Archive for June, 2015

6 Truly Shocking Cyber Security Statistics

Tuesday, June 30th, 2015

Written by Peter Glock for IT Governance:

We’re now halfway through the year, so I thought I’d take a look back at some of the most shocking cyber security statistics so far.

Shocking cyber security stats

  1. 98% of tested web apps are vulnerable to attack

Trustwave’s 2015 Global Security Report found that a staggering 98% of tested web applications were vulnerable to attack. Web apps are everywhere now, and it is essential that updates and patches are installed so that known vulnerabilities are addressed.

  2. 90% of large organisations reported suffering a security breach

The Department of Business, Innovation & Skills’ 2015 Information Security Breaches Survey was published at the beginning of June and was stuffed full of disturbing statistics. The report highlights how cyber attacks affect nearly every organisation, with 90% of large and 74% of small organisations suffering a breach in 2014.

  3. 75% of directors are not involved in the review of cyber security risks

We’ve written about this story a few times this year. Research undertaken by PwC for their 2015 Global State of the Information Security Survey found that only 25% of directors are actively involved in reviewing security and privacy risks. Shocking behaviour.

  4. 93% of DPA breaches are caused by human error

People: the weakest link in the cyber security chain. The Information Commissioner’s Office reported that 93% of incidents it investigated in Q4 of 2014-15 were caused by human error.

  5. Online banking fraud increases 48% year-on-year

Figures published in the first quarter of 2015 by Financial Fraud Action UK (FFA UK) found that losses from online banking fraud rose by 48% in 2014, costing £60.4 million. It identified a total of 53,192 individual incidents.

According to the FFA, “A key driver behind increasing levels of fraud continues to be fraudsters tricking customers into revealing personal and financial information, normally over the telephone.”

  6. 144% increase in successful cyber attacks on businesses

CYREN’s 2015 Cyberthreat Yearbook report begins “Enterprises of all sizes are now besieged by cybercrime at an alarming rate”. It found that successful cyber attacks on businesses of all sizes increased by 144% over a four-year period, adding further weight to the argument that organisations should now aim for cyber resilience: the ability to not only repel but also respond to a cyber attack.


More SaaS to Meet Demand – Securing Business Futures

Wednesday, June 24th, 2015

Written by Jill Kyte for Cloud Passage:

Businesses face a massive amount of pressure to stay competitive in their markets. Stakeholders, both internal policy-makers and external consumers demand speed, reliability, and convenience. Will SaaS save the day?

Consumers have become accustomed to personalized real-time engagements with businesses. Competitors are looking at ways to provide better availability, cost savings, innovations, greater efficiencies and an ability to scale as they grow. What are the biggest factors fueling this agility? Cloud adoption and SaaS offerings. In today’s market, operating without considering the cloud comprises significant disadvantages.

As businesses adapt to the changing landscape, they find themselves looking for ways to transform their products and services to fit their consumers and end-users’ expectations. Consumers embody a certain type of stubbornness, demanding to have it ‘their way,’ causing businesses to move themselves away from traditional infrastructures, and premise based applications and security. They are moving quickly into the cloud and developing or utilizing more SaaS applications to take advantage of a way to adapt and create the end-user experience in a timely manner that will work for the demands of their individualized business. 

SaaS Adoption to Meet Business Demands

To keep up with this ever-moving market, companies without the cloud, perhaps unsurprisingly, are looking to adopt it quickly. Cloud and SaaS adoption is critical for businesses to stay ahead, in a market where the dangers of rapid adoption take second place to the dangers of not participating. This market, according to The Financial Times, is expected to reach $290 billion by 2018.

There may be another factor at play, however. IBM recently reported three interesting trends in how tech employees are moving in response to cloud and SaaS adoption. The company found that roughly 85 percent of all new software is being built for the cloud; 72 percent of developers are creating applications designed for the cloud and, by 2016, it estimates that roughly one-fourth of the world’s applications will be available on the cloud. The cloud is clearly the popular choice!

Those factors may explain why companies are placing a high priority on SaaS. In fact, researchers estimate that cloud computing will become the dominant technology model within the next 10 to 15 years, replacing traditional data centers. There is a sense of urgency to stay ahead, and SaaS adoption is the perfect tool to achieve success.

However, there is still the realistic fact that customer and business security and compliance concerns can make or break the success of a SaaS solution.

