More destructive malware imminent
Companies not likely to get off lightly in future, as sophistication and ruthlessness increase
Cisco has warned that purely destructive attacks are on the rise, and that they are increasingly capable of destroying or permanently disabling hardware.
While the average time to detect an intrusion or infection has dropped to less than eight hours, the fact that flashing or corrupting the firmware on internet-connected devices can be irreversible is a concerning trend, and one most recently highlighted by the ‘NotPetya’ malware, which wreaked havoc on at least 2,000 individuals and organisations worldwide, including logistics giant TNT, which has recently been reported to be still struggling to deal with the aftermath. TNT’s parent company, FedEx, has warned the New York Stock Exchange that operations are still being affected, and that the financial cost will be ‘material’.
“We cannot estimate when TNT services will be fully restored...it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus”, said FedEx in a stock market filing.
As Ilia Kolochenko, CEO of High-Tech Bridge, said of the preceding WannaCry attack, which targeted the same vulnerability: “The root causes of WannaCry are the fundamental cybersecurity problems: incomplete or outdated inventory of digital assets (software, hardware, users, data), missing or wrong risk assessment and risk mitigation plan, and lack of continuous security monitoring. These three are aggravated by operational problems such as poor patch management systems or missing security hardening on user machines.”
The Cisco report found that patching is still a significant issue for enterprises, detailing an example where Cisco threat researchers discovered and reported three remote code-execution vulnerabilities in Memcached servers in late 2016. A scan of the Internet a few months later revealed that 79 per cent of the nearly 110,000 exposed Memcached servers previously identified were still vulnerable to the three vulnerabilities because they had not been patched.
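The patch-verification check that the report's Memcached figures imply, as an added example (not code from the report, Cisco or this article): it parses replies to Memcached's text-protocol `version` command from a constructed inventory, compares versions numerically rather than as strings, and reports what share of the hosts that could be assessed still run a release older than an assumed fix release. The fix release value and the hosts are placeholders, not taken from the article.

```python
import re
from typing import Dict, List, Optional, Tuple

# PLACEHOLDER assumption: the release that carries the fixes. Substitute the
# vendor's actual fix release before using this against a real inventory.
FIX_RELEASE = (1, 4, 33)

# Constructed sample: host -> reply to the Memcached text-protocol "version"
# command. Made-up hosts and banners for illustration, not data from the report.
SAMPLE_BANNERS = {
    "10.0.0.1:11211": "VERSION 1.4.25\r\n",
    "10.0.0.2:11211": "VERSION 1.4.9\r\n",       # string compare would rank this above 1.4.33
    "10.0.0.3:11211": "VERSION 1.4.40-rc1\r\n",  # pre-release suffix must not break parsing
    "10.0.0.4:11211": "VERSION 1.5.2\r\n",
    "10.0.0.5:11211": "ERROR\r\n",               # not a version reply: cannot be assessed
}

_VERSION_RE = re.compile(r"^VERSION\s+(\d+(?:\.\d+)*)")


def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version tuple from a 'VERSION x.y.z' reply, or None if unparseable."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def assess(banners: Dict[str, str], fix_release: Tuple[int, ...]) -> Dict[str, List[str]]:
    """Bucket hosts into 'patched', 'vulnerable' and 'unknown' relative to fix_release."""
    buckets: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, banner in banners.items():
        version = parse_version(banner)
        if version is None:
            buckets["unknown"].append(host)       # keep these visible; silence is not safety
        elif version >= fix_release:              # tuple compare: (1,4,9) < (1,4,33) as intended
            buckets["patched"].append(host)
        else:
            buckets["vulnerable"].append(host)
    return buckets


def vulnerable_share(buckets: Dict[str, List[str]]) -> float:
    """Fraction of assessable hosts (patched + vulnerable) still below the fix release."""
    assessed = len(buckets["patched"]) + len(buckets["vulnerable"])
    return len(buckets["vulnerable"]) / assessed if assessed else 0.0


if __name__ == "__main__":
    result = assess(SAMPLE_BANNERS, FIX_RELEASE)
    print(f"{vulnerable_share(result):.0%} of assessable hosts still unpatched; "
          f"unknown: {result['unknown']}")
```

Hosts whose reply cannot be parsed are reported separately rather than dropped, since an inventory gap is exactly the kind of blind spot the report warns about.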
The regular Cisco 2017 Midyear Cybersecurity Report continued to highlight a number of other areas of concern, including a decline in the use of exploit kits alongside a rise in sophisticated social engineering attempts to compromise business email. Between 2013 and 2016, business email compromise generated $5.3bn for hackers, according to Cisco, while by comparison ransomware took just $1bn in 2016. By using ingenious combinations of dialog boxes, Word documents with linked embedded objects, and password-protected archive files, attackers consistently trick users into running malicious files. In short, user interaction can beat almost any automated anti-malware software.
This, combined with ever more ingenious packaging of spyware with otherwise desirable, functional software, has seen the challenges for enterprise security increase considerably. Potentially unwanted programs were found in over 20 per cent of Cisco's sample group of 300 companies.
Researchers found that attackers are leveraging open-source codebases, like Hidden Tear and EDA2, which publicly release ransomware code for “educational” purposes. Adversaries tweak the code so it looks different from the original and then deploy the malware, making it a cheap and easy means of attack. Ransomware-as-a-service (RaaS) platforms are also growing fast.
Another example the report cites is the increase in ‘supply chain’ compromises. In one specific case a software vendor was compromised, and the adversaries inserted a Trojan into legitimate software typically used by enterprise system administrators to help analyse Windows system event logs. The result was that a shopping list of potential target customers may have been compromised, including four major telcos, over ten military organisations, five major defence contractors and more than 24 banks and financial institutions.
Cisco’s final advice to enterprises? “Invest in automated tools that can help security teams stay on top of alerts, gain visibility into and manage their dynamic networks, and detect and respond swiftly to true threats. They must devote the time and resources to ensure they always know exactly what is in their IT environment, and that everything within it is deployed correctly and securely and kept up to date.” Easier said than done, it seems...