Dark Reading, Partner Perspectives
6/9/2015 10:10 AM
Michael Sentonas
Beware of Emails Bearing Gifts

A security-connected framework can help your organization thwart cybercrime.

Crime gangs are building very legitimate-looking emails as cover for phishing and ransomware, and they are having enough success that the attacks are escalating.

In the first quarter of 2015, McAfee Labs registered a 165% increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, new ransomware families such as Teslacrypt and TOX, and the emergence of new versions of CryptoWall, TorrentLocker, and BandarChor. Dell Secureworks believes the ransomware business truly pays, with CryptoWall reaching at least 1 million victims and collecting about $1.8 million in ransom.

The growth of ransomware is likely to continue to surge given the rise of new “business models,” the growing availability and ease of operation of newer ransomware kits, and the general increase in tactical sophistication. For instance, CTB-Locker possesses clever techniques for evading security software, higher-quality phishing emails, and an “affiliate” program that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages. In the case of TOX, ransomware is going the way of other malware, delivered in turnkey ransomware packages that simplify the development, launch, and ongoing operation of ransomware campaigns. And where fewer technical skills are required, more less-skilled perpetrators get into the cybercrime business.

Encouraged by their successes, attackers are reusing content and contacts as they cycle through their scams in an attempt to hook people. They have tested and learned the behavior of antivirus, firewalls, and sandboxes, and are using code that is stealthier, more careful, and more difficult to defend against. Malware downloaders are varied frequently to avoid signature-based detection. Ports, IP addresses, and URLs are continuously modified to slip past firewalls. The most advanced code is becoming sandbox-aware and stays out of sight if it suspects it is not on a real endpoint.

Connected Security Is Critical

With the number and sophistication of attacks increasing, what can you do to reduce the threat profile at your organization? What new product can you buy to increase your protection?

The reality is that no single cybersecurity product provides effective coverage for all cyberthreats, just like no one physical security technique defends against all physical threats. As battlefield threats become more sophisticated, frequent communication between the front line, commanders, intelligence officers, and special forces is necessary to detect and counter or correct threats.

Integrating links between antivirus, advanced threat detection, and other connected security tools will provide security pros in the cybertrenches more capable and adaptive defenses for these types of threats. A framework of connected security tools accomplishes this by sharing relevant security data across endpoints, gateways, and other security products, enabling incident response and preventing the compromise of one system from resulting in the compromise of many.

A recent attack campaign in Australia involving ransomware showed the benefits of using such a framework in real time.

On the back of a legitimate-looking parcel notification, a new variant of Cryptolocker was being installed on victims’ machines. The attack would start with a new malware variant that was evading most signature-based antivirus technologies. However, with a connected, adaptive security framework in place, an unknown and suspicious file on the endpoint was proactively sent to an advanced threat defense solution for decompiling and further analysis.

A mix of static code and dynamic analysis (sandboxing) on the suspicious file provided enough clues to detect the bad code and convict it as malicious.

First, the sample had some family classifications similar to other malware. Second, after decompiling we uncovered the capability to bypass proxy settings, search for specific file types, and exfiltrate the data. Finally, monitoring the behavior, we saw that it was using the same infrastructure as a known Trojan called Upatre, which is associated with botnets, ransomware, and banking fraud.

Having identified a new malware variant, the connected, adaptive security framework initiated a number of responses to correct the unwanted behavior. The endpoint systems began scanning to find out where the file had run or was still running, stopping the malicious processes or preventing the convicted file from executing. The first PC to see the ransomware may have been in trouble, but the rest of the organization was protected.

Once resolved in one location, the organization’s advanced threat defense provided local threat intelligence on the largely unknown Upatre malware variant to the rest of the global organization. And with up-to-date reputation capabilities, all other systems across the organization were able to deny Upatre based on policy.
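The convict-and-propagate workflow described above, as an added model that is not Intel Security or McAfee code: an endpoint submits an unknown file, the analysis combines static clues (family resemblance, decompiled capabilities) with dynamic ones (shared infrastructure with a known Trojan), and the verdict lands in a reputation store that every other endpoint consults before execution. All hashes, hosts and capability names are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample values: hosts attributed to the known Upatre Trojan.
KNOWN_INFRASTRUCTURE = {"Upatre": {"203.0.113.7", "198.51.100.22"}}
SUSPICIOUS_CAPABILITIES = {"proxy_bypass", "file_search", "exfiltration"}

@dataclass
class AnalysisReport:
    """Findings the advanced threat defense returns for one sample."""
    family_matches: list   # static: classifications similar to known malware
    capabilities: set      # static: behaviors found after decompiling
    contacted_hosts: set   # dynamic: hosts reached while sandboxed

def convict(report):
    """Combine static and dynamic clues; no single clue convicts on its own."""
    reasons = []
    if report.family_matches:
        reasons.append("static: resembles " + ", ".join(report.family_matches))
    caps = report.capabilities & SUSPICIOUS_CAPABILITIES
    if len(caps) >= 2:
        reasons.append("static: capabilities " + ", ".join(sorted(caps)))
    for family, hosts in KNOWN_INFRASTRUCTURE.items():
        if report.contacted_hosts & hosts:
            reasons.append(f"dynamic: shares infrastructure with {family}")
    return len(reasons) >= 2, reasons

class ReputationService:
    """Shared store every endpoint consults before letting a file run."""
    def __init__(self):
        self.verdicts = {}
    def allowed(self, sha256):
        return self.verdicts.get(sha256) != "malicious"

def run_on_endpoint(sha256, reputation, analyze):
    """analyze(sha256) submits an unknown file and returns its AnalysisReport."""
    if not reputation.allowed(sha256):
        return "denied by policy"          # blocked before it ever runs
    if sha256 not in reputation.verdicts:  # unknown file: submit for analysis
        malicious, _ = convict(analyze(sha256))
        reputation.verdicts[sha256] = "malicious" if malicious else "clean"
        # The first endpoint has already run the file and terminates it;
        # every later endpoint is denied by the shared verdict.
        return "ran, then terminated" if malicious else "ran (clean)"
    return "ran (known clean)"

# Constructed sample: hash and report of the parcel-notification dropper.
SAMPLE_HASH = "constructed-sha256-0001"
SAMPLE_REPORT = AnalysisReport(["generic downloader"], set(SUSPICIOUS_CAPABILITIES),
                               {"203.0.113.7", "192.0.2.9"})

def demo():
    reputation = ReputationService()
    first = run_on_endpoint(SAMPLE_HASH, reputation, lambda h: SAMPLE_REPORT)
    second = run_on_endpoint(SAMPLE_HASH, reputation, lambda h: SAMPLE_REPORT)
    return first, second
```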

Phishing and ransomware attacks are hardly new, but the rapid changes in malware code and the legitimate-looking emails are making it harder for both users and antivirus programs to detect the surprise waiting at the other end of the link. No single security solution provides an adequate defense. When malware can sneak through a network firewall, lie low to trick a sandbox, and evade endpoint antivirus, a thorough defense requires the combined resources of a security-connected framework.

Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, ...

Comments
kbannan100, User Rank: Moderator
6/9/2015 | 2:32:48 PM
Not surprising
This isn't that surprising. People need to do much more proactively -- including educating end users. I'd like to hear more about the hows and whys. Is it that IT simply doesn't have enough protection in place or are there some things IT simply can't protect against?

--KB 

Karen Bannan, commenting on behalf of IDG and FireEye