By Zachery Mitcham, MSA, CCISO, CSIH, VP and Chief Information Security Officer, SURGE Professional Services-Group

1. Introduction of Artificial Intelligence (AI) into cyberattacks. We can’t just dismiss cybercriminals as being unsophisticated imbeciles. It would be a mistake if we did. Cybercriminals are now using computer generated hacking algorithms to create more persistent and efficiently resilient cyberattacks, yielding incredibly favorable results. AI-generated attackers don’t have the weaknesses associated with their human counterparts. They don’t grow weary of trying heuristically to access their targets’ networks. Consequently, they continue until they achieve their ultimate objective.

2. Increase in Cryptojacking. Criminals hacking criminals does not get a lot of press. After all, who cares, right? Wrong! Cryptojacking, if left unchecked, will bleed over to legitimate enterprise activities. Cryptomining of blockchain-generated cryptocurrency has become more attractive to cybercriminals of late. Hackers are leveraging the resources of legitimate computer systems to launch attacks against dark side extortioner sites. The criminals feel like they will go unpunished in that they are attacking the financial resources of a hacker, and no one would care. In the final analysis, who can the criminals being victimized, voice their complaints to?

Also see: How Cryptojacking and Cryptomining Assaults Work

3. Increase in the implementation of immutable backup systems. This will reduce the impact of ransomware attacks.  More organizations have established positions of not negotiating with cyber extortioners. They are deploying technology that will assist them in recovering quickly from cybercrime in the form of ransomware. One technology, in particular, is that of immutable backups. Regular backups offer some resilience against such attacks, but not much. If they themselves are compromised, they are rendered useless. On the other hand, an immutable backup is a backup that cannot be modified or altered by the intruder, thereby making it easier for an organization to recover from a ransomware attack.

Read more predictions from other experts in our January 2022 issue.

About the Author

Zachery S. Mitcham is a 20-year veteran of the United States Army where he retired as a Major. He earned his BBA in Business Administration from Mercer University Eugene W. Stetson School of Business and Economics. He also earned an MSA in Administration from Central Michigan University. Zachery graduated from the United States Army School of Information Technology where he earned a diploma with a concentration in systems automation. He completed a graduate studies professional development program earning a Strategic Management Graduate Certificate at Harvard University extension school. Mr. Mitcham holds several computer security certificates from various institutions of higher education to include Stanford, Villanova, Carnegie-Mellon Universities, and the University of Central Florida. He is certified as a Chief Information Security Officer by the EC-Council and a Certified Computer Security Incident Handler from the Software Engineering Institute at Carnegie Mellon University. Zachery received his Information Systems Security Management credentials as an Information Systems Security Officer from the Department of Defense Intelligence Information Systems Accreditations Course in Kaiserslautern, Germany.

The post Avoid Negotiating with Extortioners and Implement Solutions for Recovery and Resilience appeared first on CISO MAG | Cyber Security Magazine.

By Rudra Srinivas, Senior Feature Writer, CISO MAG

What is Cryptomining?

Cryptocurrency mining or cryptomining is a process of validating cryptocurrency transactions, also called blocks. Cryptocurrencies like Bitcoin, Binance coin, Ethereum, Dash, Monero, etc., use distributed public ledgers to track all the crypto transactions linked to the previous transactions, forming a chain of recorded blocks called a blockchain.

Cryptomining is usually done via sophisticated hardware that solves complex mathematical equations. The first computer (miner) to solve the equation is rewarded with the next block of cryptocurrencies, and the process continues.

How Illicit Cryptomining Works

Anyone with a network of computers (crypto miners) and capable of solving complex mathematical problems can become a crypto miner. However, some crypto miners hire malicious botnets to mine cryptocurrency illicitly. Adversaries leverage malicious cryptomining techniques to compromise cryptocurrencies.  According to Akamai’s report, cybercriminals use several malware variants to infect personal and corporate servers for malicious cryptomining activities. The report stated that the access to fake crypto exchange phishing URLs increased over 500% between March 2020 and May 2021. Threat actors also leverage malicious crypto apps to trick users and steal crypto coins.

Targeting Crypto Wallets

Cryptocurrency hackers often target cryptocurrency exchanges and digital wallets by deploying malicious cryptomining techniques to infect targeted systems and mine crypto coins.

Also Read: How to Safeguard Your Cryptocurrency Wallet from Digital Exploits

A digital wallet (cryptocurrency wallet) allows users to store, transfer, and receive cryptocurrencies without intermediates. Digital wallets are categorized into two types – Hot wallets and Cold wallets. Hot wallets allow users to store, send, and receive digital coins linked with public and private keys that help facilitate transactions. Hot wallets are connected to the internet, making them vulnerable to cyberattacks and unauthorized intrusions. But, cold wallets are stored offline and do not connect to the internet. Therefore, they are not prone to cyberattacks.  Storing your private keys in a cold wallet, also known as a hardware wallet, is the most viable option as these come encrypted, keeping your keys secure.

How to Prevent Illicit Cryptomining  

Cryptocurrency attackers perform illegal cryptomining activities using two methods – Binary-based and Browser-based.

In Binary-based cryptomining, hackers use malicious mobile applications installed on the targeted devices to mine cryptocurrency. These malicious applications automatically download cryptomining botnets to procure digital currency.

In Browser-based mining activity, also known as cryptojacking, bad actors use malicious JavaScript, designed to mine cryptocurrency, embedded into a website. In cryptojacking, threat actors hijack a network of computers and exploit them to mine crypto coins.

How to Prevent Binary-based Cryptomining   

• Research on the app developers. Visit their official website and find their contact details.
• Always download apps from an official app store to reduce the risk.
• Read the terms and conditions carefully. Don’t download if you find anything suspicious.
• Read the reviews to know more about the app.
• Read the app permissions. Don’t install if the app asks for more permissions than required.

How to Prevent Browser-based Cryptomining   

• Frequently update critical systems along with malware intrusion detection software.
• Implement a BYOD (Bring Your Own Devices) at your company and make security awareness training mandatory for all employees.
• Use DNS filters, firewalls, and install the best web filtering tools.
• Install antivirus software and block pages that send cryptojacking mining scripts.
• Continuously monitor your enterprise’s computing resources, check CPU energy consumption, and ensure no cloud misconfigurations exist.

