Tag Archives: Malware

WatchGuard report finds two-thirds of malware to be encrypted

WatchGuard Technologies’ latest Internet Security Report shows that 67% of all malware in Q1 2020 was delivered via encrypted HTTPS connections and that 72% of encrypted malware was classified as zero day, so on that basis would have evaded signature-based anti-virus protection.

These findings show that, without HTTPS inspection of encrypted traffic and advanced behaviour-based threat detection and response, organisations are missing up to two-thirds of incoming threats. The report also highlights the finding that the UK was a top target for cyber criminals in Q1, earning a spot in the Top Three countries for the five most widespread network attacks.

“Some organisations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option,” said Corey Nachreiner, chief technology officer at WatchGuard. “As malware continues to become more advanced and evasive, the only reliable approach towards defence is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection.”

Malware

Key findings

Other key findings from WatchGuard’s latest Internet Security Report include:

Monero cryptominers surge in popularity Five of the Top Ten domains distributing malware in Q1 (identified by WatchGuard’s DNS filtering service DNSWatch) either hosted or controlled Monero cryptominers. This sudden jump in cryptominer popularity could simply be due to its utility. Adding a cryptomining module to malware is an easy way for online criminals to generate passive income

Flawed-Ammyy and Cryxos malware variants join top lists The Cryxos trojan was third on WatchGuard’s Top Five encrypted malware list and also third on its Top Five most widespread malware detections list, primarily targeting Hong Kong. It’s delivered as an e-mail attachment disguised as an invoice and will ask the user to enter their e-mail and password which it stores. Flawed-Ammyy is a support scam where the attacker uses the Ammyy Admin support software to gain remote access to the victim’s computer

Three-year-old Adobe vulnerability appears in top network attacks An Adobe Acrobat Reader exploit that was patched in August 2017 appeared in WatchGuard’s top network attacks list for the first time in Q1 of this year. This vulnerability resurfacing several years after being discovered and resolved illustrates the importance of regularly patching and updating systems

Mapp Engage, AT&T and Bet365 targeted with spear phishing campaigns Three new domains hosting phishing campaigns appeared on WatchGuard’s Top Ten list in Q1 2020. They impersonated digital marketing and analytics product Mapp Engage, online betting platform Bet365 (this campaign was in Chinese) and an AT&T login page (this campaign is no longer active at the time of the report’s publication)

COVID-19 impact Q1 2020 was only the start of the massive changes to the cyber threat landscape brought on by the COVID-19 pandemic. Even in the first three months of 2020, WatchGuard still saw a massive rise in remote workers and attacks targeting individuals

Malware hits and network attacks decline Overall, there were 6.9% fewer malware hits and 11.6% fewer network attacks in Q1, despite a 9% increase in the number of Fireboxes contributing data. This could be attributed to fewer potential targets operating within the traditional network perimeter with worldwide work-from-home policies in full force during the COVID-19 pandemic

Malware2

Anonymised data

The findings in WatchGuard’s Internet Security Reports are drawn from anonymised Firebox Feed data from active WatchGuard appliances whose owners have opted in to share data to support the Threat Lab’s research efforts. Over 44,000 appliances worldwide contribute threat intelligence data to the report. In Q1 2020, they blocked over 32,148,519 malware variants in total (730 samples per device) and more than 1,660,000 network attacks (38 attacks per device).

The complete report includes key defensive Best Practices that organisations of all sizes can use to protect themselves in today’s threat landscape and a detailed analysis of how the COVID-19 pandemic and associated shift to working from home affected the cyber security landscape.

*To view the full report visit Internet Security Report for Q1 2020

Leave a comment

Filed under Security Matters

Bosch launches new information security services to protect against cyber attacks

The IT Security Expo and Congress 2019 takes place in Nuremberg from 8-10 October and experts from Bosch will be on hand on Stand 506 in Hall 10.1 to outline the company’s latest information security services for defending against cyber attacks.

Cyber criminals pose a threat to building security solutions. Today’s physical security systems are increasingly IP-based and run on the same networks as generic office and production IT systems.

“The growing use of IT, along with greater networks, is also making building security solutions potentially vulnerable to all of the same risks that plague the rest of the IT world, such as hacker attacks and malware,” explained André Heuer, who heads the information security operation at Bosch Building Technologies. “Particularly so in critical infrastructure, this interaction of IT and facility management makes it essential to find new ways in which to ward off cyber attacks. We want to help our customers expand their information security strategies to include physical systems.”

