Symtrex Inc.

Cyber Security Specialist

Call - 866-431-8972 | Send an Email | Request a Quote
Visit Us On FacebookVisit Us On TwitterVisit Us On Linkedin

Anti-Malware Is Necessary In The Data Center: 3 Examples

by

By Jeremiah Grossman - Dark Reading

Simply because data center endpoints don’t have the same threat profile as general desktops doesn’t mean they don’t need anti-malware software. Here’s why.

People often ask about the value of anti-malware software on data center endpoints such as Web servers, databases, file servers - the list goes on. This is a reasonable question because, with respect to malware, data center endpoints simply don’t have the same threat profile or business use-cases as general desktops, where users click on things all day, every day. Also, when endpoints don’t have all those pesky users, it would seem malware would have a much harder time getting onto data center endpoints. Yet, it happens all the time. How?

Before providing the best practices for a successful data center relocation, a security guidance is required. I would first like to share the most common attack patterns seen in the wild, and recommendations backed up by data. For this, I rummaged through the Verizon Data Breach Investigations Report (DBIR) 2016, which combines knowledge from more than 3,000 confirmed data breaches, and has a lot to say about malware usage.

The figure below, from the DBIR, presents an insightful attack pattern. What’s happening is, through a variety of extremely common techniques, such as phishing and others, a user’s desktop is compromised and infected with malware. While the data on this particular compromised endpoint may not be of high value, the malware is used to harvest static credentials (user names and passwords) just the same.

The next step in the breach is often to leverage the stolen credentials to pivot across the network, logging into point-of-sale systems, databases, Web servers, and file servers — where the real crown jewels are located — and infecting them with malware for command and control, and data exfiltration purposes. Since the threat actor is using valid credentials to access these data center endpoints, and not exploits, intrusion detection alarm bells are less likely to be triggered. So, in this case, if anti-malware software had been installed on these endpoints, that’s one more effective security control a threat actor would have had to bypass in order to obtain what they were after.

Another topic the Verizon DBIR discusses is “secondary motives.” For example, threat actors will compromise Web servers in the data center, often through exploiting SQL Injection or a PHP Remote File Include, and implant malware on the endpoint. The malware will typically have a couple of common purposes separate from data exfiltration.

One purpose is what’s referred to as a watering hole attack. The threat actor selects a certain website to compromise and serves up malware to a particular set of users - their primary targets - who are likely to visit the website. Another purpose is for the malware to launch spam campaigns or DDoS attacks on more primary targets.

Websites often have far more computing resources and bandwidth at their disposal than a typical user PC, which makes them attractive targets. Again, if sufficient anti-malware technology had been installed on Web servers, it would have made it that much harder for the bad guys to establish a foothold, even though they successfully exploited a vulnerability.

- Also read: Decommissioning An Outdated Server With Professional Help.

Count of Hashes by Lifespans in Seconds

Source Verizon DBIR

These examples show how important anti-malware software would have been in protecting against these unwarranted attacks. When reviewing common attack patterns, anti-malware software absolutely has value in the data center. With the introduction of new, signature-free next-generation approaches that use machine learning and dynamic behavior tracking, organizations can deploy this technology in a minimally invasive manner.

This is crucial to understand. As the Verizon DBIR also said, and the figure above illustrates, “99% of malware hashes are seen for only 58 seconds or less.” If we can disrupt the way adversaries generally conduct their operations, we can make the biggest impact in protecting our systems.

 

 

The big cybersecurity trends that will likely continue through 2017

by

By George V Hulme - BitDefender

Predictions are never easy, and they are seldom right or very useful: but they are always fun. And as the holiday season is upon us and the New Year approaches so does the time of year reflection and, you guessed it: cybersecurity predictions.

Here’s my attempt at highlighting what I see as some of the bigger trends that are likely to keep security professionals struggling to keep up in the year ahead, and how I see these trends continuing.