About the Author:

Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.       

More from the Rudra.

 

The post How Illicit Cryptomining Works, And How to Prevent It appeared first on CISO MAG | Cyber Security Magazine.

Ransomware Attacks in India Decline

According to Sophos, there has been a drop in ransomware attacks this year, compared to the previous year. The Sophos survey also highlighted that 67% of Indian organizations whose data was encrypted paid a ransom to get back their data compared to last year, when 66% paid a ransom.

The Sophos report states, “In fact, Indian organizations were the most likely to pay a ransom of all countries surveyed: the global average was just under one third (32%).”

While ransomware attacks in India saw a dip this year, various research reports show that attackers are taking a more targeted and organized approach. There are new vulnerabilities; zero-day attacks are now common. Ransomware hackers have now zeroed in on blockchain, cryptocurrencies, and cryptocurrency exchanges. EC-Council’s Cyber Research cell will be releasing a report on this next month.

According to the Microsoft Security Endpoint Threat Report 2019, Asia Pacific continued to experience a higher-than-average encounter rate for malware and ransomware attacks – 1.6 and 1.7 times higher than the rest of the world, respectively.

India registered the seventh-highest malware encounter rate across the region, at 5.89% in the past year. This was 1.1 times higher than the regional average. The report also found that India recorded the third-highest ransomware encounter rate across the region, which was two times higher than the regional average.

This was despite a 35% and 29% decrease in malware and ransomware encounters, respectively, over the past year.

Cryptojacking Attacks Increasing

The Microsoft report states that crypto-hacking, malware, ransomware, and drive-by download attacks have high cybersecurity challenges in India. In fact, India recorded a cryptocurrency mining encounter rate that was 4.6 times higher and drive-by download attack volume that was three times higher than the regional and global average.

It’s a well-known fact that millions of Indians have taken to cryptocurrency trading via hundreds of exchanges around the world. And since cryptocurrency is linked with ransomware, it’s not surprising that new attack vectors like crypto-hacking, cryptojacking, and illegal cryptomining are picking up in the region.

Cryptocurrency is generated through crypto mining, which requires a lot of computing power. During cryptojacking attacks, the victims’ computers are infected with cryptocurrency mining malware, which enables criminals to leverage the computing power of victims’ computers without their knowledge, to mine cryptocurrency. Pro-Ocean, which was discovered by Palo Alto Networks, is an example of cryptocurrency mining malware.

New Vulnerabilities Found

In its Q2 Index Update, Cyber Security Works reveals new vulnerabilities in the ransomware arsenal. Its research shows that six vulnerabilities have become associated with seven ransomware strains; among them are the infamous Darkside, Conti, FiveHands, and the newly christened, Qlocker.

“With this update, the total number of vulnerabilities associated with ransomware has increased to 266. We have also noticed a 1.5% increase in the number of actively exploited vulnerabilities that are trending currently, reiterating that a risk-based approach for the remediation of vulnerabilities is the need of the hour.

One of the most compelling observations during this quarter was the exploitation of zero-day vulnerabilities even before vendors published their discovery or released patches,” said Ram Movva, Chairman and Co-founder of Cyber Security Works.

More Targeted Attacks

Another trend we observe is that the attacks are getting more targeted. Going forward you can expect to see attackers going after niche sectors rather than trying to pull off large scale attacks on everyone.

“Ransomware threats actors have been constantly evolving their tradecraft to increase the odds of the ransom payment. The most infamous ransomware variants such as WannaCry, NotPetya were more of opportunistic attacks than targeted. However, the ransomware incidents and attacks from 2020 and 2021 are much more focused, planned, and targeted and are becoming ‘Human-Operated’. They leverage known information such as vulnerabilities/ stolen credentials/ phishing attempts to launch initial attacks. These newer ransomware variants are also including ‘cyber extortion’ angle in the mix along with ransomware rendering the data backups/ restoration controls implemented by organizations less effective,” said Prateek Bhajanka, Sr Principal Analyst, Gartner.

He continued, “In many cases of ransomware incidents, the encryption of data may not even occur, and the threat actor would issue a ransom note saying, we have stolen your regulatory, client and other sensitive information, here is the sample, and if you don’t pay, we will also encrypt your data. The ransomware threat actors are going to various lengths to increase the odds of the payment and even resorting to launching/ threaten a DDOS attack if the organization doesn’t pay, called ‘Triple extortion attacks'”.

Bhajanka also said there will be an increase in the volume of attacks due to emergence of Ransomware as a Service (RaaS) in the dark web, which makes it much easier to target specific organizations. He said the attacks are going to be directed at specific industries.

“In 2020, Healthcare and Pharmaceutical industries were the most sought-after targets and now we are also observing increase in attacks in Retail and education sectors. Alongside, the threat actors are targeting the technology service providers such as Managed service providers (MSPs) and Managed Security Service Providers (MSSPs) to use them as a vector/pivot to large number of victim organizations,” he added.

The post Indian Organizations Among Most Targeted for Ransomware; Most Pay Ransom appeared first on CISO MAG | Cyber Security Magazine.

By Rahil Karedia, Global Head – Threat & Security Intelligence and Security Advisory, Network Intelligence, Inc.

Cyberthreat has been in existence since the early stages of communication and is evolving since then with the subsequent development of technology. From Landline hacking in the 1970s to cryptojacking in 2021, cybercrimes tend to become more and more sophisticated with time. With every passing decade, the technological society and cybersecurity professionals find themselves amidst highly coordinated and relentless attacks on digital assets and infrastructure, where the existing solution or defense either fell short or was not scalable enough for the implementation of emerging technology.

The 50s ad 60s

Cyberthreats in the Pre-millennial era looked completely different than what we know or imagine today. Even before the internet was introduced, cybercrimes were being conducted through targeting telecommunications. The fact that people could reach out to other people over a large distance while being unseen.

