Malware Defense
 
(@deep_gajiwala)

Understanding Malware & Threats:

Malware is intrusive software that is designed to damage and destroy computers and computer systems. Malware is a contraction of “malicious software.” Examples of common malware include viruses, worms, Trojan viruses, spyware, adware, and ransomware.

The motives behind malware vary. Malware can be about making money off you, sabotaging your ability to get work done, making a political statement, or just bragging rights. Although malware cannot damage the physical hardware of systems or network equipment, it can steal, encrypt, or delete your data, alter or hijack core computer functions, and spy on your computer activity without your knowledge or permission.

Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations.

It comes in a mysterious variety of forms. Computer viruses are probably the most familiar type of malware — so named because they spread by making copies of themselves. Worms have a similar property. Other types of malware, such as spyware, are named for what they do: in the case of spyware, it transmits personal information, such as credit card numbers.

 

How to identify malware:

Malware can reveal itself through many different aberrant behaviours, listed below:

  • Your computer slows down:

One of malware’s side effects is to reduce the speed of your operating system (OS). Whether you’re navigating the Internet or just using your local applications, usage of your system’s resources appears abnormally high. You might even notice your computer’s fan whirring away at full speed, a good indicator that something is taking up system resources in the background. This tends to happen when your computer has been roped into a botnet, i.e., a network of enslaved computers used to perform DDoS attacks, blast out spam, or mine cryptocurrency.

  • Your screen is inundated with annoying ads:

Unexpected pop-up ads are a typical sign of a malware infection. They’re especially associated with a form of malware known as adware. What’s more, pop-ups usually come packaged with other hidden malware threats. So, if you see something akin to “CONGRATULATIONS, YOU’VE WON A FREE PSYCHIC READING!” in a pop-up, don’t click on it. Whatever free prize the ad promises, it will cost you plenty.

  • Your system crashes:

This can come as a freeze or a BSOD (Blue Screen of Death); the latter occurs on Windows systems after encountering a fatal error.

  • You notice a mysterious loss of disk space:

This could be due to a bloated malware squatter hiding in your hard drive, aka bundleware.

  • There’s a weird increase in your system’s Internet activity:

Take Trojans for example. Once a Trojan lands on a target computer, the next thing it does is reach out to the attacker’s command and control server (C&C) to download a secondary infection, often ransomware. This could explain the spike in Internet activity. The same goes for botnets, spyware, and any other threat that requires back and forth communication with the C&C servers.

  • Your browser settings change:

If you notice your homepage changed or you have new toolbars, extensions, or plugins installed, then you might have some sort of malware infection. Causes vary, but this usually means you clicked on that “congratulations” pop-up, which downloaded some unwanted software.

  • Your antivirus product stops working:

You cannot turn it back on, leaving you unprotected against the sneaky malware that disabled it.

  • You lose access to your files or your entire computer:

This is symptomatic of a ransomware infection. The hackers announce themselves by leaving a ransom note on your desktop or changing your desktop wallpaper itself into a ransom note. In the note, the perpetrators typically inform you that your data has been encrypted and demand a ransom payment in exchange for decrypting your files.

 

How malware enters systems:

The two most common ways that malware accesses your system are the Internet and email. So basically, anytime you’re connected online, you’re vulnerable.

Malware can penetrate your computer when (deep breath now) you surf through hacked websites, view a legitimate site serving malicious ads, download infected files, install programs or apps from an unfamiliar provider, open a malicious email attachment, or pretty much everything else you download from the web onto a device that lacks a quality anti-malware security application.

Malicious apps can hide in seemingly legitimate applications, especially when they are downloaded from websites or direct links (in an email, text, or chat message) instead of an official app store. Here it’s important to look at the warning messages when installing applications, especially if they seek permission to access your email or other personal information.

 

“Malware attacks would not work without the most important ingredient: you.”

 

Types of malware:

  • WORM: Worms are malicious software that rapidly replicates and spreads to any device within the network. Unlike viruses, worms do not need host programs to   A worm infects a device via a downloaded file or a network connection before it multiplies and disperses at an exponential rate. Like viruses, worms can severely disrupt the operations of a device and cause data loss.

Worms are divided into two categories:

Network Service Worms: A network service worm takes advantage of a vulnerability in a network service to propagate itself and infect other hosts.
Mass Mailing Worms: A mass mailing worm is similar to an email-borne virus but is self-contained, rather than infecting an existing file.

 

  • Working: Worms can be transmitted via software vulnerabilities. Or computer worms could arrive as attachments in spam emails or instant messages (IMs). Once opened, these files could provide a link to a malicious website or automatically download the computer worm. Once it’s installed, the worm silently goes to work and infects the machine without the user’s knowledge.

Worms can modify and delete files, and they can even inject additional malicious software onto a computer. Sometimes a computer worm’s purpose is only to make copies of itself over and over — depleting system resources, such as hard drive space or bandwidth, by overloading a shared network. In addition to wreaking havoc on a computer’s resources, worms can also steal data, install a backdoor, and allow a hacker to gain control over a computer and its system settings.

  • Identification: If you suspect your devices are infected with a computer worm, run a virus scan immediately. Even if the scan comes up negative, continue to be proactive by following these steps:

  1. Keep an eye on your hard drive space
  2. Monitor speed and performance
  3. Be on the lookout for missing or new files

 

  • Examples:
  1. The Morris Worm was launched in 1988 by Robert Morris, an American student who wanted to discover how big the internet really was. To do this, he launched a few dozen lines of code, but he didn’t know that the code was riddled with bugs that would cause a variety of problems on affected hosts. The result was thousands of overloaded computers running on UNIX and financial damage ranging between $10 million and $100 million.

  2. The Storm Worm is an email worm launched in 2007. Victims would receive emails with a fake news report about an unprecedented storm wave that had already killed hundreds of people across Europe. More than 1.2 billion of these emails were sent over the course of ten years in order to create a botnet that would target popular websites. Experts believe that there are still at least a million infected computers whose owners don’t know that they are part of a botnet.

  3. SQL Slammer was unique in that it didn’t utilize any of the traditional distribution methods. Instead, it generated a number of random IP addresses and sent itself out to them in hopes that they weren’t protected by antivirus software. Soon after it hit in 2003, the result was more than 75,000 infected computers unknowingly involved in DDoS attacks on several major websites.

 

  • Prevention:
  1. Invest in a strong internet security software solution
  2. Be extra cautious against phishing
  3. Update your operating systems

 

 

  • TROJAN: A Trojan horse is a self-contained, nonreplicating program that, while appearing to be benign, actually has a hidden malicious purpose. Trojan horses either replace existing files with malicious versions or add new malicious files to hosts. They often deliver other attacker tools to hosts.

 

  • Working: Once installed, trojans may perform a range of malicious actions. Many tend to contact one or more Command and Control (C2) servers across the Internet and await instruction. Since individual trojans typically use a specific set of ports for this communication, it can be relatively simple to detect them. Moreover, other malware could potentially "take over" the trojan, using it as a proxy for malicious action.

 

  • Identification: Trojans are used as a delivery device for a number of different types of malware. If you suspect your device may have been breached by a Trojan, you should look for many of the same tell-tale signs of malicious These may include:

  1. Poor device performance: is your computer or mobile device running slowly or crashing more frequently than normal?
  2. Strange device behaviour: are programs running you didn’t initiate, or are other unexplained processes being executed on your device?
  3. Pop-up and spam interruptions: are you noticing an uptick in the number of interruptions from browser pop-ups or email spam?

 

  • Examples:
  1. Zeus - Also known as Zbot, Zeus is a successful Trojan malware package with many variants used to carry out a number of different types of attack. It’s perhaps most well-known for its successful hack of the U.S. Department of Transportation.
  2. Wirenet - Wirenet is a password-stealing Trojan notable for being among the first to target Linux and OSX users, many of whom were migrating from Windows operating systems based on perceived security flaws.
  3. Mobile banking Trojans - Webroot has documented a number of Trojans written to target mobile banking apps for the purpose of stealing login credentials or replacing legitimate apps with malicious ones.

 

  • Prevention: As with protecting against most common cybersecurity threats, effective cybersecurity software should be your front line of protection. An effective internet security solution should run fast, frequent scans and alert you as soon as a Trojan virus is detected.

  1. Never download or install software from a source you don’t trust completely.
  2. Never open an attachment or run a program sent to you in an email from someone you don’t know.
  3. Keep all software on your computer up to date with the latest patches.
  4. Make sure a Trojan antivirus is installed and running on your computer.

 

  • MALICIOUS MOBILE CODE: Malicious mobile code is software with malicious intent that is transmitted from a remote host to a local host and then executed on the local host, typically without the user’s explicit instruction. Popular languages for malicious mobile code include Java, ActiveX, JavaScript, and 

 

  • Working: Malicious mobile code criminals are not only well-versed in computer programming, they are also knowledgeable in marketing techniques that are based on how Internet surfers think. These are marketing strategies that appeal to the Internet surfer's interests.

 

Armed with this knowledge, malicious mobile code criminals program codes that install malware into items of interest such as free screensavers, music downloads, games, pornography, and other applications that are accessed on the Internet. All of these applications generally require interactive plug-ins such as ActiveX, JavaScript, or Flash, and they exist on websites that are infected with malware.

 

Once the user clicks on the website and uses these applications, the malware is installed without the user's permission and is usually the initial step to a combined malware attack. The malware is installed on the user's computer and then it generates additional malware such as spyware, keylogging, adware, and other malicious software. This allows the intruder to access personal and financial information, passwords, logins, and other sensitive data.

 

  • Examples: Hackers are continuously working to compromise technical defences against malicious code. Some of the better-known examples of malicious attacks include:

  1. Trojan Horse – Emotet – appears as applications a user would benefit from
  2. Worms – Stuxnet – replicated through network computers
  3. Bots – Echobot – launched a flood of attacks
  4. Ransomware – RYUK – disables access to company assets until the ransom is paid

 

  • Prevention: Providing continuous protection includes a comprehensive approach to application, network and data security that includes:

  1. Stress to employees the importance of never opening unexpected emails from external sources. It’s especially important to avoid opening attachments or clicking links from such sources.
  2. Install and update antivirus software on all computers as a first defence.
  3. Block pop-ups to prevent some incidents of intentional or accidental clicking on potentially harmful links.
  4. Use minimal permissions on web applications to limit the authority and prevent hackers from having the potential to spread malicious code to critical systems.
  5. Keep software updated to ensure any applicable security patches or improvements are included.
  6. Scan websites and code for malicious code regularly.
  7. Implement secure firewalls for all network traffic.
  8. Utilize software tools to monitor suspicious activity, especially any use of unauthorized web sites, access to bank accounts, or emails to or from unrecognized email accounts.
  9. Utilize secure VPN software for mobile employees who may utilize business systems from home, customer or job sites, or on public networks.

 

  • Blended Attacks: A blended attack uses multiple infection or transmission methods. For example, a blended attack could combine the propagation methods of viruses and 

 

  • Working: Blended attacks use a combination of multiple attack vectors and malware capabilities to achieve their ultimate goal. If a bad actor wants to launch a DDoS attack on an organization and infect them with a server rootkit during the attack, they will not use their own server for the

 

  • Examples:

  1. An attacker launches a phishing campaign against your organization or successfully compromises one of your collaboration apps.
  2. The attack involves the submission of infected links that redirect your employees to a malicious website.
  3. From there, those who are tricked into clicking on the link will download a virus or a Trojan worm that spreads across multiple endpoints within your IT ecosystem.
  4. The Trojan virus opens a backdoor to your systems, which in turn allows the attacker to create a botnet.
  5. The attacker launches a DDoS attack against a third party using your organization’s IT resources as well as other endpoints the attacker controls.
  6. While the security team of the organization under attack deals with the DDoS attack, the bad actor manages to install a rootkit on their web server, which gives unrestricted access to sensitive data and resources to further penetrate their network.

 

  • Prevention:

An organization cannot prevent blended attacks from occurring, but security teams can make it harder for an attacker to penetrate their corporate network.

 

As blended attacks use multiple attack vectors and employ mimicry tactics, organizations must adopt a mix of cybersecurity measures and strategies to match the complexity of a blended attack.

 

A typical combination of tools to stop blended attacks includes next-generation firewalls and a mix of next-generation antivirus and spyware detection software that are able to detect both known and unknown threats in real time. A blended attack does not give teams much time to respond, so intrusion prevention systems should detect unknown threats as they materialize.

 

To prevent blended attacks from happening and spreading across a corporate network, organizations should also implement a strict policy for user access control that addresses elevation of privileges and abuse of login credentials. A cyber threat is as dangerous as the access privileges it gets – infecting an endpoint such as a workstation might be acceptable damage, infecting a server or a computer in use by a system administrator is not.

 

Attacker Tools:

Various types of attacker tools might be delivered to a host by malware. These tools allow attackers to have unauthorized access to or use of infected hosts and their data, or to launch additional attacks.

 

Popular types of attacker tools are as follows:

 

  • BACKDOORS: A backdoor is a malicious program that listens for commands on a certain TCP or UDP port. Most backdoors allow an attacker to perform a certain set of actions on a host, such as acquiring passwords or executing arbitrary commands. Types of backdoors include zombies (better known as bots), which are installed on a host to cause it to attack other hosts, and remote administration tools, which are installed on a host to enable a remote attacker to gain access to the host’s functions and data as needed.

 

  • Working: In order for cybercriminals to successfully install a backdoor on your device, they first need to gain access to your device, either through physical access, a malware attack, or by exploiting a system vulnerability — here are some of the more common vulnerabilities that hackers target:
    • Open ports.
    • Weak passwords.
    • Out-of-date software.
    • Weak firewalls.

 

  • Prevention: The bad news is that it's difficult to identify and protect yourself against built-in backdoors. More often than not, the manufacturers don't even know the backdoor is there. The good news is that there are things you can do to protect yourself from the other kinds of     

  1. Change your default passwords.
  2. Monitor network activity.
  3. Choose applications and plugins carefully.
  4. Use a good cybersecurity solution.
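
Since a backdoor listens on a TCP or UDP port, one practical form of "monitor network activity" is to compare a host's listening sockets against a known-good baseline. The following is an added example, not part of the original post; the `ss -tuln` sample output, the port numbers and the baseline are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:4545       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

# Hypothetical baseline: the (protocol, port) pairs this host is meant to expose.
BASELINE = {("tcp", 22), ("tcp", 443), ("udp", 5353)}


def parse_listeners(ss_output):
    """Return a list of (protocol, port, exposure) for each listening socket.

    exposure is "loopback" when the socket is bound to a loopback address
    and "network" otherwise (wildcard or routable address).
    """
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header row and anything that is not a tcp/udp socket line.
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        host, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        # Normalise "[::]" and "127.0.0.53%lo" style addresses.
        host = host.strip("[]").split("%", 1)[0]
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False  # "*" wildcard binds to every interface
        exposure = "loopback" if loopback else "network"
        listeners.append((fields[0], int(port), exposure))
    return listeners


def unexpected_listeners(ss_output, baseline):
    """Listeners whose (protocol, port) is not in the baseline.

    Network-reachable sockets are sorted first because they are the ones a
    remote attacker could connect to.
    """
    found = {
        entry for entry in parse_listeners(ss_output)
        if (entry[0], entry[1]) not in baseline
    }
    return sorted(found, key=lambda e: (e[2] != "network", e[0], e[1]))


if __name__ == "__main__":
    for proto, port, exposure in unexpected_listeners(SAMPLE_SS_OUTPUT, BASELINE):
        print(f"unexpected listener: {proto}/{port} ({exposure})")
```

An unexpected listener is a lead to investigate (which process owns it, when it appeared), not proof of a backdoor.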

 

  • KEYSTROKE LOGGERS: A keystroke logger monitors and records keyboard use. Some require the attacker to retrieve the data from the host, whereas other loggers actively transfer the data to another host through email, file transfer, or other      

 

  • Identification: Keyloggers invade PCs (and Macs, and Androids, and iPhones) in the same way that other malware does. They install when you click on a file attachment that you’ve been duped into opening—most commonly because you fell for a social engineering scheme or a cleverly designed phishing expedition. The attachments can come to you by email, through a text message, an instant message, on social networks, or even through a visit to an otherwise legitimate but infected website, which exploits a vulnerability in it and drops a drive-by malware download. Also, keyloggers rarely arrive solo. The same Trojan that delivers the keylogger can slip other malware on your system—such as adware, spyware, ransomware, or a virus.

 

  • Examples: In 2016, a major survey conducted by a US-based cybersecurity firm revealed that businesses from 18 countries were targeted as part of a coordinated campaign that used the Olympic Vision keylogger to obtain confidential business-related information. Distributed via fake emails allegedly sent by business associates, this software-based keylogger logged not only keystrokes but also clipboard images and texts, saved logins, and instant messaging chat histories.

 

In 2007, a group of Romanian hackers launched a global phishing campaign that involved the sending of malicious emails to millions of email addresses. When potential victims clicked on the link included in these emails, a software-based keylogger would be installed on their computers. The perpetrators of this cyber-attack were finally identified in October 2018, when it was also revealed that they had stolen more than $4 million since the launch of the attack.

 

In 2015, a UK student was arrested and sentenced to four months in prison after it was revealed that he had used a keystroke logging software to up his exam marks. He installed the software on the computers at his university and used it to steal the staff’s login info. After that, he used the login info to access his university records and up the marks on five of his exams.

 

  • Prevention: Avoid keyloggers by avoiding the user mistakes that lead to their ability to infect phones and computers. It starts with keeping your operating system, your applications, and web browsers up to date with the latest security patches. Always be sceptical about any attachments you receive, especially unexpected ones, even if they seem to come from someone you know. When in doubt, contact the sender to ask. Keep your passwords long and complex, and avoid using the same one for different services.

 

  • WEB-BROWSER PLUG-INS: A web browser plug-in provides a way for certain types of content to be displayed or executed through a web browser. Malicious web browser plug-ins can monitor all use of a browser.

 

  • Working: First of all, extensions can be downright malicious. That happens mostly with extensions that come from third-party websites, but sometimes — as in cases with Android and Google Play — malware sneaks into official markets as well.

For example, security researchers recently uncovered four extensions in the Google Chrome Web Store that posed as innocuous sticky notes apps but in fact were caught generating profits for their creators by secretly clicking on pay-per-click ads.

How can an extension do something like that? Well, to do something, an extension requires permissions. Problem is, of the browsers people commonly use, only Google Chrome prompts the user to grant these permissions (or not); other browsers allow extensions to do anything they want by default, and the user doesn’t have a choice but to accept it.

However, even in Chrome that permissions management exists only in theory — in practice, it doesn’t work. Even basic extensions usually require permission to “read and change all your data on the websites you visit,” which gives them the power to do virtually anything with your data. And if you don’t give them that permission, they won’t be installed.

  • Prevention: It might be safer not to use them at all, but that’s inconvenient, so we need a way to use extensions more or less safely. Here’s how:
  1. Don’t install too many extensions. Not only do they affect computer performance, but they are also a potential attack vector, so narrow their number to just a few of the most useful.
  2. Install extensions only from official Web stores. There, they undergo at least some scrutiny, with security specialists filtering out those that are malicious from head to toe.
  3. Pay attention to the permissions that extensions require. If an extension already installed on your computer requests a new permission, that should immediately raise flags; something is probably going on. That extension might’ve been hijacked or sold. And before installing any extension, it’s always a good idea to look at the permissions it requires and think about whether they match the functionality of the app. If you can’t find a logical explanation for the permissions, it’s probably better not to install that extension.
  4. Use a good security solution. Kaspersky Internet Security can detect and neutralize malicious code in browser extensions. Our antivirus solutions use a vast database of malicious extensions that is frequently updated — and we discover new malicious Chrome extensions almost every day.
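
The permission review described above can be partly automated by reading an extension's `manifest.json`. The following is an added example, not part of the original post and not code from any vendor named in it: it flags host patterns that grant access to every website and lists permissions that an update requests for the first time. Both manifests are constructed samples.

```python
import json

# Host patterns that give an extension access to every site, which Chrome
# summarises as "Read and change all your data on the websites you visit".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample: the installed version of a notes extension.
OLD_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Sticky Notes (constructed sample)",
  "version": "1.0",
  "permissions": ["storage"]
}
""")

# Constructed sample: an update that asks for far more than a notes app needs.
NEW_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Sticky Notes (constructed sample)",
  "version": "1.1",
  "permissions": ["storage", "tabs", "webRequest"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}]
}
""")


def is_host_pattern(value):
    """Host match patterns contain '://' or are the special <all_urls> token."""
    return value == "<all_urls>" or "://" in value


def requested_access(manifest):
    """Return (api_permissions, host_patterns) requested by a manifest dict.

    Covers Manifest V2, where host patterns are mixed into "permissions",
    Manifest V3, where they live in "host_permissions", and the match
    patterns of content scripts, which also run on the matched pages.
    """
    apis, hosts = set(), set()
    for key in ("permissions", "optional_permissions"):
        for item in manifest.get(key, []):
            if not isinstance(item, str):
                continue
            (hosts if is_host_pattern(item) else apis).add(item)
    for key in ("host_permissions", "optional_host_permissions"):
        hosts.update(manifest.get(key, []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return apis, hosts


def audit(manifest, previous=None):
    """Summarise broad host access and, given the previous version's
    manifest, any permissions the update requests for the first time."""
    apis, hosts = requested_access(manifest)
    report = {
        "name": manifest.get("name", "<unnamed>"),
        "broad_hosts": sorted(hosts & BROAD_HOST_PATTERNS),
        "new_apis": [],
        "new_hosts": [],
    }
    if previous is not None:
        old_apis, old_hosts = requested_access(previous)
        report["new_apis"] = sorted(apis - old_apis)
        report["new_hosts"] = sorted(hosts - old_hosts)
    return report


if __name__ == "__main__":
    print(json.dumps(audit(NEW_MANIFEST, previous=OLD_MANIFEST), indent=2))
```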

 

  • E-MAIL GENERATORS/PHISHING: An email-generating program (or phishing campaign) can be used to create and send large quantities of emails, SMS messages, or calls, such as malware and spam, to other hosts without the user’s permission or knowledge.

 

  • Working: A basic attack attempts to trick a user into entering personal details or other confidential information, and email is the most common method of performing these attacks.

 

The sheer number of emails sent every single day means that it's an obvious attack vector for cyber criminals. It's estimated that 3.7 billion people send around 269 billion emails every single day.

 

Researchers at Symantec suggest that almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day.

 

Most people simply don't have the time to carefully analyse every message that lands in their inbox - and it's this that phishers look to exploit in a number of ways.

 

  • Identification: The 'spray and pray' is the least sophisticated type of phishing attack, whereby basic, generic messages are mass-mailed to millions of users. These are the 'URGENT message from your bank' and 'You've won the lottery' messages that look to panic victims into making an error -- or blind them with greed. Some emails attempt to use fear, suggesting there's a warrant out for the victim's arrest and they'll be thrown in jail if they don't click through.

 

Schemes of this sort are so basic that there's often not even a fake web page involved - victims are often just told to respond to the attacker via email. Sometimes emails might play on the pure curiosity of the victim, simply appearing as a blank message with a malicious attachment to download.

 

 
   
  • Example: This is the way Locky ransomware spread in 2016 and at the time it was one of the most effective forms of the file-encrypting malware around. Many of the most damaging ransomware campaigns have now switched to other means of gaining access to networks, such as compromising internet-facing servers or remote desktop ports, although there's recently been a resurgence in phishing emails being used to distribute ransomware.

                                    -------------------------------------------------------------------------------------

The rise of mobile messaging services – Facebook Messenger and WhatsApp in particular – has provided phishers with a new method of attack.

Attackers don't even need to use emails or instant messaging apps in order to meet the end goal of distributing malware or stealing credentials - the internet-connected nature of modern communications means text messages are also an effective attack vector.

SMS phishing - or smishing - attacks work in much the same way as an email attack; presenting the victim with a fraudulent offer or fake warning as an incentive to click through to a malicious URL.

 

Once the victim has clicked on the link, the attack works in the same way as a regular phishing attack, with the victim duped into handing over their information and credentials to the perpetrator.

  • Prevention: Fortunately, due to their commonplace nature, phishing scams are avoidable if you know how to correctly identify and prevent them.

Tips to prevent phishing attacks:

  1. Know what a phishing scam looks like
  2. Don’t click on unwanted links
  3. Get free anti-phishing add-ons
  4. Don’t give your information to an unsecured site
  5. Rotate passwords regularly
  6. Don’t ignore updates
  7. Don’t be tempted by pop-ups

 

Malware Examples:

We've already discussed some of the current malware threats looming large today. But there is a long, storied history of malware, dating back to infected floppy disks swapped by Apple II hobbyists in the 1980s and the Morris Worm spreading across Unix machines in 1988. Some of the other high-profile malware attacks have included:

  • ILOVEYOU: a worm that spread like wildfire in 2000 and did more than $15 billion in damage
  • SQL Slammer: which ground internet traffic to a halt within minutes of its first rapid spread in 2003
  • Conficker: a worm that exploited unpatched flaws in Windows and leveraged a variety of attack vectors – from injecting malicious code to phishing emails – to ultimately crack passwords and hijack Windows devices into a botnet.
  • Zeus: a late '00s keylogger Trojan that targeted banking information
  • CryptoLocker: the first widespread ransomware attack, whose code keeps getting repurposed in similar malware projects
  • Stuxnet: an extremely sophisticated worm that infected com

 

Malware trend:

  • You can count on cyber criminals to follow the money. They will target victims depending on the likelihood of delivering their malware successfully and the size of the potential payout. If you look at malware trends over the past few years, you will see some fluctuation in terms of the popularity of certain types of malware and who the most common victims are—all driven by what the criminals believe will have the biggest ROI.
  • Recent research reports indicate some interesting shifts in malware tactics and targets. Crypto miners, which had surpassed ransomware as the most common type of malware, are falling out of favour due to the decline in cryptocurrency values. Ransomware is becoming more targeted, moving away from a shotgun approach.

Real-life malware examples:

  • Petya (Ransomware, 2016): Petya blocks your machine’s entire operating system, and the only way to release it is by paying a ransom. Today, the estimated value of Petya losses has reached USD 10 billion since its release about five years ago. Common businesses that fall for this trap are banks, oil companies, airports, shipping companies, and more.

 

  • CryptoLocker (Ransomware, 2013): CryptoLocker, released in 2013, is one of the most famous ransomware strains in history. This ransomware used a large encryption key that made it difficult for experts to penetrate. With this, it has caused USD 3 million worth of damages, infecting more than 200,00 Windows devices. Since the attack uses emails, it’s crucial to implement email security to avoid cases like this.

 

  • ILOVEYOU (Worm, 2000): Sadly, this malware attack disguises itself as a love letter, and one can receive it via email. This worm infected over 45 million people in 2000, causing over USD 15 billion in damages. ILOVEYOU is known to be the first of its kind in social engineering, and once you trigger it, it can self-replicate using the victim’s email.

 

  • CovidLock (Ransomware, 2020): The fear that the COVID-19 pandemic brought in was exploited by cybercriminals. This malicious software promises to offer information about the disease, but instead, it encrypts your data and denies access. The only way to get back your data is by paying a fee of USD 100 per device.

 

  • LockerGoga (Ransomware, 2019): This ransomware infected large corporations worldwide like Hydro and Altran Technologies. This attack was estimated to have caused millions of dollars in damages. LockerGoga infects devices through malicious emails, credential theft, and phishing scams. This attack is pretty dangerous since it completely blocks a victim’s access to their system.

 

Awareness:

  • Not opening suspicious emails or attachments, clicking on hyperlinks, etc. from unknown or known senders, or visiting websites that are likely to contain malicious content.
  • Not clicking on suspicious web browser popup windows.
  • Not opening files with file extensions that are likely to be associated with malware (e.g., .bat, .com, .exe, .pif, .vbs).
  • Not disabling malware security control mechanisms (e.g., antivirus software, content filtering software, reputation software, personal firewall).
  • Not using administrator-level accounts for regular host operation.
  • Not downloading or executing applications from untrusted sources.
  • Never reply to email requests for financial or personal information. Instead, contact the person or the organization at the legitimate phone number or website. Do not use the contact information provided in the email, and do not click on any attachments or hyperlinks in the email.
  • Do not provide passwords, PINs, or other access codes in response to emails or unsolicited popup windows. Only enter such information into the legitimate website or application.
  • Do not open suspicious email file attachments, even if they come from known senders. If an unexpected attachment is received, contact the sender (preferably by a method other than email, such as phone) to confirm that the attachment is legitimate.
  • Do not respond to any suspicious or unwanted emails.
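The file-extension rule in the list above can also be enforced at a mail gateway or attachment handler. The following sketch is an added example, not part of the original post; it uses only the extensions named above, and the function names and sample file names are constructed for illustration. It also covers two ways a risky extension is commonly hidden: a double extension and invisible Unicode format characters.

```python
import unicodedata

# Extensions the awareness list above names as likely to be associated with malware.
RISKY_EXTENSIONS = {".bat", ".com", ".exe", ".pif", ".vbs"}


def normalize_name(filename: str) -> str:
    """Return the file name as the operating system will effectively treat it."""
    # Drop invisible Unicode format characters (category Cf), such as the
    # right-to-left override that makes "gpj.vbs" render as "sbv.jpg".
    visible = "".join(ch for ch in filename if unicodedata.category(ch) != "Cf")
    # Keep only the last path component, then remove the trailing dots and
    # spaces that Windows ignores when it opens a file.
    base = visible.replace("\\", "/").rsplit("/", 1)[-1]
    return base.strip().rstrip(". ").lower()


def assess_attachment(filename: str) -> dict:
    """Decide whether an attachment name should be blocked, and say why."""
    name = normalize_name(filename)
    extensions = ["." + part for part in name.split(".")[1:] if part]
    final = extensions[-1] if extensions else ""
    reasons = []
    if final in RISKY_EXTENSIONS:
        reasons.append(f"executable or script extension {final}")
        if len(extensions) > 1:
            reasons.append(f"double extension: {extensions[-2]} shown before {final}")
    if any(unicodedata.category(ch) == "Cf" for ch in filename):
        reasons.append("invisible format characters in the file name")
    return {"name": name, "extension": final, "block": bool(reasons), "reasons": reasons}


# Constructed sample attachment names.
SAMPLES = ["report.docx", "Invoice.PDF.exe ", "photo\u202egpj.vbs", "setup.bat.", "notes.v2.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = assess_attachment(sample)
        print(f"{sample!r:28} block={verdict['block']} {verdict['reasons']}")
```
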

 

Prevention:

Scenario 1 - Advisory practices attacked by a Trojan virus

In this scenario, a number of advisory practices were subject to a targeted malware attack via a Trojan virus. This virus helped the cyber criminals access several advisers’ PCs and obtain the login details for systems that had been used.

This attempted fraud took place while the practice was closed over the Christmas holidays.

"We locked up the office that afternoon just before Christmas and went home. We were all looking forward to a nice long break, it’d been a busy year. We wouldn’t be back in the office until the New Year."

Transactions were submitted to the platform over the Christmas period using several advisers’ user IDs.

Direct credit (EFT) bank account details were edited to credit the cyber criminals' ‘mule’ Australian bank account. From this account the cyber criminals would be free to transfer the funds overseas.

Luckily for the practice, the fraud was uncovered before any funds were paid out.

"Even though we were on holiday, we all continued to check our transaction updates via the platform each day. We called the platform right away and they were able to stop the fraudulent payments in time."

Preventing this type of fraud

  • Be diligent about checking platform transaction updates sent by email or displayed online. Specifically look out for withdrawal requests, new accounts opened, asset sell downs and changes to contact details.
  • When taking annual leave, nominate a colleague to check platform transaction updates on your behalf in your absence.
  • Call us immediately if you suspect fraud or malware on your system. We’ll suspend your login ID to attempt to prevent further fraudulent transactions.

Bring in a tech specialist immediately to run and update security software and restore your systems back to normal.
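The daily check that caught the fraud in Scenario 1 can be partly automated. The following is an added example, not part of the original post: it reads a transaction-update feed and flags the update types listed above when they arrive while the office is closed, and marks a withdrawal that follows a bank-detail change for the same client as urgent. The feed format, event names, dates and IDs are constructed assumptions, not the platform's real export.

```python
import csv
import io
from datetime import datetime, timedelta

# Update types the advice above says to look out for, plus the bank-detail
# edit from the scenario. The event names are hypothetical.
WATCHED = {"withdrawal_request", "account_opened", "asset_sell_down",
           "contact_details_changed", "bank_details_changed"}

# Constructed sample feed; dates, user IDs and client numbers are made up.
SAMPLE_FEED = """timestamp,user_id,client,event
2021-12-22T10:15:00,adv01,1001,withdrawal_request
2021-12-26T02:10:00,adv02,1002,bank_details_changed
2021-12-26T02:14:00,adv02,1002,withdrawal_request
2021-12-27T03:01:00,adv03,1003,contact_details_changed
2021-12-28T09:00:00,adv01,1001,statement_viewed
"""
CLOSED_FROM = datetime(2021, 12, 24, 17, 0)   # constructed office closure
CLOSED_TO = datetime(2022, 1, 4, 8, 0)


def review_updates(feed_text, closed_from, closed_to, window=timedelta(hours=24)):
    """Return alerts for watched updates that need a human to look at them."""
    alerts = []
    last_bank_change = {}  # client -> time of the most recent bank-detail edit
    rows = sorted(csv.DictReader(io.StringIO(feed_text)), key=lambda r: r["timestamp"])
    for row in rows:
        if row["event"] not in WATCHED:
            continue
        when = datetime.fromisoformat(row["timestamp"])
        reasons, urgent = [], False
        if closed_from <= when <= closed_to:
            reasons.append("submitted while the office was closed")
        if row["event"] == "bank_details_changed":
            last_bank_change[row["client"]] = when
        elif row["event"] == "withdrawal_request":
            changed = last_bank_change.get(row["client"])
            if changed is not None and when - changed <= window:
                reasons.append("withdrawal follows a bank-detail change")
                urgent = True
        if reasons:
            alerts.append({"time": when, "user_id": row["user_id"],
                           "client": row["client"], "event": row["event"],
                           "severity": "urgent" if urgent else "review",
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in review_updates(SAMPLE_FEED, CLOSED_FROM, CLOSED_TO):
        print(alert["severity"], alert["time"], alert["user_id"], alert["event"], alert["reasons"])
```
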

 

Scenario 2 - Adviser subject to a malware attack causing account lock

A Melbourne advisory practice was the target of a malware attack, having found malware on their system which locked their access to the platform. The malware allowed the cybercriminal to gain access to an adviser’s login details for all systems he had used recently.

The cyber criminals now had access to every website or account that required a login. This included personal banking, platform desktop software, Xplan software and Facebook.

The next time the adviser tried to log in to his platform desktop software, he was locked out.

He rang our account executive team to report his access was locked. He couldn’t log in, even though he was using his correct username and password.

The platform reset his password. The next day, when the adviser tried again to log in, he was locked out of the system again.

It became obvious that the adviser’s user ID had been compromised. At this point, the user ID was deleted.

If your platform access has been locked, or you suspect fraud or malware on your system, call us immediately as part of your reporting response so we can suspend your login ID to attempt to prevent further fraudulent transactions. Bring in a tech specialist immediately to run and update security software and restore your systems back to normal.

Preventing this type of fraud

  • Be on the lookout for requests to check and confirm login details.
  • Increase the strength of your identifiers and ensure two or more proofs of identity are required before access to company systems is enabled.
  • Use virus protection software to prevent hackers from accessing your information and to help protect you if you click on a suspicious link or visit a fake website.
  • Schedule regular training for employees so that they can better detect malicious links or avoid downloading content from untrustworthy sources.

 

Scenario 3 - Opening email attachment causes all PCs in the office to shut down

A staff member in an advisory practice opened a file attached to an email received one morning.

It turned out the attachment contained a ‘worm’ that not only infected the staff member’s PC but also spread to all other PCs in the practice network.

This malware caused all PCs in the office to shut down.

The adviser needed to use the platform software that day to ensure his clients participated in a Corporate Action that was closing the following day.

With help from their Business Development Manager, the office worked through the issue so they were able to log into the platform software to complete this critical work from a home laptop that hadn’t been infected with the virus.

Preventing this type of fraud

  • Never open attachments in emails if you don’t know or trust the source.
  • Ensure your office network is protected with up-to-date anti-virus software.
  • Call us immediately if you suspect fraud or malware on your system. We’ll suspend your login ID to attempt to prevent any further criminal activity.
  • Bring in a tech specialist immediately to run and update security software and restore your systems back to normal.

 

Social Engineering and malware attacks:

Social engineering is a popular malware delivery method that involves the manipulation of human emotions. Social engineering uses spam phishing via email, instant messages, social media, and more. The goal is to trick the user into downloading malware or clicking a link to a compromised website that hosts the malware.

Often, the messages come in the form of a scare tactic, stating that there is something wrong with an account, and that the user should immediately click on the link to log into their account or download an attachment that conceals malware.

The link will lead the user to a copy of the legitimate website, in the hope that the user will enter their credentials for the site so they can be taken by the cybercriminal.
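The link to a copy of the legitimate website usually gives itself away in the address it actually points to. The following check is an added example, not part of the original post: it compares a link's real target with the text shown to the user and with a list of domains the organization actually uses. The domain names are constructed placeholders under the reserved .example and .test suffixes.

```python
import re
from urllib.parse import urlsplit

# Matches display text that itself looks like a web address.
URL_LIKE = re.compile(r"(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?", re.I)


def host_of(url: str) -> str:
    """Host name of a URL, whether or not a scheme is written in front of it."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").rstrip(".")


def is_trusted(host: str, trusted) -> bool:
    """True for a trusted domain itself or a genuine subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(display_text: str, href: str, trusted) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # In https://bank.example@other.test/ the real host is other.test.
        findings.append("userinfo-before-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    if not is_trusted(host, trusted):
        findings.append("untrusted-host")
        if any(d in host for d in trusted):
            findings.append("trusted-name-embedded-in-other-host")
    shown = display_text.strip()
    if URL_LIKE.fullmatch(shown) and host_of(shown) != host:
        findings.append("display-text-differs-from-target")
    return findings


# Constructed samples: (text shown to the user, address the link points to).
TRUSTED = {"platform.example"}
SAMPLES = [
    ("Log in", "https://platform.example/login"),
    ("https://platform.example/login", "https://platform.example.account-verify.test/login"),
    ("Reset password", "https://platform.example@login.test/"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(href, check_link(text, href, TRUSTED))
```
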

 

How to reduce an organization's risk

  1. Encrypt your data and create backups:

Make sure all your sensitive data is encrypted. Saving your data in plain-text format makes it easy for hackers to read. Data encryption, on the other hand, limits data access to parties that have the encryption key. It also ensures that even when unauthorized parties gain access to the data, they can't read it. Some data encryption software even lets you know when other people try to alter or tamper with the information.

You should also conduct regular backups for your important information. Sometimes cybersecurity breaches can result in data loss. When this happens, and you don't have a reliable and secure backup, it could result in operational disruptions that could cause your organization a lot of lost revenue. One of the most effective data backup strategies is the 3-2-1 rule. Based on this strategy, you should have at least 3 copies of your data stored. 2 of them should be stored on different media, and one should be in an offsite location.
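The 3-2-1 rule can be checked against a backup inventory. The following is an added example, not part of the original post: it counts only copies whose recorded SHA-256 digest still matches the reference data, so a corrupted or tampered copy does not satisfy the rule. The inventory structure, locations and data are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    location: str   # human-readable label for where the copy lives
    media: str      # e.g. "disk", "tape", "cloud"
    offsite: bool   # stored away from the main premises
    sha256: str     # digest measured at the last verification run


def check_3_2_1(reference_sha256: str, copies) -> list:
    """Return the ways the inventory fails the 3-2-1 rule (empty list = passes)."""
    problems = []
    intact = []
    for copy in copies:
        if copy.sha256 == reference_sha256:
            intact.append(copy)
        else:
            problems.append(f"{copy.location}: digest mismatch, copy not counted")
    if len(intact) < 3:
        problems.append(f"only {len(intact)} intact copies, need at least 3")
    if len({copy.media for copy in intact}) < 2:
        problems.append("intact copies are not on 2 different media")
    if not any(copy.offsite for copy in intact):
        problems.append("no intact copy is stored offsite")
    return problems


# Constructed sample data and inventory.
DATA = b"client ledger 2022-04"
GOOD = hashlib.sha256(DATA).hexdigest()
BAD = hashlib.sha256(DATA + b" (altered)").hexdigest()

HEALTHY = [
    BackupCopy("file server", "disk", False, GOOD),
    BackupCopy("office tape library", "tape", False, GOOD),
    BackupCopy("cloud bucket", "cloud", True, GOOD),
]
DAMAGED = [
    BackupCopy("file server", "disk", False, GOOD),
    BackupCopy("office NAS", "disk", False, GOOD),
    BackupCopy("cloud bucket", "cloud", True, BAD),
]

if __name__ == "__main__":
    print("healthy:", check_3_2_1(GOOD, HEALTHY))
    print("damaged:", check_3_2_1(GOOD, DAMAGED))
```
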

 

 

 

  2. Conduct regular employee training:

One of the common ways malicious hackers gain access to your database is through phishing emails sent to your employees. In fact, statistics show that over 3.4 billion phishing emails are sent globally. These emails contain malware in the form of links that give hackers access to user data, including login credentials.

Phishing emails are often hard to detect as they seem legitimate. For instance, a hacker may send an email impersonating a leader in the organization and asking for personal details. Without proper training, the employee may end up divulging this information. This is why it's vital that you conduct cybersecurity awareness training. Let your employees know of the main forms of cybersecurity attacks and the best ways to prevent them.

You should also emphasize the importance of checking email addresses before replying to them and checking links before clicking on them. Finally, don't forget to highlight the organizational policy when it comes to sharing sensitive information, even on social media.

 

  3. Keep your systems and software updated:

Software and system updates highly impact your cyber security and digital safety. This is because they not only add new features but also fix bugs and help patch security flaws and vulnerabilities that can be exploited.

Malicious hackers write code that they use to exploit the vulnerabilities. Most of the time, this code is packaged in the form of malware which can affect your entire system. So, make sure you use a patch management system to automatically manage all updates and uphold information security.

 

  4. Use strong passwords:

Here's an interesting fact: over 80% of organizational data breaches result from weak passwords. Hackers don't need much to gain access to your systems. They only require a small gap, and they'll exploit it fully.

Password cracking technology has greatly advanced, and simple passwords don't cut it anymore. Instead, you need to use complex passwords and deploy multi-factor authentication strategies to discourage cybercrime in your organization. You should also discourage password sharing among employees so that even if one desktop is hacked, the rest remain secure.

Some of the security risk mitigation strategies you should implement when it comes to passwords include:

  • All passwords should contain at least 8 characters.
  • They should contain alphanumeric characters.
  • They shouldn't contain any personal information.
  • They should be unique and never used before.
  • They should ideally not have any correctly spelled words.
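The five password rules above can be enforced at the point where a password is set. The following is an added example, not part of the original post: it checks a candidate against each rule and keeps the password history as salted PBKDF2 hashes, so "never used before" can be tested without storing old passwords in readable form. The word list, personal details and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8  # minimum length stated in the list above


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the history never holds a readable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def remember(password: str) -> tuple:
    """Create a (salt, digest) history entry for a password that was accepted."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


def check_password(password: str, personal_info, history, wordlist) -> list:
    """Return the rules the candidate breaks (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too-short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("not-alphanumeric")
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        problems.append("contains-personal-info")
    if any(hmac.compare_digest(derive(password, salt), digest) for salt, digest in history):
        problems.append("used-before")
    if any(len(word) >= 4 and word in lowered for word in wordlist):
        problems.append("contains-dictionary-word")
    return problems


# Constructed sample data: a tiny word list, one user's details, one old password.
WORDS = {"password", "summer", "welcome", "dragon"}
PERSONAL = ["Alex", "1990"]
HISTORY = [remember("Tr4ilm1x!92")]

if __name__ == "__main__":
    for candidate in ["abc", "summer1990", "Tr4ilm1x!92", "q7Vzp2Lk9w"]:
        print(candidate, check_password(candidate, PERSONAL, HISTORY, WORDS))
```
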

  5. Assess and monitor your vendors:

Chances are that your cyber security is highly dependent on third-party vendors, which is why you can’t afford to ignore vendor risk management. This will help you mitigate third-party risk instead of solely relying on incident response.

Your main focus should be on:

  • Cybersecurity risk: onboard vendors using the right strategies and monitor them throughout your relationship.
  • Legal, regulatory, and compliance risk: ascertain that the vendor will not impact your compliance with regulations, agreements, and local legislation.
  • Operational risk: if the vendor is a critical aspect of your organization, ensure that they won't disrupt your operations.
  • Strategic risk: ensure the vendor will not impact your ability to meet your organizational objectives.

Don't leave your cybersecurity to chance, so make sure you manage your third-party exposure as soon as possible.

  6. Reduce your attack surface:

Your attack surfaces are the vulnerabilities or entry points that a malicious hacker can use to access sensitive data. They could be anything like IoT, software, web application systems, and even employees that are often susceptible to social engineering attacks such as whaling and phishing.

There are 3 main types of attack surfaces:

  1. Physical attack surface: this includes organizational assets that a hacker can get if they have physical access to your premises.
  2. Digital attack surface: these are assets that are accessible through the internet and live outside a firewall. Digital attack surfaces include known assets such as your corporate servers/ operating system, unknown assets such as a forgotten website, and rogue assets such as apps that impersonate your company.
  3. Social engineering attack surface: this is one of the most critical yet often overlooked attack surfaces. In this case, the hackers exploit human psychology and manipulate your employees into divulging sensitive information.

Make sure you conduct an attack surface analysis to determine your threat landscape, identify all your security gaps and reduce the attack vectors.

  7. Pay close attention to physical security:

Most organizational cyber risk management policies focus on the digital aspect of cyber risks and entirely neglect their physical premises. Conduct a security assessment and determine whether your critical infrastructure is safe from security breaches. You should also analyse your data protection policy and decide whether or not it has data disposal strategies.

Think of a scenario where your online systems are safe from cybercriminals, but you experience a breach because someone broke into your offices and rummaged through your file cabinets. That would be tragic! There are even other instances where janitors go through the garbage and obtain customer and employee personal information.

If you have any restricted areas, make sure they are protected using high-value systems. You should also use 2-factor authentication such as key cards and biometrics. This way, even if the key card is lost or stolen, no one will be able to access the area.

 

  8. Put a kill switch in place:

Having a kill switch protects you from large-scale attacks. It is a form of reactive cybersecurity protection strategy where your information technology department shuts down all systems as soon as they detect anything suspicious until they resolve the issues.

Most of the time, cybercriminals don't cover their tracks, especially when they don't expect to be caught. So, have your IT security teams analyse all server logs frequently and conduct cybersecurity framework audits to make sure their integrity is intact. You should also invest in network forensic analysis tools that analyse information flow through your network.

Most malicious firewall and ransomware attacks are a result of human error. Some of them are even caused by your employees. In fact, statistics show that around 94% of organizations have suffered cyber security threats due to insider breaches. Make sure you scan all new hires to ascertain that they aren't a cyber risk to your organization. You should also put measures to discourage employee negligence, which is a major contributor to cyber risks.

 

  9. Install a firewall:

Cyber security threats are becoming more sophisticated, and every day hackers come up with new ways of accessing data. So, you should defend your networks from cyber-attacks by installing firewalls. A reliable system will effectively protect you from brute-force attacks or prevent security incidents from causing irreversible damage.

In addition to this, firewalls monitor your network traffic to identify any suspicious activity that could compromise your data integrity. They also prevent complex spyware from gaining access to your systems and promote data privacy.

Be very careful when choosing the right firewall for your organization. Go for a system that gives you full security control and visibility of your application and networks. It should also have protection and prevention capabilities as well as a streamlined security infrastructure.

 

  10. Create a secure cyber security policy:

Your organization's cybersecurity is highly influenced by the policies that you have in place. Do you have guidelines for data breach prevention and detection? How often do your IT teams conduct risk assessments or penetration testing? It all starts with your guidelines!

Go through your existing policies and identify any loopholes they may have. Some of the guidelines you should have in place include:

  • Disaster recovery: If a breach occurs, a disaster recovery plan ensures that your employee and IT teams know the next course of action. It's aimed at reducing the amount of time that you are offline, thereby ensuring that your operations resume as soon as possible.
  • Access control/management: this policy highlights the parties that can access sensitive information, reducing the risk of unauthorized access. Data mishandling has both financial and legal consequences, so make sure your access management policy specifies which stakeholders are allowed access to what and under which circumstances they can share this information.
  • Security testing: the policy should state the frequency of your cybersecurity tests. This allows you to uncover vulnerabilities before it’s too late. Some of the security tests that you should conduct include vulnerability scanning, security posture assessment, penetration testing, ethical hacking, cybersecurity assessments, etc.
  • Incident response plan: this is documentation of the steps and procedures that should be implemented in case of a breach. It also highlights the responsibility of key information security players and reduces your organization's response time.

Make sure your plan also has a clause that highlights the consequences of data mishandling as well as the legal steps that will be taken on employees that are the cause of a breach. This will discourage insider attacks.

What if ransomware somehow gets into the system:

  1. If the data is essential and the user doesn’t have enough time, then pay whatever the attacker asks.
  2. Rent a supercomputer to attempt decryption. There is no fixed time for this: a supercomputer may take 1 day, 1 year, or more, depending on the layers of encryption that the particular ransomware uses.

 

 

Some malware statistics and facts

 

  I. Employees with infected machines are spreading viruses more broadly.
  II. Business-disrupting ransomware attacks are on the rise.
  III. Organizations in the US report the largest number of ransomware attacks, followed closely by those in the UK.
  IV. Over 60% of organizations may have understaffed cybersecurity teams.
  V. Phishing sites are now an incredibly popular attack method.
  VI. Google removing far fewer malware-infected sites.
  VII. The number of malware attacks declined for the first time since 2016.
  VIII. New malware variants decreasing year-over-year.
  IX. Domain Generation Algorithms are still hampering malware mitigation efforts.

 
Posted : 15/04/2022 10:46 am