Big cybersecurity trend 1: The information wars heat up

If cybersecurity taught us anything in 2016, it’s that data breaches can now be as much about the damage that can be wrought when private information is made public than data theft for financial gain or competitive advantage. The hacking of the Democratic National Committee (DNC) and email systems, for instance, brought the resignation of Debbie Wasserman Schultz as chairwoman of the DNC. Email server security also plagued candidate Hillary Clinton to the very end of her campaign to become the 45th President of the United States of America. And as 2016 was quite the eventful year when it came to cybersecurity, it’s forgivable to have forgotten Sigmundur Davíð Gunnlaugsson, Iceland’s Prime Minister, for having to step down because of the Panama Papers breach.

These types of events, where large amounts of data are made public as part of a whistleblowing campaign or to publicly embarrass some type of opponent in government or business, are going to increase. And they will continue to be extremely disruptive to our institutions and those who currently have power.

Big cybersecurity trend 2: Nation state meddling

We saw accusations of nation state driven data breaches increase this year. It was in the summer of 2015 that the Obama administration decided to retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management. This year, U.S. Senator Marco Rubio (R-Fla.) warned Russia that there should be consequences to election meddling.

This is another trend that will continue, and the risks of a (hopefully) measured cyber-conflict exchange between nation states increases every year.

Enterprises need to understand if they are operating in a critical infrastructure industry (healthcare delivery, finance, power generation and distribution, manufacturing, etc.) or support such industry than they need to prepare for the possibility of getting caught in the crossfire.

Big cybersecurity trend 3: Fraud is dead, long live credit fraud

As the US, has deployed chip cards, and more people have embraced chip-enabled EMV cards and digital wallets such as Apple Pay and Google Wallet, point of sale system fraud rates have fallen, and this category of fraud is expected to continue to fall. However, card not present fraud was only $10 billion in 2014, it will be more than $20 billion by 2018.

According to this story, New Trends in Credit Card Fraud, in 2015, identity thieves moved from cloning counterfeit cards of existing accounts to opening new fraudulent accounts through identity theft. Expect that to continue, as well as more online fraud. Crime never goes away, it just moves to the paths of least resistance.

That means fraudsters will take aim at your website systems, especially any that accept payments. Watch your online systems and look for ways to detect fraud, such as behavior analysis.

Big cybersecurity trend 4: The Internet of Things (IoT)

For a couple of years now, experts have been predicting that the Internet of Things was creating an emergent set of risks – but as with the rise of most new technologies the hype arrives long before reality. Unfortunately for us, the cybersecurity predictions around IoT began to come true in 2016. A big part of this is not only because these devices have been adopted by so many consumers, but they are also being embraced by enterprises. In fact, roughly 31 percent of organizations, per IDC’s Global IoT Decision Maker Survey, have launched an IoT initiative, with 43 percent planning to deploy IoT in the next twelve months. Most enterprises don’t view these initiatives as trials, but strategic.

This situation is going to get considerably worse. One of the biggest challenges with IoT isn’t enterprises securing these devices – it’s that the device makers are shipping inherently insecure devices. They are too often shipping with default passwords that don’t require they be changed, or communication with the devices doesn’t require proper authentication, firmware updates can occur without being properly signed. And the list goes on.

Organizations are going to continue to get hit by attacks directly attributable to IoT weaknesses, whether a continuation of distributed denial of service attacks – or by encroachments onto their networks made possible by IoT weaknesses.

Big cybersecurity trend 5: Regulatory upheaval

Government and industry regulations that affect cybersecurity are about to get volatile. In the European Union, IT will face data security and breach notification operational changes from the General Data Protection Regulation (GDPR). And in early 2018 the GDPR becomes a legal requirement. Many expect that the GDPR will increase costs of doing business as new data protection measures are put into place to control how, who, and when data is accessed.

Expect more data privacy and security harmonization changes, government surveillance law changes, as well as the potential for Internet of Things cybersecurity design and implementation regulations (maybe not next year for this one, but it’s likely coming soon.).

The regulatory landscape will be changing swiftly, and enterprises will need to be ready to have their security, privacy, and overall risk posture adapt.

Malware Most Common Smart Hospital Data Security Threat

by

By Elizabeth Snell - HealthIT Security

The European Union Agency for Network and Information Security reviewed top smart hospital data security threats, mitigation techniques, and good practices.

Malware is the most common type of potential attack scenario for smart hospitals that poses a data security threat, according to a recent study from the European Union Agency for Network and Information Security (ENISA).

