Ransomware to target IOT devices?

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 27 Jan 2016

During the past few years, the top attack vectors haven't changed much, but attacks have increased in sophistication and are more surgically precise. The underlying commonality is that in many cases humans are the main target of these attacks, through spear phishing in the form of bad content delivered as an e-mail attachment.

So says Antonio Forzieri, cyber security practice lead EMEA Symantec, who will be presenting on 'Ransomware, the IOT and how we are exposed to threats' during the ITWeb Security Summit at Vodacom World from 16 to 20 May.

He says these spear phishing attacks can range in format from PDFs, Microsoft Excel, Microsoft Word and RTF documents containing an exploit, to less sophisticated attacks where the payload is delivered as an attachment in the form of a zip file containing a binary file (either an EXE or an SCR).

"Many of these attacks do not use any form of 0-day exploit, rather attackers leverage well-known one-day exploits, usually packaged in affordable exploit kits, to achieve their objective."
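As an added illustration of the less sophisticated delivery format described above (a zip attachment carrying an EXE or SCR), the following Python example shows how a mail filter could flag such archives; it is not from the article or from Symantec, and the function names and sample archives are constructed for the example. Besides the file extension, it checks for the `MZ` header so that a renamed executable is still caught.

```python
import io
import zipfile

# Extensions named in the article (EXE, SCR); extend per local policy.
EXECUTABLE_EXTENSIONS = (".exe", ".scr")
PE_MAGIC = b"MZ"  # first two bytes of a Windows PE/DOS executable


def executable_members(zip_bytes):
    """Return (member_name, reason) for every zip member that looks executable."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "unreadable zip")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().endswith(EXECUTABLE_EXTENSIONS):
                findings.append((name, "executable extension"))
                continue
            if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                findings.append((name, "encrypted member, cannot inspect"))
                continue
            with archive.open(info) as member:
                if member.read(2) == PE_MAGIC:
                    findings.append((name, "PE header under non-executable name"))
    return findings


def build_sample(members):
    """Build a constructed zip in memory from {name: bytes} (hypothetical helper)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buffer.getvalue()


# Constructed samples, not real malware: harmless bytes with an MZ prefix.
SUSPICIOUS = build_sample({
    "Invoice_2016.pdf.scr": b"MZ" + b"\x00" * 16,
    "readme.txt": b"hello",
    "photo.jpg": b"MZ" + b"\x00" * 16,
})
BENIGN = build_sample({"report.txt": b"quarterly numbers"})
```

Calling `executable_members(SUSPICIOUS)` reports the double-extension `.scr` file and the renamed executable, while `BENIGN` yields an empty list.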

Watering hole tactics are also used, he says. "In this case the attacker injects a hidden link onto a legitimate Web site and waits for victims to visit the infected site. The hidden links usually point to a commercial exploit kit that can serve exploits for multiple technologies on multiple platforms and deliver a payload (a specific piece of malware) on the compromised system. Exploit kits can be really effective in compromising a large number of users, but they are used in very targeted attacks too."

Supply chain attacks are another popular method, says Forzieri. Sometimes attackers infiltrate big companies by compromising one of their suppliers or third-party partners. This is usually easier as these partners are not necessarily as robust in terms of their cyber security investments.

Ransomware

Speaking of ransomware, a type of malware that prevents or limits users from accessing their systems, demanding a ransom in order to release the data and systems, he says the concept has reached an incredibly high level of maturity.

Antonio Forzieri, cyber security practice lead EMEA Symantec.

"Ransomware has been hitting PCs (mainly Windows) and mobile phones to date. As Windows is by far the most widely used operating system in the world, this comes as no surprise. Ransomware specifically designed for the other major desktop operating systems such as Linux or Mac OS X has been thin on the ground, most likely due to the low market share of those operating systems, making ransomware investment in them unattractive."

He says multi-platform ransomware has also reared its ugly head. "Browlock is the first example of this sort of ransomware, however, its effectiveness is limited since it only targets the Web browser and can be relatively easily overcome. Recently we have also seen the first ransomware fully written in JavaScript able to potentially encrypt multiple platforms."

In terms of what is next for ransomware, he says the rise in IOT devices might see the infection of these new platforms. "Infecting smart watches or smart TVs has been researched and demonstrated already. What would happen if a gang decided to infect millions of smart TVs in SA and lock them just before the Springboks start playing a match?"

When asked what can be done to combat this particular scourge, he says educating the user base is key. "Make your users aware of modern threats. Symantec's Simulation offering can help in this space, providing the right training to the right people. Also, backup, backup, backup. Should you be infected, backup is the easier solution. Same goes for patching. One of the most common delivery methods for ransomware is through drive-by downloads caused by watering hole attacks, which is why turning on automatic updates for Microsoft OS, Adobe and Java is really key."

Next he cites using a comprehensive endpoint protection technology. "Endpoint protection technologies provide multiple scanning and identification engines. Be sure you have all the detection engines active - signature, behavioural, reputation, heuristics, network protection via Host IPS and suchlike."

Forzieri also advises the use of a specialised threat analysis and protection (STAP) solution, as these are key in identifying new mutations of ransomware and stopping them, possibly before they can do major damage.