Landline Hack: Throughout the 1950s and 60’s the wired telecommunication technology was booming, and landlines were available in the majority of households across developed countries. This decade also marked the onset of the first digital-based crime known as “Phreaking,” where the perpetrators exploited the tone system used in telephone networks [1]. The episode dates back to the late 1950s, where a group of phreaks, a short form for the term “Phone Freaks” [2], decided to hack telephone networks by making unauthorized and unauthenticated long-distance phone calls by reverse-engineering the tones used by the telephone organizations. They also set up special party lines to help other fellow phreaks. Perpetrators often impersonated officials, an extensive search of the Bell Telephone company garbage to find any secret information or data, and experimented on the early telephone hardware to learn how to exploit them meticulously, which results in free long-distance telephone calls [3].

The 70s

“The introduction of computer virus”

The decade of over-the-top fashion and new genres of music also saw a new change in the digital landscape. Though research on self-replicating programs was in progress since the ’50s, the first practical implementation, i.e., a computer virus attack was seen in the early 1970s [4]. Bob Thomas, an engineer at BBN Technologies, wrote an experimental self-replicating program, which could move between computers connected by the ARPANET — the technical foundation of the internet [4].

As it could move from one system to another, it was termed as ‘Creeper,’ and while coping itself to the remote system of the 33 ASR teletype model, it left a message that read: “I’M THE CREEPER: CATCH ME IF YOU CAN,” [5]. The techniques which were used in the Creeper were later used in the McROSS — Air traffic simulator to allow certain parts of stimulation to move across the network. The invention of Creeper was soon followed by the development of its enhanced versions. Ray Tomlinson later coded an enhanced version of the Creeper and also went on to write a program called the Reaper, which moved through the ARPANET removing the existing copies of the Creeper.

With the trend of developments and enhancements that defined this decade, programmers with malicious intent for destruction began to emerge, and soon various other viruses were coded and deployed. One of the progenies of such a trend was the rabbit virus that came to light in 1974. This virus is also considered by some as the foundation to early malware, as it was coded to self-replicate until the system crashed [6].

The 80s

The decade that was witness to the birth and propagation of personal computers and wireless telecommunication was also witnessing a prominent growth of destructive viruses. In the same year of 1981, when IBM released its first personal computer, a ninth-grader from Pittsburgh wrote a program called “Elk Cloner” that attached itself to Apple DOS 3.3 OS and was designed to be activated on its 50^th use. This was the first virus to appear in the wild and was spread through the mean of the floppy disk.

The term ‘Computer Virus’ was coined by Leonard Adleman, and research termed “Computer Viruses – Theory and Experiments” was first published by his student Fred Cohen in 1984. With the passing years and constant evolution of technologies, viruses started becoming more sophisticated and destructive every year. In 1986, the PC platform was struck with the first-ever “Global epidemic” called the “brain virus,” as the internet was connecting many systems across the globe, hence, scaling up the spread of the virus. The propagation of the brin virus depicted the lack of security of the systems and was followed by the Vienna virus in the 1987’s, the first-ever virus which was meant to destroy the data.

This decade saw the actual rapid evolution of computer viruses that began to be classified into different categories based on their behavior, such as worms, trojans, etc., that developed with time. The first-ever worm— Morris Worm, was released in November 1988 by Robert Tappan Morris. Morris wasn’t aware of his creation as to what capabilities it held, as it was not designed with an intent of malice. In 1988, the Morris worm, which replicated itself soon with time, evolved into the world’s first large-scale Denial-Of-Service (DOS) attack. It spread through the world and brought many organizational servers and personal computers to a halt. Though Morris released the solution soon enough, for shutting down the program, severe damage caused by the worm was already done and evident. Morris was prosecuted and charged with violating the Computer Fraud and Abuse Act in 1989 [8].

Ransomware attacks first became known to the public in 1989, where the “Aids Trojan” was used to hide files. It was written by Joseph Popp and coded so that the files were encrypted with their names and, when done, displayed a message that stated: “User license to use the software has been expired.” The victims were asked to pay 189 dollars to the PC Cyborg Corporation to receive the repair tool that decrypted the encrypted files [9]. Though this was not considered extremely damaging as encrypting files with names backfired and was easy to restore, this gave rise to the idea of extortion through encryption which soon caught on. Since then, ransomware attacks have evolved and have become more sophisticated, as seen in recent times. Ransomware has grown to be the biggest cyberthreat in today’s time.

On the positive side, this decade witnessed the rise of cybersecurity, with many antivirus products becoming commercially available in the market. Many businesses targeting this market emerged around this period, which includes renowned cybersecurity giants such as Avast, McAfee, etc.

The 90s

As the world went online through the boom of the internet, this decade witnessed the first polymorphic viruses that replicated themselves while the original algorithm was intact in order to avoid any kind of detection.

As organizations began to digitalize and incorporated this into their marketing strategy, i.e., providing free disk, this gave malware a platform to spread further. By 1996 many viruses evolved like the stealth capability, polymorphic viruses, macro viruses, etc. They kept multiplying and spreading in the wild in such a way that by 2007, there were more than five million viruses and malware [7].

Towards the end of the 1990s, emails were a booming trend, and almost everyone with a system and internet connection possessed an email-id for themselves to communicate with ease. This became one of the most popular platforms for threat actors to spread malware and spam. Phishing attacks made the most use of this platform to trick victims into providing sensitive information or downloading malicious attachments.

In 1999, the Melissa Virus surfaced, which initiated the victim’s system via a Word document. It emailed copies of itself to the first 50 email addresses in Microsoft Outlook. It is still one of the fastest spreading viruses, which caused a damage of 80 million dollars to rectify and fix the damages.

The Turn of the Century

AS time progressed, viruses started becoming more progressive and sophisticated, which was evident throughout the 2000s. Numerous viruses came into existence, targeting specific functions of the system via the internet, network, and techniques, ranging from keystroke logging to advanced ransomware attacks.

The Distributed Denial of Service (DDOS) was the epitome of network-based attacks, as the world noticed a breakpoint in Feb 2000, where a series of DDOS attacks surfaced when a 15-year-old Canadian hacker known as the “mafia boy” mounted and executed the DDOS attacks which targeted the e-commerce websites (including Amazon and eBay). The attack led to a loss of 1.7 billion dollars and forced organizations to shut down their websites to regulate legitimate traffic flow.

