Cyber Weekly Flash Briefing 28 August 2020: cyber crime cost per minute $11.4m by 2021, Trend Micro blocks 28 billion cyber threats in H1 2020, malicious attachments top threat, NK hackers ramp up bank heists
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
The global cost of cyber crime per minute to reach $11.4 million by 2021
Cyber crime costs organisations $24.7 per minute, a year-on-year increase of more than $2 per minute, according to a new report. The global cost of cyber crime will reach $11.4 million per minute by 2021, a 100% increase over 2015.
The report covers the top threats facing today’s organizations, which are proliferating at a clip of 375 per minute, and reflects the current surge in attacks leveraging the COVID-19 pandemic.
Other malicious activity
1.5 attacks on computers with an Internet connection per minute
375 new threats per minute
16,172 records compromised per minute
1 vulnerability disclosed every 24 minutes
5.5 domain infringements detected per minute
1 Magecart attack every 16 minutes
1 COVID-19 blacklisted domain every 15 minutes
35 COVID-19 spam emails analysed per minute
Why this matters:
The sheer scale of today’s threat activity is driven by a variety of factors, including that cyber crime is easier than ever to participate in and better threat technology makes cyber criminals more effective and wealthier than in the past.
Read more: https://www.helpnetsecurity.com/2020/08/28/global-cost-of-cybercrime-per-minute/
Trend Micro Blocks 28 Billion Cyber-Threats in H1 2020
Trend Micro blocked nearly nine million COVID-related threats in the first half of 2020, the vast majority of which were email-borne, it revealed in a new mid-year roundup report.
The security giant said it detected 8.8 million cyber-threats leveraging the virus as a lure or theme for attacks, 92% of which were delivered by spam emails.
However, the figure represents less than 1% of the total of 27.8 billion threats the vendor blocked in the first six months of the year.
This chimes with data from Microsoft and others which suggests that cyber-criminals merely repurposed existing campaigns to take advantage of COVID-19. As such, the pandemic itself has not prompted a rise in overall cyber crime levels.
However, the data does show conclusively that email remains the number one threat vector: 93% of total blocked threats were heading for users’ inboxes.
As part of this trend, Business Email Compromise (BEC) detections increased by 19% from the second half of 2019. This is due in part to scammers trying to capitalize on distracted home workers who may be more exposed to social engineering, and less able to check with colleagues if a money transfer request is legitimate or not.
Why this matters:
Email remains the number one threat to all firms and by far the most likely way a firm will end up being breached. Technology alone is not good at blocking email-borne attacks, so your defence depends on users being aware, switched on and practised at spotting them. Criminals will always exploit current events and crises to make their attacks more effective.
Read more: https://www.infosecurity-magazine.com/news/trend-micro-blocks-28-billion/
Malicious Attachments Remain a Cyber Criminal Threat Vector Favourite
Malicious attachments continue to be a top threat vector in the cybercriminal world, even as public awareness increases and tech companies amp up their defences.
While attachment threat vectors are one of the oldest malware-spreading tricks in the books, email users are still clicking on malicious attachments that hit their inbox, whether it’s a purported “job offer” or a pretend “critical invoice.”
The reason threat actors still rely on this age-old tactic, researchers say, is that it still works. Even with widespread public awareness of malicious file attachments, attackers keep adding new tricks to avoid detection and bypass email protections. The vector is widespread enough that tech giants keep inventing new ways to stamp it out: Microsoft, for instance, rolled out a feature for Office 365 just this week that aims to protect users against malicious attachments sent via email.
Why this matters:
Email attachments, such as PDF or Office files, are an easy vector to deliver malicious content to end users. For enterprises, the risk is that malicious actors can use these attachments to establish a toe-hold at the outermost edges of the enterprise, and then wait and wind their way to the crown jewels in their data stores.
Read more here: https://threatpost.com/malicious-attachments-remain-a-cybercriminal-threat-vector-favorite/158631/
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
With the ever-increasing number of new vulnerabilities, vulnerability management has become one of the most critical processes in ensuring continuous business operation. While it is clear that timely patching is essential, it is also important to know quantitatively how a delay increases risk. What are the chances that attackers breach an organisation using a just-disclosed CVE, or an unknown (zero-day) vulnerability? To understand the state of vulnerability disclosure and exploit development, researchers analysed the 45,450 publicly available exploits in the Exploit Database at the time of writing, correlating the exploit data with vulnerability and patch information to study exploit development from several angles.
The research reveals that:
Of the 45,450 public exploits in Exploit Database, 11,079 (~26%) have mapped CVE numbers.
Among those 11,079 exploits:
14% are zero-day (published before the vendors release the patch), 23% are published within a week after the patch release and 50% are published within a month after the patch release. On average, an exploit is published 37 days after the patch is released. Patch as soon as possible – the risk of a vulnerability being exploited increases quickly after vendors release the patches.
80% of public exploits are published before the CVEs are published. On average, an exploit is published 23 days before the CVE is published. Software and hardware may also have vulnerabilities with public exploits that don’t have CVEs. Check security updates from vendors frequently and apply updates as soon as possible.
Analysis of the entire CVE list since 1999 found that, on average, a CVE is published 40 days after its CVE-ID is assigned. Of the 177,043 entries analysed, more than 10,000 CVEs have been in "reserved" status for more than two years. This shows there is a long delay between vulnerability discovery and CVE publication.
Why this matters:
Patches should always be applied as soon as possible. Public exploits usually follow very soon after vulnerability disclosure, and, as this study shows, some vulnerabilities are exploited before a fix is even released. The longer the gap between a fix being released and being applied, the more exposed you are to attack.
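The three findings above (exploit timing relative to the patch, exploit timing relative to the CVE, and reserved-to-published delay) are all simple date arithmetic once you have the three dates per record. The script below is an added example, not code from the Unit 42 report or from Exploit Database; it reproduces those metrics over a small constructed dataset so you can run the same analysis over your own export of exploit, patch and CVE dates. The record layout, the placeholder ids (EX-n, CVE-A...) and the bucket boundaries (7 and 30 days) are assumptions; the report does not state exactly how it bucketed or averaged, so treat the output as the shape of the analysis rather than its exact method.

```python
from datetime import date

# Constructed sample records, not data from Exploit Database or NVD. Each record
# holds the exploit publication date, the vendor patch date (None if unknown), and
# the date the mapped CVE entry was published (None if the exploit has no CVE).
SAMPLE_EXPLOITS = [
    {"id": "EX-1", "exploit": date(2020, 3, 1), "patch": date(2020, 3, 10), "cve_published": date(2020, 3, 20)},
    {"id": "EX-2", "exploit": date(2020, 4, 5), "patch": date(2020, 4, 1), "cve_published": date(2020, 4, 2)},
    {"id": "EX-3", "exploit": date(2020, 5, 25), "patch": date(2020, 5, 1), "cve_published": date(2020, 6, 15)},
    {"id": "EX-4", "exploit": date(2020, 9, 1), "patch": date(2020, 6, 1), "cve_published": date(2020, 5, 30)},
    {"id": "EX-5", "exploit": date(2020, 7, 1), "patch": None, "cve_published": None},
]

# Constructed CVE list entries (placeholder ids, not real CVE numbers): the date the
# id was assigned/reserved and the date the entry was published (None = still reserved).
SAMPLE_CVES = [
    {"id": "CVE-A", "assigned": date(2020, 1, 1), "published": date(2020, 2, 10)},
    {"id": "CVE-B", "assigned": date(2019, 6, 1), "published": date(2019, 6, 21)},
    {"id": "CVE-C", "assigned": date(2017, 1, 1), "published": None},
    {"id": "CVE-D", "assigned": date(2020, 5, 1), "published": None},
]


def bucket_vs_patch(exploit_day, patch_day):
    """Bucket an exploit by its publication date relative to the vendor patch."""
    if patch_day is None:
        return "no_patch_known"
    delta = (exploit_day - patch_day).days
    if delta < 0:
        return "zero_day"        # exploit was public before a fix existed
    if delta <= 7:
        return "within_week"
    if delta <= 30:
        return "within_month"
    return "later"


def summarise_exploits(records):
    """Headline metrics over exploit records that have a mapped, published CVE."""
    mapped = [r for r in records if r["cve_published"] is not None]
    buckets = {}
    patch_lags, cve_leads = [], []
    for r in mapped:
        b = bucket_vs_patch(r["exploit"], r["patch"])
        buckets[b] = buckets.get(b, 0) + 1
        if r["patch"] is not None:
            patch_lags.append((r["exploit"] - r["patch"]).days)
        lead = (r["cve_published"] - r["exploit"]).days
        if lead > 0:             # exploit was public before the CVE entry appeared
            cve_leads.append(lead)
    n = len(mapped)
    return {
        "total": len(records),
        "cve_mapped": n,
        "buckets": buckets,
        "mean_days_after_patch": sum(patch_lags) / len(patch_lags) if patch_lags else None,
        "pct_before_cve": 100.0 * len(cve_leads) / n if n else 0.0,
        # mean lead time, taken only over exploits that beat their CVE to publication
        "mean_days_before_cve": sum(cve_leads) / len(cve_leads) if cve_leads else None,
    }


def cve_publication_delays(entries, today):
    """Mean assignment-to-publication delay and ids still reserved after two years."""
    lags = [(e["published"] - e["assigned"]).days for e in entries if e["published"] is not None]
    stale = [e["id"] for e in entries
             if e["published"] is None and (today - e["assigned"]).days > 730]
    return {
        "mean_days_assigned_to_published": sum(lags) / len(lags) if lags else None,
        "reserved_over_two_years": stale,
    }


if __name__ == "__main__":
    print(summarise_exploits(SAMPLE_EXPLOITS))
    print(cve_publication_delays(SAMPLE_CVES, date(2020, 8, 28)))
```

The practical caveat the report itself raises shows up in the data model: EX-5 has an exploit but no CVE, so any process that keys patch priority off CVE feeds alone never sees it. Feed vendor advisories and exploit sources into the same table rather than waiting for the CVE entry.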
Read more here: https://unit42.paloaltonetworks.com/state-of-exploit-development/
Forget your space-age IT security systems. It might just take a $1m bribe and a willing employee to be pwned
A Russian citizen is accused of flying to America in a bid to bribe a Tesla employee to infect their bosses' IT network with ransomware.
Egor Kriuchkov has been charged with one count of conspiracy to intentionally cause damage to a protected computer. He was nabbed by the Feds at Los Angeles airport and is behind bars awaiting trial.
It is claimed Kriuchkov, 27, was the point man of a plot to get data-stealing malware onto the network of an unspecified US company in Nevada and then use the lifted data to extort the corporation for millions of dollars: paid up, or the internal files get leaked and file systems scrambled.
To do this, Kriuchkov and his associates back in Russia had recruited a worker at the business, it is claimed, and promised to pay $500,000 for placing the malware onto its network. The bribe was later increased to $1m to persuade the employee, along with an $11,000 advance, yet instead he went to his bosses, and the FBI was brought in, we're told.
According to special agent Michael Hughes, in late July Kriuchkov travelled from Russia to Reno, Nevada, where the employee worked, and over the early weeks of August tried to win the employee over to the conspiracy. This included a night out for the worker and friends at a Lake Tahoe resort, after which Kriuchkov pulled the worker aside and tried to convince them to play a key role in the operation, it is claimed.
Why this matters:
Again this shows that employees, not your technical systems, are the likelier target for malicious actors. Fortunately for Tesla the employee didn't take the bribe, but many staff in other organisations would be tempted. Imagine if the employee approached had already been disgruntled with their employer.
Read more here: https://www.theregister.com/2020/08/26/russian_malware_plot/
Ex-Cisco staffer charged with deliberately deleting 400+ VMs
A disgruntled former Cisco employee has pleaded guilty to intentionally deleting hundreds of the networking firm's virtual machines (VMs), according to an IT News report.
Sudhish Kasaba Ramesh, an ex-Cisco engineer who left the company in April 2018, accessed the firm's AWS environment months later and deleted a total of 456 VMs, which the company used to run the WebEx Teams application.
In a statement, issued before a US federal court in San Jose by the US Department of Justice and the FBI, it was said that Ramesh “intentionally accessed a protected computer without authorization and recklessly caused damage”.
“During his unauthorized access, Ramesh admitted that he deployed a code from his Google Cloud Project account that resulted in the deletion of 456 virtual machines for Cisco’s WebEx Teams application, which provided video meetings, video messaging, file sharing, and other collaboration tools,” the statement said.
Why this matters:
Insiders will always be among the biggest threats to every organisation, and the damage a disgruntled employee or former employee can cause should never be underestimated. Whenever a member of staff leaves, it must be verified that they no longer have access to any account they used in the course of their duties, and doubly so for accounts with privileged or elevated permissions, precisely because those can do so much damage.
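Leaver checks are only as good as the evidence you reconcile against. In the case above the access used was a cloud account months after departure, so the check worth automating is "does any leaver still hold an enabled credential, and has it been used since their last day?". The script below is an added example, not Cisco's or AWS's code: it cross-references an HR leaver list against an IAM credential report (the CSV you get from `aws iam get-credential-report`, base64-decoded). Assumptions: the report excerpt and the leaver list are constructed for the example, only a subset of the report's real columns is included, and the join key between HR and IAM is the IAM user name.

```python
import csv
import io
from datetime import date, datetime, timezone

# Constructed sample, not a real account's report: a subset of the columns of an IAM
# credential report. The real report carries further columns (key rotation dates,
# certificates, ...) that this check does not need. Timestamps are ISO-8601 with offset;
# "N/A" marks credentials that do not exist or were never used.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2016-01-04T10:00:00+00:00,not_supported,2020-08-20T09:15:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2017-03-02T12:00:00+00:00,true,2020-08-27T08:00:00+00:00,true,true,2020-08-27T07:55:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2016-09-12T12:00:00+00:00,false,N/A,false,true,2020-08-26T23:40:00+00:00,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2018-05-20T12:00:00+00:00,false,N/A,false,false,N/A,false,N/A
"""

# Constructed leaver list: IAM user name -> last working day. In practice this comes from
# the HR / joiner-mover-leaver system, and the key must match how IAM users are named.
LEAVERS = {"bob": date(2018, 4, 30), "carol": date(2019, 1, 15)}


def parse_ts(value):
    """Aware datetime for a report timestamp, or None for N/A / no_information."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_leavers(report_csv, leavers):
    """Return one finding per still-enabled credential belonging to a leaver."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        left = leavers.get(row["user"])
        if left is None:
            continue  # current staff and the root account are out of scope here
        left_dt = datetime(left.year, left.month, left.day, tzinfo=timezone.utc)
        credentials = [
            ("password", row["password_enabled"], row["password_last_used"]),
            ("access_key_1", row["access_key_1_active"], row["access_key_1_last_used_date"]),
            ("access_key_2", row["access_key_2_active"], row["access_key_2_last_used_date"]),
        ]
        for name, active, last_used in credentials:
            if active != "true":
                continue
            used = parse_ts(last_used)
            findings.append({
                "user": row["user"],
                "credential": name,
                "left": left.isoformat(),
                "last_used": used.isoformat() if used else None,
                # the Cisco-style signal: a leaver's credential used after their last day
                "used_after_leaving": used is not None and used > left_dt,
            })
    return findings


if __name__ == "__main__":
    for f in audit_leavers(SAMPLE_REPORT, LEAVERS):
        print(f)
```

Carol left with nothing enabled and produces no finding; Bob's console password is disabled but an access key is still active and was used two years after his last day, which is the finding that matters. A console-only offboarding checklist misses exactly this class of credential. Remediation for a hit is to deactivate the key (`aws iam update-access-key --user-name bob --access-key-id <id> --status Inactive`), then review what it was used for before deleting the user.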
Read more: https://www.itproportal.com/news/ex-cisco-staffer-charged-with-deliberately-deleting-400-vms/
North Korean hackers ramp up bank heists: U.S. government cyber alert
North Korean hackers are tapping into banks around the globe to make fraudulent money transfers and cause ATMs to spit out cash, the U.S. government warned on Wednesday.
A technical cyber security alert jointly written by four different federal agencies, including the Treasury Department and FBI, said there had been a resurgence in financially motivated hacking efforts by the North Korean regime this year after a lull in activity.
“Since February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs,” the warning reads.
U.S. agencies titled the hacking campaign "FASTCash" and blamed North Korea's Reconnaissance General Bureau, a spy agency, for it. They described the operation as running since at least 2016 but ramping up in sophistication and volume recently.
Why this matters:
Over the last several years, North Korea has been blamed by U.S. authorities and private sector cyber security companies for hacking numerous banks in Asia, South America and Africa.
North Korean cyber actors have demonstrated an imaginative knack for adjusting their tactics to exploit the financial sector as well as any other sector through illicit cyber operations.
Read more here: https://www.reuters.com/article/us-cyber-usa-north-korea-idUSKBN25M2FU
New Zealand stock exchange resumes trade after cyber attacks, government activates security systems
New Zealand’s stock exchange resumed trading on Friday, after facing disruptions for four consecutive days in the wake of cyber attacks this week, while the government said national security systems had been activated to support the bourse.
There is no clarity on who was behind these two “offshore” attacks, but the failure to stop them has raised questions about New Zealand’s security systems, experts said.
NZX Ltd had to halt trading until afternoon on Friday, after crashing earlier due to network connectivity issues, marking the fourth day that trading has been hit.
Why this matters:
Organisations of all sizes are vulnerable to attack: larger firms because of the sheer number of users and the complexity of their systems, smaller firms because they often lack maturity and do not have the most appropriate controls and protections in place. Firms also need plans in place to recover and return to operational effectiveness as quickly as possible.
Read more here: https://www.reuters.com/article/uk-nzx-cyber-idUSKBN25O03Q