Posts

The End of an Era – Next Steps for Adobe Flash

Earlier this week, Adobe announced that Flash will no longer be supported after 2020. Microsoft will phase out support for Adobe Flash in Microsoft Edge and Internet Explorer ahead of this date.

Flash led the way on the web for rich content, gaming, animations, and media of all kinds, and inspired many of the current web standards powering HTML5. Adobe has partnered with Microsoft, Google, Mozilla, Apple, and many others, to ensure that the open web could meet and exceed the experiences that Adobe Flash has traditionally provided. HTML5 standards, implemented across all modern browsers, provide these capabilities with improved performance, battery life, and increased security. We look forward to continuing to work with Adobe and our industry partners on enriching the open web without the need for plug-ins.

We will phase out Flash from Microsoft Edge and Internet Explorer, culminating in the removal of Flash from Windows entirely by the end of 2020. This process began already for Microsoft Edge with Click-to-Run for Flash in the Windows 10 Creators Update. The process will continue in the following phases:

  • Through the end of 2017 and into 2018, Microsoft Edge will continue to ask users for permission to run Flash on most sites the first time the site is visited, and will remember the user’s preference on subsequent visits. Internet Explorer will continue to allow Adobe Flash with no special permissions required during this time.
  • In mid to late 2018, we will update Microsoft Edge to require permission for Flash to be run each session. Internet Explorer will continue to allow Flash for all sites in 2018.
  • In mid to late 2019, we will disable Flash by default in both Microsoft Edge and Internet Explorer. Users will be able to re-enable Flash in both browsers. When re-enabled, Microsoft Edge will continue to require approval for Flash on a site-by-site basis.
  • By the end of 2020, we will remove the ability to run Adobe Flash in Microsoft Edge and Internet Explorer across all supported versions of Microsoft Windows. Users will no longer have any ability to enable or run Flash.

This timeline is consistent across browsers, including GoogleMozilla, and Apple. We look forward to continuing our close collaboration with Adobe, other browser vendors, and the publishing community, as we evolve the future of the web for everyone.

ransomware

5 Top ransomware exploits that you should know

We used to call the Internet the “information super-highway” back in the day, when connections were slow, bulletin boards and gopher were about as techie as it got. Those days are long gone, but something of the ‘highway’ has remained, like a bad smell, one that has come back to haunt us in 2017… The highway robber in the form of ransomware exploits !

The person who went about their villainy on the trade routes and highways of the world, extorting money and valuables from unsuspecting travellers with a simple threat –– ”your money or your life” –– reinforced of course with the trademark flintlock pistol and sabre.

Today’s highway robber is a lot more sophisticated and savvy. They take far less risk and turn to the latest technology to extort you out of your money by threatening your valuables. In this case your data, your technology and most probably your computing ability.

Of course, I’m talking now about ransomware, the threat that’s been in the news almost every day for the past couple of months. The tool of choice for the modern highway robber has become headline news around the world with variants such as WannaCry and the more recent Popcorn Time. Organizations around the world have been affected by this ransomware, from the UK National Health Service, through to the Russian Postal Service in the last few weeks.

Interestingly, WannaCry leverages a previously known vulnerability in the Windows operating system, which is alleged to have been hoarded by a national security agency of the USA. In this case a vulnerability which allowed the ransomware to be especially successful in both current and older versions of Windows, such as XP and Windows 7, by using a weakness in their inbuilt SMB networking functionality. Even when out of support, there are still organisations using Windows XP and putting themselves at risk.

Luckily however an enterprising security researcher managed to find a kill switch written into some variants of WannaCry, in the form of a phone-home domain which hadn’t been registered by the malware’s author. Registering the domain seemed to give these variants of the malware the dead letter box it was looking for in order to shut down, thus halting the attack.

