By Rajesh Maurya
The third quarter of 2019 saw a number of new cyber-threat trends emerge or expand, and organisations need to be aware of these trends if they wish to stay ahead of cybercriminal strategies. One of the most effective attacks strategies does not require cybercriminals to build new malware, but simply change their tactics.
Cybercriminals are focusing on vulnerable edge services
Phishing attacks are top of mind across all industries. That’s because over 90% of all malware is still delivered using compromised email attachments. As a result, organisations are aggressively training users on how to identify malicious email, report them to the Help Desk team, and never click on unexpected email attachments. But over-rotating on a single attack vector can leave an organisation exposed to threats targeting other systems.
To that point, according to the latest Threat Landscape Report from FortiGuard Labs, remote code execution attacks targeting vulnerable edge services, publicly available services to customers and/or employees – topped the list of identified threats across all geographic regions during the third quarter. Attack trends tend to be focused on one, or at most, a handful of geographic regions. Seeing attacks consistently showing up at the top of every list globally is a trend that strongly indicates that these attack vectors are getting the attention of cybercriminals.
These publicly-facing services and systems, provide similar opportunities for breaching the perimeter of the network as phishing does. And unlike efforts to shore up protections against phishing, many of these edge services are vulnerable to a wide range of attacks, usually due to inconsistent patching and updating of the operating systems and applications running on these servers.
In fact, FortiGuard Labs saw more attempts to target system vulnerabilities that were more than a decade old than those that had been identified in 2018 and 2019 combined. And targeted vulnerabilities from every year between 2007 also equalled 2018/19 levels. The vast majority of these vulnerabilities have patches available that simply have not been applied.
Once criminals establish a foothold at the edge, they can then use that attack vector to begin delivering their malware to targets inside the network, with the same result as having used phishing to deliver those same payloads. Although this attack tactic is not new, it does show that cybercriminals are paying attention to the cybersecurity trends, such as organisational awareness of phishing and more pervasive use of email security tools. And it also demonstrates that changing tactics by exploiting systems where defenders may not be watching as closely can be a successful way to catch organisations off guard and increase chances for success.
It’s a common refrain, but the reality is that the majority of network and device compromises are the direct result of a failure to patch, upgrade, or replace vulnerable systems or implement adequate proximity controls. Of course, patching is hard – especially when dealing with thousands of devices, or embedded systems that can’t be easily updated without taking down essential systems. As mentioned previously, using the FortiGuard Security Rating Service allows IT teams to prioritise the patching and upgrading of vulnerable systems.
Malware-as-a-Service continues to grow
In addition to redoubling efforts on additional attack vectors to breach networks, the volume of attacks is also likely to increase over the next several quarters. One of the gating factors for many wannabe cybercriminals is that they simply don’t have the technical skills necessary to develop the tools needed to successfully identify and exploit a victim.
That all changed when criminal malware developers began offering Malware-as-a-Service (MaaS) on the dark web. For a share of the profits, criminals had access to tools that were not only designed to help them overcome their lack of technical skills, but that had ongoing development teams behind them to ensure those tools remained effective.
The GandCrab Ransomware Ransomware-as-a-Service (RaaS), for example, netted its developers as much as $2 billion before they retired last year. And now it appears that more cybercriminal organisations are jumping on the bandwagon.
Last quarter, FortiGuard Labs identified two additional ransomware families – Sodinokibi and Nemty – being made available on the dark web as ransomware-as-a-service offerings. By using this RaaS model, the authors of these malware tools are significantly lowering the bar, both in terms of overhead and expertise, for launching such attacks.
MaaS continues to evolve
Cybercriminals aren’t content to just move traditional malware to a service model. Emotet, a highly successful and lucrative banking Trojan, just launched a new kind of MaaS service that rents criminals access to devices already infected with the Emotet Trojan.
This tactic is especially malicious because its developers have added the ability for Emotet to deliver malicious payloads. This allows attackers to attack previously compromised networks with additional malware, such as the Trickbot Trojan and Ryuk ransomware, through a device previously compromised with Emotet.
And this isn’t the only new trick up Emotet’s sleeve. They have also raised the bar on phishing itself. In addition to changing tactics, as was outlined above, another strategy is to simply significantly increase the efficiency of distributing malware through phishing.
Cybercriminals naturally want to deliver phishing emails that will be opened. But with heightened awareness by end users, phishing success is more difficult to achieve. This new Emotet phishing strategy addresses this challenge by stealing active email threads, not just passive email addresses, from infected devices. It then inserts an infected reply into the thread disguised as coming from one of the participants. This strategic shift has proven to not only be exponentially more effective than traditional phishing attempt, but even targeted spearphishing tactics as well.
Addressing new challenges starts with resilience
While there are many valuable approaches to addressing evolving security challenges, there are a handful of strategies that every organisation needs to adopt that will remain effective even as the threat landscape continues to evolve.
First, organisations cannot afford to over-focus on the latest threat trends. As shown with the increased targeting of edge services, it is essential that organisations adopt a holistic approach to securing their entire distributed networked. That begins with a comprehensive security fabric that includes integrated security devices, a centralised, single-pane-of-glass monitoring, management, and configuration system, and the integration of real-time threat intelligence to ensure that the network is constantly tuned to the latest threat landscape.
In addition, many new attacks and exploits are successful because vulnerable systems are not being adequately patched or updated. Exploits targeting older vulnerabilities can be successfully stopped by conducting a risk assessment, using a rating service to prioritise at-risk devices and systems, and then either applying patches and upgrades or replacing vulnerable systems.
Finally, organisations should also consider implementing intent-based network segmentation and zero trust access strategies to prevent critical devices and vulnerable systems from being exploited. Segmentation also minimises the risks of a successful intrusion by shrinking the available attack surface. By starting with these basic strategies, organisations can build resilience into their security systems that enable them to weather the shifting storms of today’s cybercriminal organisations.
(The writer is Regional Vice President, India & SAARC, Fortinet.)