9/11/2017 03:45 PM

Ransomware, BEC, ICS Top Midyear Security Concerns

Business email compromise, ransomware, and industrial control attacks were among top security concerns in the first half of 2017.

Business email compromise (BEC) attacks and SCADA vulnerabilities are two top concerns among security experts thinking back on the first half of 2017. Threat actors have begun to rely on time-tested strategies to launch simple attacks and trick businesses out of billions, according to a report released today by Trend Micro.

BEC attacks caused $5.3 billion in global losses from 2013 to 2017, cites Trend Micro in its 2017 midyear roundup, "The Cost of Compromise." The report reviews data and trends from security events to give a recent picture of the threat landscape.

Experts noticed a resurgence of old BEC techniques as attackers turn to social engineering to trick their victims. The most frequently spoofed executive in these attacks is the CEO, followed by the managing director. Fraudulent emails typically go to heads of finance.

"The typical fake email comes from the CEO and the typical forged recipient is the CFO," says William Malik, VP of infrastructure strategies at Trend Micro. These emails are tricky because they bypass the automated tools installed to trap BEC attacks, he adds: such attacks don't rely on rogue processes running on systems or on knowledge of unpatched vulnerabilities, so those tools have nothing to detect.

"It's good old social engineering," Malik adds. The "statistically most likely" scenario involves a fake email from the CEO to the CFO requesting a favor, which usually involves the transfer of funds. Common words and phrases associated with BEC emails include "acquisition," "contract," "instructions," "invoice," "request," and "swift response needed."

BEC attachments have traditionally been executable files but these are usually flagged and recipients are discouraged from clicking them, diminishing the likelihood of a successful attack. Cybercriminals are working around this by using HTML pages for phishing attachments.
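The indicators the report describes (a message whose display name is an executive's but whose address is not that executive's mailbox, a finance recipient, a funds-transfer ask dressed in the words listed above, and an HTML file where an executable used to be) can be turned into a simple triage rule for a mail gateway or SOC playbook. The following is an added example written for this page, not Trend Micro's tooling or code from the report; the company domain, executive directory, finance mailboxes and the two sample messages are constructed assumptions, and the scoring weights are illustrative.

```python
"""Heuristic BEC triage for one raw RFC 822 message (added example, not the report's code)."""
from email import message_from_string, policy
from email.utils import parseaddr
from typing import List, Tuple

# Constructed organisation directory for this example: which display names belong to
# which legitimate mailbox, and which mailboxes handle money.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com",      # CEO
              "john smith": "john.smith@example.com"}  # managing director
FINANCE_MAILBOXES = {"cfo@example.com", "accounts.payable@example.com"}

# Words and phrases the article associates with BEC emails, plus "transfer" for the
# usual funds-transfer request.
BEC_KEYWORDS = ["acquisition", "contract", "instructions", "invoice", "request",
                "swift response needed", "transfer"]
HTML_ATTACHMENT_EXTS = (".html", ".htm")
SCORE_THRESHOLD = 4  # illustrative cut-off; tune against your own mail flow


def score_message(raw: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for a raw message; higher means more BEC-like."""
    msg = message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    # 1. Executive display name on a non-executive address (the spoofed-CEO pattern).
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    legit = EXECUTIVES.get(display.strip().lower())
    if legit and addr != legit:
        score += 3
        reasons.append(f"display name '{display}' impersonates an executive but address is {addr}")

    # 2. Recipient is a finance mailbox (the forged CFO recipient).
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() in FINANCE_MAILBOXES:
        score += 1
        reasons.append(f"recipient {to_addr} handles funds")

    # 3. Collect plain-text body and attachment names in one pass.
    text = str(msg.get("Subject", ""))
    attachments = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append((part.get_filename() or "").lower())
        elif part.get_content_type() == "text/plain":
            text += "\n" + part.get_content()
    lowered = text.lower()

    # 4. BEC vocabulary: one point per distinct phrase, capped so wording alone can't flag.
    hits = [kw for kw in BEC_KEYWORDS if kw in lowered]
    if hits:
        score += min(len(hits), 3)
        reasons.append("BEC phrases: " + ", ".join(hits))

    # 5. HTML attachment standing in for the executable that would have been blocked.
    if any(name.endswith(HTML_ATTACHMENT_EXTS) for name in attachments):
        score += 2
        reasons.append("HTML attachment present")

    return score, reasons


def is_suspicious(raw: str) -> bool:
    return score_message(raw)[0] >= SCORE_THRESHOLD


# Constructed sample messages (not real traffic).
BEC_SAMPLE = "\n".join([
    "From: Jane Doe <jane.doe@example-mail.net>",
    "To: cfo@example.com",
    "Subject: Urgent request - invoice",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "Please process a transfer for the attached invoice today.",
    "Swift response needed, I am in meetings all day.",
    "",
    "--b1",
    'Content-Type: text/html; name="invoice.html"',
    'Content-Disposition: attachment; filename="invoice.html"',
    "",
    "<html><body>placeholder</body></html>",
    "--b1--",
])
BENIGN_SAMPLE = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "To: john.smith@example.com",
    "Subject: Lunch",
    "Content-Type: text/plain",
    "",
    "Lunch on Thursday?",
])

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        s, why = score_message(sample)
        print(f"{label}: score={s} suspicious={s >= SCORE_THRESHOLD} reasons={why}")
```

The display-name check is the one that catches the pattern Malik describes, because it needs no knowledge of a vulnerability or a malicious process; the keyword and attachment checks only raise confidence, and the cap on vocabulary points keeps an ordinary "invoice request" from being flagged on wording alone.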

Industrial threats and ransomware

Malik says it's "somewhat worrying" to see attackers more frequently targeting supervisory control and data acquisition (SCADA) systems. Researchers found SCADA vulnerabilities increased from 34 in the second half of 2016 to 54 in 2017.

In a research paper "Rogue Robots: Testing the Limits of an Industrial Robot’s Security," experts saw more than 83,000 exposed industrial routers and 28 exposed industrial robots via search engines including Shodan, ZoomEye, and Censys. Researchers found attacks on industrial robots in smart factories can cause the robot to move inaccurately and lead to workplace defects.

Financial motivation is the primary driver for these attacks. Threats to SCADA and industrial control systems put major entities, like power plants, at risk and the cybercriminals behind them are usually seeking ransom from large organizations, says Malik.

Monetary gain will also drive attacks beyond industrial systems. When asked about his top concern for the end of 2017 and the beginning of 2018, he answers "ransomware" without hesitation.

"The successes the bad guys have achieved using ransomware to date are so staggering, I just see that continuing in an upward trajectory," he says. "Business email compromise is, in its nature, a single transaction - one company, one executive, one crime. Ransomware is the one that's going to have large numbers of people concerned; large numbers of enterprises potentially harmed."

Given the success of WannaCry and NotPetya, Malik expects more incidents of this volume. "The people doing this are in for the money and if they have an effective weapon that hasn't been countered, they're going to fire it again," he says. Attackers will continue to exploit old vulnerabilities, as recently seen in the "catastrophic" Equifax breach.

How to prepare your team

Malik advises conducting a security assessment to check how your employees might respond to an incident. He poses this situation: if a member of your security team noticed someone making a security error, how would they answer these questions:

  • Would they know if it was wrong?
  • Would they report it?
  • If they picked up the phone, would they know who to call?

"If the answers are 'yes,' 'yes,' and 'yes,' you're in good shape," he says. It's the "tone at the top" that sets the stage for how security incidents are properly logged. If people aren't aware of what might be considered risky behavior, or hesitate to report it, the business is in trouble.

"Technology has never in human history been able to correct an organizational or management failure," Malik adds.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...