After intense examination of WannaCry’s tactics by the security community, we now know the infection spread within organizations by means of leveraging SMB connections. And, while patching the known vulnerability (as the patch had been out for over a month) helps sqelch WannaCry’s ability to spread, there are a broad range of ransomware sources through which you can get infected, such as:

  • Trojans – Perhaps the most common and the ransomware attack source we read the most about. Email attachments that contain malicious macro attachments are the chosen method here.
  • Removable media – Perhaps the most likely ransomware source of infection for the majority of malware in an enterprise, whether it’s ransomware or something more nefarious. Especially for those organisations that don’t lock down their USB ports. USB sticks and removable media are a very simple way to infect a PC as users generally trust those devices. A study by Google and two US universities showed that dropping USB sticks in public places was a simple and effective way to trigger human curiosity, with a full 49% of the ‘bait USBs’ being plugged into a computer by people who found them. Imagine if those had been malicious?
  • Malvertising – Malver-what-now? A portmanteau of malicious advertising. Where attackers compromise the weak infrastructure of an online ad network that serves adverts to legitimate websites. Therefore, when users view those adds, usually on well-known news websites, they can be used to trick browsers into downloading malware through the page display ads. Exploit kits such as Angler and Neutrino are often used as the initial dropper of the malware, which often then allows cyber criminals complete control of the infected endpoint. Ransomware is just one of the common outcomes of these watering-hole or drive-by attacks.
  • Social media and SMS – The prevalence of shortened links used on social media platforms and in SMS text messages gives attackers a superb mechanism to deliver ransomware and malware. Users rarely, if ever, check the destination of shortened links in social media, SMS or even email and attackers know this. Security solutions that ‘link-follow’ are increasing in popularity, but not fast enough. Ransomware delivered through shortened links is also often JavaScript based and requires little action on the users’ part, other than to click the link.
  • Ransomware-as-a-Service – RaaS? Yes, it does exist, as one of the many ‘Crime-as-a-Service’ networks. (Yes, those exist too). RaaS allows criminals of any variety to use ransomware exploits and become instant cyber criminals, to the extent we’re seeing a drop off in classic crime like burglary, as RaaS is far a less risky ransomware source for them. RaaS and CraaS have given rise to vast affiliate networks too, where ransomware is easy to deploy and manage for almost anyone and where the earning potential is significant. I use this example to demonstrate the sophistication and motivation of the cybercriminals behind ransomware. Ignore them at your peril.

Of course, we’re used to thinking of ransomware as an email-specific or Trojan-based attack and that’s certainly the most common route it takes, but we should note that once ransomware makes its way into your business, ransomware creators will attempt to take as many routes possible to ensure as widespread an infection as is possible.

What all of these attacks and the breadth of ransomware sources show us is that it’s a live and hostile environment on the information super-highway and that for all the good we do, there are still people intent on exploiting, stealing, violating and pillaging our assets. Don’t be under any illusion they’re not motivated either; ransomware is a great money earner for them so don’t expect the attacks to die down anytime soon. Technologically not doing your best is not an option either. Sitting back hoping Windows XP or 7 will “struggle on for a little longer” or that those patches you didn’t deploy don’t matter is not a sensible strategy. Remember there are books written about hope not being a strategy, so don’t fall into that trap.

Patch your stuff, back up your valuables and keep an eye out for the highway robbers and those ransomware exploits.

Stay safe out there.

Update Adobe Flash Player NOW

One of the favourite pieces of software for malicious hackers to target on users’ computers is Adobe Flash Player.
Why? Well, there are a few reasons.

Firstly, Adobe Flash Player is on an awful lot of computers. Many users may have installed it long ago in order to access Flash-based media content online, such as videos. Malicious hackers can rely upon a large number of people having Flash installed, making it a target for attack.

Secondly, the version of Adobe Flash Player installed on your computer may be out-of-date. Users may have failed to configure updates properly, or chosen to ignore reminders to update the software promptly when a new security update is released. There’s only one thing more attractive to a malicious hacker than widely-used ubiquitous software, and that’s widely-used ubiquitous software that hasn’t been kept updated with the latest patches.

It doesn’t matter if a hacker doesn’t have a zero-day exploit to throw at your Adobe Flash Player if you haven’t been bothering to keep it protected against known vulnerabilities.

Thirdly, there has been a long history of malicious hackers finding critical security holes in Adobe Flash Player, and building their attacks into exploit kits for anyone to deploy. Flash is closed, proprietary software controlled by Adobe and it has been plagued with software vulnerabilities and serious flaws over many years. Quite why Flash has been targeted so often is open to some debate, but the mere fact that it has suggests that it will continue to be for some time to come.