Security Purpose-Built for the Cloud

Employing a security solution that is purpose-built for the cloud is necessary. It deploys rapidly and scales with business growth. It also protects cloud instances in real-time as they are added and dismissed, and it automates standard security procedures faster than any IT team could possibly manage. SaaS providers and businesses looking for a security solution should feel a sense of ease as they discover CloudPassage Halo, our premier security automation platform. Halo deploys within minutes and scales with the needs of the business.

As we recently outlined in our white paper, “Automating Security for Greater SaaS Success,” companies should not only be conscious of how they are changing their business applications but also be aware that this action can be a catalyst to move to a security approach that will not cause friction in cloud environments, allowing security policies and requirements to easily adapt to the needs of fast-moving markets. As the research continues to show the value of cloud adoption, it becomes increasingly more important for businesses to adequately secure themselves and find protection solutions that will harmonize with their objectives by making it faster and easier to reach new audiences.

Closing the gaps in EU cyber security

Tuesday, June 23rd, 2015

Written by Thomas Boué for Computer Weekly:

Inconsistent approaches to cyber security across Europe are undermining attempts to harmonise policy and preparedness in the EU


Bolstering cyber security is a challenge facing boardrooms and government officials around the world. While technology is enabling us to be smarter about how we communicate, create and solve problems, it has also introduced risks that must be managed.

European officials, including representatives from the UK, are closing in on negotiations for an EU Network and Information Security (NIS) Directive, which is the EU’s first attempt at crafting cyber security legislation.

The NIS Directive is aimed at harmonising cyber security laws and improving pan-European co-ordination on cyber security incidents. This is no small feat when brokering an agreement among 28 countries. A recent analysis from the Business Software Alliance (BSA) charts just how big a task officials have before them.

The BSA EU Cyber Security Dashboard examines national cyber security laws and policies across the EU, and finds an unhelpful patchwork exists when it comes to cyber preparedness. While some countries have strong cyber security legal frameworks – the UK, Germany and Estonia, for example – others still have much work to do.

There are also considerable discrepancies between countries’ operational capabilities when it comes to cyber threats. The result is gaps and fragmentation that put the entire European market at risk.

Encouragingly, most countries recognise cyber security should be a national priority, with a particular focus on ensuring the cyber resilience of critical infrastructure. Truly critical services, such as transport, energy and banking, are where disruption from cyber incidents could do the most harm.

Yet, more than half of EU member states have yet to go through the process of assessing and establishing priorities for providers of critical services and infrastructure.

Lack of co-operation

Among other gaps the report highlights is a lack of co-operation between governments and the private sector on cyber security. This issue was similarly called out by US president Barack Obama in February 2015, when he signed an executive order aimed at encouraging better information sharing between US public and private sectors about cyber attacks.

Likewise in Europe, most infrastructure is owned by the private sector, making public-private co-operation essential. Yet only a handful of European countries have an established framework for public-private partnerships on cyber security. The more communication and co-ordination taking place between EU, national governments and the private sector, the more resilient all of us will be in the face of evolving cyber security threats.

There are fundamental elements of a strong legal cyber security framework. These range from establishing strong legal foundations and a comprehensive and regularly updated cyber security strategy, to engendering trust, working in partnership and promoting cyber security education. These building blocks provide valuable guidance for national governments that are ultimately responsible for implementing cyber security rules and policies.

Protectionist rules

But there are also worrying developments around the world, as some governments use cyber security as justification for protectionist rules that reduce choice and undermine cyber protections.

Policymakers should avoid country-specific cyber security standards, obligations to disclose sensitive information, such as source code or encryption keys, data localisation requirements, or preferences for indigenous providers, among other unhelpful policies. Such policies undercut cyber security rather than improving it. They also impose unfair market access barriers on global producers and service providers, whether intended or not.

As the UK and other EU member states attempt to complete work on the NIS Directive and agree on common language with the European Parliament and the European Commission over the coming months, harmonisation should be top of mind.

The aim of the directive should be to establish a foundation of cyber security preparedness, with harmonised rules grounded in a risk-based approach and focused on providers of truly critical infrastructure and services.

Cyber threats take no notice of national borders. The sooner we raise the level of cyber resilience across all EU member states – particularly for Europe’s most critical infrastructure – the closer we’ll be to securing our governments, citizens and businesses against malicious cyber attacks. We’re much stronger if we’re in it together.

