lolloj - Fotolia

Segment and segregate to defend data from cyber attack in 2016, urges F-Secure

Attackers will focus on critical data in 2016, mainly with the motive of cyber extortion, according to the latest threat report from F-Secure

Cyber extortion emerged as a strong trend in 2015, and is expected to continue in 2016, according to the latest threat report by security firm F-Secure.

The most common form of cyber extortion in recent months is the use of malware to encrypt organisations’ files and demand ransom payment in return for the decryption keys.

2015 saw the rise in popularity of several families of so-called ransomware, especially CryptoWall, Crowti and Teslacrypt, the report said.

While the Angler exploit kit delivered Alpha Crypt, Reveton and ransomware, the Nuclear exploit kit delivered CTB-Locker and Troldesh. However, Cryptowall and TeslaCryp was delivered by both, with Cryptowall also delivered by the Magnitude and Fiesta exploit kits.

In the first quarter of 2016, F-Secure said several large organisations had been hit by consumer-type ransomware, including some hospitals and local government authorities, causing “a considerable amount of pain” for those organisations.

Exposing data

However, cyber extortion is being increasingly conducted using the threat of distributed denial-of-service (DDoS) attacks and the threat of exposing sensitive commercial data.

This data typically includes intellectual property and information relating to legal cases or mergers and acquisitions, according to Sean Sullivan, security advisor at F-Secure Labs.

“We expect 2016 to be the year of cyber extortion, with big company database breaches followed up by demands for payment not to publish the data,” he told Computer Weekly.

Sensitive data is often easily accessible to attackers because there are no barriers or controls
Sean Sullivan, F-Secure Labs

In the past ten years, said Sullivan, malware as a service has become entrenched as a business model in the hands of organised professionals, moving beyond commoditised malware to hacks of corporate databases.

“If corporations have not started segregating and segmenting their data into isolated zones on the network, that is tantamount to negligence,” he said.

Far too many organisations are keeping mission-critical documents and intellectual property on network shares, said Sullivan. These can be accessed by hackers and even commoditised malware.

“Just by moving laterally across a network, sensitive data is often easily accessible to attackers because there are no barriers or controls,” he said.

In 2015, Sullivan said there was plenty of evidence that organisations are not able to prevent intrusions by commoditised malware.

“If organisations were not prepared for commoditised malware and dumb bots in the past year, they are unlikely to be prepared for human hackers following the bot in 2016,” he said.

Cyber extortion

F-Secure researchers predict there will be a shift towards intelligent, targeted attacks aimed mainly at extorting money from organisations.

Sullivan believes the attack on Sony Pictures Entertainment in November 2014 fell into this category. It was the first of this kind of attack to make headlines.

Although the attack has been linked to North Korea’s anger over the film The Interview, Sullivan said the initial emails relating to the attack demanded money, which means cyber extortion was more likely the prime motive for the attack.

Similarly, he said the attacker behind the Ashley Madison breach may have disapproved of the company’s business, but the prime motive was extortion and data was dumped only when the company failed to give into demands.

Sullivan suspects there may have been several other similar cases that have not made the headlines because targeted companies elected to pay off the cyber extortionists.

“In 2016, I think we will see an example of a large corporation dealing with customer data facing threats of that data being dumped onto the internet if they fail to make a certain payment,” he said.

Exploit kits

Another key finding of the report is that exploit kits face a disruptive future in the light of the fact that prominent exploit kits such as Angler, Nuclear and others mostly took advantage of vulnerabilities in Adobe Flash.

Sullivan predicts that Google Chrome will kill Flash support in early 2017, and Mozilla Firefox and Microsoft Edge will follow. This could mean that, by early 2017, Flash will no longer bear fruit for exploit kit makers.

Exploits, which have become one of the most common vehicles for malware in the past decade, need out-of-date software to accomplish their goal of getting through security holes. However, that software will become increasingly difficult to find, according to Sullivan.

For example, with HTML 5’s capability to “do it all”, the need for third-party browser plugins has mostly been eliminated. Today’s browsers themselves are auto-updated, without the need for the user to intervene, so users always have the latest version.

Hopefully exploits will die, said Sullivan, with Microsoft’s software being much more secure than it used to be; with Adobe’s other software becoming increasingly cloud based; and with browser developers forcing Java into a restricted place.

Macro malware makes a comeback

However, he said, cyber attackers will move onto something else. This will most probably be, for the short term, falling back on email attachment-based malware schemes. One such scheme is macro malware, which re-emerged in 2015 after lying low since the early 2000s.

Malware authors use the macro feature in Microsoft Office to implant malicious code to documents they email as attachments.

With Office 2003, Microsoft changed default settings to no longer run macros automatically, making attacks much more difficult. But now macro malware attempts to get around Microsoft’s default settings by displaying text in the open document that claims it is a “protected” document that requires the user to enable macros.

“In the past, we have seen attackers revert to older methods, such as when the Blackhole exploit kit was shut down, the attackers behind the GameoverZeus Trojan switched to using zip files and macro documents to distribute the malware,” said Sullivan.

As attackers are less able to exploit browser plugins to install malware on the disk, F-Secure also expects attackers to turn to malware that is resident only in memory and does not require installation on disk.

“Cyber extortion through encrypting critical files does not necessarily require persistence, it only has to life long enough to locate and encrypt the targeted data,” said Sullivan.

Greater focus on browsers

As third-party plugins are phased out, F-Secure expects greater focus on using browsers as a way to infect computers.

“Even though there has been a concerted effort to harden browsers, there are probably tricks up attackers’ sleeves that they haven’t used yet,” said Sullivan.

To defend against these tactics, he said organisations should ensure they have usable backups that are not cloud based or connected to the corporate network in any way.

“In 2016, organisations should really be focusing on protecting their data, because that is what attackers are going after more than ever,” said Sullivan.

Read more about ransomware

Read more on Hackers and cybercrime prevention