The upshot of this is that when Adobe releases new security patches for Adobe Flash Player, it would be very sensible indeed for its users to sit up and take notice.

Earlier today Adobe issued a security advisory detailing updates it has released for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS.

The updates are said to address critical vulnerabilities that could allow an attacker to penetrate a vulnerable system, allowing a remote attacker to execute code on a victim’s computer and take control over the device.

Adobe recommends that users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player version 26.0.0.137 as soon as possible. You can do this either by visiting the official Adobe Flash Player download page, or ensuring that Flash’s global settings are set to “install updates automatically when available”.

Even with that option enabled you may be disappointed to find that security updates are not immediately available to you, and – rather than wait – prefer to manually force an update instead.

Things are a little simpler for those who rely upon the Adobe Flash Player code integrated with the Google Chrome and Microsoft Edge browsers, as they should be automatically updated to the latest version as the browser itself updates.

The best approach of all, of course, if you want to permanently secure your computers and devices against Flash flaws is the nuclear option: uninstall Flash from your computer. Or – if you just need Adobe Flash for very specific websites or bespoke applications – have Flash installed on an alternative browser rather than the one you regularly use to surf the web.

If you’re not quite ready to take the step of entirely uninstalling Flash, then you should at the very least consider enabling “Click to Play”, which stops Flash elements from being rendered in your browser unless you give specific permission.

malware attack

Microsoft networking protocol at the core of recent global malware attacks

The company is going to kill off SMB1 at long last, but you shouldn’t wait to disable it

Another day, another global malware attack made possible by a Microsoft security hole. Once again, attackers used hacking tools developed by the U.S. National Security Agency (NSA), which were stolen and subsequently released by a group called Shadow Brokers.

This time around, though, the late-June attack apparently wasn’t ransomware with which the attackers hoped to make a killing. Instead, as The New York Times noted, it was likely an attack by Russia on Ukraine on the eve of a holiday celebrating the Ukrainian constitution, which was written after Ukraine broke away from Russia. According to the Times, the attack froze “computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.” After that, it spread worldwide. The rest of the world was nothing more than collateral damage.

The NSA bears a lot of responsibility for this latest attack because it develops these kinds of hacking tools and frequently doesn’t tell software makers about the security holes they exploit. Microsoft is one of many companies that have beseeched the NSA not to hoard these kinds of exploits. Brad Smith, Microsoft’s president and chief legal officer, has called on the NSA “to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits” and stop stockpiling them.

Smith is right. But once again, a global malware attack exploited a serious insecurity in Windows, this time a nearly 30-year-old networking protocol called SMB1 that even Microsoft acknowledges should no longer be used by anyone, anywhere, at any time.

First, a history lesson. The original SMB (Server Message Block) networking protocol was designed at IBM for DOS-based computers nearly 30 years ago. Microsoft combined it with its LAN Manager networking product around 1990, added features to the protocol in its Windows for Workgroups product in 1992, and continued using it in later versions of Windows, up to and including Windows 10.

Clearly, a networking protocol designed originally for DOS-based computers, then combined with a nearly 30-year-old networking system, is not suitable for security in an internet-connected world. And to its credit, Microsoft recognizes that and is planning to kill it. But a lot of software and enterprises use the protocol, and so Microsoft hasn’t yet been able to do it in.

Microsoft engineers hate the protocol. Consider what Ned Pyle, principal program manager in the Microsoft Windows Server High Availability and Storage group, had to say about it in a prescient blog in September 2016:

“Stop using SMB1. Stop using SMB1. STOP USING SMB1!… The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed though modern eyes.”

Back in 2013, Microsoft announced it would eventually kill SMB1, saying the protocol was “planned for potential removal in subsequent releases.” That time is almost here. This fall, when the Windows 10 Fall Creators Update is released, the protocol will finally be removed from Windows.

But enterprises shouldn’t wait for then. They should remove the protocol right away, just as Pyle recommends. Before doing that, they would do well to read the SMB Security Best Practices document, put out by US-CERT, which is run by the U.S. Department of Homeland Security. It suggests disabling SMB1, and then “blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.”