With the start of the 2000s, a new era of malware emerged as emails were seen as exploitable access points for the perpetrators, who aimed at causing more destruction. The ‘ILOVEYOU’ worm infected nearly 50 million systems which corrupted the data and self-propagated itself by exploiting the victim’s email contacts. This gave an insight into how cybersecurity was crucial and the necessity for all systems to have antivirus software installed to safeguard their systems and data.

The 2000s came to be known as the carding era [10], where digital cash was still a new thing, and people using their Debit Credit cards to purchase various items online. With people relying on the internet for various purposes and digital transactions becoming a trend, Carding attacks increased. Speculations started with the Russian carding forums and marketplaces used by the perpetrators to steal card details and utilized sensitive information for multiple purposes like identity theft and phishing attacks. Cardholders who often used e-commerce platforms were susceptible to carding and phishing attacks, allowing perpetrators to access sensitive information critical to their personally identifiable information (PII). The stolen details were often sold to other criminals or put on sale on various hackers’ platforms and the dark web. The stolen details are often used to make new, fake cards. One such website was the CarderPlanet, founded by Golubov D.I. et al. in the year 2001.

The Twen’tē-tens

Data breaches soon became the center of attraction for the information security landscape due to the emergence of various malware attacks in the decade. In contrast to the previous era where the threat landscape saw the evolution and drastic changes occurring in the time frame of few years, the 2010s and the subsequent decade would see a change in trend every year. There were not any notable novel cyberthreats in this decade, but the development in the existing threat and attack vectors, and their aspects such as mode of dissemination, target, counter anti-cybercrime strategies contributed to the exponential growth of the threat landscape. As time passed by, various new attacks were witnessed with the bypassing years like [10]:

• The year of the data breach – 2011
• The post PC era – 2012
• The year of online banking threats – 2013
• The year of cyberattacks – 2014
• The year of botnets – 2015
• The year of digital extortion – 2016
• The year of global ransomware outbreaks – 2017

This decade saw numerous organizations become victims of data breaches and malware attacks. Especially the initial years were known to be the most challenging for organizations and cybersecurity professionals as the victims of data breaches lost reputation due to the loss of confidential and sensitive information and bore resulting financial burdens and losses towards stabilizing the situation and fixing the damages. Conditions were adverse where organizations like RSA and Sony Play Station had no other options other than disclosing the details and facts about the attack against their organization to assure their customers that proper mitigation steps are taken to resolve the issues.

After initial years the digital data and online presence of users started to move away from personal computers and towards mobile and virtual machines. This change is marked as the post-PC era and also noticed a significant rise in the cybercrimes focused on Android platforms, social networking sites, cloud, etc. As it took less than three years for android devices to reach the threat level of the PCs, which took nearly 14 years for the same, mobile-based cyberthreats and attacks rose in recognition.

The Twen’tē-20s

The future of cyberthreat is projected to be similar to that of the previous decade, where the existing threat vectors and attacks will be developed upon with unique implementation across emerging technologies such as the Internet of Things (IoT), cloud computing, and virtual machines, and blockchain technology. Attack vectors such as phishing and social engineering are here to stay, and the cybersecurity experts do not see them going away any time soon.

Apart from this, the IoT and blockchain technology has given rise to a new form of threat known as crypto-jacking. Crypto-jacking is an evolved form of botnet attacks and is an attack carried out by perpetrators who gain unauthorized access to the victim’s devices (PCs, Tablets, Mobiles, serves of an organization, etc.) to mine cryptocurrencies. Cryptocurrency is digital or virtual money in tokens or coins based on blockchains, and Bitcoin is one of the most popularly known cryptocurrencies. The main of crypto-jacking is to benefit from crypto mining without bearing the vast costs (mining hardware, high electricity costs) of the mining process [11]. Cybercrimes related to cryptocurrencies are seen from 2009 till date, but the cryptocurrency sector is booming, and many individuals investing in cryptocurrencies (especially the ones that have larger values such as bitcoin) have drawn the attention of many attackers. It embeds itself on the victim’s device and uses its resources to mine cryptocurrency.

Conclusion

Cybercrimes have evolved drastically! And malicious use of programs and exploitation of vulnerabilities has greatly modified the cybersecurity landscape. From small viruses that were created as pranks to their use as a threat evolved with time and then scaled to spread across the globe with change from ARPANET to the internet. With the introduction of platforms such as email, networks, cloud, IoT, blockchain, etc. that connected people and data across the globe with lightning speed, the attackers were on the run to create the perfect virus, malware, and other attacks which would compromise on the authenticity, integrity and the confidentiality of the data and cause great harm to the victim and systems.

With the development of technology and integration of security standards, attackers pushed themselves to be a step ahead and create advanced malware, trojans, ransomware, and protocols and procedures that successfully bypassed the security mechanisms. This has been a recurring stance since the technology started developing. Cybercrimes, like cybersecurity, are a forever developing and evolving process. Perpetrators are constantly working on building sophisticated threats, malware, etc., on infiltrating the prevalent and upcoming security measures. It is essential to enhance security measures and protect ourselves from becoming a victim of the ever-growing cybercrime.

About the Author

Rahil Karedia, Global Head – Threat & Security Intelligence and Security Advisory, Network Intelligence, Inc. Rahil is a trusted, responsible and knowledgeable cyberspace veteran with more than five years of experience in operational security domains such as Security Operations Centre (SOC), Threat Intelligence (TI), Threat Hunting (TH), and Incident Response (IR). He is currently leading Threat Intelligence, Security Intelligence, and Security Advisory services.

He has assisted corporate, government, and defense customers from diverse industries (Banking and Finance, Healthcare and Insurance, FinTech and Biotech, Oil and Gas, Power Grid and Nuclear Facility, Government and Foreign Affairs, Aerospace and Defense, Surveillance and Investigation, etc.), for effectively managing the Cyber Security workforce by providing clear visibility on their cyber risk profile and exposure to the cyber threats. He is currently serving EC-Council’s Global Advisory Board for CTIA and has jointly authored a Cyber Research whitepaper on “Role of a Pen Tester in Ethical Hacking” with EC-Council.

Rahil is also focused on terrorism and cyber terrorism, CBRN terrorism, and human trafficking and migrant smuggling issues. He has jointly collaborated with the U.S. Army, U.S. Army TRADOC, and CSFI on four projects related to cyber intelligence, operational security, and telecommunication and internet surveillance.

