Cyberthreats: When Innovation is a Bad Thing and You Can’t Do Anything About It
We can all agree that innovation is essential for any business. It is a wonderful thing when it is in the right hands. In the wrong hands, it takes the form of cyberthreats, and those pose a huge risk.
Global cybersecurity data gathered over the past year shows that bad threat actors have also been getting creative, using powerful new combinations of malware. And, though organizations are increasing cyber defenses, attackers are innovating and automating at a faster pace and taking advantage of the current crisis.
Exploiting Fear and Vulnerabilities
The pandemic has affected the global economy in many ways, and cybersecurity is not immune. Businesses that were not digital natives had already been migrating toward online operations, and then the professional world was sent home to work indefinitely.
Mandated shutdowns have made websites and customer portals even more crucial and vulnerable, whether hardened against cyberattacks or not.
Individuals have also naturally taken to the internet to obtain more information about the virus, to shop online while under lockdown and to generally engage more with the online world than in pre-COVID-19 times. Bad threat actors have exploited this to their benefit.
Phishing attacks leveraging COVID-19 started in mid-January, for instance, and escalated thereafter in types and volumes. Websites posing as ‘official’ information sources but hosting exploit kits and/or malware were created at an incredible rate – even exceeding 2,000 new sites per day. In some cases, open redirects have pushed information-stealing malware, prompting users to download an app allegedly from the World Health Organization.
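The open-redirect abuse described above works because a trusted site forwards the browser to whatever target a request parameter names. The following is an added example (not code from the report or from any vendor) that puts the weak pattern beside an allow-list validator. The host allow-list, the default landing path and the function names are assumptions for the illustration; the validator accepts only same-site paths or `https` URLs on an allow-listed host, and rejects scheme-relative, userinfo and backslash forms that browsers interpret differently from a naive parser.

```python
"""Open-redirect hardening: an added, self-contained example.

Assumptions: the application keeps an allow-list of hosts it is willing to
redirect to, and falls back to a fixed landing path otherwise.  The host name
below is a constructed value for the example.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"portal.example.org"})  # constructed allow-list
DEFAULT_TARGET = "/"


def vulnerable_redirect_target(candidate: str) -> str:
    """The weak pattern: trusts the user-supplied 'next' parameter as-is,
    so any absolute URL is forwarded, including an attacker's download page."""
    return candidate or DEFAULT_TARGET


def safe_redirect_target(candidate: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return candidate only if it is a same-site absolute path or an https URL
    whose host is allow-listed; anything else maps to DEFAULT_TARGET."""
    if not candidate:
        return DEFAULT_TARGET
    # Browsers normalise backslashes to slashes and strip some control
    # characters, so '/\\evil.example' or a path with a tab can be parsed
    # differently by the browser than by urlsplit.  Reject such input outright.
    if "\\" in candidate or any(ord(c) < 0x20 or c == "\x7f" for c in candidate):
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference.  Require exactly one leading slash: "//host/x" is
        # scheme-relative and would leave the site (urlsplit puts that host in
        # netloc, but the explicit check keeps the intent readable).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET
    # Absolute URL: only https and only an allow-listed host.  hostname is
    # taken after any userinfo, so "https://good.example@evil.example/" fails.
    if parts.scheme.lower() == "https" and parts.hostname in allowed_hosts:
        return candidate
    return DEFAULT_TARGET


if __name__ == "__main__":
    for probe in ("/account", "//evil.example/x", "https://evil.example/app",
                  "https://portal.example.org/dashboard", "javascript:alert(1)"):
        print(f"{probe!r:45} -> {safe_redirect_target(probe)!r}")
```

In a request handler the `next` parameter would be passed through `safe_redirect_target` before the framework's redirect call; the vulnerable variant is kept only to make the contrast visible.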
As for organizations now relying more on their web presence than ever before, they have stepped into a well-developed enemy target zone.
According to findings presented in NTT Ltd.’s 2020 Global Threat Intelligence Report (GTIR), which draws upon data collected from October 1, 2018 to September 31, 2019, nearly 55 percent of all detected threats were either application-specific or web-application attacks.
In other words, bad threat actors have gone after weaknesses in specific apps, such as broken authentication, lack of encryption, misconfiguration and unpatched systems. Or they have used malware, bots and attack programs to threaten web apps more generally.
Content management systems (CMSs) have been heavily targeted, along with OpenSSL, an open-source implementation of protocols designed to secure website communications.
Scanners, Botnets and Webshells
Containing a vast amount of data, the GTIR is somewhat like a global weather report, with cyberthreats shifting and trending by industry, region and type. One of the most significant trends over the past year has been the increased use by adversaries of multi-function attack tools and capabilities.
Some tools, by themselves, can be used for good or ill. Consider vulnerability scanners. In the right hands, perhaps as part of a red team/blue team exercise, they are excellent ways to take inventory and discover your own system’s weaknesses. According to NTT’s report, however, adversarial reconnaissance has become a prominent, even dominating attack activity in some regions, such as the Americas.
The combination of scanners, such as zmeu and muieblackcat, with common malware is trending as a global threat. Known for spreading attacks on Internet of Things (IoT) devices, botnets like Mirai and IoTroop can now propagate further through scanning and subsequent infection. It’s a development that has given a resurgence to an old botnet like Mirai, used in multiple distributed denial of service (DDoS) attacks in 2016.
Another category of sophisticated malware comes from the webshell family. This is a web security threat that gives an attacker remote access to a web server, including its file system. Remote access is another technique that can benefit an organization, especially when the workforce is distributed. But remote code execution and injection are now prominent global attack vectors. China Chopper, the second-most detected malware in the Americas, accounted for 54 percent of all webshell activity.
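Because a webshell is driven over ordinary HTTP, its traffic lands in the web server's access log, and one cheap detection is to look for server-side script files being executed from directories that should only ever hold static content. The following is an added example (not code from NTT or the GTIR) that runs that heuristic over a few constructed log lines in the common "combined" format. The directory layout, the script extensions and the hit threshold are assumptions; a real deployment would tune them to its own site and pair them with file-integrity monitoring of the web root.

```python
"""Webshell candidate detection over web-server access logs (added example).

Assumptions: logs are in Apache/Nginx "combined" format, and the directories in
STATIC_DIRS should never execute server-side scripts.  The log lines are
constructed for the example.
"""
import re
from collections import Counter, defaultdict

# "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx", ".cgi")
STATIC_DIRS = ("/uploads/", "/images/", "/tmp/", "/static/")  # assumed layout

# Constructed sample: one client repeatedly POSTs to a script inside /uploads/.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2020:10:01:05 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "https://portal.example.org/" "Mozilla/5.0"',
    '203.0.113.9 - - [12/May/2020:10:02:11 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 74 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [12/May/2020:10:02:19 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 1180 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [12/May/2020:10:03:40 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 96 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [12/May/2020:10:04:00 +0000] "POST /login.php HTTP/1.1" 302 0 "https://portal.example.org/login" "Mozilla/5.0"',
    '192.0.2.45 - - [12/May/2020:10:05:13 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec):
    """A POST with no Referer to a script file under a static-only directory."""
    path = rec["path"].split("?", 1)[0].lower()
    in_static = any(path.startswith(d) for d in STATIC_DIRS)
    is_script = path.endswith(SCRIPT_EXT)
    no_referer = rec["referer"] in ("", "-")
    return is_script and in_static and rec["method"] == "POST" and no_referer


def find_webshell_candidates(lines, min_hits=2):
    """Return {script_path: {client_ip: count}} for paths that drew at least
    min_hits suspicious requests; the threshold trims one-off noise."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits[rec["path"].split("?", 1)[0]][rec["ip"]] += 1
    return {p: dict(c) for p, c in hits.items() if sum(c.values()) >= min_hits}


if __name__ == "__main__":
    for path, by_ip in find_webshell_candidates(SAMPLE_LOG).items():
        print(f"candidate webshell {path}: {by_ip}")
```

A hit is a lead, not a verdict: the next step is to confirm the file on disk (creation time, owner, content) and to review what the same client did before the first POST, which is how the initial upload or injection is usually found.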
Maturity and Resilience
As bad threat actors have seized opportunities and innovated, there have been constants. The single most-detected malware in the Americas, for instance, was the WannaCry ransomware. Launched in 2016, when it infected hundreds of thousands of computers in countries across the world, WannaCry continues to compromise computers running the Windows OS by encrypting data and demanding payments via Bitcoin.
Keeping what works and trying out new approaches, adversaries reveal a kind of maturity that their targets would do well to surpass.
The GTIR offers a matrix that maps levels of maturity (from non-existent to optimized) across three categories: process, metrics and tools. It also reveals benchmark scores across six industries. The takeaway is that the gap between current and desired states of maturity persists, with baseline scores not progressing appreciably over the past year.
Attacks, which can knock an organization off course for weeks, months or even longer, continue to be successful because of poor practices related to network, operating system, and application configuration, testing and security controls.
In short, a lack of basic security hygiene!
Beyond the basics, organizations should also aim for resilience. Related goals would involve addressing threats that emerge with evolving landscapes; maintaining infrastructures, applications and operations that are secure by design; leveraging threat intelligence and real-time visibility; and making governance, risk and compliance part of any regular cybersecurity agenda.