As for how to disable SMB1, turn to a useful Microsoft article, “How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.” Note that Microsoft recommends keeping SMB2 and SMB3 active, and only deactivating them for temporary troubleshooting.

An even better source for killing SMB1 is the TechNet article “Disable SMB v1 in Managed Environments with Group Policy.” It is the most up-to-date article available and more comprehensive than others.

Turning off SMB1 will do more than protect your enterprise against next global malware infection. It will also help keep your company safer against hackers who specifically target it and not the entire world.

This article was reposted from : www.computerworld.com

Ransomware Attack Goldeneye

Ransomware Attack: Goldeneye

Ransomware Attack Goldeneye

 

In the wake of another ransomware attack, this one labeled Goldeneye, we’re reaching out to ensure our partners that we’re focused on security first. According to Forbes, there are similarities with WannaCryptor, but experts are labeling this a variant of Petya aimed at the file system—specifically targeting the master boot record—instead of encrypting individual files. It utilizes the same attack vector that WannaCry used last month – an SMBv1 exploit that was patched in March under MS17-010 known as EternalBlue.

The attack has effected systems beginning in Ukraine, and has been confirmed as spreading through a trojanized version of M.E.Doc accounting software. The massive ransomware campaign was launched in the early hours of June 27, and the outbreak is spreading globally. The National Bank of Ukraine has shared a warning on their website to help protect other banks, and the financial sector is taking steps to “strengthen security measures and counter hacker attacks.” The Independent is reporting affected systems in Spain and India, along with issues arising for Danish and British companies.

Reports are now coming in that Goldeneye has reached the US, with systems affected in major companies like Merck. Advanced security systems can block the currently known samples of new ransomware variants like Goldeneye, keeping most users safe from system infiltration.

Just like the WannaCry cyberattacks in May, this attack is highlighting the importance of maintaining up-to-date patching to keep your systems safe from these exploitative malware programs. Keeping your systems fully patched and using a vetted security solution with network segmentation can help prevent large-scale issues.

Patching, in conjunction with third-party products like anti-virus, anti-malware & backup, are critical to providing the best IT services, and an integrated ecosystem of solutions allows you to:

  1. Close Windows vulnerabilities by keeping it up to date with latest patches from Microsoft
  2. Detect new threats as the IT landscape continues to shift with anti-virus and anti-malware protection
  3. Prevent an all-out disaster by procuring continuous backups of data

See how our partners and other AV solution providers are addressing the latest attack:

Bitdefender
ESET
Webroot
Malwarebytes
VIPRE
Acronis
StorageCraft

This article was provided by our service partner : Connectwise

webroot

Web Security : Is Your Chat Client Leaving You Exposed?

Popular third-party chat platforms like Slack, Discord, and Telegram are just a few of the many new productivity applications that are being hijacked by cyber criminals to create command-and-control (C&C) communications infrastructures for their malware campaigns. As corporate web security teams become more aware of traditional malware threats and deploy new security solutions to defend against them, cyber criminals continue to innovate. Now they’ve turned to well-known chat and social media applications as platforms to communicate with their deployed malware.

Hiding in Plain Sight

The appeal of these chat programs for cyber criminals is born from the fact that many of them are free, easy to use, and incorporate application programming interface (API) components that simplify connections between the programs and custom-built applications. It’s this use of APIs that allows hackers to operate undetected on corporate networks. This clever technique enables hackers to entrench their access by camouflaging themselves with normal data flows. Plus, because this malware leverages software platforms and services that are readily available (and free), all hackers need to do in order to stay connected to their growing malware bot farm is set up an account on their chat platform of choice. It is better to Send SMS from Slack| to have a secure chat for business purposes.

Granted, not all software using APIs is susceptible to this type of attack. However, these attacks are a clear demonstration that tools used by project management and software development teams can be compromised in ways that expose their organizations to significant risk. I predict that similar vulnerabilities in productivity services and applications used by corporate technology teams will continue to be exploited—at an even greater rate. In many ways, these attacks mirror what we’ve seen recently targeting core protocols that operate on the Internet.