Rahil’s key aim is to assist and enable organizations in taking intelligence-driven decisions and actions in cybersecurity operations and management.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

References:

1. https://hub.packtpub.com/the-evolution-cybercrime/
2. https://www.britannica.com/topic/cybercrime/Spam-steganography-and-e-mail-hacking
3. https://www.floridatechonline.com/blog/information-technology/a-brief-history-of-cyber-crime/
4. https://www.latrobe.edu.au/nest/fascinating-evolution-cybersecurity/
5. https://corewar.co.uk/creeper.htm
6. https://www.nortonlifelockpartner.com/security-center/evolution-of-computer-viruses.html
7. https://cybersecurityventures.com/the-history-of-cybercrime-and-cybersecurity-1940-2020/
8. https://www.webroot.com/blog/2019/04/23/the-evolution-of-cybercrime/
9. https://resources.infosecinstitute.com/topic/evolution-in-the-world-of-cyber-crime/
10. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolution-of-cybercrime
11. https://www.kaspersky.com/resource-center/definitions/what-is-cryptojacking
    

    ---

The post Everything You Need to Know About the Evolution of Cyberthreats appeared first on CISO MAG | Cyber Security Magazine.

By Anis Pankhania CISO Cloud Infrastructure Services, Capgemini India

Trends in Cybercrime

As stated earlier, the ever-changing threat landscape and the development of technology being used maliciously pose a variety of challenges for the digital forensic investigator. Organizations are under constant threat of attack as there is no shortage of factors that induce disruption, which range from substantial information breaches to malware and botnet assaults. Some of the current trends in cyberattacks could be listed as:

• Malware: The spreading of malware today has turned into a sort of continuous campaign, with the majority of recent incidents involving the use of ransomware or some other form of malware. Spyware and ransomware are the most dangerous malware that poses a serious threat to information security, as they tend to encrypt or exfiltrate sensitive information. To make matters worse, this malware is increasingly equipped with sophisticated anti-forensic techniques that tend to increase the amount of time required for the investigators to retrieve any artifact or evidence. Encryption of data itself is an anti-forensic technique wherein if the threat actor gains a greater privilege, then not only the sensitive information (which is to be held for ransom) but also their digital footprints could be encrypted, never to be decrypted again. Ransomware typically targets all types of file extensions without any barriers, as such files that are of some importance to the victim. Even if the targeted organization pays the ransom, which by the way is now illegal, according
  to the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), there is very little probability of getting back the encrypted data.
• Botnets: Botnets are compromised systems that are controlled by the threat actors through a remote network of command and control without the knowledge of their owners/users. Botnets are generally used to conduct a DDoS attack, cryptojacking, click fraud, phishing, spam, and multiple other malicious operations. The threat actor could issue the command for the attack to the bots at any moment through the command-and-control network. A high level of internet privacy and security knowledge is required on the part of the network administrator and forensic analyst to identify and stop the botnet attack.
• Cryptojacking: This is the advanced application of the botnet network, where the bots are installed with crypto mining programs to mine cryptocurrency. This cryptojacking malware is designed to hijack the processor of the device to run crypto-mining programs effectively, which will, in turn, overheat the power source, hence, damaging the device. Though crypto mining is not illegal, it is a legitimate method used by blockchain experts to mine and generate digital currency, but this process requires high and fast performance on the part of the systems, which is generally expensive. Where legitimate miners use their high-end systems and tools, malicious attackers use their botnet network to mine digital currency.

Importance of Cyber Forensics

Though it may seem that cyber forensics exists due to the existence and implementation of cybersecurity programs, and a failed information security framework feeds the digital forensics operations. But in reality, both are co-dependent and go hand-in-hand. Digital forensics provides the information that feeds the developments in cybersecurity. The cumulative information about the state of security is obtained through numerous cases investigated through cyber forensics. Understanding this delicate balance between the two will help cybersecurity professionals to create a better security architecture…To read the full story, subscribe to CISO MAG

This story first appeared in the June 2021 issue of CISO MAG.

About the Author

Anis Pankhania is a technology leader, with a thorough understanding of adapting technology expertise to “business vision.” He is an award-winning information security leader with 23 years of experience in leading the complete information security, infrastructure management, digitalization, application development and management, program/ project management, IT network and data center operations, telecom circle/ corporate/business operations, etc. The majority of his tenure has been spent with large telecom and IT companies in India (Bharti Airtel, Aircel, IBM, and Vodafone). Pankhania established IT divisions from scratch, involving the design of strategy & execution roadmap, objectives, operating procedures, multi-site facilities, end-user workspace for 30k+ end users.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

The post How Digital Forensics Complements Cybersecurity appeared first on CISO MAG | Cyber Security Magazine.

Higher the value, grave the crime

The price of cryptocurrencies is highly volatile. The rise in crypto values certainly influences the frequency of illicit cryptomining in the wild. As the price skyrockets, crypto hackers perform various crypto hacking campaigns using malware payloads like RATs and banking Trojans. Attackers often target cryptocurrency exchanges and digital wallets to steal virtual currency.

Among all cryptocurrencies, Monero is the most preferred virtual coin for attackers in their illicit mining activities. The standard design of Monero enabled attackers to mine them on unsuspecting systems across the globe.

“It appears that the mining activity does have some dependence on the value of the currency. The most cryptomining activity we’ve ever seen has occurred in the last couple of months when Monero hit its all-time high. Outside of the short price drop that occurred in early 2021, before the massive spike, the graph tracks almost identically the value of the currency. This was honestly a surprising correlation since it’s believed that malicious actors need a significant amount of time to set up their mining operations, so it’s unlikely they could flip a switch overnight and start mining as soon as values rise. This may still be true for some portion of the threat actors deploying miners, but based on the actual data, many others are chasing the money,” Cisco Talos said.

Crypto Threats Surge by 500%

According to Akamai’s report, cybercriminals are using several malware variants to infect both personal and corporate servers for malicious cryptomining activities. The report stated that the access to fake crypto exchange phishing URLs increased over 500% between March 2020 and May 2021. Threat actors are also leveraging malicious crypto apps to trick users and steal crypto coins.

