It's time again for another quarterly trek into the wilds of the cyber-threat landscape. As security practitioners work to put themselves in the shoes of hackers to better anticipate where attacks will be coming from, these malicious actors are starting to think more like developers to evade detection.
And lately, they are more precise in their targeting, relying less on blanket attempts to find exploitable victims. How can IT security teams keep pace with the agile development cybercriminals are employing and pinpoint the recycled vulnerabilities being used? Fortinet's latest Global Threat Landscape Report sheds light on current criminal activity and suggests how organizations can stay a step ahead.
Malware authors have long relied on polymorphism — the ability of malware to constantly change its own code as it propagates — to evade detection, but over time, network defense systems have made improvements that make them more difficult to circumvent. Never ones to rest on their laurels, malware authors recently have turned to agile development to make their malware more difficult to detect and to quickly counter the latest tactics of anti-malware products. Addressing these emerging polymorphic swarm attacks requires a hive defense, where all of your deployed security components can see and communicate with each other, and then work in a cooperative fashion to defend the network.
Cybercriminals are using not only agile development but automation to advance their attacks. Malware is on the rise that is completely written by machines based on automated vulnerability detection, complex data analysis, and automated development of the best possible exploit based on the unique characteristics of that weakness. Organizations must counter with automation of their own, using machine learning to understand and even predict bad actors' latest exploits so they can stay ahead of these advanced threats.
A prime example of malicious agile development is the 4.0 version of GandCrab.
The actors behind GandCrab are the first group to accept Dash cryptocurrency. It appears that they use the agile development approach to beat competitors to market and deal with issues and bugs when they arise. Another unique aspect to GandCrab is its ransomware-as-a-service model, which is based on a 60/40 profit-sharing model between the developers and criminals wishing to use their services. And lastly, GandCrab uses .BIT, a top-level domain unrecognized by ICANN, which is served via the Namecoin cryptocurrency infrastructure and uses various name servers to help resolve DNS and redirect traffic to it. GandCrab 2.x versions were most prevalent during the second quarter, but by the quarter's close, v3 was in the wild, and the v4 series followed in early July.
We noticed that when a <8hex-chars>.lock file in the system's COMMON APPDATA folder is present, the files will not be locked. This usually occurs after the malware determines the keyboard layout is in the Russian language, along with other techniques to determine computers in Russian-speaking countries. We speculate that adding this file could be a temporary solution. Based on our analysis, industry researchers created a tool that prevents files from being encrypted by the ransomware. Unfortunately, GandCrab 4.1.2 was released a day or two later, rendering the lock file useless.
Cybercriminals are becoming smarter and faster in how they leverage exploits. In addition to using dark net services such as malware-as-a-service, they are honing their targeting techniques to focus on exploits (e.g., severe exploits) that will generate the biggest bang for the buck. The reality is that no organization can patch vulnerabilities fast enough. Rather, they must become strategic and focus on the ones that matter using threat intelligence.
To keep pace with the agile development methods cybercriminals are using, organizations need advanced threat protection and detection capabilities that help them pinpoint these currently targeted vulnerabilities. With exploits examined from the lens of prevalence and volume of related exploit detections, only 5.7% of known vulnerabilities were exploited in the wild, according to our research. If the vast majority of vulnerabilities won't be exploited, organizations should consider taking a much more proactive and strategic approach to vulnerability remediation.
Painting a New Security Landscape
This requires advanced threat intelligence that is shared at speed and scale across all of the security elements, and sandboxing that provides layered, integrated intelligence. This approach shrinks the necessary windows of detection and provides the automated remediation required for the multivector exploits of today. The Cyber Threat Alliance, a group of security companies that shares advanced threat information, was created for this reason.
While many organizations are working hard to collect as much data as they can from a variety of sources — including their own — much of the work in processing, correlating, and converting it into policy is still done manually. This makes it very difficult to respond to an active threat quickly. Ideally, the processing and correlation of threat intelligence that results in effective policy needs to be automated.
Effective cybersecurity also requires diligence in patching. With the data on which vulnerabilities are currently being exploited, IT security teams can be strategic with their time and harden, hide, isolate or secure vulnerable systems and devices. If they are too old to patch, replace them.
Network segmentation — and micro-segmentation — is a must, as well. These steps ensure that any damage caused by a breach remains localized. In addition to this passive form of segmentation, deploy macro-segmentation for dynamic and adaptive defense against the never-ending onslaught of new, intelligent attacks.
Cybercriminals are relentless, making use of and adapting the latest technology to ply their trade. IT security teams can beat them at their own game by using the information and recommendations outlined above.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.