Know Your Enemy

Luckily, knowing the enemy is half the battle. With this in mind, we can manage these types of threats, and some of the steps I recommend come down to basic cyber hygiene. I highly recommend security professionals deploy an antivirus solution that incorporates anti-malware and firewall services to all endpoints. A solid threat-intelligence service is also vital to educate security staff and business stakeholders on the current threats and threat actors targeting their business.

One final point: it’s a good idea to screen all outbound network traffic in order to verify that it’s going to legitimate destinations. Hopefully, you’ve already deployed these recommended security controls. If you are missing one or more of these elements, it’s time to shore up your web security efforts to protect yourself and your organization.

This article was provided by our service partner : Webroot

ransomware

Understanding Cyberattacks from WannaCrypt

Cyberattacks are growing more sophisticated, and more common, with every passing day. They present a continuous risk to the security of necessary data, and create an added layer of complication for technology solution providers and in-house IT departments trying to keep their clients’ systems safe and functional. Despite industry efforts and innovations, the world was exposed to this year’s latest cyberattack with ‘WannaCrypt’ on Friday morning.

The attacked—stemming from “WannaCrypt” software—started in United Kingdom and Spain, and quickly spread globally, encrypting endpoint data and requiring a ransom to be paid using Bitcoin to regain access to the data. WannaCrypt exploits used in the attack were derived from the exploits stolen in an attack on the National Security Agency earlier this year.

On March 14, Microsoft® released a security update to patch this vulnerability and protect customers from this quickly spreading cyberattack. While this protected newer Windows™ systems and computers that had enabled Windows to apply this latest update, many computers remained unpatched globally. Hospitals, businesses, governments, and home computers were affected. Microsoft took additional steps to assist users with older systems that are no longer supported.

Our goal at Netcal is to provide partners with the tools they need to support their clients and prevent these kinds of attacks from happening.

See how our vendors are addressing the latest attack:

-> Bitdefender
-> ESET
-> Webroot
-> Malwarebytes
-> VIPRE
-> Acronis
-> StorageCraft

Cisco Umbrella

Healthcare industry embraces Cisco Umbrella

Healthcare industry expenditures on cloud computing will experience a compound annual growth rate of more than 20% by 2020. The industry has quickly transitioned from being hesitant about the cloud to embracing the technology for its overwhelming benefits.

George Washington University, a world-renowned research university, turned to Cisco Umbrella to protect its most important asset: the global reputation as a research leader.

“We chose Cisco Umbrella because it offered a really high level of protection for our various different user bases, with a really low level of interaction required to implement the solution, so we could start blocking attacks and begin saving IR analyst time immediately,” said Mike Glyer, Director, Enterprise Security & Architecture.

 

Customers love Umbrella because it is a cloud-delivered platform that protects users both on and off the network. It stops threats over all ports and protocols for the most comprehensive coverage. Plus, Umbrella’s powerful, effective security does not require the typical operational complexity. By performing everything in the cloud, there is no hardware to install, and no software to manually update. The service is a scalable solution for large healthcare organizations with multiple locations, like The University of Kansas Hospital, ranked among the nation’s best hospitals every year since 2007 by U.S. News & World Report.

“Like every hospital, we prioritize the protection of sensitive patient data against malware and other threats. We have to safeguard all network connected medical devices, as a compromise could literally result in a life-or-death situation,” says hospital Infrastructure Security Manager Henry Duong. “Unlike non-academic hospitals, however, our entwinement with medical school and research facility networks means we must also protect a lot sensitive research data and intellectual Property.”

Like many healthcare providers, The University of Kansas Hospital would spend a lot time combing through gigabytes of logs trying to trace infections, point of origin and identify which machines were calling out.  The team turned to Cisco Umbrella for help.

“First we just pointed our external DNS requests to Cisco Umbrella’s global network, which netted enough information to prompt an instant ‘Wow, we have to have this!’ response,” Duong says. “When our Umbrella trial began, we saw an immediate return, which I was able to document using Umbrella reporting and share with executive stakeholders. Those numbers, which ultimately led to executive buy-in, spoke volumes about the instant effect Umbrella had on our network.”