“We believe the increase in malicious traffic is driven by the increase in cybercriminals’ motivation to execute cryptomining activities. As cryptocurrency prices grow, and the potential benefit from malicious mining activities increases, cybercriminals gain momentum as well,” the report added.

The post Illicit Cryptomining Surges Amid Soaring Crypto Value appeared first on CISO MAG | Cyber Security Magazine.

By Zachery S. Mitcham, MSA, CCISO, CSIH, VP and Chief Information Security Officer, SURGE Professional Services-Group

What is it?

Simply put, cryptojackers attack enterprise technological systems with the goal of leveraging their computer resources to launch cryptomining assaults on cryptocurrency firms. Graboid, PowerGhost, Badshell, MinerGate, and Prometei are all well know cryptojacking variants that intruders use to capitalize on the resources of the enterprise and personal systems with the intent of conducting cryptomining of popular cryptocurrencies.

How does it work?

Cybercriminals surreptitiously gain access into enterprise or personal computer systems and inject malicious computer code onto them. No systems are safe from cryptojacking. Cloud-based, file-based, and browser-based systems have all been known to have been affected by cryptojackers.  The method of choice used by the intruder to introduce the code onto a system is by way of phishing attacks in various forms.  Once the code’s payload is applied to the system it behaves similarly to a technological parasite, much like a tick on a dog or a leach on a host.  The injected code works in the system background undetected. The preferred code used by the intruder is usually a polymorphic, zero-day, advanced persistent malware deployed as a rootkit.

The intent of the code is not to harm the host, rather hijack its CPU resources in order to launch attacks on other computer systems particularly cryptocurrency targets. Cryptojackers view crypto mining of cryptocurrency as less risky than ransomware in that cryptocurrency firms do not have the same emotional public and law enforcement support as does traditional brick and mortar enterprises that directly affect their everyday lives as was the case with the ransomware attack on the colonial pipeline causing a major consumer panic.

How do I know If my system is affected?

The degraded performance of your system could be an indication that its resources are being used to conduct unwitting cybercriminal activities. Traditional methods used to detect common vulnerabilities such as antivirus protection and popular vulnerability scans are ineffective when it comes to detecting Cryptojacking malware.  Network monitoring tools are more effective in detecting Cryptojacking activities in that they reveal increased and unexplainable CPU usage that could possibly cause endpoint failure due to overheating as a result of the increase in usage. Utilizing various network monitoring tools such as Simple Network Management Protocol tools in tandem with Security Information and Event Management tools configured to detect changes within an enterprise technological network, servers and endpoints will be beneficial in the quest for discovering Cryptojacking within your organization.

How can I protect my system against cryptojackers?

1. Both non-governmental organizations (NGOs) and government organizations (GOs) can avoid becoming unwitting accessories to cybercrime by implementing the NIST 800-207 Zero Trust framework throughout their enterprise. The Zero trust framework focuses on three primary areas of enterprise computing operations:  the user, the device, and the application.  Computer systems at their inception were designed to be collaborative in nature and therefore did not focus much on security.  In 1988 that paradigm shifted with the introduction of the Morris Worm. Zero Trust now becomes the default, with the idea that the device, the user, and the application cannot be trusted, even when they have been vetted and confirmed as being a legitimate component of the enterprise’s network.  The user’s identity and authentication coupled with the authentication of the device and application access controls are the foundation of this model. Zero trust forces administrators to approach every component of their network as possibly being compromised and therefore require stringent policies and configurations that must be met in order to allow them to operate within its schema.  Network segmentation and sensitive data compartmentalization, irrespective of where the system computing occurs or resides, whether it be in the cloud, or on-premise, are treated in the same manner.  When all of these conditions are met then, and only then will the device, user, or application be allowed to operate freely within the network given audit trails and constant monitoring.
2. Information security awareness education and training are of paramount importance in combatting Cryptojacking. The enterprise must create a culture of security that is ubiquitous throughout the organization.  Everyone in the enterprise has a role to play in protecting the organization’s technological assets from the Board of Trustees, Senior Management to the frontline operational staff.  Again, this culture must be pervasive throughout the organization.
3. Newer endpoint protection products are now capable of detecting and isolating some of the most popular Cryptojacking variants. The enterprise must invest in outfitting its computer systems with robust endpoint protection.

The long and short of it is that cybercriminals do not have to comply with any rules, regulatory compliance mandates, or standards.  Their tactics to disrupt, destroy and manipulate organizations technological system operations are ever-evolving.  Therefore, the enterprise must be ever vigilant in the safeguard of their technological resources.

Stay alert! Stay Alive!

About the Author

Zachery S. Mitcham, MSA, CCISO, CSIH is the VP and Chief Information Security Officer at SURGE Professional Services-Group. He is a 20-year veteran of the United States Army where he retired as a Major. He earned his BBA in Business Administration from Mercer University Eugene W. Stetson School of Business and Economics. He also earned an MSA in Administration from Central Michigan University. Zachery graduated from the United States Army School of Information Technology where he earned a diploma with a concentration in systems automation. He completed a graduate studies professional development program earning a Strategic Management Graduate Certificate at Harvard University extension school. Mr. Mitcham holds several computer security certificates from various institutions of higher education to include Stanford, Villanova, Carnegie-Mellon Universities, and the University of Central Florida. He is certified as a Chief Information Security Officer by the EC-Council and a Certified Computer Security Incident Handler from the Software Engineering Institute at Carnegie Mellon University. Zachery received his Information Systems Security Management credentials as an Information Systems Security Officer from the Department of Defense Intelligence Information Systems Accreditations Course in Kaiserslautern, Germany.

Disclaimer

 CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.

The post How Cryptojacking and Cryptomining Assaults Work appeared first on CISO MAG | Cyber Security Magazine.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” the researchers said in a statement.

The new malware campaign was first spotted on June 10, 2020. The attackers later resumed their campaign on June 11 with an upgraded version of the malware, which included the addition of anti-sandbox capability and new checks for device drivers. According to the researchers, the vulnerabilities targeted by Lucifer malware include Rejetto HTTP File Server (CVE-2014-6287), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), Oracle Weblogic (CVE-2017-10271), Laravel framework  CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).

