Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
10:10 AM
Michael Sentonas
Michael Sentonas
Partner Perspectives

Beware of Emails Bearing Gifts

A security-connected framework can help your organization thwart cybercrime.

Crime gangs are building very legitimate-looking emails as cover for phishing and ransomware, and they are having enough success that the attacks are escalating.

In the first quarter of 2015, McAfee Labs registered a 165% increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, new ransomware families such as Teslacrypt and TOX, and the emergence of new versions of CryptoWall, TorrentLocker, and BandarChor. Dell Secureworks believes the ransomware business truly pays, with CryptoWall reaching at least 1 million victims and collecting about $1.8 million in ransom.

The growth of ransomware is likely to continue to surge given the rise of new “business models,” the growing availability and ease of operation of newer ransomware kits, and the general increase in tactical sophistication. For instance, CTB-Locker possesses clever techniques for evading security software, higher-quality phishing emails, and an “affiliate” program that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages. In the case of TOX, ransomware is going the way of other malware, delivered in turnkey ransomware packages, simplifying the development, launch, and ongoing operation of ransomware campaigns. And where fewer technical skills are required, you have an increase of less-skilled perpetrators getting into a cybercrime business.

Encouraged by their successes, attackers are reusing content and contacts as they cycle through their scams in an attempt to hook people. They have tested and learned the behavior of antivirus, firewalls, and sandboxes, and are using code that is stealthier, more careful, and more difficult to defend against. Malware downloaders are varied frequently to avoid signature-based detection. Ports, IP addresses, and URLs are continuously modified to slip past firewalls. The most advanced code is becoming sandbox-aware and stays out of sight if it suspects it is not on a real endpoint.

Connected Security Is Critical

With the number and sophistication of attacks increasing, what can you do to reduce the threat profile at your organization? What new product can you buy to increase your protection?

The reality is that no single cybersecurity product provides effective coverage for all cyberthreats, just like no one physical security technique defends against all physical threats. As battlefield threats become more sophisticated, frequent communication between the front line, commanders, intelligence officers, and special forces is necessary to detect and counter or correct threats.

Integrating links between antivirus, advanced threat detection, and other connected security tools will provide security pros in the cybertrenches more capable and adaptive defenses for these types of threats. A framework of connected security tools accomplishes this by sharing relevant security data across endpoints, gateways, and other security products, enabling incident response and preventing the compromise of one system from resulting in the compromise of many.

A recent attack campaign in Australia involving ransomware showed the benefits of using such a framework in real time. 

On the back of a legitimate looking parcel notification, a new variant of Cryptolocker was being installed on victims’ machines. The attack would start with a new malware variant that was evading most signature-based antivirus technologies. However, with a connected, adaptive security framework in place, an unknown and suspicious file on the endpoint was proactively sent to an advanced threat defense solution for decompiling and further analysis.

A mix of static code and dynamic analysis (sandboxing) on the suspicious file provided enough clues to detect the bad code and convict it as malicious.

First, the sample had some family classifications similar to other malware. Second, after decompiling we uncovered the capability to bypass proxy settings, search for specific file types, and exfiltrate the data. Finally, monitoring the behavior, we saw that it was using the same infrastructure as a known Trojan called Upatre, which is associated with botnets, ransomware, and banking fraud.

Having identified a new malware variant, the connected, adaptive security framework initiated a number of responses to correct the unwanted behavior. The endpoint systems began scanning to find out where the file had run or was still running, stopping the malicious processes or preventing the convicted file from executing. The first PC to see the ransomware may be in trouble, but the rest of the organization was protected.

Once resolved in one location, the organization’s advanced threat defense provided local threat intelligence on the largely unknown Upatre malware variant to the rest of the global organization. And with up-to-date reputation capabilities, all other systems across the organization were able to deny Upatre based on policy.

Phishing and ransomware attacks are hardly new, but the rapid changes in malware code and the legitimate-looking emails are making it harder for both users and antivirus programs to detect the surprise waiting at the other end of the link. No single security solution provides an adequate defense. When malware can sneak through a network firewall, lie low to trick a sandbox, and evade endpoint antivirus, a thorough defense requires the combined resources of a security-connected framework.

Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
6/9/2015 | 2:32:48 PM
Not surprising
This isn't that surprising. People need to do much more proactively -- including educating end users. I'd like to hear more about the hows and whys. Is it that IT simply doesn't have enough protection in place or are there some things IT simply can't protect against? 


Karen Bannan, commenting on behalf of IDG and FireEye
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.