[BreachExchange] Constant Vigilance Requires Looking Back as Well as Forward

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 26 21:55:54 EST 2019


Security researchers continue to report that many of the primary threats to
organizations today come from older attacks and exploits targeting
vulnerable systems for which patches have long been available. In fact,
older vulnerabilities seem to be preferred.

One recent report indicates that exploits targeting vulnerabilities
reported in 2007 outnumber those targeting newer vulnerabilities from
2018/2019, and the same holds for every year in between. One example of
this is the growing emphasis on targeting publicly facing edge services
that have known vulnerabilities with remote code execution exploits. Some
evidence suggests that this is a reaction by cybercriminals to
organizations aggressively addressing phishing with end-user training and
advanced email security tools. As would be expected, cybercriminals are
responding by actively expanding their ability to deliver malware through
methods beyond phishing. And like their phishing-delivered counterparts,
these attacks also generally target older vulnerabilities.

Like Older Vulnerabilities, Older Malware Remains a Problem

In addition to older vulnerabilities, aging malware also continues to
plague modern networks. Of the top five botnets identified during Q3 of
2019, number four was Mirai, the IoT botnet that first appeared in August
2016 and went on to cause widespread devastation later that year. In spite
of its notoriety and the assumption that most organizations would at least
have hardened their systems against that threat, Mirai still represents a
serious threat to organizations around the

Emotet is another example of this phenomenon. It was first discovered in
2014 as a “simple” banking Trojan. And even though it is now more than five
years old, the US Department of Homeland Security still identifies Emotet
as “among the most costly and destructive malware affecting state, local,
tribal, and territorial (SLTT) governments, and the private and public

Part of the reason it is still such a threat is that it has a very active
team of developers behind it. In its latest iteration, it has evolved
into a modular botnet that can deliver a variety of malicious payloads,
spread laterally using worm-like capabilities, and evade detection by
manipulating the Windows registry.

Old Problems in New Bottles: Malware and Ransomware as a Service

Emotet's operators now also offer those capabilities as a
Malware-as-a-Service (MaaS) solution on the dark web. Criminals can pay
for access to the millions of infected devices to target victims and drop
additional malware, bypassing all of the effort required to gain an
initial foothold in a network. In addition to dropping malware such as
Trickbot, Emotet can also deliver ransomware, which continues to be a
serious and growing threat to organizations.

Part of the reason for the continued growth of ransomware is that the
developers of GandCrab were among the first to pioneer
Ransomware-as-a-Service (RaaS). This is part of the reason why authorities
estimate that its developers were able to reap as much as $2 billion in
just over a year before announcing their retirement last May. With such
advanced malware available to thousands of online criminals for the
price of merely splitting any subsequent profits, its spread was a foregone
conclusion. Other ransomware developers have not overlooked the success of
this sort of criminal enterprise: two more RaaS offerings, Sodinokibi and
Nemty, were introduced in Q3 of 2019. Organizations should begin
preparing now for a spike in ransomware attacks over the next few years.

If it Ain’t Broke…

While cybercriminals continue to make some effort to develop new
malware or zero-day attacks, that development process is expensive. And
as in other enterprises, ROI is a driving financial consideration for many
criminal organizations. As a result, their efforts tend to focus on five

1. Refining existing malware to evade detection and deliver increasingly
sophisticated and malicious payloads, as seen with the ongoing evolution
of Emotet. This strategy is far more cost-effective, especially while the
number of unpatched older vulnerabilities waiting to be exploited remains
so large.

2. Expanding their earning potential by converting their attack tools into
a MaaS or RaaS offering. The two latest additions to the growing family of
RaaS offerings are just the beginning of what can be expected to be a flood
of similar services. Emotet, for example, has adapted this model by
selling access to millions of infected devices to deliver a range of
malicious payloads.

3. Changing attack vectors to catch organizations off guard. The recent
spike in remote code execution attacks targeting edge services to deliver
malware is one such shift. Moving to an unexpected or overlooked part of
the network lets cybercriminals persist when their usual avenues of attack
are being shut off.

4. Targeting older, vulnerable systems that have not been adequately
secured. Cybercriminals prefer targeting older vulnerabilities not only
because exploits for them are already available, but also because they are
often an indication that other security controls may be lax as well.

5. Exploiting the expanding attack surface, such as operational technology
that is now being exposed to public networks. Attacks here could have
devastating effects on critical infrastructure. Exploits could
allow criminals to commit acts of terrorism, steal valuable intellectual
property, and hold high-value targets such as manufacturing floors for

Preparing for the Future Requires Clear Hindsight

The message is clear. Organizations cannot afford to focus only on the
latest threat trends or attack vectors. Instead, as the rise in attacks on
publicly facing edge services shows, organizations must adopt a
holistic approach to securing their distributed networked environment, one
that lets them see and manage the entire distributed network, including
all attack vectors, through a single pane of glass. That also requires a
clear understanding of issues from the past, and mending those fences, to
prepare for the new threats built on them that loom just over the horizon.