If an attacker exploits the flaws successfully, the malware installs itself and connects to the command-and-control (C2) server and executes arbitrary commands on the vulnerable device. Researchers also stated that Lucifer contains three resource sections – the X86 resource section that contains a UPX-packed x86 version of XMRig 5.5.0; the X64 resource section that contains a UPX-packed x64 version of XMRig 5.5.0; and the SMB section that contains a binary, which includes exploits like EternalBlue, EternalRomance, and DoublePulsar backdoor implant.

“Lucifer is quite powerful in its capabilities. Not only is it capable of dropping XMRig for cryptojacking Monero, it is also capable of C2 operation, and self-propagation through the exploitation of multiple vulnerabilities and credential brute-forcing. Lucifer also checks for the presence of the following device drivers, DLLs, and virtual devices. If any of these objects are detected, the malware enters an infinite loop, stopping its execution from going further. Applying the updates and patches to the affected software are strongly advised,” the researchers concluded.

The post Lucifer Malware Exploits Windows Vulnerabilities to Launch DDoS Attacks appeared first on CISO MAG | Cyber Security Magazine.

In an exclusive e-mail interview with Augustin Kurian, Senior Feature Writer of CISO MAG, Mukherjee talks about the fast-moving cryptocurrency markets and how bitcoin is helping cryptojacking to stay a relevant lucrative option for cybercriminals. He discusses some of the pressing cybersecurity issues faced by Indian telcos. Mukherjee states that unknown zero-day threats are just that — unknown. And there is no way to predict the next vulnerability avenue that will be exploited. He highlights how SonicWall’s intelligence-driven analytic service addresses zero-day attacks.

In one of your earlier interviews with CISO MAG, you said, “The rise of ransomware forced companies to improve their defenses against malware and intrusions. As a result, malware developers seek new ways to evade network security defenses.” While hackers are innovating and leveraging methods like cryptojacking, what are the steps taken by Sonic Wall to thwart malicious activities like cryptojacking and many others?

With the rising costs of mining cryptocurrencies such as Bitcoin, hackers develop and distribute malware to make victims do it for them. SonicWall prevents cryptojacking software from being downloaded and spreading throughout the network through the power of our next-generation multi-layered technology chain of security devices and services.

Cryptocurrency markets are fast-moving, where quick bull runs (often caused by price manipulation) can cause dramatic price spikes. Bitcoin ($BTC) prices also drive the value of Monero ($XMR), which is the alt coin of choice for many cybercriminals since its transactions can’t be publicly tracked like bitcoin. Halfway through 2019, bitcoin is surging again and is helping cryptojacking stay relevant as a lucrative option for cybercriminals. Cryptojacking volume hit 52.7 million registered attacks for the first six months of the year, as published in the mid-year update of the 2019 SonicWall Cyber Threat Report.

We can log hits and analyze signatures all day. But it remains difficult to align cryptojacking attacks — and criminal intentions — with cryptocurrency value.

Ultimately, it doesn’t matter what they mine. It only matters how they mine and all forms of these illegal miners — and future — damage systems and create security vulnerabilities.

SonicWall Firewalls filter out cryptojacking software entering the network. Intrusion Prevention Service (IPS) stops cryptojackers like Coinhive from spreading across the network and connected devices. Eliminate phishing emails with SonicWall Email Security. Scan email attachments and embedded URLs for advanced threats. Prevent malicious uploads with SonicWall Secure Mobile Access (SMA). Roll back affected endpoints with cryptojacking software to a clean state with Capture Client. Leverage SonicWall Gateway Anti-virus to stop known forms of cryptojackers. Funnel suspicious files to SonicWall Capture ATP to discover and stop new strains of coinhive and other related attacks. Block access to cryptojacking websites with Content Filtering Service. Continuously monitor system behavior for cryptocurrency mining behavior.

SonicWall is aiming to provide managed security services to Indian telcos. What advancements have been made on that front? Also, what are the pressing cybersecurity issues faced by Indian telcos?

Risk to non-adherence to cybersecurity regulations, breach of subscriber data, DDoS intended to disrupting services, risk management and mitigation for rolling out new technologies with right security controls, stopping leakage of database by outsourced entities, minimize the magnitude of an event to recover as quickly as possible and reduce the impact on their customers.

These however have brought new avenues to telcos. They can offer cybersecurity services to enterprises, providing services on securing end customer networks, thereby using cybersecurity as an opportunity to gain upper hand in a very competitive market.

In this perspective SonicWall has developed many offerings for MSSP and in India we have started offering our services with one of the leading telcos and we are in process of launching several new services in next few months.

When it comes to malware detection and protection, several companies are relying on signature-based malware monitoring. What are the challenges in using signature-based malware monitoring? How does SonicWall differentiate itself from other vendors when it comes to malware detection and protection?

Threat detection has evolved from static to dynamic behavioral analysis to detect-threatening behavior. Comprehensive layers of defense, properly placed within the network and the endpoint, provide the best and most efficient detection and response capabilities to match today’s evolving threats.

For years, SonicWall offered endpoint protection utilizing traditional antivirus (AV) capabilities. It relied on what is known as static analysis. The word “static” is just like it sounds. Traditional antivirus used static lists of hashes, signatures, behavioral rules and heuristics to discover viruses, malware and potentially unwanted programs (PUPs). It scanned these static artifacts across the entire operating system and mounted filesystems for retroactive detection of malicious artifacts through scheduled scanning.

Traditional antivirus focuses on pre-process execution prevention. Meaning, all the scanning mechanisms are primarily designed to prevent the execution of malicious binaries. If we go back 20 years, this approach was very effective at blocking the majority of malware, and many antivirus companies capitalized on their execution prevention approaches.

SonicWall developed advanced real-time memory monitoring to detect malware designed to evade sandbox technology. Today, SonicWall uses a multitude of capabilities — coupled with patent-pending Real-Time Deep Memory Inspection (RTDMITM)—to identify and mitigate malware more effectively than competing solutions.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine, Capture Client applies advanced threat protection techniques, such as machine learning, network sandbox integration and system rollback. Capture Client uses automated intelligence to adapt and detect new strains of malware through advanced behavior analytics. One crucial feature of the latest Capture Client solution is the ability to record all the behaviors of an attack and the processes involved on an endpoint into an attack storyline—essential for security operations detection, triage and response efforts. SonicWall Capture Client combines multiple technologies to provide the most efficient and effective defense against threat actors. The solution should be paired with a defense-in-depth security strategy across all the key layers of transport, including email, network and endpoints.