BoschInformationSecurity

On that basis, Bosch is introducing new information security services to address security needs in conventional building security systems by erecting “cyber barriers”. The company’s portfolio now embraces three complementary components:

Information Security Consulting for designing tailored information security concepts to meet customers’ individual protection requirements

Security Operations Centre which manages vulnerabilities and information security incidents to ensure a consistently high level of security while complying with reporting requirements

IT Security Services which implement appropriate measures to protect building security solutions from cyber threats

All of the services are provided in close consultation with customers’ IT security officers. By offering these options, Bosch feels that it’s “raising the standard of information security in buildings to a new level”.

Leave a comment

Filed under Risk Xtra

Dell “reinvents” endpoint security portfolio through strategic collaborations with Secureworks and CrowdStrike

Cyber criminals are continuously shifting their attack techniques to better target endpoints. As more than one-third (39%) of cyber attacks are now non-malware based, adversaries can exploit gaps in traditional anti-malware solutions used in isolation.

Considering that 50% of organisations also have insufficient endpoint or network visibility during incident response engagements, it’s clear many businesses are injecting ineffective security tools into their environments, ultimately adding complexity without directly addressing the problem.

These disconnected solutions require ongoing diligence and expert resources to analyse a multitude of security alerts and identify compromised devices. Yet, with the growing cyber security skills gap, businesses don’t have the resources needed to manage their security infrastructure effectively.

To help organisations in addressing these challenges, Dell is introducing Dell SafeGuard and Response, a portfolio of next generation endpoint security solutions that combines the managed security, incident response expertise and threat behavioural analytics of Secureworks with the unified endpoint protection platform from CrowdStrike.

Dell’s modern and effective approach designed to prevent, detect and respond to the shifting threat landscape makes it easy for organisations to protect their data with the industry’s most secure commercial PCs.

With Artificial Intelligence (AI)-driven and cloud-native endpoint protection powered by CrowdStrike and expert threat intelligence and response management by Secureworks, Dell SafeGuard and Response provides end user customers with the essential capabilities they need to protect their PCs and data. CrowdStrike endpoint security solutions prevent more than 99% of malware and non-malware-based threats, detect 100% of vulnerabilities and respond to sophisticated attacks rapidly.

DellLaptop

Secureworks’ RedCloak behavioural analytics are built into the prevention, detection and response capabilities, so customers benefit from an ever-smarter network effect of protection. When an emerging threat is discovered in one environment, countermeasures are created and deployed to all customers who may be affected. 

Prevent, detect and respond to threats

With Dell SafeGuard and Response, customers no longer need to worry about complex implementation involving numerous agents. Dell’s modern approach to security simplifies the buying process, allowing customers to order these new solutions alongside their new PC. Businesses will receive outstanding prevention combined with the ability to quickly detect compromised devices and remediate cyber incidents.

Customers can select from the following new Dell SafeGuard and Response solutions to meet their unique security needs:

CrowdStrike Falcon Prevent: This next generation anti-virus (NGAV) solution uses AI and machine learning to stop malware and malware-free attacks, offering organisations enhanced protection without requiring signatures and the heavy updates that come with them

CrowdStrike Falcon Prevent and Insight: In addition to the NGAV solution, customers can advance their threat prevention capabilities with Device Control and Falcon Insight, the leading endpoint detection and response solution. This enables full visibility into endpoint threat activity and real-time remediation designed to prevent, detect and investigate incidents and stop threats

Secureworks Managed Endpoint Protection: Combined with CrowdStrike Falcon Prevent and Insight and Device Control, this offer provides customers with 24×7 managed services from Secureworks to monitor the state of endpoints for indications of threat actor activity. Secureworks’ Security Operations Centre and Counter Threat Unit will investigate events to determine severity, accuracy and context to suggest remedial actions, in turn giving organisations peace of mind around the clock

Secureworks Incident Management Retainer: In the event of a serious security incident, Secureworks will deploy its on-demand incident response specialist team who are highly skilled to respond to and mitigate a cyber incident at any time. Now, organisations with and without SOCs can have the support and expertise needed in critical times. This service can also be used to build a proactive response plan for future security incidents.

Devices and data secure 

“Organisations are faced with what may feel like an exponentially expanding threat landscape and a mixed bag of solutions to fix it,” said Brett Hansen, vice-president and general manager of client software and security solutions at Dell. “To meet the evolving needs of our customers and stay ahead of ever-evolving threats, Dell is offering organisations the tools they need to keep their devices and data secure.”