CIF: Server 2003 death to breathe life into cloud

Friday, June 19th, 2015

Written by Hannah Breeze for CRN:

Cloud Industry Forum claims almost 80 per cent of firms use at least two cloud services


The Cloud Industry Forum (CIF) predicts the end of support for Windows Server 2003 will boost the already booming cloud industry in the UK.

According to its latest research, 78 per cent of the 250 senior IT and business decision makers it surveyed have formally adopted two or more cloud services, and the adoption rate for cloud in the UK stands at 84 per cent. When the survey was first carried out in 2010, the adoption rate was just 48 per cent.

Half of all respondents to the survey, which was performed in February, expect to move their entire IT estate to cloud in the future, with 16 per cent claiming they want to do this as soon as practically possible.

CIF chief executive Alex Hilton said cloud is on the up.

“Cloud computing has come a long way in just a few short years,” he said. “[Since 2010] cloud has moved from the edge of the IT estate to its centre, and it is now largely regarded as just another way that we do IT.”

Last week, reseller Annodata said the government IT framework G-Cloud would likely surge in popularity as Windows Server 2003 came to the end of support this July. CIF’s Hilton said the entire cloud industry would benefit.

Hilton agreed. “Looking to the year ahead, we have every confidence that the cloud’s momentum will be maintained, helped in no small part by the retirement of Microsoft Windows Server 2003 and Microsoft Small Business Server 200,” he said.

“While first-time adoption is likely to slow somewhat, penetration of cloud services within organisations, which appears to be happening at a faster rate than we had anticipated, will continue unencumbered. Assuming, that is, that cloud service providers can effectively put forward the business case for adoption and build further confidence among end users by improving levels of accountability, capability and transparency.”

Growing cyber threats challenging cost reduction as reason to use managed services

Thursday, June 18th, 2015

Written by Karl Flinders for Computer Weekly:

Mid-sized companies plan to use more managed services and many see it as improving security

Over a third of IT operations at mid-sized companies will move to an outsourced managed service over the next five years, as IT directors seek security as well as cost reductions.

Outsourcing to save money is still the main motivation for taking up a managed service, but businesses that lack huge IT resources and struggle to keep up with the changing cyber crime landscape are increasingly outsourcing for security.

A survey carried out by Vanson Bourne for communications supplier Daisy found companies are planning to move 37% of their IT to a managed service over the next five years. A total of 67% said this is to reduce costs, and 55% said growing cyber threats are driving them to outsource security.

The other main reasons to move to managed services include the desire to gain organisational agility (50%) and a drive to optimise existing IT resources (40%).

“The combined business objectives of cost reduction and the insatiable desire to accelerate innovation mean the adoption of an IT managed service is becoming an increasingly attractive proposition for many organisations,” said Andy Bevan, director of client solutions at Daisy Corporate Services.

“At the same time, the risk of cyber attack – growing significantly and visibly over recent years – has prompted an increasingly stringent regulatory environment for all sectors, forcing organisations to jump through far more compliance hoops.

“As a result, many businesses are now finding it is easier, and significantly more cost-effective, to outsource their security management to a service provider with the certifications and expertise necessary to tackle the rapidly changing threat landscape to protect their data, customers and reputation,” added Bevan.

While big companies with large IT teams and IT budgets might see the outsourcing of security as a step too far, small and mid-sized firms feel safer if supported by experts.

Mark Lewis, outsourcing lawyer at Berwin Leighton Paisner, said cost has always been a part of any outsourcing decision, but security is an increasingly influential factor.

“The complexity of managing and keeping up to date with cyber threats is leading smaller companies, and those not regulated to outsource,” he said, adding that it remains to be seen whether this is the right decision.

DDoS attacks on sale for $2 an hour

Wednesday, June 17th, 2015

Written by Doug Woodburn for CRN:

Cybercriminals can now purchase DDoS attacks for $2 (£1.32) an hour from a rampant online marketplace of tools and services.

That is according to a new white paper analysing the growth of the “as-a-service” nature of cybercrime penned by two senior technical bods at security vendor McAfee.

The study seeks to shatter the perception that all cybercriminals are technical masterminds. Instead, all they need to bring a global corporation of their choosing to its knees is a credit card.

“We are witnessing the emergence of a whole new breed of cybercriminal. As a result, the volume of cyberattacks is likely to increase…” said report authors Raj Samani, vice president and chief technology officer EMEA, and Francois Paget, senior threat research engineer at McAfee.

