A quarter of the more than one million suspicious outbound enterprise data flows monitored by cyber security startup BlackFog in the first two months of 2019 went to Russia or China, with the larger share (18.29%) going to Russia.
Data is being sent to these countries on a daily basis without companies’ knowledge, according to Darren Williams, CEO and founder of BlackFog.
“We do not have the same volumes prior to January and February for comparison, but other research suggests that this level of exfiltration is up significantly from previous years,” he told Computer Weekly.
Data on exfiltration attempts is reported from enterprise deployments and aggregated by BlackFog, but devices running the consumer edition send no outbound data to the security firm’s servers at all. “It is all on-device security, which we believe is important,” said Williams.
BlackFog, which uses 12 algorithmic filters in its software to prevent data from being exfiltrated, has also observed a marked increase in the use of fileless malware, which abuses trusted applications that are already installed on the device, such as PowerShell, rather than writing its own executable to disk.
“Using PowerShell enables adversaries to execute scripts remotely without dropping any malware on the device to evade detection,” said Williams.
The BlackFog data shows that 64% of attempted exfiltrations over the two-month period combined PowerShell with direct IP connections, that is, connections made to a bare IP address rather than to a hostname.
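The two signals the article leans on, a trusted pre-installed tool (PowerShell) talking straight to an IP address, and outbound flows aggregated by destination country, are straightforward to reproduce over an endpoint connection log. The following is an added example, not BlackFog’s code and not derived from its product; it assumes a whitespace-separated log format (`timestamp host process destination dst_ip dst_port`), a constructed sample log, and a hypothetical prefix-to-country table standing in for a real GeoIP database, all of which are invented for illustration.

```python
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample of an endpoint agent's outbound-connection log (assumed format,
# not real BlackFog telemetry). Fields: timestamp host process destination dst_ip dst_port.
# "destination" is what the process asked for: a hostname, or a bare IP address.
SAMPLE_LOG = """\
2019-02-03T09:12:01Z ws-017 powershell.exe 203.0.113.45 203.0.113.45 443
2019-02-03T09:12:07Z ws-017 chrome.exe update.example.com 198.51.100.20 443
2019-02-03T09:13:22Z ws-042 powershell.exe 198.51.100.77 198.51.100.77 8080
2019-02-03T09:14:09Z ws-042 outlook.exe mail.example.com 192.0.2.10 993
2019-02-03T09:15:30Z ws-101 powershell.exe cdn.example.net 192.0.2.55 443
2019-02-03T09:16:44Z ws-101 svchost.exe 203.0.113.200 203.0.113.200 80
"""

# Hypothetical prefix-to-country table standing in for a GeoIP database. The
# prefixes are RFC 5737 documentation ranges, so the country mapping is made up.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "RU",
    ipaddress.ip_network("198.51.100.0/24"): "CN",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

MONITORED_COUNTRIES = {"RU", "CN"}        # destinations the article singles out
LOLBINS = {"powershell.exe", "pwsh.exe"}   # trusted built-in tools abused by fileless malware


@dataclass(frozen=True)
class Flow:
    timestamp: str
    host: str
    process: str
    destination: str   # hostname or literal IP, as requested by the process
    dst_ip: str        # resolved address the connection actually went to
    dst_port: int


def parse_log(text: str) -> list[Flow]:
    """Parse the whitespace-separated agent log into Flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, ip, port = line.split()
        flows.append(Flow(ts, host, proc.lower(), dest, ip, int(port)))
    return flows


def is_direct_ip(destination: str) -> bool:
    """True when the process connected to a literal IP address instead of a hostname."""
    try:
        ipaddress.ip_address(destination)
        return True
    except ValueError:
        return False


def country_for(ip: str) -> str:
    """Longest-prefix match against GEO_TABLE; '??' when the address is not covered."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEO_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"


def flag_reasons(flow: Flow) -> list[str]:
    """Reasons a flow is worth reporting; an empty list means nothing to flag."""
    reasons = []
    if flow.process in LOLBINS and is_direct_ip(flow.destination):
        reasons.append("lolbin-direct-ip")
    if country_for(flow.dst_ip) in MONITORED_COUNTRIES:
        reasons.append("monitored-destination")
    return reasons


def summarize(flows: list[Flow]) -> dict:
    """Aggregate the way the article's headline figures are built: share of flows per
    destination country, and share combining a LOLBin with a direct-IP connection."""
    by_country = Counter(country_for(f.dst_ip) for f in flows)
    lolbin_direct = sum(1 for f in flows if f.process in LOLBINS and is_direct_ip(f.destination))
    monitored = sum(by_country[cc] for cc in MONITORED_COUNTRIES)
    total = len(flows)
    return {
        "total": total,
        "by_country": dict(by_country),
        "monitored_share": monitored / total if total else 0.0,
        "lolbin_direct_ip": lolbin_direct,
        "lolbin_direct_ip_share": lolbin_direct / total if total else 0.0,
        "flagged": [(f.host, f.process, f.destination, flag_reasons(f))
                    for f in flows if flag_reasons(f)],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Note that PowerShell fetching from a hostname (the `cdn.example.net` line) is deliberately not flagged by the first rule: the combination the article describes is the tool plus the bare address, and treating every PowerShell connection as hostile would drown an analyst in legitimate update and management traffic.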
Commenting on the recently reported Citrix breach, which appears to be part of a sophisticated cyber espionage campaign by Iranian-backed hackers, Williams said these attack campaigns are highly targeted and growing in number.
“A high proportion appears to be coming from Vietnam and North Korea, so we will be adding those as a destination to monitor for in future,” he added.
Williams said these attacks also appear to be increasingly coordinated. “In the past, they all worked independently, but now they are developing networks among themselves and are sharing code resources,” he said.
Williams said that, unlike the US, countries such as China and Russia appear to be throwing a lot of resources at building cyber espionage capabilities rather than at traditional military research and development.
Developing cyber espionage capabilities is much cheaper than developing new traditional military weapons for fighting conventional wars, he said, indicating a gradual shift to cyber warfare.
“The US is starting to realise this too, and is now starting to ramp up its military cyber capabilities and pay more attention to defending critical infrastructure against cyber attack,” said Williams, adding that cyber warfare is fast becoming a reality with breaches being sponsored by major governments for both political and monetary gain.
Social media risk
Social media companies such as Facebook also pose a significant risk to companies, according to BlackFog, because they collect so much personal data from users, company employees included, that adversaries could tap into and exploit for social engineering, enabling more sophisticated cyber attacks on businesses.
Commenting on the awareness of companies about data leakage, Williams said most are “pretty surprised” to learn how much data is going out without them being aware of it and also how deeply social media platforms such as Facebook are integrated into websites to collect data invisibly.
“Boards usually tell us they are confident with their current cyber protection, which is typically made up of antivirus software and firewalls, but when we ask about outbound data protection, they are invariably not doing very much,” he said.
“The technical guys often still say they are confident about their organisation’s cyber defences, but they are generally very shocked to see how much outbound traffic there is to potential malicious destinations within 24 hours of installing our software on a few machines in the IT department.”
To allay IT teams’ concerns that the BlackFog approach will interfere with business operations by blocking legitimate outbound data flows, Williams said the software is typically implemented in “learning mode” so that it reports what it would have blocked without taking any action.
“By adopting this approach, the software can be adjusted to a particular business and give assurances to IT teams that nothing legitimate will be blocked,” he said.
Commenting on Facebook CEO Mark Zuckerberg’s recent statement that he plans to make the social media platform more privacy oriented, Williams said it will be interesting to see how the company attempts to achieve that transformation, given that its revenue model is so heavily dependent on advertising, which is the main consumer of the data Facebook collects about users.