Downloaded 30 times
![Apr 30, 2016:
In the past 48 hours, the House Information Security
Office has seen an increase of attacks on the House
Network […] focused on putting “ransomware” on users’
computers.[…] .As part of that effort, we will be blocking
access to YahooMail on the House Network until further
notice.](https://image.slidesharecdn.com/eversectrendsincybersecurity-160526201003/85/EverSec-Cyphort-Big-Trends-in-Cybersecurity-19-320.jpg)
More Related Content
Similar to EverSec + Cyphort: Big Trends in Cybersecurity
EverSec + Cyphort: Big Trends in Cybersecurity
- 1. Ransomware, RATs &other Big Trends in Cybersecurity Nick Bilogorskiy @belogor StephenHarrison EverSec Group
- 2. Agenda o Eversec intro oHow Ransomware works o Malvertising o RATS: Remote Access Trojans o Wrap-up and Q&A
- 3. o Security Design,Analysis, & Implementation Assistance o Security Assessments o Cyber Penetration Testing o Remediation Services o Integration Skills o Managed Services o Dark Net Recon o Customized Hacking/Incident Response Training 3
- 4. 4 $1+ CYBERCRIME NOW trillion industry 100+nations CYBER WARFARE ✚ Over 95% of breaches occur behind perimeter firewalls. ✚ 71% of security breaches involve user devices. ✚ 51% of breaches involve corporate servers.
- 5. o Advanced BreachDetection {ABD} o End Point Detection & Response {EDR} o Advanced Data Loss Prevention {ADLP} o Mobile & BYOD Security o Threat Intelligence Operationalization o Incident Response Orchestration o Cloud Infrastructure Security 5
- 6. “EverSec Group haspulled away from the pack of me-too security solution providers … willing to wager on security startups that are turning network security and endpoint security into outdated concepts.” - CRN.com, February 26, 2015 6
- 7.
- 8. 8 40% ofenterprises will have formal plans to address cyber security business disruption by 2018 60% of enterprise information security budgets will be allocated to rapid detection and response approaches (up from less than 10% in 2014) by 2020
- 10. What is Ransomware Ransomwareis any malware that demands the user pay a ransom. There are two types of ransomware: lockers and crypters.
- 11.
- 12. o More IOT(Internet Of Things) security incidents Prediction #4
- 13.
- 14. • easy touse, • fast, • publicly available, • decentralized, and • Provides anonymity, which serves to encourage extortion. Bitcoin Primer
- 15. How often doyou backup? Computer Backup Frequency 2008-2015 (BackBlaze data) Frequency 2008 2009 2010 2011 2012 2013 2014 2015 Daily 6% 6% 8% 6% 10% 10% 9% 8% Other 56% 57% 58% 60% 10% 59% 63% 67% Never 38% 37% 34% 34% 31% 29% 28% 25%
- 16. The Ransomware BusinessModel o 90% of people do not backup daily o Data Theft in place o Anonymity (TOR, Bitcoin) o Operating with impunity in Eastern Europe o Extortion o Focus on ease of use to drive conversion o Currently 50% pay the ransom, it was 41% 2 years ago
- 17. z Bitcoin Ransom Sent C&C Server PrivateKey Sent Locked Files Unlocked Files The Ransomware Business Model
- 18. HOSPITALS Hollywood Presbyterian Medical Center, Kentucky Methodist Hospital, Alvarado Hospital Medical Center and King's Daughters' Health, Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, Baltimore’s Union Memorial Hospital, and many others POLICE Tewksbury Police Department Swansea Police Department Chicago suburb of Midlothian Dickson County, Tennessee Durham, N.H Plainfield, N.J Collinsville, Alabama, hackers in Detroit demanded $800,000 in bitcoin after they had encrypted the city's database. Known Victims… So far SCHOOLS GOVERNMENT 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, according to the Department of Homeland Security. South Carolina school district paid $10,000 . A New Jersey school district was hit, holding up the computerized PARCC exams. Follett Learning's Destiny library management software, which is used in US schools is vulnerable to SamSam ransomware.
- 19. Apr 30, 2016: Inthe past 48 hours, the House Information Security Office has seen an increase of attacks on the House Network […] focused on putting “ransomware” on users’ computers.[…] .As part of that effort, we will be blocking access to YahooMail on the House Network until further notice.
- 20.