Smart hospitals have become more prevalent as Internet of Things (IoT) components support core functions of a hospital, ENISA stated in its study.

Information security is a key issue for these organizations, and malicious actions, human errors, system and third-party failures, and natural phenomena should all be considered as a potential threat.

“The risks that result from these threats and corresponding vulnerabilities are typically mitigated by a combination of organisational and technical security measures taken by smart hospitals which comprise good practices,” the report’s authors wrote. “With respect to organisational measures, compliance with standards, staff training and awareness raising, a sound security organisation, and the use of guidelines and good practices are particularly relevant.”

ENISA investigated the current status of Smart Hospitals and related information security issues, focusing on deployments in the EU for the study.

Respondents included hospital representatives, industry representatives, and policy makers.

Along with malware, those surveyed said that device tampering, social engineering, denial of service attacks, and theft, were also top attack scenarios for smart hospitals.

Traditional hospitals may also be vulnerable to these types of attacks, researchers noted. However, the consequences can be much more severe in connected organizations.

“Protection becomes difficult because, with the high number of networked devices, many potential points of attack are emerging,” the report states. “The consequences become more severe because information systems and devices are more intensely connected within hospitals and across organisational boundaries.”

Respondents also rated threat categories according to their likelihood of occurrence on a scale from 1 (low likelihood) to 5 (high likelihood). Human errors were the most likely to occur, according to the survey, while a natural phenomena was given the lowest likelihood of taking place.

“With respect to human errors, user errors, non-compliance with policies and procedures and loss of hardware, for instance, were perceived as posing considerable risk to smart hospitals,” the researchers explained.

However, malicious actions, which include threats from malware, social engineering, hacking, denial of service and device tampering, were considered particularly critical for smart hospitals by a larger group of respondents than human errors.

Specifically, 77 percent of respondents said that malicious actions were a critical threat, while 70 percent said human errors were the top threat. Just over half of those surveyed - 53 percent - listed system failures as a critical threat.

ENISA recommended that hospitals establish effective enterprise governance for cybersecurity, and also provide specific IT security requirements for IoT components in the hospital. Conducting a risk assessment and vulnerability assessment were also recommended, which are required for US organizations under HIPAA regulations.

Industry representatives should perform the following measures to enhance smart hospital data security:

  • Incorporate security into existing quality assurance systems
  • Involve third parties (healthcare organisations) in testing activities
  • Consider applying medical device regulation to critical infrastructure components
  • Support the adaptation of information security standards to healthcare

Several of these recommendations are also already being considered for US-based healthcare organizations.

For example, the National Health Information Sharing and Analysis Center (NH-ISAC), the Medical Device Innovation, Safety and Security Consortium (MDISS), and the U.S. Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH) recently signed a memorandum of understanding to help organizations identify, mitigate, and prevent medical device cybersecurity threats.

The Information Sharing and Analysis Organization Standards Organization (ISAO SO) also released several documents in October 2016 on cybersecurity information sharing guidance, which focused on cybersecurity risks, incidents, and best practices. In terms of healthcare cybersecurity information sharing, one document discussed privacy and security aspects of cybersecurity risk.

“At a minimum, privacy considerations should include the individual members of an organization, the privacy of any individuals whose data may be included in cyber threat indicators to the extent provided by law, and a full range of other constituencies, customers, and individuals,” the document stated. “To adequately protect privacy while accomplishing the goals of an ISAO, it is important for the ISAO to provide guidance to members, participants, and ISAO staff that will be helpful in striking a balance between allowable sharing of cyber threat information and protecting privacy.”

 

 

Cerber Ransomware Delivered via Google, Tor2web

by

by Eduard Kovacs - SecurityWeek

A new version of the Cerber ransomware has been delivered by cybercriminals using spam emails, Google links, the Tor2web proxy service and malicious macro-enabled Word documents.

Cerber is a relatively new piece of ransomware, but it has evolved a great deal over the past months. The malware is believed to generate an annual revenue of $2.3 million by infecting hundreds of thousands of devices worldwide.

Check Point researchers reported last week that Cerber developers had released versions 5.0 and 5.0.1. The security firm detailed some changes in the ransomware, including new IP ranges and modifications in the way files are encrypted. However, it appears there are also some changes in the way the malware is distributed.