The study highlighted a service offering to launch a DDoS attack on behalf of would-be attackers from as little as $2 per hour, for a one- to four-hour attack. A DDoS attack lasting five to 24 hours was priced at $4 an hour, with a 24- to 72-hour attack costing $5 an hour.

The service simply required attackers to inform it of which site they wish to launch a DDoS attack against, decide how much they are willing to pay, and initiate the service. The service also earnestly admitted that it does not offer refunds “due to the nature of our business”.

“What may surprise many of us is the low cost of the service,” Samani and Paget wrote. “This may demystify the sophisticated portrayal of today’s hacker.”

This is just one example of a vast array of services and tools that make up a tumescent online marketplace wannabe cybercriminals can use to gather components of a cyberattack – or outsource the process altogether, the study found.

Prospective attackers can use the marketplace to procure stolen credit card numbers and online banking login information. In the US, the credit card number of a Visa Gold/Premier credit card will fetch $25. This figure rises to $100 if a PIN is supplied and $200 with a PIN and good balance. An AMEX Gold card with the credit card number alone goes for $50.

Stolen bank login information commands a higher price than credit card numbers, with prices ranging from two to 10 per cent of the account’s balance.

Exploits can be purchased to take advantage of vulnerabilities, but they can also be rented. The CritX toolkit, for instance, charges by the day and was recently advertised for $150 a day, McAfee said. Meanwhile, so-called “bulletproof” hosting providers – firms which knowingly provide web or domain hosting to cybercriminals – can charge between $50 and $400 for their services per month.

Troels Oerting, head of the EC3 European Cybercrime Centre, who wrote the white paper’s foreword, said: “Today’s cybercriminals do not necessarily require considerable technical expertise to get the job done, nor, in certain cases, do they even need to own a computer. All they need is a credit card.

“A marketplace offering cybercrime tools and services provides would-be criminals with an arsenal that can either be used as a component of a cyberattack or a handy way of outsourcing the process entirely.”

Ransomware crims earning $1m a year

Tuesday, June 16th, 2015

Written by Doug Woodburn for CRN:

Cybercriminals can expect to bank $84,100 (£54,400) in profit from a typical monthly ransomware campaign, according to Trustwave, equivalent to an annual pay packet of just over $1m.

In its latest annual threat report, the security vendor estimated that a large-scale, 30-day ransomware campaign would generate proceeds of $90,000, with an investment of only $5,900 required.

With an estimated return on investment of 1,425 per cent, the spoils of an opportunistic attack can be greater than those from the targeted attacks that have dominated headlines in recent years, Trustwave said.

It claimed all its calculations were based on actual tools and services for sale in underground markets used in real attacks in 2014.

A budding cybercriminal need only cough up $3,000 for the ransomware variant CTB-Locker and $500 to rent RIG, an exploit kit with a promised infection rate of 10 to 15 per cent, Trustwave found.

Purchasing access to compromised websites that will generate traffic of 20,000 users a day will set them back a further $1,800 a day. Finally, camouflage that will ensure the payload is not detectable by anti-virus is theirs for a snip at $600.

Based on estimates that 0.5 per cent of infected victims will pay a $300 ransom, estimated proceeds will come in at $90,000 – without the perpetrators having to write a single line of code. See p67 of the report for a more detailed breakdown.

“To succeed in a targeted attack takes far more expertise and effort than an opportunistic attack that distributes malware to many thousands of users,” Trustwave said.

“In fact, the burgeoning underground market for related tools, services and support allows cybercriminals to carry out these opportunistic attacks and generate significant revenue without developing even a single line of code themselves.”

Commenting on the report, George Quigley, a partner at KPMG’s security practice, said the threat posed by ransomware is growing because of two factors.

“The first is that the expertise can be bought; you don’t need to be an expert to do this,” he said. “The second is that the economics make it more than viable.”

Kaspersky Lab praised for handling of Duqu 2.0 cyber attack

Friday, June 12th, 2015

Written by Warwick Ashford for Computer Weekly:

Kaspersky Lab determined the best approach to cyber attack was to not only admit that it had been hacked, but also to provide extensive information on the malware

Moscow-based security firm Kaspersky Lab has been praised for the way it handled a cyber attack on its network, which also hit high-profile targets in Europe, the Middle East and Asia.