- 21. Ransomware: The PriceYou Pay 2014 - $24 M. | 2015 - $24 M. | 2016 - $209 M in Q1
- 22. o network mitigation onetwork countermeasures o loss of productivity o legal fees o IT services o purchase of credit monitoring services for employees or customers o Potential harm to an organization’s reputation. Ransomware: Additional Costs
- 23. 2016 Ransomware tricks 1.Targeting businesses (e.g. hospitals) rather than individuals. 2. Deleting files at regular intervals to increase the urgency to pay ransom faster – Jigsaw 3. Encrypting entire drives - Petya 4. Encrypting web servers data - RansomWeb, Kimcilware
- 24. 2016 Ransomware tricks 5.Encrypting data on network drives - even on those ones that are not mapped - DMA Locker, Locky, Cerber and CryptoFortress 6. regular intervals to increase the urgency to pay ransom faster – Jigsaw 7. Deleting or overwriting cloud backups. 8. Encrypt each file with its own unique key - Rokku
- 25. 2016 Ransomware tricks 9.Targeting non-Windows platforms – SimpleLocker, DogSpectus, KeRanger 10. Using the computer speaker to speak audio messages to the victim - Cerber 11. Ransomware as a service – Tox 12. Using counter-detection malware armoring, anti- VM and anti-analysis functions - CryptXXX
- 26. How do Usersget Ransomware? Osterman research
- 27. Tips to AvoidRansomware Infection o Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps o Use network protection o Use a comprehensive endpoint security solution with behavioral detection o Turn Windows User Access Control on o Block Macros
- 28. Tips to AvoidRansomware Infection o Be skeptical: Don’t click on anything suspicious o Block popups and use an ad-blocker o Override your browser’s user-agent* o Consider Microsoft Office viewers o Disable Windows Script Host
- 29. Tips to AvoidLosing Data to Ransomware o Identify Ransomware and look for a decryptor: o Shadow Copies o Turn off computer at first signs of infection o Remember: the only effective ransomware defense is backup https://id-ransomware.malwarehunterteam.com/
- 30. Tips to AvoidLosing Data to Ransomware o List of free decryptors: http://bit.ly/decryptors
- 31.
- 32. Malvertising is theuse of online advertising to spread malware. Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages. Anti-Malvertising.com What is Malvertising
- 33. How Malvertising works df User Visitsa popular website, gets infected via exploit kit Website Serves a banner ad, sometimes malicious Attacker Creates and injects malware ads into advertising network Advertising Network Selects an ad based on auction, sends to the website
- 34. Rise of Malvertising 0 500 1000 1500 2000 2500 20142015 2016 Malvertising domains 910 1654 2102 Malvertising domains
- 35. Techniques to avoiddetection o Enable malicious payload after a delay o Only serve exploits to every 10th user o Verifying user agents and IP addresses o HTTPS redirectors
- 36. Who is toblame for Malvertising? Popular websites Ad exchanges Ad networks Users Browsers
- 37. Malvertising o Advertising networksget millions of submissions, and it is difficult to filter out every single malicious one. o Attackers will use a variety of techniques to hide from detection by analysts and scanners o Advertising networks should use continuous monitoring – automated systems for repeated checking for malware ads, need to scan early and scan often, picking up changes in the advertising chains.
- 38.
- 39. o First seen:Nov 2014, new versions throught 2015 o Target: North American and European Banks o Distribution: Spam mails with Word Documents o Some version use p2p over http for carrying out botnet communication o Uses web injects to carry out man-in- browser attack o Uses VNC o It is both a RAT tool and a banking Trojan Dridex malware
- 40. Endpoints Web Deception Network Behavior Email Need complete& correlated Visibility
- 41. Summary 1. Ransomware evolvedinto a major threat allowing criminals to easily monetize malware infections via Bitcoin 2. Every platform is vulnerable to ransomware. 3. Backup your files! Since decrypting encrypted files is not always possible frequent backups become even more critical. And keep your backup offline. 4. Malvertising is on pace to have a record year. 5. Must use defense-in-depth techniques powered by machine learning to defeat malware at every stage of the kill chain.
- 42.