This overwhelming success led the team to later purchase Umbrella Investigate.

“We suddenly went from struggling to track attacks to being able to correlate users with events and trace every click of their online travels. Then, Cisco Umbrella Investigate gave us the power to understand each threat’s entire story from start to finish,” Duong says. “We’re able to dig deep into the analysis to see what users are doing, where they’re going, and pinpoint any contributing behaviors so we can mitigate most efficiently.”

University of Kansas estimate that with Cisco Umbrella – they have :

  • Decreased threats by an estimated 99 percent
  • Shortened investigation time by 75 percent
  • Increased visibility and automation while reducing exposure to ransomware

This article was provided by our Service Partner : Cisco

veeam

Veeam : Ransomware resiliency – The endpoint is a great place to start

Fighting ransomware has become a part of doing business today. Technology professionals around the world are advocating many ways to stay resilient. The most effective method is to have end-user training on how to handle and operate attachments and connectivity to the Internet. One other area to look is frequent endpoint devices: Laptops and PCs.

Veeam has taken ransomware resiliency seriously for a while. We’ve put out a number of posts such as early tips for some of the first attacks and some practical tips when using Veeam Backup & Replication. Now with Veeam Agent for Linux and Veeam Endpoint Backup FREE available as well as Veeam Agent for Microsoft Windows (coming VERY soon) as options for laptops and PCs, it’s time to take ransomware resiliency seriously on these devices.

Before I go too far, it’s important to note that ransomware can exist on both Windows and Linux systems. Additionally, ransomware is not just a PC problem (see recent survey blogpost), as at Veeam we see it nearly every day in technical support for virtual machines. We’ll see more content coming for the virtual machine side of the approach for most resiliency, in this post I’ll focus on PCs and Laptops.

Veeam Agent for Linux is the newest product in which Veeam has offered image-based Availability for non-virtualized systems. Veeam Agent for Linux is a great way to do backups of many different Linux systems with a very intuitive user interface:

veeam linux agent

For ransomware resiliency for Veeam Agent for Linux, putting backups on a different file system will be very easy to do with the seamless integration with Veeam Availability Suite. In this way, backups of Veeam Agent for Linux systems can be placed in Veeam Backup & Replication repositories. They also can be used in the Backup Copy Job function. This way, the Linux backups can be placed on different file systems to avoid propagation of ransomware across the source Linux system and the backups. The Backup Copy Job of Veeam Agent for Linux is shown below writing Linux backups to a Windows Server 2016 ReFS backup repository:

veeam backup copy config

Now, let’s talk about Microsoft operating systems and resiliency against ransomware when it comes to backups. Veeam Endpoint Backup FREE will soon be renamed to Veeam Agent for Microsoft Windows. Let’s explain this changing situation here briefly. Veeam Endpoint Backup FREE was announced at VeeamON in 2014 and since it has been available, it has been downloaded over 1,000,000 times. From the start, it has always provided backup Availability for desktop and server-class Windows operating systems. However, it didn’t have the application-aware image processing support and technical support service. Veeam Agent for Microsoft Windows will introduce these key capabilities as well as many more.
For Veeam Agent for Microsoft Windows, you also can put backups on several different storage options. Everything from NAS systems to removable storage, a Linux path, tape media, a deduplication appliance when integrated with Veeam Availability Suite and more. The removable storage is of interest as it may be the only realistic option for many PC or laptop systems. A while ago, Veeam implemented a feature to eject removable media at the completion of a backup job. This option is available in the scheduling option and when the backup target is a removable media and is shown below:

veeam backup schedule

This simple option can indeed make a big difference. We even had a user share a situation where ransomware encrypted one’s backups. This underscores a need for completely offline backups or otherwise some form of an “air gap” between backup data and production systems. Thus, behave as if when you have ransomware in your organization the only real solution is to restore from backup after it is contained. There is a whole practice of inbound detection and prevention but if it gets in, backup is your only option. Having media eject offline is another mechanism that even with isolated PCs and laptops can have more Availability by having the backup storage offline.
Availability in the ransomware era is a never-ending practice of diligence and configuration review. Additionally, the arsenal of threats will always become more sophisticated to meet our new defenses.