Wendy Thomas, senior vice-president of business and product strategy at Secureworks, added: “Attacker techniques are becoming more sophisticated. Customers need managed solutions that are actively guarding against threat activity. Our modern approach with Dell ensures a co-ordinated defence against cyber threats at the scale and speed required for any customer’s evolving security needs beyond the network.”

Matthew Polly, vice-president of worldwide business development and channels at CrowdStrike, concluded: “Being selected by Dell is a testament to CrowdStrike’s market leadership and the proven value of our platform. Together, we are equipping customers with a unique and compelling solution to deliver an end-to-end approach to endpoint security that effectively stops threats, while also reducing enterprise complexity and modernising threat detection and management.”

*Dell SafeGuard and Response will be available globally in March through Dell and its authorised channel partners. Additionally, the comprehensive CrowdStrike Falcon platform can also be purchased through Dell

Leave a comment

Filed under Risk Xtra, Uncategorized

360 Vision Technology and Visual Management Systems guard against cyber attacks

As more and more security systems and devices become IP networked, it’s important for security installers and end users alike to consider how their systems will be protected against the possibility of cyber attacks. Providing a solution to the concerns around cyber security and hacking, CCTV specialist 360 Vision Technology has partnered with software control provider Visual Management Systems to provide security operators with an effective solution designed to guard against IP surveillance system cyber attacks.

Without the right level of network security measures in place, system users can be left vulnerable, resulting in exposure to the type of hacking and malware attacks that have recently hit the news headlines.

A serious security breach of an IP network can lead to system inoperability and network downtime and, at worst, direct access to corporate networks for the cyber criminals.

To provide IP surveillance system installers and operators with peace of mind, when used together both 360 Vision Technology cameras and Visual Management Systems’ TITAN SECURE Physical Security Information Management system can exceed 802.1x authentication protocols and encryption to provide “the ultimate protection” for surveillance networks via the latest patent pending technology.

360VisionTechnologySSL8022C5A19E

Designed to Centre for the Protection of National Infrastructure standards, this advanced protocol and encryption technology is said to offer a “far higher level” of hacking protection.

Advanced cyber attack protection

Ultimately, security and IT managers have much to gain by implementing the security advantages of a 802.1x authenticated network. Conversely, they also have a lot to lose should they ignore the security risks involved.

“As part of our ongoing development of products and deep integration techniques, we looked closely at the vulnerabilities of current camera systems and found that expert hackers could easily take control of standard network cameras, and even those models with HTTPS certification,” explained John Downie, sales director at Visual Management Systems. “Employing 802.1x authentication at both the camera and control end using 360 Vision Technology cameras and TITAN SECURE in combination is the most effective way in which to fully secure an IP camera network.”

Mark Rees, business development director at 360 Vision Technology, added: “Designed to protect organisations against hacking and ransomware attacks, the latest 360 Vision Technology IP surveillance cameras include advanced 802.1x encryption protection. Designed and built in the UK, our high-performance camera technology offers customers proven reliability, advanced imaging performance and effective cyber security for use within any high or general level camera surveillance application.”

Leave a comment

Filed under Risk UK News

Cyber criminals “exploiting human weaknesses” to make their gains

Cyber attackers are relying more than ever on exploiting people instead of software flaws to install malware, steal credentials or confidential information and transfer funds. A study by Proofpoint found that more than 90% of malicious e-mail messages featuring nefarious URLs led users to credential phishing pages, while almost all (99%) email-based financial fraud attacks relied on human clicks rather than automated exploits to install malware.

The Human Factor Report found that business e-mail compromise (BEC) attack message volumes rose from 1% in 2015 to 42% by the end of 2016 relative to e-mails bearing banking Trojans. BEC attacks, which have cost organisations more than $5 billion worldwide, use malware-free messages to trick recipients into sending confidential information or funds to cyber criminals.

BEC is now the fastest-growing category of email-based attacks.

Clicking

“Accelerating a shift that began in 2015, cyber criminals are aggressively using attacks that depend on clicks by humans rather than vulnerable software exploits, tricking victims into carrying out the attack themselves,” said Kevin Epstein, vice-president of Proofpoint’s Threat Operations Centre.

“It’s critical for organisations to deploy advanced protection that stops attackers before they have a chance to reach potential victims. The earlier in the attack chain you can detect malicious content, the easier it is to block, contain and resolve.”

Nearly 90% of clicks on malicious URLs occur within the first 24 hours of delivery, with 25% of those clicks occurring in just ten minutes and nearly 50% within an hour. The median time-to-click (the time between arrival and click) is shortest during business hours from 8.00 am to 3.00 pm EDT in the US and Canada, a pattern that generally holds for the UK and Europe as well.

Watch your inbox closely on Thursdays. Malicious e-mail attachment message volume spikes more than 38% on Thursdays over the average weekday volume. Ransomware attackers in particular favour sending malicious messages from Tuesday through until Thursday. On the other hand, Wednesday is the peak day for banking Trojans. Point-of-Sale campaigns are sent almost exclusively on Thursday and Friday, while keyloggers and backdoors favour Mondays.

Attackers understand e-mail habits and send most e-mail messages in the four-to-five hours after the start of the business day, peaking around lunchtime. Users in the US, Canada and Australia tend to do most of their clicking during this time period, while French clicking peaks around 1.00 pm.

Swiss and German users don’t wait for lunch to click. Their clicks peak in the first hours of the working day.

UK workers pace their clicking evenly over the course of the day, with a clear drop in activity after 2.00 pm.

Leave a comment

Filed under Risk UK News

“Watering hole-style cyber attacks on the rise” warns High-Tech Bridge

On Sunday 12 February, security firm Symantec released an analysis of a new wave of attacks that has been underway since at least October 2016 and came to light when a bank in Poland discovered previously unknown malware running on a number of its computers.

The bank then shared indicators of compromise with other institutions and a number of those other organisations confirmed that they too had been compromised.

These ‘watering hole’ attacks attempted to infect more than 100 organisations in 31 different countries.

Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico have been blocked, 11 against computers in Uruguay and two against computers in Poland.

wateringholecyberattack

Preliminary investigations suggested that the starting point for the Polish infection could have been located on the web server of Poland’s financial sector regulatory body, namely the Polish Financial Supervision Authority (www.knf.gov.pl).

Commenting on this news, Ilia Kolochenko (CEO of High-Tech Bridge) said: “We should expect that cyber criminals will find more creative and reliable ways to compromise their victims. Trustworthy websites, such as governmental ones, represent great value for cyber criminals, even if they don’t host any sensitive or confidential data.”

Kolochenko continued: “In the past, hackers used one-off or garbage websites to host malware, but as corporate users become more educated and vigilant, attackers need to find more reliable avenues to deliver malware and enter corporate networks. That’s why Gartner, as well as other independent research companies, continuously say that the risk posed to corporate web applications is very high and seriously underestimated. Spear phishing and watering hole attacks against high-profile websites will grow significantly in the near future.”

Leave a comment

Filed under Risk UK News, Uncategorized

30% of NHS Trusts have experienced a ransomware attack” finds SentinelOne

30% of NHS Trusts in the UK have experienced a ransomware attack, potentially placing patient data and lives at risk. One Trust – the Imperial College Healthcare NHS Trust – admitted to being attacked 19 times in just 12 months. These are the findings of a Freedom of Information (FoI) request submitted by SentinelOne.

The Ransomware Research Data Summary explains that SentinelOne made FoI requests to 129 NHS Trusts, of which 94 responded. Three Trusts refused to answer, claiming their response could damage commercial interests. All but two Trusts – Surrey and Sussex and University College London Hospitals – have invested in anti-virus security software on their endpoint devices to protect them from malware.

Despite installing a McAfee solution, Leeds Teaching Hospital has apparently suffered five attacks in the past year.

No Trusts reported paying a ransom or informed law enforcement of the attacks: all preferred to deal with the attacks internally.

Ransomware which encrypts data and demands a ransom to decrypt it has been affecting US hospitals for a while now. The Hollywood Presbyterian Medical Center in Los Angeles notoriously paid cyber criminals £12,000 last February after being infected by Locky, one of the most prolific ransomware variants.

nhstrustsransomware

With the infected computers or networks becoming unusable until a ransom has been paid* or the data has been recovered, it’s clear to see why these types of attack can be a concern for business continuity professionals, with the latest Horizon Scan Report published by the Business Continuity Institute highlighting cyber attacks as the prime concern. This is a very good reason why cyber resilience has been chosen as the theme for Business Continuity Awareness Week in 2017.

“These results are far from surprising,” said Tony Rowan, chief security consultant at SentinelOne. “Public sector organisations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short changed when it comes to security basics like regular software patching. The results highlight the fact that old school AV technology is powerless to halt virulent, mutating forms of malware like ransomware. A new and more dynamic approach to endpoint protection is needed.”

Rowan continued: “In the past, some NHS Trusts have been singled out by the Information Commissioner’s Office for their poor record on data breaches. With the growth of connected devices like kidney dialysis machines and heart monitors, there’s even a chance that poor security practices could put lives at risk.”

*Note that the data isn’t always recovered even after a ransom has been paid

Leave a comment

Filed under Risk UK News, Uncategorized

Serco invests in cyber security technology for global network

Serco has invested in a new network security system from Chemring Technology Solutions. Perception will be rolled out across Serco’s operations in the UK, the USA, the Middle East and Australia.

 

Originally developed for the UK Government back in 2011, Perception is the world’s first bio-inspired network security solution, which will complement Serco’s existing computer network security systems by identifying the potential threats they cannot.

 

Mark Henshaw, head of information security for Serco Group, explained: “I’m extremely impressed with Perception as it very effectively fills the gap that has developed between traditional network security tools and the expanding threat landscape as we see increasingly sophisticated malware and blended advanced threats.”

 

Henshaw added: “Perception sold itself as it’s a powerful tool that identifies apparently benign events which could seriously impact Serco. It’s proving to be simple to implement and has demonstrated value in a very short time by identifying malware, policy violation, suspicious data movement, device configuration issues and pointers to areas where awareness training should be increased. Many of the issues identified were subtle in nature and not picked up by our current network security systems.”

PerceptionSensor

 

Unlike other cyber security solutions, Perception is behavioural with no rigid rules-based architecture. Perception adapts to the network’s changing profile, automatically identifying malicious activity and making it more difficult for malware to evade detection. It will also detect the slow, unauthorised exfiltration of business information even when obfuscation techniques are used to evade traditional rule-based security defences.

 

Perception runs at high data rates at the core of a network rather than at the perimeter. Targeted, complex logic performs in-depth analysis and classification, avoiding the high false alarm rates usually experienced with anomaly detection systems.

 

“Serco supported Chemring Technology Solutions during Beta tests of Perception,” concluded Henshaw, “and we were particularly impressed by how different it is from traditional network security systems that rely on pattern matching. Perception collects and analyses information in a different way by looking for the unusual and linking apparently non-threatening network activity to identify hidden malware.”

Leave a comment

Filed under Risk UK News, Uncategorized

“Faster response times needed to combat cyber threat” finds BCI survey

Two thirds of respondents to a global survey carried out by the Business Continuity Institute report that they had experienced at least one cyber incident during the previous twelve months, while 15% stated they had experienced at least ten incidents during the same period.

The frequency of these cyber incidents demonstrates exactly why it’s so important for organisations to have plans in place to mitigate them or otherwise lessen their impact.

The Cyber Resilience Report, conducted by the BCI and sponsored by Crises Control, found that there was a wide range of response times for cyber incidents. Almost a third of organisations (31%) stated that they responded within one hour. However, one fifth (19%) take a worrying four hours or more in responding to a cyber event, while almost half (44%) take more than two hours to respond. This has clear implications for the time taken to return to business as usual, and the ultimate cost of the incident to the host organisation.

IntelligenceLedSecurity2

Even if businesses wish to respond immediately to a cyber attack, the nature of the attack may render them unable to do so. The research finds that phishing and social engineering are the top causes of cyber disruption, with over 60% of companies reporting being hit by such an incident over the past 12 months and 37% attacked by way of spear phishing.

The BCI has discovered that 45% of companies were hit by a malware attack and 24% by a Distributed Denial of Service episode. All these forms of attack will, in different ways, render an organisation’s own network either contaminated or inoperable. Their website may have been taken down and they may well have to switch off their Internet connection until they can secure themselves from further attack.

A detailed study of 369 business continuity and resilience professionals from across the world, the research also reveals that the costs of these incidents varied greatly, with 73% reporting total costs over the year of less than €50,000, but 6% reporting annual costs of more than €500,000.

David James-Brown FBCI, chairman of the BCI, commented: “This piece of research is one of the most timely, insightful and relevant the BCI has ever produced. Cyber attacks tend to target the weakest links of an organisation. That calls for a greater awareness of cyber crime. As the cyber threat evolves, it’s crucial to stay on top of it, building long-term initiatives and regularly updating recovery plans.”

Rickie Sehgal, chairman of Crises Control, added: “Rapid communication with employees, customers and suppliers is vital for any company in terms of responding effectively to a major business disruption event such as a cyber attack. When your business is at risk, even a one-hour delay in responding to an incident can be too long. Taking more than two hours to respond, as almost half of companies appear to do, is simply unacceptable.”

Leave a comment

Filed under Risk UK News, Uncategorized