Editor's Notes
- #3 Remote Access Trojans
- #8 Proactive consultative relationship with our clients Support security requirements of large international organizations Commitment to providing cutting edge security solutions Customizable professional services to uniquely address customer needs Strategic partnership with security and managed services firms Strong vendor relationships and ability to advocate for our customers Strong distributor relationships in the US and Europe International Logistics Assistance STI Group, RazorPoint,
- #11 type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction
- #12 Lockers vs Cryptoware. During 2013, Kovter acted as a police ransomware –remaining on the device, listening to the user’s traffic, “waiting” for something to happen. Once a user enters their account credentials or uses file sharing applications to download unsolicited files, Kovter pops up a message stating the user violated the law, demanding they pay a fine. Another similar attack was 2012 Trojan called Reveton. It was claiming that the computer has been used for illegal activities, such as downloading pirated software or child pornography.[41] The warning informs the user that to unlock their system, they would have to pay a fine using a voucher from an anonymous prepaid cash service such as Ukash or Paysafecard. To increase the illusion that the computer is being tracked by law enforcement, the screen also displays the computer's IP address, while some versions display footage from a victim's webcam to give the illusion that the user is being recorded. This threats are very effective, convincing and dangerous. They can even claim a human life. Joseph Edwards, 17, who hanged himself after receiving a scam e-mail which he believed was from the police and referred to indecent photos.
- #13 Ransomware encrypts files on a user’s computer and renders them unusable until the victim pays the ransom and obtains the key to decrypt. Cybercriminals are making millions of dollars from ransomware. According to forecasts and assessments made by experts, the threat of ransomware will continue to rise in the months and years to come. In many cases, victims are left with no other choice than to pay the attackers, and even the FBI often advises victims to pay the ransom as the only recourse. Traditional methods and tools no longer suffice to deal with the fast-evolving landscape of ransomware viruses, and new approaches are needed to detect and counter its devastating effects.
- #14 Tor has become a proven means of communication and is ideal for hosting CNC and ransom payment sites. TOR is: The Tor network is used by anyone who wants to maintain their online anonymity. It does this by routing all traffic from the client to the destination through a series ofrelays called a circuit. Relays are simply Tor clients configured to also act as a router for other clients in order to provide more bandwidth to the network. By default, Tor clients send traffic through a circuit of 3 relays before reaching the final destination. Tor clients encrypt all their traffic so that routers will only know two things: where the traffic came from immediately before it, and where the next stop for the traffic will be. This is done by encrypting the traffic once for each relay in the circuit, using a different key for each layer of encryption. This way, as each relay receives the traffic, it can only strip off one layer of encryption, and then forward the data to the next destination. If the relay is forwarding the data to another relay, all it will see is encrypted ciphertext. The only relay which will see the actual data being sent to the final destination is the exit relay Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals
- #15 Technologies such as bitcoin are contributing to the rising success of ransomware, enabling hackers to stage attacks with more efficiency while hiding their trace. Prior to Bitcoin’s rise in popularity, the principal way that attackers extracted their ransom was by instructing victims to pay by wire transfer or reloadable prepaid debit cards — principally Greendot cards sold at retailers, convenience stores and pharmacies. But unlike Bitcoin payments, these methods of cashing out are easily traceable if cashed out in within the United States western Union can be traced at U.S. cashout locations, as can Greendot payments. Which means you either need an overseas partner [who takes half of the profit for his trouble] or Bitcoin.” What is Bitcoin? Bitcoin is a digital currency that uses consensus in a massive peer-to-peer network to verify transactions. This results in a system where payments are non-reversible, accounts cannot be frozen, and transaction fees are much lower. Where do bitcoins come from? Bitcoins are mined - Some users put their computers to work verifying transactions in the peer-to-peer network mentioned above. These users are rewarded with new bitcoins proportional to the amount of computing power they donate to the network. How to get started with Bitcoin The best way to learn about Bitcoin is to get some and experiment. We have written articles about how to set up your own Bitcoin wallet, how to acquire bitcoins, What can you buy with bitcoin today? Over 100,000 merchants accept bitcoin online. You can pay for things you buy on Dell, Microsoft, NewEgg or Expedia. You can also convert bitcoin into gift cards for Amazon, Target or Walmart. Criminals prefer Bitcoin because it’s easy to use, fast, publicly available, decentralized, and provides a sense of heightened security/anonymity.
- #17 it’s a very successful criminal business model with many copycats. this is just one of the findings of Ransomware. A Victim’s Perspective: A study on US and European Internet Users (PDF), a report conducted by Bitdefender in November of last year.
- #19 Recently, several organizations were badly hit by ransomware, including a police department in Massachusetts, a church in Oregon,schools in South Carolina schools and several medical centers in California and Kentucky,. one of which ended up paying the attackers 40 bitcoins (approximately $17,000). In a recent high-profile case, the Hollywood Presbyterian Medical Center declared an internal emergency after suffering on outbreak of ransomware. Ultimately, this hospital decided to ante up the required Bitcoin ransom payment, handing over $17,000 in order to get access to its computers. The original ransom demand was for $3.7 million in Bitcoins, so if nothing else, that is some decent negotiating on the part of the hospital.
