[BreachExchange] Trickle Down Cybercrime

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 18 19:21:30 EDT 2016


http://www.information-management.com/news/security/trickle-down-cybercrime-10030022-1.html

October is National Cyber Security Awareness Month, and this week’s theme,
cybercrime, is particularly apt with the holiday shopping season getting
underway. Cybercrime is the fastest growing economic crime, jumping from
fourth to second place among the most reported types of economic crime in
PwC’s Global Economic Crime Survey 2016.

Attacks by cybercriminals are also growing more and more sophisticated and
costly. Take the financial sector. While financial institutions have always
been a target of choice, the stakes were raised significantly with this
year’s hack of the SWIFT messaging system, which siphoned off $81m from the
Bangladesh central bank and has caused problems for numerous other
institutions.

The threat is so severe that last week the G7 group of nations jointly
issued a cybersecurity framework for the financial sector. Unfortunately,
while useful as a starting point for discussions, the framework offers
little in the way of practical advice.

That is not surprising given the complicated nature of these threats.
Advanced Persistent Threats (APTs), the type used in the SWIFT breach,
employ sophisticated evasive techniques tailored for their target to avoid
detection.

Once inside, they maintain a persistent connection to an external command
and control system to continuously monitor and extract data. The infamous
Carbanak attacks, which hit many dozens of banks for an estimated total of
$1 billion, are another example. In that case, the malware sat inside the
banks’ systems for months, tracking the employees’ working processes and
sending video feeds back to the attackers.

The Trickle Down Effect

Once upon a time, the advanced evasive maneuvers used by such APTs could be
safely ignored by the vast percentage of businesses and individuals. Not
anymore. Advanced attack software and even technical support can be rented
by anyone.

Malware-as-a-service has become a thriving organized crime industry. When
put together with other “businesses,” like the black market in stolen
credentials, or the sale of 0-day and 1-day vulnerabilities, cybercrime has
become a huge chunk of organized crime’s revenue. A report by the Rand
Corporation found that the cyber black market could be more profitable than
the illegal drug trade.

With such readily available tools, even mass attacks, like malware spam
(malspam), have begun incorporating advanced attack techniques.

Ground Zero

But how does malware get to the endpoint in the first place? Endpoint
attack infiltration vectors can be grouped into two types.

The first, or the malspam type, requires user interaction or consent. Using
some type of social engineering, a user is convinced to go to a specific
site and enter credentials, or enable a macro (that then downloads
ransomware or a key logger or password stealer), or download malicious
software disguised as legitimate software or execute an executable file
attachment.

A recent example is the Locky ransomware campaign that sends emails with a
Word “invoice” attached. Victims are prompted to enable a macro to see the
“invoice,” thereby downloading and launching the ransomware. However, the
second type involves no user consent. It exploits vulnerabilities in
browsers (often Internet Explorer or Firefox – JavaScript or VB), third
party plugins (most commonly Flash, Silverlight, Java), document viewers
(Office, Acrobat), scanning engines (Antivirus scanning for files) and
graphic parsers (usually Windows OS drivers).

In the Carbanak attacks mentioned earlier, a Trojan-infected Word email
attachment exploited the MS Office CVE-2015-2545 vulnerability to
automatically download malicious code upon opening.

Attacks that exploit memory vulnerabilities are increasingly common and
particularly difficult for security products to detect and block. A memory
vulnerability results from software mishandling unexpected input. For
example, inputs that are too long and are not properly validated can result
in buffer overflows (heap or stack). Other memory vulnerabilities include
type confusion, use-after-free conditions and integer overflows, among others.
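As an added example (not from the article), the following C shows the input-validation step whose absence produces the buffer overflows described above: a constructed length-prefixed record is copied into a fixed-size buffer only after the attacker-controlled length is checked against both the buffer capacity and the bytes actually received. The record format, the function names and the sample inputs are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_MAX 16

/* Parsed record: payload copied into a fixed-size buffer. */
struct record {
    uint8_t payload[PAYLOAD_MAX];
    size_t  payload_len;
};

/* Constructed format: 4-byte big-endian declared length, then payload.
 * Returns 0 on success, -1 for malformed input. Each check below closes
 * one way an untrusted length could turn into a memory bug. */
int parse_record(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in == NULL || out == NULL || in_len < 4)
        return -1;                          /* header itself is truncated */
    uint32_t declared = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
                        ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
    /* Check 1: destination capacity. Rejecting here first also keeps the
     * later arithmetic small, so 4 + declared can never wrap around. */
    if (declared > PAYLOAD_MAX)
        return -1;                          /* would overflow payload[] */
    /* Check 2: bytes actually present (in_len >= 4 was verified above,
     * so in_len - 4 cannot underflow). */
    if (declared > in_len - 4)
        return -1;                          /* would read past the input */
    memcpy(out->payload, in + 4, declared);
    out->payload_len = declared;
    return 0;
}

/* Constructed sample inputs exercising the parser; returns a bitmask of
 * the cases that behaved as intended (0xF means all four did). */
int run_samples(void)
{
    struct record r;
    const uint8_t good[]      = {0, 0, 0, 3, 'a', 'b', 'c'};
    const uint8_t oversize[]  = {0, 0, 0, 32, 'x', 'x', 'x'};  /* claims 32 > 16 */
    const uint8_t truncated[] = {0, 0, 0, 5, 'a', 'b'};        /* claims 5, has 2 */
    const uint8_t huge[]      = {0xff, 0xff, 0xff, 0xff, 'x'}; /* UINT32_MAX */
    int ok = 0;
    if (parse_record(good, sizeof good, &r) == 0 && r.payload_len == 3 &&
        memcmp(r.payload, "abc", 3) == 0)                    ok |= 1;
    if (parse_record(oversize, sizeof oversize, &r) == -1)   ok |= 2;
    if (parse_record(truncated, sizeof truncated, &r) == -1) ok |= 4;
    if (parse_record(huge, sizeof huge, &r) == -1)           ok |= 8;
    return ok;
}
```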

Combating Cybercrime

While cybercrime methods have gotten smarter and cheaper to perpetrate,
overall defenses have not kept up. All detection-based security products
are necessarily limited by their detection logic – whether signature-based
like traditional AV or more sophisticated solutions based on heuristics,
reputation lists or machine learning. They also usually fall flat at
dealing with file-less malware and can add significant administrative
burden in terms of generating false positive results and update
requirements.

Evasive techniques call for a likewise evasive defense. Moving Target
Defense (MTD) is one such emerging strategy. It uses counter-deception
techniques to constantly change the target surface, concealing
vulnerabilities in applications and web browsers and trapping access
attempts. MTD holds particular promise when combined with traditional
antivirus, which is easy and cheap to administer and still surprisingly
adept at catching run-of-the-mill malware.