Q1 2019 Security Update: Cybersecurity Threats Continue to Evolve

Cybersecurity threats constantly change and evolve. Here’s a summary of some of the newest trends putting your clients at risk.

Attention Shifts from Ransomware to More Sophisticated Attacks

Ransomware attacks decreased in 2018, but the news isn’t as good as it may first seem. Cybercriminals have concluded that it’s more lucrative to use cryptomining or cryptojacking to infect a victim’s computer, and mine bitcoin, rather than take control of a computer or network and hold data for ransom.

According to the McAfee Labs Threats Report from December 2018, cryptomining malware grew 4,467 percent in 2018, and surged by about 55 percent in Q3 ’18 alone.

Action Items:

Dark Reading offers advice on defending against cryptomining attacks including:

  • Implement endpoint protection best practices: use ad blockers, disable JavaScript, use browser extensions designed to prevent cryptomining.
  • Provide security technology tools that detect and restrict malicious activity.
  • Consider a web application firewall (WAF).
  • Provide your clients with access control solutions.
  • Restrict unnecessary features.

IoT Devices are Targets

And while ransomware has declined and cryptomining attacks have grown, the target has also expanded to include IoT devices. The McAfee report states that cybercriminals are attacking IP cameras, routers, and smart devices with cryptomining malware. The report explains that although the CPUs in those devices aren’t as strong as those in PCs or laptops, they are traditionally equipped with less security, so cybercriminals can control more endpoints, taking advantage of the higher volume of devices rather than a single computer’s CPU.

Action Items:

The United States Computer Emergency Readiness Team (US-CERT) has posted best practices for securing connected devices:

  • Change default passwords: Make sure your clients change defaults – and if you are in a position to establish a default to make setup easier, think twice. Force users to choose strong passwords.
  • Keep devices updated: Make sure software is updated and patches are promptly installed.
  • Make sure clients haven’t modified devices: Your clients may tailor devices – or have them tailored – to provide different functionality, but that can impact security.
  • Consider segmentation: Help your clients determine if all devices need to be connected to the internet.

A Federal Tech Talk from the National Cybersecurity Center of Excellence provides guidance on managing IoT devices used by federal agencies.

More News from US-CERT

US-CERT posted notifications of security updates for several platforms and applications in January including:

The U.S. Food and Drug Administration (FDA) also posted a notification of updates to Medtronic cardiac implantable electrophysiology devices (CIED).

DNS Infrastructure Hijacking Campaign

US-CERT made notification of a DNS Infrastructure Hijacking Campaign. In this global campaign, attackers redirect user traffic to attacker-controlled infrastructure. This allows them to obtain encryption certificates for those domain names, enabling man-in-the-middle attacks.

Action items:

The National Cybersecurity and Communications Integration Center (NCCIC) advises:

  • Review the FireEye and Cisco Talos Intelligence blogs on global DNS infrastructure hijacking for more information.
  • Provide multifactor authentication on domain registrar accounts.
  • Implement processes to find and revoke any fraudulently requested certificates.

Top Trojan

Symantec’s latest security intelligence reveals that Ramnit topped Trojan activity for December, responsible for nearly half (48.6 percent) of financial Trojan activity. Emotet follows with 25.5 percent of activity.

Recent Attacks

Hacker News reports that Ukrainian police have arrested hackers, ages 26 to 30, who stole 5 million Hryvnia (approximately $178,380). They allegedly infected computers with Trojan malware to take remote control of the systems and then, using key-logging, attempted to capture banking credentials.

A subgroup of Magecart, “Magecart Group 12,” compromised nearly 300 e-commerce websites by using supply chain attacks. Magecart typically uses JavaScript code inserted into checkout pages that captures payment information. But Magecart Group 12 inserts code into a third-party JavaScript library, which enables loading the code into all websites using it.