By Roy Urrico
Finopotamus aims to highlight white papers, surveys, analyses and reports that provide a glimpse of what is taking place and/or impacting credit unions and other organizations in the financial services industry.
A BeyondTrust report and a CISA, FBI, and NSA alert on ransomware threats, together with a Juniper Research study on robocalls, lead this roundup of cybersecurity analyses.
BeyondTrust Labs Analysis of Ransomware and Phishing Trends
Atlanta-based BeyondTrust, a provider of privileged access management, found in its BeyondTrust Labs Malware Threat Report 2021 that malware-as-a-service (MaaS) and human-operated ransomware campaigns continue to be a major cybersecurity threat. The research provides insights and analysis into threats and privileged account misuse on Windows devices across the globe, based on real-world monitoring and analysis of attacks discovered in the wild by the BeyondTrust Labs team between the first quarter of 2020 and the first quarter of 2021.
The research also examines recurring threat themes and maps out tools, techniques, and procedures against 58 techniques in the MITRE Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) Framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target.
“For decades, enterprises have made significant investments in security solutions in an attempt to strengthen their cyber defenses,” said James Maude, lead cybersecurity researcher at BeyondTrust. “Many of these investments have proven to be ineffective, particularly with changes brought on by the pandemic. Security perimeters have dissolved, creating an exponential growth in attack surfaces, and rendering network monitoring and firewall technologies less effective. Endpoint privilege management solutions enable enterprises to reduce their attack surfaces, while gaining greater control over their digital infrastructure.”
Key report findings:
· Absent the right protection, malware will disable endpoint security controls and undermine security investments.
· The use of native tools to perform fileless attacks in the initial stages of attack is a growing trend, enabling attackers to gain a strong foothold by establishing a persistence mechanism with security controls disabled.
· The MITRE ATT&CK Framework effectively distills a wide range of malware strains and cyberattacks into mitigatable component techniques.
· BeyondTrust Privilege Management for Windows’ out-of-the-box policies proactively disrupted all 150 different, common attack chains tested.
· Removal of admin rights and implementation of pragmatic application control are two of the most effective security controls for preventing and mitigating the most common malware threats.
The report noted that while ransomware has clearly evolved, the fundamental needs to execute code and leverage privileges have largely remained consistent. Whether it is ransomware hitting a single endpoint or a sophisticated, tailored attack, proactively reducing the attack surface by removing admin accounts and controlling application execution is highly effective.
BeyondTrust pointed out that threat actors work ceaselessly to evolve their operations and have matured significantly over the past year. It also observed that a single ransomware attack can involve multiple threat actors, tools and platforms. And as threat actors seek to maximize the disruption to organizations and extract the highest ransom payments, the ransomware model is shifting towards human-driven, enterprise-wide attacks.
Parallel to legitimate software companies trending towards software as a service (SaaS), threat actors are shifting to MaaS with specialists emerging in areas including enterprise credential sales, initial access to a target organization, lateral movement capability, and payload delivery.
Joint Cybersecurity Advisory on Conti Ransomware
The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) recently released a joint cybersecurity advisory alerting organizations of increased Conti ransomware attacks aimed at stealing sensitive files from domestic and international organizations. In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.
The warning said Conti, observed in more than 400 attacks on U.S. and international organizations, differs from other ransomware-as-a-service (RaaS) models in that developers pay the ransomware deployers a wage rather than a percentage of the proceeds from a successful attack.
According to the alert, “Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. The actors use tools already available on the victim’s network. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks.” The warning also referenced a recently leaked threat actor “playbook,” in which Conti actors also exploited vulnerabilities in unpatched assets.
Conti actors often gain initial access to networks through:
· Spearphishing campaigns using tailored emails that contain malicious attachments or malicious links.
· Malicious Word attachments often contain embedded scripts used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the ultimate goal of deploying Conti ransomware.
· Stolen or weak remote desktop protocol (RDP) credentials.
· Phone calls.
· Fake software promoted via search engine optimization.
· Other malware distribution networks (e.g., ZLoader).
· Common vulnerabilities in external assets.
CISA, FBI, and NSA recommended that network defenders use multi-factor authentication, implement network segmentation, filter traffic, scan for vulnerabilities, keep software updated, remove unnecessary applications and apply controls, implement endpoint detection and response (EDR) tools, and limit access to resources over the network, especially by restricting RDP.
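As an added illustration of the "restrict RDP" recommendation above (this script is not part of the advisory or the article), the following PowerShell audits a single Windows host's RDP exposure: whether RDP is enabled, whether Network Level Authentication is required, whether the built-in inbound Remote Desktop firewall rules accept any remote address, which local accounts may log on via RDP, and how many failed remote-interactive logons (Security event 4625, LogonType 10) occurred in the last 24 hours. It assumes an elevated session on an English-language Windows build (the firewall rule group is named "Remote Desktop"); the 24-hour window and the warning threshold of 20 failed logons are arbitrary assumptions, not figures from the advisory.

```powershell
# Added example (not from the CISA/FBI/NSA advisory or the article): audit a Windows
# host's RDP exposure. Run in an elevated PowerShell session on the host being checked.
# Assumption: English-language Windows (firewall rule group 'Remote Desktop').

function Get-RdpExposureReport {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $nlaKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # UserAuthentication = 1 means Network Level Authentication is required, so a
    # client must authenticate before a session is created for it.
    $nlaRequired = (Get-ItemProperty -Path $nlaKey -Name UserAuthentication).UserAuthentication -eq 1

    # Enabled inbound Remote Desktop rules whose remote address scope is 'Any'
    # accept RDP from every network, not just management subnets or a VPN.
    $openToAny = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound |
        Get-NetFirewallAddressFilter |
        Where-Object { $_.RemoteAddress -contains 'Any' }

    # Local accounts permitted to log on via RDP; review for stale or shared accounts.
    $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    # Failed logons (4625) with LogonType 10 (RemoteInteractive) in the last 24 hours
    # are the basic signal of password guessing against RDP. Window is an assumption.
    $since = (Get-Date).AddHours(-24)
    $failedRdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'LogonType' -and $_.'#text' -eq '10' }
        }

    [pscustomobject]@{
        RdpEnabled            = $rdpEnabled
        NlaRequired           = $nlaRequired
        FirewallOpenToAnyAddr = [bool]$openToAny
        RemoteDesktopUsers    = $rdpUsers
        FailedRdpLogons24h    = @($failedRdpLogons).Count
    }
}

$report = Get-RdpExposureReport
$report | Format-List

# Flag the combinations the advisory's recommendations are aimed at: RDP reachable
# from anywhere, RDP without NLA, or a burst of failed remote-interactive logons.
# The threshold of 20 is an assumed value for illustration.
if ($report.RdpEnabled -and $report.FirewallOpenToAnyAddr) {
    Write-Warning 'RDP is enabled and the inbound firewall rule accepts any remote address; scope it to management subnets or a VPN.'
}
if ($report.RdpEnabled -and -not $report.NlaRequired) {
    Write-Warning 'Network Level Authentication is not required; enable it so unauthenticated clients cannot open a session.'
}
if ($report.FailedRdpLogons24h -gt 20) {
    Write-Warning "$($report.FailedRdpLogons24h) failed RDP logons in 24h; check for credential guessing and enforce MFA and lockout policy."
}
```

The registry and firewall checks cover the "restrict RDP" control directly; the failed-logon count is the detection side of the same recommendation and pairs naturally with the advisory's call for multi-factor authentication, since MFA on RDP removes the value of guessed passwords.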
Robocall Fraud to Cost Consumers $40 Billion Globally In 2022
A new study from Hampshire, U.K.-based Juniper Research, Robocall Mitigation: Emerging Strategies, Competitor Leaderboard & Market Forecasts 2021-2026, found that consumers will lose $40 billion to fraudulent robocalls globally in 2022; rising from $31 billion in 2021.
Fraudulent robocalls pose threats to consumers by encouraging the disclosure of personal information that fraudsters use for identity theft. In most robocall fraud cases, fraudsters impersonate a genuine brand or enterprise to gain the call recipient’s trust.
Research co-author Charles Bowman remarked: “Even if the fraudulent attempt is unsuccessful, subscribers will still be subject to nuisance calls. In 2022, we predict over 110 billion unwanted robocalls will be made globally; significantly diminishing the value of mobile voice channels.” North America is the region most affected by fraudulent robocalling; accounting for 45% of global losses next year, despite representing just 5% of mobile subscribers.
The study predicts that emerging mitigation frameworks will combat fraudulent robocalls by creating an ecosystem to verify brands and enterprises. However, it noted that standardizing services across all stakeholders, including mobile operators, brands and mobile operating system developers, will be essential to creating a service that mitigates fraud in real-time.
The report identified brand authentication technologies as a critical element of these frameworks. Brand authentication services provide mobile subscribers with information on the smartphone screen before answering the call, including the verified identity of the calling enterprise and purpose of the call.