When a company suffers an attack, it can pretend it never happened, issue a bland security advisory or admit the attack took place and explain the implications, said independent security consultant Graham Cluley.

“Kaspersky determined the best approach was to not only admit it had been hacked, but also to provide extensive information on the malware (dubbed Duqu 2.0) it found attempting to infiltrate information from its servers,” Cluley wrote in a blog post.

The cyber security firm also co-ordinated blog posts by founder Eugene Kaspersky on his site and on Forbes, live-streamed press conferences in London and published detailed technical analyses of the malware.

“In short, it handled what could have been a corporate crisis well, and reassured customers and partners their data was safe and the integrity of its security products had not been compromised,” said Cluley.

Kaspersky Lab revealed it detected a cyber intrusion affecting several of its internal systems in early spring 2015, using a prototype of an anti-APT (advanced persistent threat) technology.

The ensuing investigation led to the discovery of a malware platform, which Kaspersky Lab has described as “one of the most skilled, mysterious and powerful threat actors” in the world of APTs.

Kaspersky Lab believes the attackers were confident that it was impossible to discover the cyber attack, which included some unique features that leave almost no traces.

The attack exploited zero-day vulnerabilities, and after elevating privileges to domain administrator the malware is spread in the network through Microsoft Software Installer (MSI) files, which are commonly used by system administrators to deploy software on remote Windows computers.

Duqu 2.0: An international threat

Researchers said the Duqu 2.0 attack did not leave behind any disk files or change system settings, making detection extremely difficult.

“The Duqu 2.0 group is a generation ahead of anything seen in the APT world,” the researchers added.

The attackers exploited up to three zero-day vulnerabilities. The last remaining zero-day (CVE-2015-2360) was patched by Microsoft on 9 June (MS15-061) after Kaspersky Lab reported it.

The malicious program used an advanced method to hide its presence in the system and the code of Duqu 2.0 exists only in the computer’s memory and tries to delete all traces on the hard drive.

Kaspersky Lab then found other Duqu 2.0 attacks in some western countries, the Middle East and Asia, including venues linked to international talks on Iran’s nuclear programme.

Kaspersky said it found the Duqu 2.0 malware in three European hotels used in the negotiations involving Iran and six world powers, and also on its computers.

“Some of the 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal,” Kaspersky Lab said in a statement.

P5+1 refers to the six world powers negotiating with Iran on curbs to its disputed nuclear programme: the US, Russia, China, Britain, France and Germany. The talks have been held in Geneva, Lausanne, Montreux, Munich and Vienna, according to the Guardian.

In addition to the P5+1 events, Kaspersky Lab said the Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau, which was attended by many foreign dignitaries and politicians.

According to Kaspersky Lab, the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes, but the company said no interference with processes or systems was detected.

“Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services,” it said in a statement.

The attackers also showed a high interest in Kaspersky Lab’s current investigations into advanced targeted attacks.

Researchers believe the attack was carefully planned and carried out by the same group behind the 2011 Duqu APT campaign, which Kaspersky Lab thinks is sponsored by a nation state.

A sophisticated cyber attack

Kaspersky Lab said Duqu 2.0 had evolved from the earlier Duqu, which was deployed against unidentified targets for years before it was discovered in 2011.

According to researchers, there is an overlap between Duqu and Stuxnet, which has been linked to a US-Israeli project to sabotage Iran’s nuclear programme.

“The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar,” said Costin Raiu, director of the global research and analysis team at Kaspersky Lab.

“This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high. To stay hidden, the malware resides only in kernel memory, so anti-malware systems might have problems detecting it.

“It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers,” said Raiu.

Eugene Kaspersky, CEO of Kaspersky Lab, warned: “Sooner or later technologies implemented in similar targeted attacks will be examined and utilised by terrorists and professional cyber criminals – and that is an extremely serious and possible scenario.

“Reporting such incidents is the only way to make the world more secure. This helps to improve the security design of enterprise infrastructure and sends a straightforward signal to developers of this malware: all illegal operations will be stopped and prosecuted.

“The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin,” he said.

Kaspersky Lab believes this attack had a much wider geographical reach and many more targets.

“Judging from what the company already knows, Duqu 2.0 has been used to attack a complex range of targets at the highest levels with similarly varied geo-political interests,” it said.

Symantec security researchers described Duqu 2.0 as a “stealthy, information-stealing tool” that can be used to gain a persistent foothold inside a targeted domain.

