9/11/2017
03:45 PM

Ransomware, BEC, ICS Top Midyear Security Concerns

Business email compromise, ransomware, and industrial control attacks were among top security concerns in the first half of 2017.

Business email compromise (BEC) attacks and SCADA vulnerabilities are two of the top concerns among security experts looking back on the first half of 2017. Threat actors are relying on time-tested techniques to run simple attacks and defraud businesses of billions, according to a report released today by Trend Micro.

BEC attacks caused $5.3 billion in global losses between 2013 and 2017, according to Trend Micro's 2017 midyear roundup, "The Cost of Compromise." The report reviews data and trends from security events over the period to give a current picture of the threat landscape.

Experts noticed a resurgence of old BEC techniques as attackers turn to social engineering to trick their victims. The most frequently spoofed executive in these attacks is the CEO, followed by the managing director. Fraudulent emails typically go to heads of finance.

"The typical fake email comes from the CEO and the typical forged recipient is the CFO," says William Malik, VP of infrastructure strategies at Trend Micro. These emails are hard to catch because they slip past the automated tools deployed to trap BEC attacks, he adds: the attack plants no rogue process on any system and exploits no unpatched vulnerability, so controls that watch for those signals see nothing.

"It's good old social engineering," Malik adds. The "statistically most likely" scenario involves a fake email from the CEO to the CFO requesting a favor, which usually involves the transfer of funds. Common words and phrases associated with BEC emails include "acquisition," "contract," "instructions," "invoice," "request," and "swift response needed."

BEC attachments have traditionally been executable files, but those are usually flagged and recipients are discouraged from opening them, diminishing the likelihood of a successful attack. Cybercriminals are working around this by using HTML pages as phishing attachments instead.
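The indicators described above (an executive's display name on an external address, a finance recipient, the lure vocabulary, and an HTML attachment in place of an executable) can be scored directly from a message's headers and MIME structure. The following triage heuristic is an added example, not code from the article or from Trend Micro; the corporate domain, the executive roster, the finance mailboxes, the `.invalid` domains and the two sample messages are all constructed for illustration.

```python
"""Heuristic BEC triage over raw RFC 822 messages (added example)."""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                                     # assumed
EXECUTIVES = {"Alice Chen": "CEO", "Bob Ruiz": "managing director"}   # assumed roster
FINANCE_MAILBOXES = {"cfo@example.com", "ap@example.com"}            # assumed

# Words and phrases the article associates with BEC lures.
BEC_PHRASES = ("acquisition", "contract", "instructions", "invoice",
               "request", "swift response needed")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Return the BEC indicators found in one raw message plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    to_addrs = [parseaddr(a)[1].lower() for a in str(msg.get("To", "")).split(",")]
    flags = []

    # 1. A known executive's display name on an address outside our domain.
    if from_name in EXECUTIVES and domain_of(from_addr) != CORPORATE_DOMAIN:
        flags.append("exec-display-name-external-address")
    # 2. Reply-To steering the conversation to a different domain than From.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append("reply-to-domain-mismatch")
    # 3. The typical forged recipient is the CFO or another finance mailbox.
    if any(a in FINANCE_MAILBOXES for a in to_addrs):
        flags.append("finance-recipient")
    # 4. Lure vocabulary in the subject or the text body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    hits = [p for p in BEC_PHRASES if p in text]
    if hits:
        flags.append("lure-phrases:" + ",".join(hits))
    # 5. An HTML attachment where a phishing page replaces the executable lure.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".html", ".htm")) or part.get_content_type() == "text/html":
            flags.append("html-attachment:" + name)

    # A single indicator is routine traffic; several together warrant a look.
    return {"from": from_addr, "flags": flags, "suspect": len(flags) >= 3}


# Constructed sample: spoofed CEO -> CFO with an HTML attachment.
SPOOFED = """\
From: "Alice Chen" <ceo.alice.chen@example-mail.invalid>
Reply-To: <ceo.alice.chen@fastreply.invalid>
To: cfo@example.com
Subject: Urgent request - swift response needed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

I need you to process the attached invoice for the acquisition today.
Wire instructions are in the attachment.
--XYZ
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="invoice.html"

<html><body><form action="https://login.example.invalid/">...</form></body></html>
--XYZ--
"""

# Constructed sample: the real CEO writing to the CFO about nothing financial.
LEGIT = """\
From: "Alice Chen" <alice.chen@example.com>
To: cfo@example.com
Subject: Dinner on Thursday?
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Are we still on for Thursday? Let me know.
"""

if __name__ == "__main__":
    for sample in (SPOOFED, LEGIT):
        print(triage(sample))
```

The point of scoring rather than blocking on any one flag is the one Malik makes: nothing here is malware, so a CEO mailing the CFO is not in itself suspicious, but an executive's name on an outside address, a Reply-To pointing elsewhere, the lure vocabulary and an `.html` attachment arriving together is exactly the pattern the report describes.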

Industrial threats and ransomware

Malik says it's "somewhat worrying" to see attackers more frequently targeting supervisory control and data acquisition (SCADA) systems. Researchers found that disclosed SCADA vulnerabilities rose from 34 in the second half of 2016 to 54 in the first half of 2017.

In the research paper "Rogue Robots: Testing the Limits of an Industrial Robot's Security," researchers found more than 83,000 exposed industrial routers and 28 exposed industrial robots through search engines such as Shodan, ZoomEye, and Censys. They also showed that attacks on industrial robots in smart factories can cause a robot to move inaccurately, introducing defects into the parts it works on.

Financial motivation is the primary driver for these attacks. Threats to SCADA and industrial control systems put major entities, like power plants, at risk and the cybercriminals behind them are usually seeking ransom from large organizations, says Malik.

Monetary gain will drive attacks outside industrial systems as well. Asked about his top concern for the end of 2017 and the beginning of 2018, Malik answers "ransomware" without hesitation.

"The successes the bad guys have achieved using ransomware to date are so staggering, I just see that continuing in an upward trajectory," he says. "Business email compromise is, in its nature, a single transaction - one company, one executive, one crime. Ransomware is the one that's going to have large numbers of people concerned; large numbers of enterprises potentially harmed."

Given the success of WannaCry and NotPetya, Malik expects more incidents of this volume. "The people doing this are in for the money and if they have an effective weapon that hasn't been countered, they're going to fire it again," he says. Attackers will continue to exploit old vulnerabilities, as recently seen in the "catastrophic" Equifax breach.

How to prepare your team

Malik advises conducting a security assessment to check how your employees would respond to an incident. He poses the following scenario: if a member of your security team noticed someone making a security error, would they be able to answer "yes" to each of these questions:

  • Would they know if it was wrong?
  • Would they report it?
  • If they picked up the phone, would they know who to call?

"If the answers are 'yes,' 'yes,' and 'yes,' you're in good shape," he says. It is the "tone at the top" that determines whether security incidents get properly reported. If people aren't aware of what counts as risky behavior, or hesitate to report it, the business is in trouble.

"Technology has never in human history been able to correct an organizational or management failure," Malik adds.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio
