2017 has proved to be a lucrative year for cybercrime. Prominent malware and attack methods continue to evolve at a frightening pace, creatively bypassing existing security solutions. 2017 is shedding light on a new trend – simple, yet highly effective malware families are causing rapid destruction globally.

So far, in 2017 cyber-attacks are occurring at a higher frequency than previous years. Recent infiltrations have demonstrated the agility, scale and persistence of an attack that criminals are capable of executing. All regions have suffered from these large-scale attacks, reinforcing the need for proactive solutions. Massive attack campaigns such as WannaCry and NotPetya showcase the nature of today’s threat landscape.

Now-a-days the goal of attackers is to find as many targets as they can to infect maximum systems and organizations. Small to medium sized businesses are highly targeted since they do not have resources, financially or otherwise to prepare for potential ransomware threats. Attackers are now trying newer methods by which they can easily get into the systems and infect as many systems as possible.

The sophistication of the 2017 attackers does not stop at variating the vectors and surfaces, but also in the payload itself and its delivery method. Attackers have come up with a brand-new method of attack exploitation where a mouse hover over malicious hyper-links and images in a Power Point presentation (without actually clicking on it) is enough to get infected.[1]

Current Malware Trends:

  1. Click-less infection

More and more organizations are providing security awareness training, so now users are aware about the common threats and they make sure not to click on suspicious links. As a result, attackers now don’t rely on tricking users to launch successful infections. Two thirds of ransomware infections in Q1 2017 were delivered via Remote Desktop Protocol (RDP). Attackers also used Brute forcing authenticating credentials on network services. E.g. WannaCry

 

  1. Living off the land

Instead of crafting a new software with malicious code, attackers are now targeting local software utilities like administrative utilities or scripting utilities such as PowerShell, Macros. Attackers avoid dropping malicious files on disk which could bypass machine learning, file scanning solutions as well as whitelisting or blacklisting. E.g. NotPetya

 

  1. Worm capabilities

Attackers are now focusing on creating malwares which have capacity to spread laterally like a worm which could infect larger number of systems inside the organization. Just one infected device could compromise entire network. E.g. Emotet, QakBot, and TrickBot banking trojans.

 

  1. File-less Malware

With recent research from Kaspersky Labs, it was discovered that file-less malware was present in the systems of over 140 organizations in 40 countries. What made these programs particularly unique is that they were hiding in memory, such as your computer’s RAM, and not on hard drives, so they were much more difficult to detect than traditional malware files. The key with these types of attacks is that although they can be discovered by traditional security solutions if they are located in a computer’s RAM, for instance, hackers have targeted forms of memory that are used or accessed less frequently such as registry files and .dll files, where the malware can lie in, wait and steal data, making them much more difficult to find and much more dangerous.

 

  1. Hybrid Attacks

Attackers are now developing some form of malware delivery that is grouped together with a DDoS (distributed denial of service) attack. When both of these attack methods are launched in tandem, most resources will go toward getting a website, service, or application back online while the ransomware or other form of malware goes at least temporarily undetected and can do some damage. But things are about to get worse, because these types of attacks are going to pull—and indeed have already started pulling—IoT (Internet of Things) devices into the mix for greater impact and reach.

 

One example of such malware is BrickerBot. It is launched from compromised routers and wireless access points against other Linux-based devices. The malware attempts to authenticate with common username and password combinations on devices that have the Telnet service running and are exposed to the internet. If successful, it launches a series of destructive commands intended to overwrite data from the device’s mounted partitions. It also attempts to kill the internet connection and render the device unusable.

 

  1. Socially Engineered Malware

An end-user is somehow tricked into running a Trojan horse program, often from a website they trust and visit often. The otherwise innocent website is temporarily compromised to deliver malware instead of the normal website coding. The maligned website tells the user to install some new piece of software in order to access the website, run fake antivirus software, or run some other “critical” piece of software that is unnecessary and malicious. The user is often instructed to click past any security warnings emanating from their browser or operating system and to disable any pesky defences that might get in the way. Sometimes the Trojan program pretends to do something legitimate and other times it fades away into the background to start doing its rogue actions.

 

Contributing factors for new malware trends:

  1. Advanced tools falling into the hands of attackers

Attackers behind the WannaCry ransomware used the data from Shadow brokers leak of NSA exploits in April, including EternalBlue (CVE-2017-0144) and DoublePulsar (CVE-2017-0143). Perhaps the most worrisome new trend is “nation-state level malware” for the masses – as these leaked sophisticated capabilities can now haunt virtually everyone, rather than the selected strategic targets they were initially designed for.