- #20 YahooMail Is So Bad That Congress Just Banned It In response to the attacks, the House’s IT desk blocked access to YahooMail “Until further notice.”
- #22 how much money $24 million in hostage payments according to FBi. But experts say those figures are dwarfed by the actual payments, which likely exceed half a billion dollars per year. 24million < x < 500million cryptowall alone is $325 million (400,000 payments) according to CTA report: http://www.coindesk.com/cryptowall-325-million-bitcoin-ransom/ Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers. At that rate, ransomware is on pace to be a $1 billion a year crime this year. The FBI told CNN that the number "is quite high" because a few people "reported large losses." 2014 - 25M 2015 - 25M 2016 - 1000M (estimate)
- #23 The financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000. Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers
- #24 *Corporations have more valuable data and more money for ransom ( ransom increases from roughly $500 per computer to $15,000 for the entire enterprise). Ransomware operates like this: for every hour that passes in which victims have not paid the ransom, another encrypted file is deleted from the computer, making it unrecoverable even if the ransom is paid or files decrypted via another method. *The malware also deletes an extra 1,000 files every time victims restart their computers and log into Windows. * ransomware encrypts Master File Table. This table contains all the information about how files and folders are allocated. * are both families that takes this unusual route - instead of going after users computers, they infect web servers through vulnerabilities and encrypt website databases and hosted files, making the website unusable until ransom is paid.
- #25 Encrypting data on network drives - even on those ones that are not mapped. DMA Locker, Locky, Cerber and CryptoFortress are all families that attempt to enumerate all open network Server Message Block (SMB) shares and encrypt any that are found. Compressing files first is to speed up the encryption process. Maktub ransomware does this. Deleting or overwriting cloud backups. In the past, backing up your data to cloud storage and file shares was safe. However, newer versions of ransomware have been able to traverse to those shared file systems making them susceptible to the attack. According to Fabian Wosar, of Emsisoft, when Rokku encrypts a victim's data it will use theSalsa20 algorithm and will encrypt each files with its own unique key. A file's key is then encrypted using RSA and stored in the last 252 bytes of the associated file. This allows the developers to provide individual decryption keys for test file decryption. This is also the first ransomware that I know of that uses the Salsa20 algorithm, which provides much greater encryption speeds compared to AES.
- #26 Targeting non-Windows platforms. SimpleLocker encrypts files on Android, while Linux.Encode.1 encrypts files on Linux, and KeRanger on OSX. Using the computer speaker to speak audio messages to the victim. Cerber ransomware generates a VBScript, entitled “# DECRYPT MY FILES #.vbs,” which allows the computer to speak the ransom message to the victim. It can only speak English but the decryptor website it uses can be customized in twelve different languages. It says “Attention! Attention! Attention!” “Your documents, photos, databases and other important files have been encrypted!” Ransomware as a service: this model is offered on underground forums networks, it will provide the malicious code and infrastructure to facilitate the transfer of funds and the encryption key for the victim to be able to access their information. Tox ransomware does this. <BONUS> Using counter-detection malware armoring - Anti-VM and anti-analysis functions. CryptXXX does this.
- #27 drive-bye's and email (ms office documents, and JS in ZIP) - Phishing emails may contain malicious attachments. These attachments are not always delivered in executable form; as security vendors and security best practices dictate that receiving executables via email is, in general, something we want to prevent, threat actors have to adapt to the changing landscape. This can be done by indirect delivery mechanisms. In Windows, for example, a malicious actor may opt for a less direct method of delivery: embed an obfuscated Javascript file into an archive, and rely on the end user for the rest. Opening a .JS file on a Windows host will launch the default browser, and the Javascript can then reach out to an external URL to grab an executable, deliver it to the victim, and execute it. At this point, preventing users from receiving executables via email is no longer effective, as the executable is delivered via HTTP. - Exploit kits (such as Angler, or Neutrino) have been known to deliver ransomware to users by exploiting vulnerable web servers and hosting malicious web scripts on them which exploit visitors when certain criteria are met, and then delivering a malicious payload (Reference)
- #28 Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps.. A common way in for ransomware is via Exploit Kits, like Angler. These bundle many application vulnerabilities into one kit, and try drive-by exploits for each one in sequence. The more your apps are outdated, the more likely, some of these exploits might work and infect you with ransomware. Use network protection A very important part of a comprehensive security strategy is to use network traffic monitoring system that is based on machine learning and behavior analysis. As most of these attacks come in via internet channels, make sure your network protection can parse and analyze both email and web traffic. Use a comprehensive endpoint security solution with behavioral detection The endpoint (user's computer) is whether the ransomware infection takes place. So it is important to use a modern security solution here as well, with a signature-less approach. Signature-less approach, aka behavior detection is the only way to catch zero-day threats, that are new and do not have signatures written for them yet. Turn Windows User Access Control on Windows has added this security feature to help you stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. If you’re doing tasks that can be done as a standard user, such as reading e‑mail, listening to music, or creating documents, you have the permissions of a standard user—even if you’re logged on as an administrator. Take full advantage of it. Office 16 provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet.