A need for serious cyber offense

Symantec said it also found evidence that Duqu has been used in a number of different attack campaigns against a limited number of selected targets.

Among the organisations targeted were a European telecommunications operator, a North African telecommunications operator and a Southeast Asian electronic equipment manufacturer. Infections were also found on computers located in the US, UK, Sweden, India and Hong Kong.

Symantec believes these may have been “stepping stone” type attacks to infiltrate another organisation and eavesdrop on their network.

Tod Beardsley, engineering manager at security firm Rapid7, said Duqu 2.0 represents both the state of the art and the minimum bar for cyber operations.

“Even if one doubts that Stuxnet, Duqu and Duqu 2.0 are sourced from well-financed, highly skilled and geopolitically motivated Western nations, Duqu 2.0 is precisely where we should expect any serious national cyber offensive capability to be,” he said.

According to Beardsley, this, in turn, informs where defensive thinking needs to focus.

“If you cannot defend against a Duqu 2.0-style long-term campaign, you better not have any data or resources that a national offensive cyber organisation will care to compromise,” he added.

Beardsley said Kaspersky has a reputation for being one of the most capable detection and defence organisations in the world, and the fact that it was compromised is a “sobering reminder that the gap between offense and defence is massively lopsided in favour of the attacker”.

He also praised Kaspersky’s handling of the attack on its network.

“It is more transparency than what we usually see with initial breach reports. I’m hopeful that as this story unfolds, Kaspersky will provide more details on exactly how it did detect the activity of Duqu 2.0, since these detection techniques are what CISOs at critical infrastructure networks need to defend and remediate against similar attacks,” said Beardsley.

DDoS attacks starting to resemble APTs, warns Imperva

Thursday, June 11th, 2015

Written by Warwick Ashford for Computer Weekly:

Like advanced persistent threats (APTs), many distributed denial of service (DDoS) attacks are characterised by long durations, repetition and changing attack vectors

Distributed denial of service (DDoS) attacks are beginning to resemble advanced persistent threats (APTs), according to Imperva’s Q2 2015 Global DDoS Trends Report.

The report is based on more than 3,000 mitigated DDoS attacks against organisations, from 1 March to 7 May 2015.

Like APTs, many of these DDoS attacks were characterised by long durations, repetition and changing attack vectors aimed at evading simple, signature-based defence systems.

During the research period, 71% of all network layer attacks lasted under three hours; and over 20% lasted for more than five days.

The longest attack seen during the research period was 64 days, with many other sustained attempts to bring down websites.

Once targeted by an application layer attack, a website will likely be attacked again once every 10 days on average. Some 17% of sites were attacked more than five times; 10% attacked more than 10 times; and several sites were attacked every day, during the 72-day research period.

Botnet hire costs drop

The report highlighted inexpensive botnet-for-hire services used to perpetrate attacks.

With these tools costing as little as $19.99 a month and available for online purchase using Bitcoin, the report said the barrier to mounting such attacks has dropped significantly.

Short, single-vector attacks associated with botnet-for-hire services accounted for approximately 40% of all network layer attacks during the research period.

“Compared to just a few years ago, the frequency, sophistication and duration of attacks have noticeably increased,” said Marc Gaffan, general manager for the Incapsula service at Imperva.

“Professional hackers are mounting advanced attacks that are now resembling advanced persistent threats. We believe that this increased sophistication is due to attackers studying how DDoS mitigation solutions detect and block attacks and implementing new techniques to attempt to bypass them,” said Gaffan.

“As a result, it’s important for enterprises of all sizes to understand the risks DDoS attacks pose and create a readiness plan.”

In May 2015, it emerged that a gang using DDoS attacks to extort bitcoins had begun targeting high-profile organisations in key sectors in Europe, prompting government advisories.

This is in line with the trend of criminal gangs repurposing DDoS attacks initially intended to knock organisations offline by flooding them with network traffic.

But cyber criminals are increasingly using DDoS attacks as a smokescreen to hide other activities, such as stealing data or money, and for extortion.

Extortion gang DD4BC (DDoS for bitcoins) looks set to take this form of attack to a new level, threatening financial and energy sector firms with unprecedented volumes of malicious traffic.

Businesses face spike in ransomware attacks, reports McAfee Labs

Wednesday, June 10th, 2015

Written by Warwick Ashford for Computer Weekly:

Businesses face a substantial increase in the number of ransomware attacks, according to the latest McAfee Labs Report released by Intel Security.