 

  1. Success of WannaCry and NotPetya ransomwares

Looking at the success of WannaCry and NotPetya ransomwares and the amount of money involved, attackers are now developing newer variations of ransomware which are built on the lines of WannaCry ransomware’s worm capability.

 

Why the organizations are not able to protect against the malware?

  1. Ineffective protection
  • Traditional protection does not work against exploits and file-less attacks.
  • Next-gen protection forces compromise between protection and false positives.

 

  1. Complex management
  • Extensive setup requires professional services and high ongoing management cost.

 

  1. False positives
  • Disrupts device owner productivity
  • Costly for IT to manage

 

 

Counter measures

  1. Analyse attributes and behaviours at runtime to stop attacks.
  2. Identify malicious activities at the CPU level.
  3. Deploy machine learning techniques to predict prevent and stop malware and cyber-attacks. It includes scanning and monitoring running processes to protect devices from file-less malware.
  4. Secure SMB and RDP services.
  5. Patch what you can and isolate what you can’t.
  6. Deploy endpoint security with exploit and behavioural based protection.
  7. Disable tools and commands you don’t actively need.
  8. Social engineered malware programs are best handled through ongoing end-user education that covers today’s threats.

 

Even with massive outbreaks such as WannaCry and NotPetya making global news, most organizations continue to rely on a strategy of detection and response after an attack has occurred rather than prevention. Many of these prominent attacks use known malware variants that could easily have been blocked had the proper security been implemented before the attack had occurred. To stay one step ahead of cybercriminals, organizations should remain attuned to the ever-changing threat landscape.

The frequency of cyberattacks impacting small- and mid-sized businesses has reached a level we have never seen before. Many of these businesses cannot afford the impact of one breach, and have limited internal IT staff to help manage their security programs.

However even the sophisticated attacks could have been prevented, had enterprises utilized solutions that are available on the shelf today, such as network micro-segmentation, threat emulation and extraction and endpoint security.

By understanding emerging threats and implementing the latest prevention technologies, organizations can create a solid cyber security defensive posture.

With ever-greater frequency, new security threats arise that either didn’t exist previously or are more sophisticated versions of older types of attacks and now have a better shot at getting past existing security measures. There is no doubt that companies are continually playing catch-up with hackers and other bad actors, which means that security vendors are having to ramp up their efforts in turn against ever-evolving threats. But let’s face facts: no matter what solutions these vendors make available, there will always be another uncovered vulnerability, another hole in the general security fabric that attackers find a way to exploit.

 

References:

  1. https://research.checkpoint.com/cyber-attack-trends-mid-year-report/
  2. https://www.cybertrend.com/article/24143/digital-threat-landscape-2017
  3. https://www.brighttalk.com/webcast/15821/273837?utm_campaign=child-community-webcasts-feed&utm_content=IT%20Security&utm_source=brighttalk-portal&utm_medium=web
  4. https://qz.com/1003250/this-malware-activates-when-you-hover-over-a-link-in-microsoft-powerpoint/
  5. http://www.zdnet.com/article/microsoft-office-malware-banking-trojan-downloads-if-you-hover-over-powerpoint-hyperlink/
  6. https://www.csoonline.com/article/3188429/security/iot-malware-starts-showing-destructive-behavior.html
  7. https://www.cylance.com/content/dam/cylance/pdfs/business-brief/Fileless_Malware_Business_Brief.pdf

[1] The malware is built to steal credentials such as banking information and is capable of persistence remote access, network traffic monitoring and browser manipulation. This new method doesn’t require macros, but rather abuses a hover action in PowerPoint slide show mode to install malware. If the recipient opens the PowerPoint file and hovers over hyperlinked text in the document, it will run a PowerShell command that connects to a malicious domain and downloads malware files.

According to Trend Micro, the malware was first used in a spam campaign in France in 2015, where spammed messages were masqueraded as a letter from the French ministry of Justice. Hackers distributed the PowerPoint files using typical spamming methods, sending emails designed to look legitimate to unsuspecting users, targeting industries that include manufacturing, device fabrication, education, logistics, and pyrotechnics. The users have to open the PowerPoint files to become infected by the malware—though don’t have to do anything besides hover over the links to activate it.

 

Article by: Vaibhav Shah, Team CyberSecurity, Arrka