
Ransomware encounters declined by 60% in 2018: Microsoft report

Machine learning is reducing the risk from phishing attacks, but the number of such attacks is still rising, finds the 24th edition of the Microsoft Security Intelligence Report (SIR).

Microsoft analyzes over 6.5 trillion security signals every day to get a wide and unique perspective on the latest trends in the cybersecurity arena. The company has been releasing the Security Intelligence Report for more than a decade now to share its expert insights with enterprises.

This year's SIR reflects on security events in 2018, including an overview of the security landscape, lessons learned from it, and best practices that need to be followed. Cybersecurity trends in 2018 included a rise in cryptocurrency mining and supply chain compromises, a decline in ransomware, and more.

Attackers are increasingly mining cryptocurrency in the background on users' systems, without their permission or knowledge. This activity consumes significant bandwidth and exposes users to security risks.

With that said, let's take a deep dive into the key findings of Microsoft's latest security report.

Key takeaways from Microsoft Security Intelligence Report:

1. Ransomware encounters declined significantly in 2018

Ransomware attacks like WannaCrypt and Petya were the biggest security events in 2017. Such attacks lock or encrypt computers and then demand money from users to restore access. It was anticipated that ransomware attacks would increase in the future.

However, the latest report says that ransomware encounter rates have declined by around 60% between March 2017 and December 2018.

The main reason behind this decline is improved detection and education among enterprises. This made it harder for cybercriminals to achieve what they intended.

(Image: ransomware encounter rate in 2018)

Highest ransomware encounter rate:

The highest average ransomware encounter rates per month were found in Ethiopia (0.77%), followed by Mongolia (0.46%), Cameroon (0.41%), Myanmar (0.33%), and Venezuela (0.31%).

Lowest ransomware encounter rate:

On the other hand, the lowest ransomware encounter rates per month were found in Ireland (0.01%), Japan (0.01%), the United States (0.02%), the United Kingdom (0.02%), and Sweden (0.02%).

2. Cryptocurrency mining is becoming prevalent

As cybercriminals found it harder to conduct ransomware attacks, they shifted their efforts to cryptocurrency mining, which is increasing as a result.

While the average ransomware encounter rate in 2018 was just 0.05%, the average cryptocurrency coin mining encounter rate was 0.12%.

Cryptocurrencies like Bitcoin and Ethereum work as digital money and can be used anonymously. However, minting new coins requires resource-intensive calculations. While new cryptocurrency coins are released very frequently these days, the calculations are becoming more difficult.

Mining top cryptocurrencies like Bitcoin is almost impossible without access to immense computing resources. As a result, cybercriminals have turned to malware that gives them access to victims' computers, which they then use to mine coins. This way, they can leverage the processing power of hundreds of thousands of computers rather than one or two.

Highest cryptocurrency mining encounter rate:

Ethiopia (5.58%), Tanzania (1.83%), Pakistan (1.47%), Kazakhstan (1.24%), and Zambia (1.13%) are the five locations with the highest cryptocurrency coin mining encounter rates in 2018.

Lowest cryptocurrency mining encounter rate:

The lowest average monthly coin mining encounter rate was approx. 0.02% in 2018. Ireland, Japan, the US, and China were the locations with the lowest rates during the period.

3. Browser-based cryptocurrency mining comes onto the scene

Typically, cryptocurrency miners are installed on victims' computers in the form of malware. But a new kind of threat has come onto the scene, where the miner runs entirely within the web browser and doesn't need to be installed on the computer.

Cybercriminals are offering a number of services that promise website owners a way to monetize traffic to their websites without the need for advertising. Site owners are asked to add JavaScript code to their web pages, and this code mines cryptocurrency in the background. When a website is compromised, attackers can take advantage of the users who visit it.

These browser-based cryptocurrency miners don't need to compromise the computers themselves. Such miners can degrade computer performance and waste electricity while users browse the affected websites.

According to the report, Brocoiner was the most prevalent browser-based cryptocurrency miner in 2018.

(Image: Brocoiner encounter rate)

4. Software supply chains are at risk

Attackers try to compromise the development or update process of legitimate software to gain access to the software and systems of the people who use it.

By injecting malicious code into the software, attackers gain the same trust and permissions as the software itself. This has become a primary concern for IT leaders, as these attacks are increasing and can leave enterprise IT departments vulnerable.

(Image: software supply chain at risk)

For example, the first major software supply chain attack of 2018 was found in March. Microsoft's Windows Defender ATP blocked a massive campaign that was delivering the Dofoil trojan, also called Smoke Loader.

The attackers had replaced an application's update package with malicious code. The trojan carried a coin mining payload and exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods.

Windows Defender Antivirus blocked over 400k infection attempts in the first 12 hours of the campaign.


5. Email phishing is still a preferred attack method

Office 365 is the most popular enterprise productivity suite available. Microsoft said that it analyzes over 470 billion email messages per month for phishing and malware. In 2018, phishing messages in inbound emails increased by 250%.

This shows that email phishing is still one of the most preferred attack methods for cybercriminals. Microsoft is rapidly strengthening email security with anti-phishing protection, detection, and investigation. But since email involves human decisions and judgement, it is difficult to get rid of phishing completely.

(Image: email phishing in 2018)


Email phishing lures can come in these forms:

  • Domain spoofing: the email message domain is an exact match with the original domain name.
  • Domain impersonation: the email message domain is a lookalike of the original domain name.
  • User impersonation: the email message appears to come from someone you trust.
  • Credential phishing links: the email message contains a link to a page that resembles a login page for a legitimate site, so that users will enter their login credentials.
  • Phishing attachments: the email message contains a malicious file attachment that the sender entices the victim to open.
  • Links to fake cloud storage locations: the email message appears to come from a legitimate source and entices the user to grant permission and/or enter personal information such as credentials in exchange for access to a fake cloud storage location.
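The lure types listed above can be screened mechanically on the receiving side. The Python below is an added example written for this page, not code from Microsoft or the SIR: it classifies a sender as domain spoofing (exact domain match but SPF and DKIM both fail), domain impersonation (a homoglyph or near-match domain, or the trusted name buried as a subdomain of another domain), or user impersonation (a known display name paired with a foreign address), and it flags credential-phishing links and risky attachments. The domain `example.com`, the directory entry, the sample messages and the small homoglyph table are all constructed assumptions; a production filter would use a public-suffix list and far larger lookalike tables.

```python
"""Triage of email phishing lures over constructed messages (added example)."""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"   # constructed: the organisation's own domain
RISKY_SUFFIXES = (".exe", ".js", ".vbs", ".scr", ".lnk", ".iso", ".docm", ".xlsm")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)


def normalise(label):
    """Undo common homoglyph tricks so 'examp1e' and 'exarnple' compare equal to 'example'."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("013456", "oleasb"))


def registrable(host):
    """Crude registrable domain: the last two labels (assumption: no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_sender(from_header, spf_pass, dkim_pass, trusted=TRUSTED_DOMAIN, known_people=None):
    """Map a From: header plus authentication results to one of the lure types."""
    display, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    if not at or not domain:
        return "malformed sender"
    domain = domain.lower()
    base = registrable(domain)
    if base == trusted:
        # Exact-match domain: only authentication separates real mail from spoofing.
        return "legitimate" if (spf_pass or dkim_pass) else "domain spoofing"
    t_label, b_label = trusted.split(".")[0], base.split(".")[0]
    lookalike = (normalise(b_label) == normalise(t_label)
                 or SequenceMatcher(None, b_label, t_label).ratio() >= 0.8
                 or t_label in domain.split(".")[:-2])   # e.g. example.com.evil.net
    if lookalike:
        return "domain impersonation"
    expected = (known_people or {}).get(display.strip().lower())
    if expected and expected.lower() != addr.lower():
        return "user impersonation"
    return "external"


def credential_phishing_links(html, trusted=TRUSTED_DOMAIN):
    """Links whose visible text names one domain while the href goes elsewhere,
    or that point a login-style path at a domain we do not own."""
    flagged = []
    for href, text in ANCHOR_RE.findall(html):
        target = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(0)) != target:
            flagged.append(href)
        elif target != trusted and re.search(r"log-?in|sign-?in|verify|password", href, re.I):
            flagged.append(href)
    return flagged


def risky_attachments(filenames):
    """Attachments with executable or macro-bearing suffixes (catches invoice.pdf.exe too)."""
    return [f for f in filenames if f.lower().endswith(RISKY_SUFFIXES)]


def triage(msg, trusted=TRUSTED_DOMAIN, known_people=None):
    """Return the sorted set of lure types found in one constructed message dict."""
    lures = set()
    verdict = classify_sender(msg["from"], msg["spf"], msg["dkim"], trusted, known_people)
    if verdict not in ("legitimate", "external"):
        lures.add(verdict)
    if credential_phishing_links(msg.get("html", ""), trusted):
        lures.add("credential phishing link")
    if risky_attachments(msg.get("attachments", [])):
        lures.add("phishing attachment")
    return sorted(lures)


# Constructed sample messages (not real mail), one per lure type plus a clean one.
SAMPLES = {
    "spoof": {"from": "Accounts <billing@example.com>", "spf": False, "dkim": False},
    "lookalike": {"from": "IT Help <help@examp1e.com>", "spf": True, "dkim": True,
                  "html": '<a href="http://portal.examp1e.com/login">https://example.com/login</a>'},
    "exec": {"from": "Jane Doe <jane.doe@gmail.com>", "spf": True, "dkim": True,
             "attachments": ["invoice.pdf.exe"]},
    "clean": {"from": "Jane Doe <jane.doe@example.com>", "spf": True, "dkim": True,
              "html": '<a href="https://example.com/docs">documentation</a>'},
}
KNOWN_PEOPLE = {"jane doe": "jane.doe@example.com"}   # constructed directory entry


def triage_all():
    return {name: triage(msg, known_people=KNOWN_PEOPLE) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, lures in triage_all().items():
        print(f"{name:10s} -> {lures or ['no lure detected']}")
```

Run it directly to print a verdict per sample. The order of checks matters: an exact-domain match is decided purely by the authentication results, since a lookalike test can never fire for it, and the lookalike test runs before the display-name test so that an impersonated domain is reported as such rather than as user impersonation.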

For the full Microsoft Security Intelligence Report (SIR), click here. Microsoft has also created an interactive website that lets users dig into data specific to their regions.


400 million unique malware samples detected globally in Q2 2018: Comodo Global Threat Report

In the second quarter of 2018, the leading cybersecurity firm Comodo detected more than 400 million unique malware samples across the top-level domains of 237 countries. In its Global Threat Report, the firm distinguished the types of malware and their impact around the world.

The types of malware included computer worms, high threat malware, medium threat malware, and low threat malware.

Computer worms are similar to viruses, but they travel autonomously across the internet, exploiting computers with a malicious payload. They can drain local system resources, consume high bandwidth, and cause denial of service. Comodo placed computer worms in a special category named Strategic Threat because of their ability to travel quickly across the internet and infect many devices at a time.


The highest numbers of worm infections were found in Russia, Turkey and India, whereas the highest number of backdoors was detected in the United Kingdom, according to Comodo's Global Threat Report Q2 2018.

High-threat malware includes backdoors, viruses, trojans and exploits. It is a more localized threat than worms because it requires user interaction for propagation and installation.


Medium-threat malware is somewhat rarer but more exotic, and can include constructors, email flooders, virtual tools, jokes, and malware packers. Low-threat malware covers a range of malicious functionality detected within unwanted and unsafe apps.

In its quarterly reports, Comodo presents the threat findings and analysis, highlights the pervasive malware and cyberattacks, and analyzes the malware patterns focusing on specific industries and geographies.


Key findings of the Global Threat Report by Comodo:

  • Trojans top the list of malware

A sudden shift in the malware landscape was detected in Q2 2018. Trojans, malware programs that pretend to be genuine applications, spread the most during the quarter, accounting for more than half of all malware.

Trojans create backdoors in systems that allow attackers to steal data, implant ransomware, adware and crypto-miners, and even crash entire systems. The owners of systems infected by trojans often remain unaware of the attack for a long time.

Attackers can also disrupt the performance of a computer or a network of computers. As a result, enterprises face major attacks in which malware stays hidden in their systems with long-term activity.

(Image: malware distribution by type)

Of all the trojans, TrojWare.Win.32.Injector was found to be the most widespread. Attackers spread this trojan through a fake email imitating a message from a shipping and trading company. It could steal credentials and personal data from browsers, email clients, FTP clients, WebDAV, and SCP clients.

“Trojans have always been a prevalent and dangerous threat, but their evolution in Q2 is particularly interesting as they are now able to hide for longer periods of time and persist despite the efforts of some of the most efficient AV solutions on the market,” commented VP of Comodo Cybersecurity Threat Research Labs, Fatih Orhan. “Q2 has by far displayed the most sophisticated variants of Trojan malware we have ever discovered.”

  • Cryptominers becoming multifunctional malware

Researchers at Comodo found a decrease in the number of cryptominers; however, their capabilities have become more harmful. Cryptominers have become more developed in terms of better hiding and stronger persistence.

Earlier, cryptominers used infected systems' resources to mine cryptocurrency on behalf of attackers. Since most cryptominers consumed CPU resources rather than stealing or destroying data like other malware, many users didn't consider them particularly dangerous.

But the situation has changed. Comodo malware analysts detected new samples of cryptominers with more harmful capabilities beyond cryptomining.

The new samples could hide and fight the anti-malware services, kill competing cryptominers, camouflage themselves, and even crash the entire system.

For example, the WinstarNssmMiner cryptominer steals computer resources to mine cryptocurrency for cybercriminals. It comes with a special feature that roots it so deeply into the system that nobody can remove it. If users try to kill WinstarNssmMiner, it crashes the target system entirely.

  • Android malware spying on users, stealing confidential data

Cybercriminals and malware creators are increasingly targeting Android devices. Android users not only store personal data on their smartphones but also use them for most of their financial transactions.

Apart from targeting financial transactions, cybercriminals spy on the device owner to steal confidential information, which they use to blackmail the user. And if the owner of the attacked device is a politician, a CEO or another VIP, they sell the content to interested parties for huge sums or blackmail them.

Comodo reported that spying on users has become the number one purpose of Android malware. Analysts found several kinds of spying tools in the second quarter that infect mobile devices and extract data from them.

Among the Android malware families, a very dangerous one detected by Comodo is KevDroid, which is distributed in three versions.

The first version, the Naver Defender application, enters a device and resides there without showing an icon on the launcher screen. It can steal names, phone numbers, contacts, account details, and email addresses, and it reads call logs, emails, and contacts' photos.

It also records phone calls and gathers information about installed applications, running services, and the launcher name. KevDroid then encrypts the extracted data and sends it to the attackers' server.

The second version, Netease Defender, can control the camera on an Android device. It records all of the users' activities and sends the video to the attackers' server. The third version lists the files on the device, collects web browser history, and gathers additional device information.

Android users think they are safe if they download apps from the Google Play Store, but this is a wrong assumption. This year, spyware called Desert Scorpion was found spreading through official Google Play Services. It was camouflaged as a chat app called Dardesh Instant App.


Wrapping up:

The new cybersecurity trends show not only an increase in malware around the world but also that malware is becoming more cunning in its delivery methods. Such malware can't be easily tracked using anti-virus software.

Further, mobile devices are becoming appealing to attackers because they contain several types of valuable information but are not secured as well as desktop systems.

These trends promise a big impact on IT end users and the cybersecurity market, forcing IT security departments and cybersecurity providers to revamp their security measures and strategies.

Download the full Global Threat Report Q2 2018 here.

Images source: Comodo


Cryptojacking becoming a serious emerging threat to businesses: Cloud Security Trends report

Around 25% of organizations experienced cryptojacking activity in their cloud environments in 2018, up from just 8% in the last quarter, according to the Cloud Security Trends report by RedLock.

RedLock’s Cloud Security Intelligence (CSI) team published the report to shed light on the cloud security trends in 2018.

  • Cryptojacking becoming mainstream

The report highlighted that cryptojacking, a cyber-attack in which hackers hijack a target's processing power to mine cryptocurrency, is becoming a serious emerging threat to businesses.

Organizations are aware of attacks against the cloud and use several practices to prevent them, but attack vectors are still on the rise. Cryptojacking more than tripled this year.

Cryptocurrency mining requires a lot of computing power, and hence attackers are stealing cloud computing resources to mine it. The CSI team found that some attackers were using advanced evasion techniques for cryptojacking.

  • Majority of resources do not restrict outbound traffic

85% of organizations' resources associated with security groups had no firewall restrictions on outbound traffic, up from 80% a year before. This could lead to accidental data loss and to data exfiltration in data breach incidents.

RedLock suggested that organizations implement a 'deny all' default firewall policy, monitor network traffic to identify suspicious activity, and also monitor user activity for abnormal behavior.

  • 43% of access keys not rotated in last 90 days

Another key finding of the report was that 43% of organizations had not changed their access keys and credentials in the last 90 days. This is a big concern because, despite past incidents such as leaked credentials in GitHub repositories, a majority of organizations left themselves open to attack.

Around 17% of organizations suffered potential account compromises, and 51% publicly exposed one or more cloud storage services.

  • 20% organizations allowing root user activities

A positive finding of the report was that only 20% of organizations allowed the root user account to be used for performing activities, down from 73% last year. Root user accounts should not be used for regular operations; multi-factor authentication should be enforced on them, and they should be monitored for any suspicious behavior.

  • 49% of databases not encrypted

With the growing trend to encrypt databases because of regulations like GDPR (General Data Protection Regulation), database encryption has increased. Last year, 82% of databases were found unencrypted; this has now fallen to 49%.

The CSI team further revealed that 24% of organizations had hosts in the public cloud missing critical patches, leaving those hosts vulnerable to suspicious traffic from the internet.
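The findings above (unrestricted outbound rules, keys not rotated in 90 days, root-account use without MFA, unencrypted databases, unpatched public hosts) are all things an organization can check in its own inventory. The Python below is an added example for this page, not RedLock's code or any cloud provider's API: it runs those checks over a constructed inventory whose field names are this example's own assumptions, and expresses a result as a percentage the way the report does. The empty egress list on `sg-batch` is what a 'deny all' default policy looks like in this shape: nothing leaves unless a rule explicitly allows it.

```python
"""Cloud posture checks mirroring the report's findings, over a constructed inventory (added example)."""
from datetime import date, timedelta
from ipaddress import ip_network

KEY_MAX_AGE = timedelta(days=90)        # the report's rotation threshold
AUDIT_DATE = date(2018, 12, 1)          # constructed audit date

# Constructed inventory in a generic shape; field names are this example's own, not any provider's.
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "egress": [{"cidr": "0.0.0.0/0", "ports": "all"}]},   # wide open
        {"id": "sg-db", "egress": [{"cidr": "10.0.0.0/8", "ports": "443"}]},   # scoped allow
        {"id": "sg-batch", "egress": []},                                      # deny-all default
    ],
    "access_keys": [
        {"user": "ci-deploy", "created": "2018-01-15", "active": True},
        {"user": "analyst", "created": "2018-10-15", "active": True},
        {"user": "old-contractor", "created": "2017-06-30", "active": False},
    ],
    "root_account": {"mfa_enabled": False, "last_used": "2018-10-02"},
    "databases": [
        {"id": "orders", "encrypted": True},
        {"id": "reports", "encrypted": False},
    ],
    "hosts": [
        {"id": "web-1", "public": True, "missing_critical_patches": 3},
        {"id": "web-2", "public": True, "missing_critical_patches": 0},
    ],
}


def unrestricted_egress(groups):
    """Security groups with an outbound rule allowing any destination on any port."""
    bad = []
    for group in groups:
        for rule in group["egress"]:
            if ip_network(rule["cidr"]).prefixlen == 0 and rule["ports"] == "all":  # 0.0.0.0/0 or ::/0
                bad.append(group["id"])
                break
    return bad


def stale_keys(keys, today, max_age=KEY_MAX_AGE):
    """Active access keys older than max_age; disabled keys are out of scope."""
    return [k["user"] for k in keys
            if k["active"] and today - date.fromisoformat(k["created"]) > max_age]


def root_findings(root, today, recent=timedelta(days=90)):
    """Root account without MFA, or used recently enough to count as day-to-day use."""
    findings = []
    if not root["mfa_enabled"]:
        findings.append("root account has no MFA")
    if root.get("last_used") and today - date.fromisoformat(root["last_used"]) <= recent:
        findings.append("root account used for day-to-day activity")
    return findings


def unencrypted_databases(dbs):
    return [d["id"] for d in dbs if not d["encrypted"]]


def unpatched_public_hosts(hosts):
    return [h["id"] for h in hosts if h["public"] and h["missing_critical_patches"] > 0]


def audit(inv, today):
    """Collect every finding as (check, resource or message) pairs."""
    report = []
    report += [("unrestricted egress", sg) for sg in unrestricted_egress(inv["security_groups"])]
    report += [("access key not rotated in 90 days", u) for u in stale_keys(inv["access_keys"], today)]
    report += [("root account", f) for f in root_findings(inv["root_account"], today)]
    report += [("database not encrypted", d) for d in unencrypted_databases(inv["databases"])]
    report += [("public host missing critical patches", h) for h in unpatched_public_hosts(inv["hosts"])]
    return report


def share(subset, population):
    """Whole-number percentage of a population affected, as the report states its findings."""
    return round(100 * len(subset) / len(population)) if population else 0


if __name__ == "__main__":
    for check, what in audit(INVENTORY, AUDIT_DATE):
        print(f"[{check}] {what}")
    groups = INVENTORY["security_groups"]
    print(f"{share(unrestricted_egress(groups), groups)}% of security groups allow any outbound traffic")
```

Each check returns the offending resource identifiers rather than printing them, so the same functions can feed a ticketing system or a periodic report; the thresholds (90 days for key age and for "recent" root use) are the only tunables and are deliberately the report's own numbers.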


“We understand why there might be fatigue with endless reports on IT infrastructures that lack adequate security, and there are signs that corporations are stepping up initiatives to minimize vulnerabilities, but there’s definitely more to do,” said Gaurav Kumar, CTO of RedLock and head of the CSI team. “That’s why this report not only shines a light on emerging dangers but also offers concrete advice on how best to ward off attacks. Cloud computing environments bring tremendous flexibility and great economies of scale, but those advantages are meaningless without top-level security. This is a constant and shared responsibility.”