Business email compromise (BEC) attacks and SCADA vulnerabilities are two top concerns among security experts thinking back on the first half of 2017. Threat actors have begun to rely on time-tested strategies to launch simple attacks and trick businesses out of billions, according to a report released today by Trend Micro.
BEC attacks caused $5.3 billion in global losses between 2013 and 2017, according to Trend Micro's 2017 midyear roundup, "The Cost of Compromise." The report reviews data and trends from security events in the first half of the year to give a recent picture of the threat landscape.
Experts noticed a resurgence of old BEC techniques as attackers turn to social engineering to trick their victims. The most frequently spoofed executive in these attacks is the CEO, followed by the managing director. Fraudulent emails typically go to heads of finance.
"The typical fake email comes from the CEO and the typical forged recipient is the CFO," says William Malik, VP of infrastructure strategies at Trend Micro. These emails are hard to stop because they slip past the automated tools installed to trap BEC attacks, he adds: those tools watch for rogue processes on systems or rely on knowledge of unpatched vulnerabilities, and a BEC email involves neither. It carries no malware and exploits no software flaw, only the recipient's trust.
"It's good old social engineering," Malik adds. The "statistically most likely" scenario involves a fake email from the CEO to the CFO requesting a favor, which usually involves the transfer of funds. Common words and phrases associated with BEC emails include "acquisition," "contract," "instructions," "invoice," "request," and "swift response needed."
BEC attachments have traditionally been executable files, but these are usually flagged by mail gateways, and recipients are discouraged from opening them, which diminishes the likelihood of a successful attack. Cybercriminals are working around this by attaching HTML pages instead: the page renders a credential-harvesting form locally, so there is no executable to block and no link to a known-bad URL for a filter to catch.
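The indicators described in this section (an executive's name on an outside address, a Reply-To that diverts the conversation, payment and urgency vocabulary, and HTML or executable attachments) lend themselves to a simple mail-gateway heuristic. The following Python is an added example, not code from Trend Micro or the report; the company domain, executive names, weights and threshold are assumptions, and the two messages it scores are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organisation data for this example: the company's own domain
# and the executives whose names a BEC lure is most likely to borrow (the
# report names the CEO first, the managing director second).
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = ("jane doe", "sam lee")

# Words and phrases the report lists as common in BEC emails.
BEC_TERMS = ("acquisition", "contract", "instructions", "invoice",
             "request", "swift response needed")

# Executables are the traditional payload; HTML pages are the phishing
# substitute described above. Extensions and types are an assumed list.
RISKY_EXTENSIONS = (".html", ".htm", ".exe", ".scr", ".js", ".vbs", ".jar")
RISKY_CONTENT_TYPES = ("text/html", "application/x-msdownload",
                       "application/java-archive")

SUSPICIOUS_THRESHOLD = 4  # assumed cut-off; tune on real traffic


def score_message(raw: str) -> dict:
    """Score one RFC 5322 message for BEC indicators.

    Returns {"score": int, "reasons": [str], "verdict": "clean"|"suspicious"}.
    These are heuristics; a production filter would add SPF/DKIM/DMARC
    results and sender history rather than rely on content alone.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    # 1. Executive's display name on an address outside the company domain:
    #    the free-mail / lookalike-domain spoof behind the CEO-to-CFO lure.
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    if any(n in display.lower() for n in EXECUTIVE_NAMES) and from_domain != COMPANY_DOMAIN:
        score += 3
        reasons.append(f"executive name '{display}' on external domain '{from_domain}'")

    # 2. Reply-To differing from From: the attacker needs the CFO's reply to
    #    reach a mailbox they control, not the impersonated executive.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        score += 2
        reasons.append(f"Reply-To '{reply_addr}' differs from From '{from_addr}'")

    # 3. Payment / urgency vocabulary in subject and text body (attachments
    #    are skipped by get_body, so an HTML lure does not count twice).
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    haystack = (str(msg.get("Subject", "")) + "\n" + text).lower()
    hits = [t for t in BEC_TERMS if t in haystack]
    if hits:
        score += len(hits)
        reasons.append("BEC vocabulary: " + ", ".join(hits))

    # 4. Executable or HTML attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(RISKY_EXTENSIONS) or ctype in RISKY_CONTENT_TYPES:
            score += 2
            reasons.append(f"risky attachment '{name or ctype}' ({ctype})")

    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean"
    return {"score": score, "reasons": reasons, "verdict": verdict}


# Constructed sample: a CEO-to-CFO lure with a lookalike domain, a diverted
# Reply-To, report vocabulary and an HTML credential form as attachment.
BEC_SAMPLE = "\n".join([
    "From: Jane Doe <jane.doe@examp1e-mail.com>",
    "Reply-To: Jane Doe <ceo.janedoe@webmail.example>",
    "To: Chief Financial Officer <cfo@example.com>",
    "Subject: Urgent acquisition payment - swift response needed",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "I am in a meeting and cannot take calls. Please follow the instructions",
    "in the attached invoice and confirm once the transfer is done.",
    "",
    "--b1",
    'Content-Type: text/html; name="invoice.html"',
    'Content-Disposition: attachment; filename="invoice.html"',
    "",
    '<html><body><form action="https://login.example.net">',
    '<input name="password" type="password"></form></body></html>',
    "--b1--",
    "",
])

# Constructed sample: the same executive, genuinely internal, nothing urgent.
LEGIT_SAMPLE = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "To: cfo@example.com",
    "Subject: Board deck for Thursday",
    "MIME-Version: 1.0",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Heads-up that the deck is coming tomorrow. Nothing to approve yet.",
    "",
])

if __name__ == "__main__":
    for label, sample in (("lure", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, score_message(sample))
```

The weights deliberately favour header evidence over vocabulary: a message with the right words but a genuine internal sender scores low, while an executive's name on an outside domain with a diverted Reply-To is already near the threshold before any attachment is considered.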
Industrial threats and ransomware
Malik says it's "somewhat worrying" to see attackers targeting supervisory control and data acquisition (SCADA) systems more frequently. Researchers counted 54 SCADA vulnerabilities in the first half of 2017, up from 34 in the second half of 2016. A count of disclosed vulnerabilities reflects research attention as well as real exposure, but the direction matches the attacker interest Malik describes.
In the research paper "Rogue Robots: Testing the Limits of an Industrial Robot's Security," researchers found more than 83,000 exposed industrial routers and 28 exposed industrial robots through Internet-wide scanning services including Shodan, ZoomEye, and Censys. They also showed that attacks on industrial robots in smart factories can make a robot move inaccurately, introducing defects into the parts it produces.
Financial motivation is the primary driver for these attacks. Threats to SCADA and industrial control systems put major entities, like power plants, at risk and the cybercriminals behind them are usually seeking ransom from large organizations, says Malik.
Monetary gain drives attacks outside industrial systems as well. Asked about his top concern for the end of 2017 and the beginning of 2018, Malik answers "ransomware" without hesitation.
"The successes the bad guys have achieved using ransomware to date are so staggering, I just see that continuing in an upward trajectory," he says. "Business email compromise is, in its nature, a single transaction - one company, one executive, one crime. Ransomware is the one that's going to have large numbers of people concerned; large numbers of enterprises potentially harmed."
Given the success of WannaCry and NotPetya, Malik expects more incidents of this scale. "The people doing this are in for the money and if they have an effective weapon that hasn't been countered, they're going to fire it again," he says. Attackers will continue to exploit old, already-patched vulnerabilities: both WannaCry and NotPetya spread through an SMB flaw Microsoft had fixed months earlier (MS17-010), and the "catastrophic" Equifax breach is another case of a known flaw left unpatched.
How to prepare your team
Malik advises conducting a security assessment to check how your employees would respond to an incident. He poses the following situation: if a member of your staff noticed someone making a security error, how would they answer these questions?
- Would they know if it was wrong?
- Would they report it?
- If they picked up the phone, would they know who to call?
"If the answers are 'yes,' 'yes,' and 'yes,' you're in good shape," he says. It's the "tone at the top" that determines whether security incidents get reported and properly logged. If people aren't aware of what counts as risky behavior, or hesitate to report it, the business is in trouble.
"Technology has never in human history been able to correct an organizational or management failure," Malik adds.