Adoption of AI and ML is touted to be the future of cybersecurity. In that front, SonicWall has always been way ahead in the league. Briefly tell us about the upcoming products and services from SonicWall that aim to counter threats of the future.

Unknown zero-day threats are just that — unknown. You have no way (besides historical experience) to predict the next vulnerability avenue that will be exploited. The other quandary faced when tackling complex targeted zero days is the skills gap. Staffing a security operations center (SOC) with highly skilled cybersecurity professionals comes at a cost and only becomes profitable with economies of scale that a large customer base brings.

AI understands the big data coming from behavioral analysis. It can adapt the discovery approach to uncover threats that try to hide and, once determined as malicious, can fingerprint the payload via signature, turning a zero day into a known threat. It is the speed of propagation of this new, known signature to the protection appliances participating in the mesh protection network that drives the efficiencies to discover more threats.

Also, it’s the size of the mesh network catchment area that allows you the largest overall service area of attaches, which helps your AI to quickly learn from the largest sample data set. SonicWall has you covered on all these fronts. With more than one million sensors deployed across 215 territories and countries, SonicWall has one of the largest global footprints of active firewalls. Plus, the cloud-based, multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox service discovers and stops unknown, zero-day attacks, such as ransomware, at the gateway with automated remediation. Our recent introduction of the patent-pending Real-Time Deep Memory Inspection (RTDMITM) technology, which inspects memory in real time, can detect and prevent chip vulnerability attaches such as Spectre, Meltdown and Foreshadow. It’s included with every Capture ATP activation.

At SonicWall, the mantra of automated, real-time breach detection and prevention is fundamental to our security portfolio. It is how our partners drive predictable operational expenditures in the most challenging security environments. Only via connected solutions, utilizing shared intelligence, can you protect against all cyberthreat vectors.

Can you update us how SonicWall products address zero-day attacks? What is the kind of “threat intelligence” and “predictive capabilities” in your products?

SonicWall Analytics is a powerful intelligence-driven analytic service. It gives a direct line of sight into the threat intelligence of your networks and users in real time, all through a single pane of glass. With drill-down capabilities, security teams can mine various sets of contextualized firewall log and flow data to easily find and tackle security as well as network performance issues quickly.

SonicWall provides single-pane visibility and complete situational awareness of the network security environment, perform deep investigative analysis, gain deeper knowledge and understanding of potential and real risks and threats, hunt, detect and remediate risks with greater clarity, certainty and speed, reduce incident response time with real-time, actionable threat intelligence.

Analytics is available in SaaS mode via the SonicWall Capture Security Center and can also be deployed on key virtual platforms such as VMWare and Hyper-V. The flexibility to leverage this product across multiple platforms along with capex or opex-based licensing helps ease the financial and operation planning and decision processes. This gives organizations the operational and economic benefits of virtualization and cloud computing. It also enables dynamic upscaling of storage to fulfill the growing data retention requirements from virtually unlimited number of firewall nodes.

SonicWall is announcing new offerings for managed security service providers (MSSP) on April 6, 2020. The newly announced capabilities allow MSSPs to simplify oversight, visibility and management of cybersecurity ecosystems as they continue to expand.

The cyberthreat intelligence, which is available in the SonicWall Security Center, maps the behavior of cybercriminals and the tactics they employ to breach the networks of businesses and organizations across the world. Included with Capture ATP, SonicWall’s patent-pending RTDMI technology catches more malware than behavior-based sandboxing methods, with a lower false positive rate.

First announced in February 2018, RTDMI technology is used by the SonicWall Capture Cloud Platform to identify and mitigate even the most insidious cyberthreats, including memory-based attacks. RTDMI proactively detects and blocks unknown mass-market malware — including malicious PDFs and attacks leveraging Microsoft Office documents — via deep memory inspection in real time. Because of obfuscation techniques, many legacy firewalls and anti-virus solutions are unable to effectively identify and mitigate PDFs or Microsoft Office file types that contain malicious content.

The post “Threat Detection has Evolved from Static to Dynamic Behavioral Analysis to Detect-Threatening Behavior” appeared first on CISO MAG | Cyber Security Magazine.

Most Targeted Web Applications

According to the research, attackers mostly targeted popular web applications like SharePoint, Atlassian Confluence, Drupal Oracle WebLogic, Microsoft Windows GDI, Slack, G Suite, and Dropbox, which offer cloud-first interfaces and web versions to complement on-premise software.

Other Major Findings

The research also highlighted statistics on different attack vectors like ransomware, cryptojacking, and other cyberattacks. It revealed that 9.9 billion malware attacks were reported during 2019, from which 187.9 million were detected as ransomware attacks. Encrypted threats increased by 27 percent whereas cryptojacking attacks had fallen by 78 percent, the research stated.

SonicWall President and CEO Bill Conner said, “In a modern, citizen-centric environment, successful ransomware attacks are highly disruptive. Networks from city hall, law enforcement agencies, sanitation, courthouses or the DMV could be compromised in minutes and everyday operations held for ransom, often at exorbitant costs. Once these attacks are weaponized by mainstream criminal groups, we will see critical damage across infrastructure, servers, security appliances, data repositories, mobile devices and a wide range of endpoints.”

SonicWalls’s RTDMI Technology

In an earlier research, SonicWall’s Real-Time Deep Memory Inspection (RTDMI) identified over 74,000 never-before-seen attacks, a number that already surpassed in the first quarter of 2019 with more than 173,000 new variants detected. The company’s patent-pending RTDMI technology identified over 83,000 unique, never-before-seen malicious events, of which over 67,000 were PDFs linked to scammers and more than 5,500 were PDFs with direct links to other malware. SonicWall stated that this fraud campaign took advantage of recipients’ trust in PDF files as a safe file format that is widely used and relied upon for business operations.

The post Attacks on Web Applications Surged in 2019: Report appeared first on CISO MAG | Cyber Security Magazine.