- #29 Be skeptical: Don’t click on anything suspicious--Don’t click on any emails or attachments you don't recognize, and avoid suspicious websites altogether. As most of the infections come from user action - opening attachments or visiting websites, being vigilant is the most effective way to minimize damage. Block popups and use an ad-blocker: Popups are regularly used by criminals to spread malicious software. To avoid accidental clicks on or within popups, it's best to prevent them from appearing in the first place. According to Statista, nearly 200 million people worldwide already followed this advice and use ad-blockers. Override your browser’s user-agent. As some Exploit Kits use your user-agent to tailor the write exploit for your Operating system, it pays to trick them by setting the wrong user-agent on purpose. For instance, when using Firefox on Windows, set your user-agent to say “Firefox on Linux” to confuse malware redirectors and exploits. Block Macros, Disable Windows Script Host
- #30 Locky also removes any Volume Snapshot Service (VSS) files, also known asshadow copies, that you may have made. Shadow copies are the Windows way of making live backup snapshots without having to stop working – you don’t need to logout or even close your applications first – so they are a quick and popular alternative to a proper backup procedure. Shadow Copies Sometimes crypto ransomware can have weaknesses in their implementation which could allow victims to recover at least some of their files without paying. For example, Windows can be set up to make recovery points at regular intervals. These backups are called shadow copies. If this service is enabled and if a crypto ransomware does not interfere with this feature, it may be possible recover some files using this method. This blog details various Windows tools that can be useful to aid recovery in case of a crypto ransomware attack. File recovery software Another point worth noting is that when a file is deleted in Windows, the contents of the file are not usually scrubbed from the physical disk itself. Instead, the entries defining the file are removed from the disk allocation tables, freeing up the space. The original data in the freed space is not overwritten until a new file is written to the same space on the disk. This makes it possible to recover delete files if the disk space has not already been overwritten by another file. Victims can use file recovery software such as PhotoRec to scan for deleted files and recover them. No bullet-proof solution It should be noted that the more advanced crypto ransomware groups are aware of these techniques and take steps to prevent their successful use. As a result, some crypto ransomware threats delete shadow copies to prevent victims from being able to recover files. Similarly, other crypto ransomware threats such as Trojan. Ransomcrypt.R use a secure deletion tools such as SDelete to ensure that original files are securely erased from the disk after encryption. In this situation, the only answer is to have a backup of the files as there is no practical way for the files to be recovered or decrypted without the right key.
- #33 Malvertising is the practice of injecting malicious advertisements into legitimate online advertising networks. It is served with the goal to compromises users and their devices. It can occur through deceptive advertisers or agencies running ads or compromises to the ad supply chain including ad networks, ad exchanges and ad servers. Malvertising is not new malware, just a different delivery vehicle.. Malvertising is popular because compromising websites that have high traffic is very effective for malware distrubution. And because attacking these sites ad networks is easier and requires less efforts thatn finding a vulnerability in the site software.
- #34 Websites or web publishers unknowingly incorporate a corrupted or malicious advertisement into their page. Once the advertisement is in place, and visitors begin clicking on it, their computer can become infected. Malvertising often involves the exploitation of trustworthy companies. Those attempting to spread malware place "clean" advertisements on trustworthy sites first in order to gain a good reputation, then they later "insert a virus or spyware in the code behind the ad, and after a mass virus infection is produced, they remove the virus", thus infecting all visitors of the site during that time period. The identities of those responsible are often hard to trace because the "ad network infrastructure is very complex with many linked connections between ads and click-through destinations." [8] Users visit a website and get infected by malware without any action or warning. Website loads a banner ad that has been messed with ( injected with a JavaScript to redirect to a malicious site). That site will load a pack of different drive-by exploits to penetrate the users browser or plugin, achieve remote code execution, and then to install the malware payload. So the lifecycle is: Website -> redirect -> exploit -> payload. The goal of these attacks, seen so far, is to make money , and that is achieved by loading a monetization payload. Most popular ones are Ransomware , like Cryptowall and ad-fraud Trojans like Bedep.