In the first quarter of 2015, McAfee Labs saw a 165% increase from the previous quarter in new ransomware. The malware typically encrypts company data and demands payment for the decryption key.

Researchers said the spike was driven largely by the new, hard-to-detect CTB-Locker ransomware family, a new ransomware family called Teslacrypt, and the emergence of new versions of CryptoWall, TorrentLocker and BandarChor.

McAfee Labs attributes CTB-Locker’s success to clever techniques for evading security software, higher-quality phishing emails and an “affiliate” programme that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages.

McAfee Labs suggests organisations and individuals make it a priority to learn how to recognise phishing emails, including the use of tools such as the Intel Security Phishing Quiz.

In the first quarter of 2015, Adobe Flash malware samples increased by 317%. The researchers attributed the spike in exploits to the popularity of Adobe Flash as a technology; user delay in applying available Adobe Flash patches; new methods to exploit product vulnerabilities; a steep increase in the number of mobile devices that can play Adobe Flash files; and the difficulty of detecting some Adobe Flash exploits.

Industry cleaves to counter threat

Researchers are seeing a continued shift in focus among exploit kit developers, from Java archive and Microsoft Silverlight vulnerabilities to Adobe Flash vulnerabilities.

In the first three months of 2015, 42 new Adobe Flash vulnerabilities were submitted to the US National Vulnerability Database. Adobe made initial fixes available for all of them on the day they were posted.

“With the popularity of a product like Flash, there comes a tremendous responsibility to proactively identify and mitigate security issues threatening millions of users,” said Vincent Weafer, senior vice-president of McAfee Labs.

“This research nicely illustrates how the technology industry works together constructively to gain an advantage in the realm of cyber security – industry partners sharing threat intelligence, and technology providers acting on information quickly to help prevent potential issues.”

To get the full benefit of software supplier efforts to address vulnerabilities, McAfee Labs is urging organisations and individual users to be more diligent in keeping their products updated with the latest security patches.

Malware reprogrammes SSDs and HDDs to evade detection

The McAfee Labs report reveals that the reprogramming modules in malware used by the Equation Group, discovered in February 2015, have been found to be capable of reprogramming the firmware in solid state drives (SSDs), in addition to the previously reported capability to reprogram hard disk drive (HDD) firmware.

Once reprogrammed, the HDD and SSD firmware can reload associated malware each time infected systems boot and the malware persists – even if the drives are reformatted or the operating system is re-installed. Once infected, security software cannot detect the associated malware stored in a hidden area of the drive, researchers said.

“We at Intel take hybrid software-hardware threats and exploits seriously,” said Weafer. “We have closely monitored both academic proofs of concept and in-the-wild cases of malware with firmware or BIOS manipulation capabilities, and these Equation Group firmware attacks rank as some of the most sophisticated threats of their kind.

“While such malware has historically been deployed for highly targeted attacks, enterprises should prepare themselves for the seemingly inevitable ‘off-the-shelf’ incarnations of such threats in the future.”

McAfee Labs advises that organisations take steps to strengthen threat detection at point of initial attack, such as phishing messages with malicious links and malware-infected USB drives and CDs. McAfee Labs said organisations should also consider security systems that can help prevent data exfiltration.

Other 2015 security developments

The first quarter report identified several other developments in the first quarter of 2015:

  • PC malware growth

The first quarter saw a slight decline in new PC malware, which researchers attribute mainly to the activity of one adware family, SoftPulse, which spiked in Q4 2014 and returned to normal levels in Q1 2015. The McAfee Labs malware database grew 13% during that time, and now contains 400 million samples.

  • Mobile malware

The number of new mobile malware samples jumped by 49% from Q4 2014 to Q1 2015.

  • Secure sockets layer (SSL) attacks

SSL-related attacks continued in Q1 2015, although they tapered off in number relative to Q4 2014. Researchers said this reduction is likely the result of SSL library updates that have eliminated many of the vulnerabilities exploited in prior quarters. Shellshock attacks have remained quite prevalent since their emergence late in 2014.

  • Spam botnets

The Dyre, Dridex, and Darkmailer3.Slenfbot botnets overtook Festi and Darkmailer2 as the top spam networks. Their main areas of involvement included pharmaceuticals, stolen credit cards and “shady” social-media marketing tools, the McAfee Labs report said.