Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/16/2015
05:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

IBM Report: Ransomware, Malicious Insiders On The Rise

X-Force's top four cyber threat trends also names upper management's increasing interest in infosec.

Ransomware and malicious insiders are on the rise, upper management is showing greater interest in infosec, and organizations actually have a reason to be grateful to script kiddies, according to a new threat intelligence report from IBM X-Force.

Ransomware rising

Ransomware like CryptoWall has become one of the top mobile threats, in addition to desktop threats. It's been found wrapped into a variety of exploit kits -- the Angler EK alone generated $60 million from ransomware -- and has been seen spreading through malvertising campaigns.

IBM X-Force, however, states the top infection vector was simply unpatched vulnerabilities. "A well-known infection vector of ransomware can exploit unpatched operating system vulnerabilities to give attackers access to the system resources they want to lock or the data they want to encrypt," according to the report. After unpatched vulnerabilities, drive-by downloads and spearphishing, respectively, were the leading attack vectors. 

To defend against, recover from, and mitigate the effects of ransomware, X-Force recommends creating and testing back-ups thoroughly; conducting better user training; using "software designed to catch anomalies related to binaries, processes and connections" which "can also help identify many kinds of malware, ransomware included;" and using file recovery software, professional services, or Microsoft Windows Volume Shadow Copy Service to try to recover files that the ransomware has copied/deleted or encrypted.

'Onion-layered' incidents

By "onion-layered incidents" IBM X-Force is not referring at all to onion routing. It is referring to detected security incidents that lead forensic investigators to discover evidence of hitherto undetected attacks.

X-Force witnessed a new trend in which stealthy, sophisticated attacks were discovered during forensic investigations into simple, unsophisticated attacks. Attackers who'd been lurking within a network for months were not detected until investigators stumbled across them while investigating an attack by a script kiddie.

"Were it not for the disruptive event caused by the script kiddies, the client might never have noticed anything wrong," the report said.

The common trait in scenarios like this, said researchers, is that the compromised organizations were running old operating system versions that hadn't been patched in a long time.

Malicious insiders

Malicious insiders are abusing remote administration tools and organizations are making those attackers' work easier by following bad password policies, conducting insufficient logging, and failing to revoke employees' credentials immediately after they leave the company.

"The common thread is that accountability was not enforced. ... Knowledge can’t be stripped from an employee leaving an organization, but there are ways to minimize the risk of that knowledge being used for malicious purposes," the report said.

X-Force found that in the organizations most prone to insider attacks, passwords were "routinely" set to never expire, password sharing between team members was not discouraged, admin accounts were shared, and user credentials were not immediately revoked when an employee was terminated or left the company.

"As a result, ex-employees with ill will toward former employers held powerful weapons they could use to express their resentment. They simply needed a way to get back into the network."

The most common method, according to IBM: "In most malicious insider attacks we’ve seen, the disgruntled employee typically 'prepared for departure' by installing remote administration tools  such as LogMeIn or TeamViewer for access to the employer’s network."

X-Force recommends that security teams that suspect or detect the unauthorized use of remote administration tools block access for the master servers of these tools.

Upper management interest

The average cost of a data breach in the United States was $6.53 million, according to a study by the Ponemon Institute and sponsored by IBM. Numbers like this have gotten the attention of upper management, say researchers. 

What is management asking their security teams for more? Enterprise risk assessment, incident response, and tabletop exercises like stress tests and cross-functional reviews are top of the list.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ashu001
50%
50%
Ashu001,
User Rank: Apprentice
11/17/2015 | 12:28:08 AM
Why do I get the feeling that the Policestate is now after TOR?
Sara,

This is the 3rd Report from a Security/IT Vendor I have seen in the last month or so which tries to blame TOR for Cyber-crime /Terrorism.

I remember there was one from Akamai also on similar lines.

But the most important thing folks need to be wary of All-pervasive Privacy Invasions conducted by the Government online in the name of ""Keeping us safe" suppposedly.

I was recently sent this very interesting chart from the Independent Newspaper which showed where the Top 10 Supporters for ISIS/ISIL come from(in terms of Tweets).

Guess whos at No.1?

Our Supposed Ally-Saudi Arabia.

Guess who else is in the Top 10?

America , the UK and our closest allies(On whom we spend Billions in Militiary Aid every year)-Egypt and Turkey!!

What's stopping the Police-state from taking action against these people?Nothing.

But still they don't.

Sad But true reality.

This is why TOR will continue to be immensely popular going ahead.

 
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I've never actually seen the corporate ladder before.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18898
PUBLISHED: 2020-01-23
UNIX Symbolic Link (Symlink) Following vulnerability in the trousers package of SUSE SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allowed local attackers escalate privileges from user tss to root. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP1 trousers versions prior to 0.3.14...
CVE-2019-19837
PUBLISHED: 2020-01-23
Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote information disclosure of bin/web.conf via HTTP requests.
CVE-2020-7210
PUBLISHED: 2020-01-23
Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts.
CVE-2019-19835
PUBLISHED: 2020-01-23
SSRF in AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote denial of service via the server attribute to the tools/_rcmdstat.jsp URI.
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...