Cisco Talos has been monitoring a Cerber 5.0.1 campaign and noticed the use of some interesting techniques. The attack starts with a short and basic spam email referencing pictures, transaction logs, order details or loan acceptance letters. All spam messages include the name of the recipient in the subject line.

The emails apparently point to google.com, but if the link is clicked, the user is taken to a Google redirect page that reveals the true destination – a domain on the Tor network.

If the victim clicks on the onion.to link, the Tor2web proxy service is used to access the Tor network and download a document file. Using Tor2web enables access to Tor without the need to install a dedicated client.

“Additionally, as the actual malicious file is hosted on a server within the Tor network, it is significantly less likely that the malicious file will be removed or taken down like it would be if hosted traditionally on the internet via malicious or compromised web servers. It also allows the attackers to modify the redirection chain quickly and easily to attempt to evade reputation based blacklisting technologies,” explained Talos researchers.

The file downloaded from Tor is a Word document that claims to store protected content. If users follow the instructions in the file and enable macros, the Windows Command Processor invokes PowerShell, which fetches and executes Cerber. The malware binary is also downloaded from the Tor network using the Tor2web service.

Once their files are encrypted, victims are instructed to pay roughly $1,000 in bitcoins to obtain the “Cerber Decryptor.” If the ransom is not paid within five days, the amount doubles.

In mid-August, researchers discovered a flaw that allowed them to decrypt files held for ransom by Cerber versions 1 and 2, but the weakness was quickly fixed by cybercriminals. Decryption tools for newer versions have yet to be developed.

Windows Malware Infections spiked 106% from Black Friday to Cyber Monday

by

by Kelly Sheridan - Dark Reading

The number of infected PCs jumped some 106% during the holiday season’s first shopping weekend and 118% above normal on Cyber Monday.

‘Tis the season for gift-giving, snowfall - and cybercrime. The 2016 holiday shopping season has already proven risky, with malware infections in the US jumping 106% between Black Friday and Cyber Monday.

The data comes from Enigma Software Group (ESG), which compiled data on infections recorded in its SpyHunter program. ESG analyzed malware data in the month leading up to Thanksgiving and compared it with infections recorded between Nov. 25 and Nov. 28, 2016.

It’s worth noting this data only applies to malware infections recorded on PCs, and does not include activity from smartphones or Apple products.

The number of recorded infections has doubled year-over-year. This year’s 106% jump marks a significant increase from the same weekend in 2015, when malware was 84% above normal. Malware activity peaked on Cyber Monday, when instances were 118% higher than normal.

ESG believes there are multiple drivers behind the malware surge, says spokesperson Ryan Gerding.

“The biggest thing is that there are more people who are shopping online every year,” he explains. “What’s more, the bad guys are getting smarter in tricking people into accidentally clicking on links that install malware on their computers.”

Consumers are most likely to fall for emails that appear to come from legitimate companies. These messages may promise a free gift card or claim there is a problem with an order, but instead include a malicious link that will download malware onto the victim’s computers.

During the holidays, more people are shopping and anticipating these types of emails. They’re more likely to click on a money-saving coupon or wonder if there really is a problem with their order. As a result, malware infections continue to climb.

Emails aside, hackers also abuse social media accounts and post status updates containing malicious links. Others bundle malware with software downloaded from the Internet; for example, programs that promise to bypass location-specific restrictions on services like Netflix.

The vast majority of these infections are “nuisanceware,” says Gerding. They may slow down victims’ PCs or cause a spike in pop-up ads; things that are annoying but not necessarily dangerous.

However, the occasional dangerous attacks do take place. Ransomware makes up a tiny percentage of infections, but it can be devastating when it hits. ESG discovered about 0.5% of all infections include ransomware.

It’s a miniscule percentage, but Gerding notes the amount of infections made of ransomware has doubled since 2015. One year ago, ransomware made up about 0.25% of malware attacks. The trend promises ransomware will continue to grow as a consumer-facing threat in 2017.

“As long as the crooks are successful in getting people to pay a ransom, they’ll keep trying to get infections out there on as many computers as possible,” he says.