This post was provided by our service partner : Veeam

cyber secuirty

Cyber Security: Cyber-Threat Trends to Watch for in 2017

Faced with the volume and rapid evolution of cyber threats these days, technology solution providers (TSPs) may find offering cyber security to be a daunting task. But with the right knowledge to inform your security decisions, and the right solutions and mitigation strategies in place, organizations like yours can keep customers ahead of the rushing malware tide.

The Webroot team recently released the latest edition of their annual Threat Report, which gives crucial insight into the latest threat developments based on trends observed over the last year, the challenges they bring, and how to defeat them. Let’s review 2016’s Threat Report highlights.

The New Norm: Polymorphism

In the last few years, the biggest trend in malware and potentially unwanted applications (PUAs) observed by Webroot has been polymorphic executables. Polymorphic spyware, adware, and other attacks are generated by attackers so that each instance is unique in an effort to defeat traditional defense strategies.

Traditional cyber security relies on signatures that detect one instance of malware delivered to a large number of people. It’s virtually useless for detecting a million unique malware instances as they are delivered to the same number of people. Signature-based approaches will never be fast enough to prevent polymorphic breaches.

During 2016, approximately 94% of the malware and PUA executables observed by Webroot were only seen once, demonstrating how prevalent polymorphism is. Oddly enough, however, the percentage of malicious executables related to malware and PUAs has dropped significantly over the past 3 years, a 23% and 81% decline, respectively.

While this decline in the volume of new malware encountered by Webroot customers is a decidedly positive trend, TSPs and their customers should continue to treat malware as a major threat. Approximately one in every 40 new executable file instances observed in 2016 was malware. These types of files are customized and often designed to target individuals, and cannot be stopped by traditional antimalware technologies.

Ransomware Continues to Rise

You’ve probably heard about at least one of the numerous ransomware attacks that have crippled hospitals and other institutions. According to the FBI, cyber criminals were expected to collect over $1 billion in ransoms during 2016.[1] It’s quite likely that actual losses suffered were even higher, given the disruption of productivity and business continuity, as well as a general reluctance to report successful ransomware attacks.

In 2017, Webroot anticipates that ransomware will become an even larger problem. According to the Webroot cyber security Threat Research team, the following are 3 ransomware trends to be aware of:

Locky, the most successful ransomware of 2016

In its first week in February 2016, Locky infected over 400,000 victims, and has been estimated to have earned over $1 million a day since then.[2] Throughout 2016, Locky evolved not only to use a wide variety delivery methods, but also to camouflage itself to avoid detection and to make analysis more difficult for security researchers. Locky shows no signs of slowing down, and is likely to be equally prolific in the coming year.

Exploit Kits

The second important trend involves the frequent changes in the exploit kits ransomware authors use. As an example, most exploit kit ransomware in the first half of 2016 was distributed using Angler or Neutrino. By early June, Angler-based ransomware had virtually disappeared, as cybercriminals began switching to Neutrino. A few months later, Neutrino also disappeared. Toward the end of 2016, the most commonly used exploit kits were variants of Sundown and RIG, most of which support Locky.

Ransomware as a Service (Raas)

Despite having emerged in 2015, ransomware-as-a-service (RaaS) didn’t find its place in the ransomware world until 2016. RaaS enables cybercriminals with neither the resources nor the know-how to create their own ransomware and easily generate custom attacks. The original authors of the RaaS variant being used gets a cut of any paid ransoms. RaaS functions similarly to legitimate software, with frequent updates and utilities to help distributors get the most out of their service. The availability and ease of RaaS likely means even greater growth in ransomware incidents.

Stay Informed

The best defense is knowing your enemy. Download the complete 2017 Webroot Threat Report to get in-depth information on the trends we’ve explored above, as well as other crucial insights into phishing, URL, and mobile threats.

[1] http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/index.html

[2] http://www.smartdatacollective.com/david-balaban/412688/locky-ransomware-statistics-geos-targeted-amounts-paid-spread-volumes-and-much-

————————————————————————————————————————–
The information above was provided by our service partner : Webroot.