Michael Sentonas

Beware of Emails Bearing Gifts

A security-connected framework can help your organization thwart cybercrime.

Crime gangs are building very legitimate-looking emails as cover for phishing and ransomware, and they are having enough success that the attacks are escalating.

In the first quarter of 2015, McAfee Labs registered a 165% increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, new ransomware families such as Teslacrypt and TOX, and the emergence of new versions of CryptoWall, TorrentLocker, and BandarChor. Dell Secureworks believes the ransomware business truly pays, with CryptoWall reaching at least 1 million victims and collecting about $1.8 million in ransom.

Ransomware growth is likely to keep surging given the rise of new “business models,” the growing availability and ease of operation of newer ransomware kits, and the general increase in tactical sophistication. For instance, CTB-Locker possesses clever techniques for evading security software, higher-quality phishing emails, and an “affiliate” program that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages. In the case of TOX, ransomware is going the way of other malware: it is delivered in turnkey packages that simplify the development, launch, and ongoing operation of ransomware campaigns. And where fewer technical skills are required, more less-skilled perpetrators get into the cybercrime business.

Encouraged by their successes, attackers are reusing content and contacts as they cycle through their scams in an attempt to hook people. They have tested and learned the behavior of antivirus, firewalls, and sandboxes, and are using code that is stealthier, more careful, and more difficult to defend against. Malware downloaders are varied frequently to avoid signature-based detection. Ports, IP addresses, and URLs are continuously modified to slip past firewalls. The most advanced code is becoming sandbox-aware and stays out of sight if it suspects it is not on a real endpoint.

Connected Security Is Critical

With the number and sophistication of attacks increasing, what can you do to reduce the threat profile at your organization? What new product can you buy to increase your protection?

The reality is that no single cybersecurity product provides effective coverage for all cyberthreats, just like no one physical security technique defends against all physical threats. As battlefield threats become more sophisticated, frequent communication between the front line, commanders, intelligence officers, and special forces is necessary to detect and counter or correct threats.

Integrating links between antivirus, advanced threat detection, and other connected security tools will provide security pros in the cybertrenches with more capable and adaptive defenses against these types of threats. A framework of connected security tools accomplishes this by sharing relevant security data across endpoints, gateways, and other security products, enabling incident response and preventing the compromise of one system from resulting in the compromise of many.

A recent attack campaign in Australia involving ransomware showed the benefits of using such a framework in real time. 

On the back of a legitimate-looking parcel notification, a new variant of Cryptolocker was being installed on victims’ machines. The attack would start with a new malware variant that was evading most signature-based antivirus technologies. However, with a connected, adaptive security framework in place, an unknown and suspicious file on the endpoint was proactively sent to an advanced threat defense solution for decompiling and further analysis.

A mix of static code and dynamic analysis (sandboxing) on the suspicious file provided enough clues to detect the bad code and convict it as malicious.

First, the sample had some family classifications similar to other malware. Second, after decompiling we uncovered the capability to bypass proxy settings, search for specific file types, and exfiltrate the data. Finally, monitoring the behavior, we saw that it was using the same infrastructure as a known Trojan called Upatre, which is associated with botnets, ransomware, and banking fraud.

Having identified a new malware variant, the connected, adaptive security framework initiated a number of responses to correct the unwanted behavior. The endpoint systems began scanning to find out where the file had run or was still running, stopping the malicious processes or preventing the convicted file from executing. The first PC to see the ransomware may be in trouble, but the rest of the organization was protected.

Once resolved in one location, the organization’s advanced threat defense provided local threat intelligence on the largely unknown Upatre malware variant to the rest of the global organization. And with up-to-date reputation capabilities, all other systems across the organization were able to deny Upatre based on policy.
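The flow described above, as an added example that is not from the original article or any vendor's product: an endpoint submits an unknown file, analysis weighs the three clues listed earlier, and the shared verdict lets every endpoint deny the file by policy. The class names, the similarity threshold, the two-of-three conviction rule, and the host `c2.example.invalid` are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed indicators standing in for the article's three clues (assumptions).
KNOWN_BAD_INFRA = {"c2.example.invalid"}   # infrastructure shared with a known Trojan
SUSPECT_CAPABILITIES = {"bypass_proxy", "search_file_types", "exfiltrate"}

@dataclass
class AnalysisReport:
    family_similarity: float   # static: similarity to known families, 0..1
    capabilities: set          # static: capabilities found after decompiling
    contacted_hosts: set       # dynamic: hosts observed in the sandbox

def convict(report: AnalysisReport) -> bool:
    """Combine static and dynamic clues; two of three convict (assumed rule)."""
    clues = [
        report.family_similarity >= 0.7,
        len(report.capabilities & SUSPECT_CAPABILITIES) >= 2,
        bool(report.contacted_hosts & KNOWN_BAD_INFRA),
    ]
    return sum(clues) >= 2

@dataclass
class ReputationStore:
    """Shared local threat intelligence: SHA-256 -> 'malicious' or 'clean'."""
    verdicts: dict = field(default_factory=dict)

    def publish(self, sha256: str, malicious: bool) -> None:
        self.verdicts[sha256] = "malicious" if malicious else "clean"

@dataclass
class Endpoint:
    store: ReputationStore
    pending: list = field(default_factory=list)

    def on_execute(self, content: bytes) -> str:
        digest = hashlib.sha256(content).hexdigest()
        verdict = self.store.verdicts.get(digest)
        if verdict == "malicious":
            return "deny"                    # convicted file: blocked by policy
        if verdict is None:
            self.pending.append(digest)      # unknown file: queue for analysis
            return "allow-and-submit"
        return "allow"

def run_scenario() -> list:
    store = ReputationStore()
    pc1, pc2 = Endpoint(store), Endpoint(store)
    sample = b"constructed sample bytes, not real malware"
    first = pc1.on_execute(sample)           # first PC sees it before any verdict
    report = AnalysisReport(0.8, {"bypass_proxy", "exfiltrate"}, {"c2.example.invalid"})
    store.publish(pc1.pending.pop(), convict(report))
    return [first, pc1.on_execute(sample), pc2.on_execute(sample)]
```

The first endpoint runs the file before a verdict exists, which is the exposure the article concedes; every later execution attempt, on any endpoint sharing the store, is denied.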

Phishing and ransomware attacks are hardly new, but the rapid changes in malware code and the legitimate-looking emails are making it harder for both users and antivirus programs to detect the surprise waiting at the other end of the link. No single security solution provides an adequate defense. When malware can sneak through a network firewall, lie low to trick a sandbox, and evade endpoint antivirus, a thorough defense requires the combined resources of a security-connected framework.

Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, ...
6/9/2015 | 2:32:48 PM
Not surprising
This isn't that surprising. People need to do much more proactively -- including educating end users. I'd like to hear more about the hows and whys. Is it that IT simply doesn't have enough protection in place or are there some things IT simply can't protect against? 


Karen Bannan, commenting on behalf of IDG and FireEye