- #35 Cyphort Labs crawler monitors top sites in the world 24×7 to find cases of malicious code served via drive-by exploits. Most of the sites we see serving exploits are not compromised themselves, but redirect to advertisers poisoned by malware. This technique is called malvertising and we issued a special report on the phenomenal growth of malvertising in August of 2015. Here is the latest update on the numbers of unique domains we have found per year: Year Number of unique domains 2014 910 2015 1654 2016 2102* *estimate based on the number seen so far. As you can see malvertising growth continues, and is on pace for the largest year ever. - See more at: http://www.cyphort.com/malvertising-on-pace-for-a-record-breaking-year/#sthash.d1bzdjaE.dpuf
- #36 It’s common practice to outsource the advertising on websites to third-party specialists. These companies re-sell this space, and provide software which allows people to upload their own adverts, bidding a certain amount of money to ‘win’ the right for more people to see them. This often provides a weak point, and cyber criminals have numerous clever ways of inserting their own malicious adverts into this self-service platform. Once loaded, all they have to do is set a price per advert, to compete with legitimate advertisers, and push it live. The ad networks get millions of ads submitted to them and any one of those could be malvertising. They try to detect and filter malicious ads from their systems, but it is challenging. The potential damage is high, as ad networks have a very deep reach and can infect many people quickly. The attackers are accustomed to tricking the networks by making "armored" malverts, where they use various techniques to appear legitimate to the analysts, but infect the users nonetheless. For instance they will enable the malicious payload after a delay of several days after the ad is approved. Another way is to only serve the exploits to every 10th user, or every 20th user who views the ad. Verifying user agents and ip addresses also is a common strategy to hide from analysts and automated malware detection. The attackers can implement various targeting strategies for malware infection, which appear normal in the context of advertisement, but in effect evade certain security detection. The use of redirection via HTTPS is unique (Hypertext Transfer Protocol Secure, a communications protocol for secure encrypted communication). It makes it harder to analyse the origin of attack because even if a security company has the recorded network traffic it is impossible to decrypt and reconstruct the origin of the malware redirect.
- #37 Everyone is partly to blame: Popular websites still using ads exchanges for monetization, ignoring the risk to their users. Ad exchanges pass the blame onto other entities in the ad food chain , like ad networks. Ad networks are not filtering their ad creatives completely. Users do not secure their browsers , do not patch their systems and still use broken technologies from the 90s like Java and Flash. Browsers do not yet disable all of these technologies by default for “good user experience.”
- #39 We even saw a revival of Microsoft Office macros with the latest Cridex variant, referred to as Dridex. This threat has recently been distributed through emails with malicious Word document attachments which download the malware using macros embedded in the document. The emails use the brands of legitimate firms and claim that the attached documents are invoices from these companies. The documents actually contain a VBA macro that downloads the threat onto the user’s computer. Once the malware has compromised the computer, it steals login credentials for online banking sites.
- #40 We even saw a revival of Microsoft Office macros with the latest Cridex variant, referred to as Dridex. This threat has recently been distributed through emails with malicious Word document attachments which download the malware using macros embedded in the document. The emails use the brands of legitimate firms and claim that the attached documents are invoices from these companies. The documents actually contain a VBA macro that downloads the threat onto the user’s computer. Once the malware has compromised the computer, it steals login credentials for online banking sites. Dridex/cridex/Feodo/Bugat: Infected Users: 904 million records compromised Target: North American Banks (JP Morgan Chase's breach) ,European banks(Bank of Scotland, Lloyds Bank, Danske Bank,Barclays, Kasikorn Bank, Santander,Triodos Bank) First Seen : Nov 2014 Delivered by: Spam Messages Actors: unknown https://www.proofpoint.com/us/threat-insight/post/LogIn-Waz-Here http://researchcenter.paloaltonetworks.com/2014/10/dridex-banking-trojan-distributed-word-documents/
- #41 We need to holistically examine the entire malware attack kill chain – every stage of it from the download to the data exfiltration, and use defense in depth techniques powered by machine learning.
- #42 The business of backing up data will thrive because of recent high-profile ransomware attacks We need to holistically examine the entire malware attack kill chain – every stage of it from the download to the data exfiltration, and use defense in depth techniques powered by machine learning.