Old Attacks, New Attackers

In our recent Q1’2015 Security Roundup report the threat researchers at Trend Micro highlighted many of the latest threats that are affecting our world. Threat actors are aggressively looking for new ways to compromise their victims as well as identifying new targets to focus on. Let’s look at some of the most recent trends that we’re seeing today and how you can improve your protection against them.

Threat Actors Growing Worldwide

In our investigations of the underground activities, where we identify many of the new tools and techniques used by cybercriminals, we’re seeing more and more non-traditional regions becoming more active. China and Russia still dominate the landscape, but we’re now seeing actors from Brazil and Africa getting into the game. A lot of this has to do with the ease of getting into cybercrime as all you need is a computer and Internet access. Also, the ease and low prices within the deep web for all the tools you need to start your hacking career makes it very simple for newbies to become cybercriminals. This year Trend Micro will continue to publish new data on China, Russia, Brazil undergrounds as well as two new ones, USA and Japan to give our readers a deep understanding of how these undergrounds work. We use this information to develop new technologies within our solutions to protect customers from the latest threats affecting them.

New Tactics used in Attacks

We saw a number of new tactics used in Q1 which allowed threat actors to ensure their victims would be compromised fairly easily. Some key ones I’d like to highlight here:

Malvertisements: These threats are challenging as the threat actors infect websites or ad networks, which in turn leads victims to malicious sites that infect them. Users are typically unaware since the infection comes from the ads served up by the site. In some cases users don’t even need to click on the ads to become infected. Actors also are using 0-day exploits to improve infection numbers. The best protection from this threat is to ensure you’ve enabled web/domain reputation as Trend Micro blocks many of these ads or malicious sites before they can infect the user. The new exploit prevention available within our endpoint solutions will also actively block sites serving up exploits, even 0-day exploits. Ransomware and Crypto-ransomware: This threat has made resurgence since the arrest of Paunch who authored the Blackhole Exploit kit which was used to distribute this threat. We’re seeing many new variants and families of crypto-ransomware as it works, but also seeing cybercriminals targeting commercial organizations (SMB & Enterprise) now. Victims tend to pay the ransom as the encryption technology used is unbreakable and threat actors will send the key once payment is made. We don’t endorse this practice and recommend users have a good backup solution to rebuild their systems if infected. The best protection is preventing the threat from getting in. Almost all ransomware is delivered via email, whether as an attachment or an embedded link.  Good email practices are encouraged but we also have developed new technologies to improve detection. Email sandbox (Deep Discovery Email Inspector, InterScan Messaging, ScanMail) can identify attachments before being delivered to the user. OfficeScan 11, SP1 has new ransomware detection technologies built in. InterScan Messaging has Socially Engineered Attack Protection to identify phishing emails used in the attacks.

Mobile Apps used in Attacks

Threat actors are looking for new ways to obtain information from their victims and our mobile devices are an excellent source. Operation Pawn Storm which we detailed in a report and recently updated in a blog post, has found the actors using iOS spyware apps to get this data.  In the past, espionage was performed by bugging a room where people congregated and record the conversations. Today, mobile phones are these bugs as criminals can get apps installed via social engineering and these apps will turn on the microphone and record any conversation. But they can also steal the data on the phone including email content. Users need to realize that mobile phones and tablets are not safe just because they are running a certain OS or just because they are mobile devices. Cybercriminals are targeting these more and more. As we reported in the Q1 report, we just surpassed 5M high-risk and malicious Android apps within our Mobile App Reputation service. Protection for mobile devices can be from a specifically built security app like Trend Micro Mobile Security as well as using some best practices in using your device.

Shift in Victims of Targeted Attacks

The actors behind targeted attacks are realizing that penetrating a large corporate network is getting harder and harder as these organizations are adding more breach detection systems, like Deep Discovery, as well as improved incident response processes. This change has prompted criminals to shift how they get access to their primary target.  We’re seeing smaller, less security aware organizations that have access to the larger target accounts network being compromised in what we call the Island Hopping technique. Organizations need to review who has access to their network, but also whose networks they have access to and do Pen testing to ensure these links are secure. VPN and two-factor authentication should also be implemented to ensure access and communications are secure.  Besides this, a breach detection system as mentioned before can help identify a breach and the lateral movement associated with it to minimize and mitigate the attack.

Targeted Attack Tactics

One of the tactics we’ve seen in use over the past year is destructive threats introduced in a targeted attack. Whether used in the maintenance phase where the actors will use it to hide their tracks, or because the actors simply want to use this tactic against their intended victim. In our survey of Critical Infrastructure within the Americas we did in partnership with the Organization of American States, 44 percent of respondents said they’ve experience destructive attacks and 40 percent said they’ve experience shutdown attempts. This trend is showing us that threat actors are becoming more bolden in their attack strategies to wreak havoc within their victim’s networks. If you find systems within your account that in explicitly stop working, this may signal a need to investigate more thoroughly that a breach has not occurred. Prevention is the key to protecting against these kind of attacks and many of the newer technologies we’ve introduced can help you. Custom Defense along with the new Connected Threat Defense within OfficeScan can work together to improve your layered defense strategy.

In my 19 years working within the cyber security industry, I’ve found that the threat actors who are truly our only competitors will innovate as much as we innovate to combat them. Many times it feels as though we are always a step behind, but I know our R&D engineers, along with our threat researchers and data scientists will continue to improve and evolve new technologies to provide the best protection available anywhere. Our Trend Micro™ Smart Protection Network™ collects 100TB of data daily, identifies 500,000 new, unique threats every day, and blocks 250,000,000 threats trying to infect our customers every day and powers all of our products and services is a key differentiator in our defense against these threat actors.

Please add your thoughts in the comments below or follow me on Twitter; @jonlclay.

from Trend Micro Simply Security http://ift.tt/1Q3gsMp
via IFTTT