict. Sometimes a threat that does not seem, on its surface, particularly advanced or novel can end up mounting an overwhelming attack. At its height, Conficker had infected many millions of Windows machines: some figures say as many as 15 million.
Zeus
Zeus had not only a successful botnet on Windows machines, but it had a component that stole online banking codes from a variety of infected mobile devices (Symbian, Windows Mobile, Android and Blackberry). In 2012, the US Marshals and their tech-industry partners took down the botnet. But the original authors took pieces of their original creation and brought it back to life as Gameover Zeus, which the FBI and its partners took down this summer.
Flashback
For folks who thoughts “Macs don’t get viruses”, Flashback was a bit of a shock. But Macs can and do get malware – infected machines became part of a massive botnet. Flashback infected a huge percentage of the total number of Apple machines worldwide, with over 600,000 infected at its peak.
Windigo
On the surface, this bot appears like so many others: it steals credentials from infected machines, or it uses their processing power to send spam. And with only a few tens of thousands of infected machines at its worst, this threat would hardly seem to qualify with the likes of the rest of the botnets on this list. But on the other hand, the authors of this malware seem to have grown their zombie army very slowly, such that they managed to stay under the radar for quite some time. And those tens of thousands of machines are Linux machines, mostly servers, and many of these infected machines host websites that millions of people visit.
Storm
This is the oldest malware on our list. It had some of the first early successes in using some of the tactics that would later be used by other botnets on this list. It was massive, gaining as many as ten million Windows machines at its zenith. It was also one of the first incredibly large botnets that was used for the financial gain of its authors. The massive size of this network allowed the authors to partition it off to be sold to various different parties, for various malicious uses. And because this was such a lucrative endeavor, the malware’s creators designed it to fight back against anti-malware researchers: it would turn its zombie forces against anyone who would try to join its command and control channel, from which the authors gave the bots orders, knocking the researchers offline.
The Next Level of Cybercrime: Click to Compromise
TK Keanini, CTO at Lancope writes:
Consider a SaaS service that helped a person compute their cybercrime – Cybercrime as a Service.
The power of big data analytics and machine learning can compute amazing insight for businesses, and it can do the same for criminals. A criminal could log in to a website and declare their objective, and the service would compute several attack plans that the criminal could choose from. This would work in the same way that a user is presented with multiple routes to reach a destination when getting directions online.
This Cybercrime as a Service would have social networks mapped, personal information on each individual, language analysis that yields a level of trust between individuals, mapping to various accounts (some of which may have been compromised), etc. All of this would be creating a corpus of data that can lead the criminal through a directed graph leading to the objective (exfiltration of a file, ransomware, etc.).
Remember, cybercrime is a business and profitable businesses only get smarter and more effective. These are things that keep me up at night because in our current state, there is nothing that makes these types of attacks hard to execute for cybercriminals, and they could easily turn from nightmare to reality.