
9/11/2017
03:45 PM

Ransomware, BEC, ICS Top Midyear Security Concerns

Business email compromise, ransomware, and industrial control attacks were among top security concerns in the first half of 2017.

Business email compromise (BEC) attacks and SCADA vulnerabilities are two top concerns among security experts thinking back on the first half of 2017. Threat actors have begun to rely on time-tested strategies to launch simple attacks and trick businesses out of billions, according to a report released today by Trend Micro.

BEC attacks caused $5.3 billion in global losses between 2013 and 2017, according to Trend Micro's 2017 midyear roundup, "The Cost of Compromise." The report reviews data and trends from security events to give a current picture of the threat landscape.

Experts noticed a resurgence of old BEC techniques as attackers turn to social engineering to trick their victims. The most frequently spoofed executive in these attacks is the CEO, followed by the managing director. Fraudulent emails typically go to heads of finance.

"The typical fake email comes from the CEO and the typical forged recipient is the CFO," says William Malik, VP of infrastructure strategies at Trend Micro. These emails are tricky because they bypass the automated tools installed to trap BEC attacks, he adds: the attacks don't plant rogue processes on systems or rely on unpatched vulnerabilities, so there is nothing for those tools to detect.

"It's good old social engineering," Malik adds. The "statistically most likely" scenario involves a fake email from the CEO to the CFO requesting a favor, which usually involves the transfer of funds. Common words and phrases associated with BEC emails include "acquisition," "contract," "instructions," "invoice," "request," and "swift response needed."

BEC attachments have traditionally been executable files, but these are usually flagged and recipients are discouraged from opening them, reducing the likelihood of a successful attack. Cybercriminals are working around this by using HTML pages as phishing attachments.
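As an added example (not from the article or from Trend Micro's report), here is a triage heuristic that scores an incoming message on the three BEC indicators described above: an executive's display name on a sender outside the company domain, the listed lure phrases, and an HTML or executable attachment. The executive names, internal domain and sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Constructed data: executive names, internal domain and messages are hypothetical.
EXECUTIVES = {"Jane Doe": "CEO", "John Roe": "managing director"}
INTERNAL_DOMAIN = "example.com"
# Phrases the report associates with BEC lures.
BEC_PHRASES = ("acquisition", "contract", "instructions", "invoice",
               "request", "swift response needed")
# Attachment types the report says carry BEC lures (HTML now, executables before).
SUSPECT_ATTACHMENTS = (".html", ".htm", ".exe")


def score_bec(msg):
    """Return (score, reasons) for a dict with 'from', 'subject', 'body', 'attachments'."""
    reasons = []
    display, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name = display.strip()
    # An executive's display name on a sender outside the company domain:
    # the spoofed-CEO pattern the report describes.
    if name in EXECUTIVES and domain != INTERNAL_DOMAIN:
        reasons.append(f"{EXECUTIVES[name]} display name from external domain {domain}")
    text = (msg["subject"] + " " + msg["body"]).lower()
    hits = [p for p in BEC_PHRASES if re.search(r"\b" + re.escape(p) + r"\b", text)]
    if hits:
        reasons.append("BEC phrases: " + ", ".join(hits))
    bad = [a for a in msg.get("attachments", []) if a.lower().endswith(SUSPECT_ATTACHMENTS)]
    if bad:
        reasons.append("suspect attachment: " + ", ".join(bad))
    return len(reasons), reasons


def triage(messages, threshold=2):
    """Return [(index, score, reasons)] for messages with >= threshold independent indicators."""
    flagged = []
    for i, m in enumerate(messages):
        score, reasons = score_bec(m)
        if score >= threshold:
            flagged.append((i, score, reasons))
    return flagged


SAMPLE_MESSAGES = [  # constructed
    {"from": '"Jane Doe" <jane.doe@mail-example.net>',
     "subject": "Urgent: wire instructions for acquisition",
     "body": "Need a favor. Process the attached invoice today, swift response needed.",
     "attachments": ["payment_instructions.html"]},
    {"from": '"Jane Doe" <jane.doe@example.com>',
     "subject": "Board deck", "body": "Slides for Thursday attached.",
     "attachments": ["deck.pdf"]},
]
```

Keyword hits on their own are noisy ("request" and "invoice" appear in plenty of legitimate finance mail), which is why the default threshold requires two independent indicators before a message is flagged for review.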

Industrial threats and ransomware

Malik says it's "somewhat worrying" to see attackers more frequently targeting supervisory control and data acquisition (SCADA) systems. Researchers found SCADA vulnerabilities increased from 34 in the second half of 2016 to 54 in 2017.

In the research paper "Rogue Robots: Testing the Limits of an Industrial Robot's Security," experts found more than 83,000 exposed industrial routers and 28 exposed industrial robots through search engines including Shodan, ZoomEye, and Censys. The researchers also found that attacks on industrial robots in smart factories can cause a robot to move inaccurately and lead to workplace defects.

Financial motivation is the primary driver for these attacks. Threats to SCADA and industrial control systems put major entities, like power plants, at risk, and the cybercriminals behind them are usually seeking ransom from large organizations, says Malik.

Monetary gain will drive attacks outside industrial systems as well. When asked about his top concern for the end of 2017 and the beginning of 2018, he answers "ransomware" without hesitation.

"The successes the bad guys have achieved using ransomware to date are so staggering, I just see that continuing in an upward trajectory," he says. "Business email compromise is, in its nature, a single transaction - one company, one executive, one crime. Ransomware is the one that's going to have large numbers of people concerned; large numbers of enterprises potentially harmed."

Given the success of WannaCry and NotPetya, Malik expects more incidents of this volume. "The people doing this are in for the money and if they have an effective weapon that hasn't been countered, they're going to fire it again," he says. Attackers will continue to exploit old vulnerabilities, as recently seen in the "catastrophic" Equifax breach.

How to prepare your team

Malik advises conducting a security assessment to check how your employees might respond to an incident. He poses this situation: if a member of your security team noticed someone making a security error, how would they answer these questions:

  • Would they know if it was wrong?
  • Would they report it?
  • If they picked up the phone, would they know who to call?

"If the answers are 'yes,' 'yes,' and 'yes,' you're in good shape," he says. It's the "tone at the top" that sets the stage for how security incidents are properly logged. If people aren't aware of what might be considered risky behavior, or hesitate to report it, the business is in trouble.

"Technology has never in human history been able to correct an organizational or management failure," Malik adds.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
