Herjavec Group’s Threat Summary Analysis

January 31, 2019

Herjavec Group circulates Threat Advisories on a regular basis to share threat intelligence and security recommendations. Our Threat Management Team has provided an overview of the most common threats and vulnerabilities communicated over the last quarter. Phishing, Ransomware, Crypto-Jacking and IoT Vulnerabilities were prominent in 2018. A summary of each threat type, as well as their potential impact and mitigation strategies, has been outlined below.

Phishing

Summary

Phishing remains one of the most common attack vectors, and we observed some notable trends in phishing campaigns in Q4 2018. In many cases, attackers include credentials exposed in previous breaches to lend legitimacy to their lures and then attempt to extort the recipient. There has also been a shift away from targeting individual users: attackers are increasingly targeting larger organizations, leading to fraudulent bank transfers, loss of information and similar damage.

A common email scam observed over the last few months involves phishing authors forging “Non-Delivery Receipt” (bounce) notices. The notice tells the user that a message could not be delivered and offers a link to “resend” it; the link leads to a fake login page that harvests the user’s credentials.
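One way to triage these forged bounce notices at the mail gateway is to compare them with the shape of a real delivery-status notification: a genuine DSN is a multipart/report message with report-type=delivery-status and an empty envelope sender (Return-Path: <>), and it does not ask the user to click anything. The following is an added example written for this advisory, not Herjavec Group tooling; the two messages, the OWN_DOMAINS list and the subject/sender patterns are constructed assumptions and should be tuned to your own MTA.

```python
"""Triage bounce-style e-mails: separate real delivery-status notifications from forged ones."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Domains whose links we trust inside a bounce (assumption: the organization's own mail domains).
OWN_DOMAINS = ("corp.example",)

NDR_SUBJECT = re.compile(r"undeliver|delivery (status|failure)|returned to sender|non-?delivery", re.I)
NDR_SENDERS = ("mailer-daemon", "postmaster", "mail delivery")

# Constructed sample 1: a forged "Non-Delivery Receipt" luring the user to "resend" via an external link.
FORGED_NDR = b"""\
From: "Mail Delivery System" <postmaster@mail-recovery.example>
To: alice@corp.example
Subject: Undeliverable: Invoice 4471
Return-Path: <bounce@mail-recovery.example>
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your message could not be delivered to 3 recipients.</p>
<p><a href="https://mail-recovery.example/owa/resend?u=alice">Click here to resend</a></p>
</body></html>
"""

# Constructed sample 2: a real DSN as an MTA generates it (RFC 3464: multipart/report, null envelope sender).
REAL_NDR = b"""\
From: Mail Delivery System <MAILER-DAEMON@mx.corp.example>
To: alice@corp.example
Subject: Undelivered Mail Returned to Sender
Return-Path: <>
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mx.corp.example. Delivery failed.
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.corp.example

Final-Recipient: rfc822; bob@partner.example
Action: failed
Status: 5.1.1
--B1--
"""


def _html_link_hosts(msg):
    """Hostnames of every href inside the message's HTML parts."""
    hosts = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href in re.findall(r'href=["\']([^"\']+)', part.get_content(), flags=re.I):
            host = urlparse(href).hostname
            if host:
                hosts.append(host.lower())
    return hosts


def _is_own_domain(host):
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def classify_ndr(raw):
    """Return the signals used to decide whether a bounce-looking message is a credential lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    sender = str(msg.get("From", "")).lower()
    looks_like_ndr = bool(NDR_SUBJECT.search(subject)) or any(s in sender for s in NDR_SENDERS)
    # Real DSNs are multipart/report with report-type=delivery-status and an empty envelope sender.
    is_dsn = (msg.get_content_type() == "multipart/report"
              and str(msg.get_param("report-type") or "").lower() == "delivery-status")
    null_sender = str(msg.get("Return-Path", "")).strip() == "<>"
    external = [h for h in _html_link_hosts(msg) if not _is_own_domain(h)]
    # A "bounce" that is not a structured DSN and either links off-domain or has a real sender is a lure.
    suspicious = looks_like_ndr and not is_dsn and (bool(external) or not null_sender)
    return {
        "looks_like_ndr": looks_like_ndr,
        "is_structured_dsn": is_dsn,
        "null_sender": null_sender,
        "external_link_hosts": external,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_NDR), ("real", REAL_NDR)):
        print(label, classify_ndr(raw))
```

Treat the result as a triage signal rather than a verdict: some mail systems emit bounces that are not multipart/report, so the check should be tuned against a sample of your own MTA's real DSNs before it is used to quarantine.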

Impact

Increasingly convincing fraudulent emails may trick users into falling for phishing attempts, resulting in compromised accounts and systems, as well as reputational and financial loss.

Recommendations to Mitigate Risk

Phishing will continue to be an evolving threat for both individuals and organizations, and the emails used by threat actors will become increasingly difficult to recognize as fraudulent. It is imperative that enterprises prioritize security awareness to keep users trained and knowledgeable about how to report suspicious communications.

We recommend organizations implement staff training and education, spam and anti-malware analysis for email traffic, and simple methods for employees to report suspicious messages to internal IT departments.

Ransomware

Summary

Ransomware is malware designed to deny access to a system or data until a ransom is paid. While more than 350 variants have been identified since 2017, most recently Samas, GandCrab, and Kraken have spiked in popularity. WannaCry and NotPetya continue to dominate headlines as they have caused massive operational impacts worldwide.

Impact

Last year, the FBI estimated that total ransom payments were approaching $1 billion annually. Ransom demands typically range from $200 to $500 per affected system, a cost that organizations without full, restorable backups are often left with no alternative but to pay.

Recommendations to Mitigate Risk

Herjavec Group recommends that organizations take regular backups and verify that they can actually be restored, and that they ensure proper preventative controls and network segmentation to limit the spread of malware infections. We recommend organizations take the following steps to mitigate ransomware risk:

  • Train your staff to recognize a phishing scam and other common social engineering tactics used by cybercriminals.
  • Isolate any infected machine immediately by unplugging the network cable (or disabling its wireless connection) so the ransomware cannot spread to other devices. Be aware that powering the machine off also destroys volatile memory that incident responders may need; where possible, isolate first and involve your incident response team before shutting down.
  • If your business has a BYOD (bring-your-own-device) policy, ensure that your staff are aware of any risks associated with using their own devices at work.
  • Regularly update and patch all applications to avoid being exploited by vulnerabilities used by cybercriminals to propagate the ransomware.
  • Disable macros in documents received via email, and open downloaded documents in viewer software (such as Office Viewer) rather than the full application, so that embedded scripts cannot run.
  • Restrict the ability to install software applications using the “Least Privilege” principle for all systems and services.
  • Strengthen your security plan by whitelisting the trusted applications employees are permitted to run, and require the use of a VPN for remote work.
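The macro recommendation above is enforced on the endpoint through Office policy, but it is also worth rejecting macro-carrying attachments at the gateway, since a filename can be renamed and cannot be trusted. Modern Office files (OOXML) are zip containers, and a VBA project shows up as a vbaProject.bin part and as a macroEnabled content type in [Content_Types].xml. The following is an added example written for this advisory, not Herjavec Group or Microsoft code; the sample documents are built in memory and are placeholders, not real Word files.

```python
"""Gateway check: flag Office (OOXML) attachments that carry a VBA project before users can open them."""
import io
import zipfile

MACRO_MARKERS = ("macroenabled", "vnd.ms-office.vbaproject")   # content types that only appear with VBA


def build_sample_docx(with_macro):
    """Construct a minimal OOXML container in memory; sample data, not a real Word file."""
    if with_macro:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
        vba_default = '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    else:
        main_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
        vba_default = ""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'{vba_default}<Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for the OLE2 container that holds the VBA project.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def has_vba_macros(data):
    """True if an OOXML file contains a vbaProject part or declares a macro-enabled content type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # Word, Excel and PowerPoint all store the project as <app>/vbaProject.bin.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace").lower()
                return any(marker in ct for marker in MACRO_MARKERS)
    except zipfile.BadZipFile:
        pass   # not an OOXML zip; legacy .doc/.xls are OLE2 files and need an OLE parser instead
    return False


def triage_attachments(attachments):
    """Return the names of attachments to quarantine. The filename is untrusted; only content decides."""
    return sorted(name for name, data in attachments.items() if has_vba_macros(data))


if __name__ == "__main__":
    inbox = {"invoice.docm": build_sample_docx(True), "memo.docx": build_sample_docx(False)}
    print("quarantine:", triage_attachments(inbox))
```

Note the limit stated in the code: legacy binary formats (.doc, .xls, .ppt) are OLE2 containers rather than zips, so they fall through this check and need a separate OLE parser; a gateway policy that only inspects OOXML should block or sandbox the legacy formats outright.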

Crypto-Jacking

Summary

Crypto-jacking is the unauthorized use of another computer to mine cryptocurrency. In 2018, 2.5 million new samples of crypto-jacking malware were identified. Some crypto-jacking malware families also target enterprise systems and have infected corporate websites and networking infrastructure, making detection and remediation more difficult. Most recently, WebCobra was uncovered and has reportedly infected systems around the globe.

Impact

Crypto-jacking is increasingly observed as a way to turn unsuspecting users’ machines into a source of income. Because its impact on the user is far less noticeable than that of ransomware, and its legal status is murkier, crypto-jacking is now being employed more often than ransomware.

Crypto-jacking may slow the user’s system; otherwise its visible effect is minimal, which gives the IT/Help Desk time to remediate identified infections. The presence of a miner does, however, show that an attacker achieved code execution on the host, and the same access could have been used for more damaging purposes.

Recommendations to Mitigate Risk

Organizations should ensure proper endpoint protection (e.g. ad blocking, EDR technology) and train users to avoid suspicious sites and files. Organizations should also monitor for traffic to known crypto-mining pools and for sustained high CPU usage to help identify current infections.
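The two detection signals above are stronger when correlated per host than when alerted on separately, because a busy database server and a hijacked workstation both show high CPU, but only one of them talks to a mining pool. The following is an added example for this advisory, not Herjavec Group tooling: it scores a constructed stream of endpoint/network telemetry by combining known-pool destinations, the Stratum mining protocol’s JSON-RPC method names, commonly used pool ports and sustained CPU by an unexpected process. The pool domains, port list, CPU allowlist and the sample events are all assumptions made for the example.

```python
"""Score hosts for crypto-mining activity from a constructed stream of endpoint/network telemetry."""
import json
from collections import defaultdict

# Indicator lists are illustrative assumptions; in practice populate them from a threat-intel feed.
MINING_POOL_DOMAINS = {"pool.mining-pool.example", "xmr.pool.example"}
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}   # ports pools commonly listen on: a weak signal on its own
STRATUM_METHODS = ("mining.subscribe", "mining.authorize", "mining.submit")  # Stratum JSON-RPC methods
CPU_THRESHOLD = 85.0          # percent
SUSTAINED_SAMPLES = 3         # consecutive samples above threshold before CPU counts as evidence
CPU_ALLOWLIST = {"sqlservr.exe", "ffmpeg.exe"}   # processes expected to run hot (assumption)

WEIGHTS = {
    "connection to known mining pool": 2,
    "Stratum mining protocol seen in payload": 2,
    "destination port commonly used by mining pools": 1,
    "sustained high CPU by unexpected process": 2,
}

# Constructed sample telemetry (one JSON event per line), not real log data.
SAMPLE_TELEMETRY = """\
{"ts":"2019-01-30T09:00:00Z","host":"ws-017","proc":"svchost.exe","cpu_pct":92,"dst":"pool.mining-pool.example","dport":3333,"payload":"{method: mining.subscribe}"}
{"ts":"2019-01-30T09:01:00Z","host":"ws-017","proc":"svchost.exe","cpu_pct":94,"dst":"pool.mining-pool.example","dport":3333,"payload":"{method: mining.submit}"}
{"ts":"2019-01-30T09:02:00Z","host":"ws-017","proc":"svchost.exe","cpu_pct":91,"dst":"pool.mining-pool.example","dport":3333,"payload":"{method: mining.submit}"}
{"ts":"2019-01-30T09:00:00Z","host":"srv-db01","proc":"sqlservr.exe","cpu_pct":96,"dst":"10.0.0.5","dport":1433,"payload":""}
{"ts":"2019-01-30T09:01:00Z","host":"srv-db01","proc":"sqlservr.exe","cpu_pct":97,"dst":"10.0.0.5","dport":1433,"payload":""}
{"ts":"2019-01-30T09:02:00Z","host":"srv-db01","proc":"sqlservr.exe","cpu_pct":95,"dst":"10.0.0.5","dport":1433,"payload":""}
{"ts":"2019-01-30T09:00:00Z","host":"ws-042","proc":"chrome.exe","cpu_pct":60,"dst":"cdn.example","dport":443,"payload":""}
{"ts":"2019-01-30T09:00:00Z","host":"ws-099","proc":"update.exe","cpu_pct":30,"dst":"203.0.113.9","dport":4444,"payload":""}
"""


def score_hosts(log_text):
    """Return {host: {"score", "severity", "reasons"}} for every host with at least one indicator."""
    cpu_streak = defaultdict(int)
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        host = ev["host"]
        if ev["dst"].lower() in MINING_POOL_DOMAINS:
            reasons[host].add("connection to known mining pool")
        if any(m in ev.get("payload", "") for m in STRATUM_METHODS):
            reasons[host].add("Stratum mining protocol seen in payload")
        if ev["dport"] in STRATUM_PORTS:
            reasons[host].add("destination port commonly used by mining pools")
        # CPU only counts once it is sustained and the process is not one we expect to run hot.
        if ev["cpu_pct"] >= CPU_THRESHOLD and ev["proc"].lower() not in CPU_ALLOWLIST:
            cpu_streak[host] += 1
            if cpu_streak[host] >= SUSTAINED_SAMPLES:
                reasons[host].add("sustained high CPU by unexpected process")
        else:
            cpu_streak[host] = 0

    results = {}
    for host, found in reasons.items():
        score = sum(WEIGHTS[r] for r in found)
        severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
        results[host] = {"score": score, "severity": severity, "reasons": sorted(found)}
    return results


if __name__ == "__main__":
    for host, r in score_hosts(SAMPLE_TELEMETRY).items():
        print(f"{host}: {r['severity']} (score {r['score']}): {'; '.join(r['reasons'])}")
```

On the sample data the workstation talking Stratum to a pool scores high, the database server is suppressed by the allowlist despite its CPU load, and the host that only hit a pool-style port is surfaced as low so that an analyst can decide whether the port list is generating noise.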

Internet of Things (IoT) Vulnerabilities

Summary

As an increasing number of small, unsophisticated devices are connected to the Internet, adversaries continue to adapt and leverage these new technologies in malicious ways. The Torii botnet was discovered recently; using more sophisticated techniques, it is able to spread to more platforms and execute more commands than previous IoT botnets, Mirai in particular.

Impact

As billions of IoT devices are introduced to the market with little or no consideration for security, threats to, and from, IoT devices will continue to increase. IoT botnets can be surprisingly damaging given the small size of each individual infected device: large websites and hosting providers have been taken offline by DDoS attacks launched from them.

The creation and organization of powerful botnets is just the first exploitation of IoT that cyber criminals have imagined. Other creative and malicious tactics should be expected.

Recommendations to Mitigate Risk

To proactively reduce the risks associated with IoT devices, Identity Services have become a pivotal component of an organization’s information security framework. Organizations can reduce the exposure of their endpoints and perimeter by engaging with products and services that support the three pillars of identity: Identity Governance & Administration, Privileged Access Management, and Access Controls. At the device level, the basic hygiene that would have blunted Mirai still applies: change default credentials, disable unused remote-management services such as Telnet, keep firmware current, and segment IoT devices from workstations and servers.

Herjavec Group regularly publishes Threat Advisories with the most up-to-date information on industry threats and vulnerabilities. A subset of Herjavec Group’s recent Threat Advisories can be viewed here.



About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.
