Malware In Documents Is Latest Hacker Trend

There is a new Threat Spotlight released by Barracuda Networks.

One of the biggest trends in 2019 (where threats against businesses of all sizes are concerned) now takes the form of poisoned documents attached to emails.

The company analyzed more than 300,000 email samples collected over the past twelve months.

They discovered that the frequency of document-based malware attacks increased markedly during the first quarter of 2019, with nearly sixty percent of poisoned files taking the form of documents.

As Jonathan Tanner of Barracuda Networks put it:

“For the past couple of years, script files were a very popular attack method.  The percentage of these sorts of files declined drastically, however, and was a significant source of the increase of documents as an infection method…

Documents are a natural evolution from script files, since the languages used are also the ones used for documents – namely VBScript and JavaScript.  The same attacks could be converted to the document-based ones with only slight modifications.  The script authors had already become very adept at obfuscation techniques, so these could contribute greatly to document-based malware where scripting is already more common and thus deeper inspection of the script itself is required.”

The good news is that most antivirus software is quite good at detecting malicious files.  Of course, the weakest link in the equation isn’t detection software, it’s users.  In light of the evolving threat, education is more important than ever.  To date, though, the majority of employees have been stubbornly resistant to educational measures designed to reduce the rate at which they click on and open documents received from untrusted or unknown sources.

As a business owner, that will likely be one of your great challenges in the year ahead.  The more wary you can make your employees about opening files from people they don’t know, the safer your network is bound to be.

Ransomware Attackers Targeting Larger Companies For More Money

If you haven’t heard of the GandCrab ransomware strain, it’s something you should put on your company’s radar.  It first emerged as a viable threat in early 2018.

Since that time, its creators have been constantly tweaking and honing their approach, turning it into a devastatingly effective strain.

The latest version, GandCrab 5.2, was released in February 2019, and researchers at CrowdStrike have been digging into both the software and the operating tactics of the group responsible for it.  Their findings are disturbing to say the least.

The creators of GandCrab are essentially operating their software under an affiliate scheme, where the owners of the software deploy it on behalf of hacker clients, offering it as a service for hire in exchange for 30-40 percent of the profits.  The group is even advertising on black hat forums and across the Dark Web, using ads designed specifically to pique the interest of other hackers in the community.

In addition to that, GandCrab’s creators are ramping up their own efforts.  They are increasingly ignoring smaller targets in preference for large companies with sprawling global networks, seeking a greater infection percentage (and a correspondingly higher payday).

The plan works like this:  Once they get a foothold inside a corporate network, rather than triggering the infection immediately, they explore the environment and use that beachhead to expand the number of machines their software resides on.  Only when they’ve achieved deep network penetration that spans a large percentage of the company’s networked machines do they trigger the infection.  This results in the mass encryption of files across much (if not all) of the target network, instantly bringing the company to its knees.

The researchers have taken to calling this approach ‘Big Game Hunting’ for obvious reasons.  It is proving to be brutally effective because, statistically, infected companies are more likely than not to pony up the ransom money being demanded.

All that to say the hackers are getting increasingly savvy and organized.  Don’t let your guard down.

2018 Was The Record Breaking Year For Data Breaches

We knew fairly early in the year that 2018 was on track to beat 2017 and set a new record for the number of data breaches in the year.

After all, 2017 had shattered 2016’s record the year before.  Now that the final numbers are in, though, we can see just how big an increase we’ve seen in the number of data breaches from one year to the next.

The numbers aren’t pretty.  With 12,449 reported data breaches in 2018, we’ve seen a staggering 424 percent increase year over year. 2019 is already shaping up to be another record-breaking year.  All that to say, our problems with hackers and data security are getting worse, and there’s no end in sight.

As with last year, the United States leads the pack in terms of the total number of records exposed by data breaches. Although in terms of raw numbers, the US’s total was fairly modest. It’s simply that all of the year’s biggest breaches occurred here.

At least part of what’s driving the phenomenon of the steadily increasing number of breaches is the fact that there are a staggering number of user login credentials for sale and re-sale on the Dark Web.  These are purchased for modest sums and used by hacking groups all over the world to try their hand at breaking into various networks.

Unfortunately, given the sorry state of password security, it’s often months before a hacked account sees its password changed. That gives nefarious elements plenty of time and loads of opportunities to inflict whatever damage they will, and they’re only too happy to comply.

With the grim statistics above firmly in mind, it’s time to make data security at your firm your top priority.  Based on the numbers, it’s not a question of whether you’ll be hacked.  It’s only a matter of when.

Bots Are Attacking Retail Sites On A Large Scale

If you own a retail business, an attack known as “credential stuffing” is the latest online threat to be concerned about.  If you’re not sure what that is, read on and prepare to be dismayed.  According to the 2019 State of the Internet, Retail Attacks, and API Traffic Report published by Akamai, there has been a surge in large scale botnet attacks against businesses, with retail outlets being the hardest hit.

In fact, according to the report, between May and December of 2018, there were approximately 28 billion credential stuffing attempts made.  One of the web’s largest retail sites suffered over 115 million bot-driven login attempts in a single day.

A spokesman for Akamai had this to say about the report:

“The insidious AIO (all-in-one) bots hackers deploy are multi-function tools that enable quick purchases by leveraging credential stuffing and a number of evasion techniques, allowing a single AIO bot to target more than 120 retailers at once.

A successful AIO campaign may go completely undetected by a retailer, which might see the online sales and record-setting transactions as proof its product is in demand.  They’ll have little to no indication that its inventory clearing was automated and used to fuel a secondary market or scrape information from its customers.”

In most cases, the damage caused by credential stuffing attacks is limited.  Customers whose accounts are compromised may find that they lose points or perks, and that unauthorized charges are made on their accounts. In some cases, a credential stuffing attack could lead to an attacker gaining a foothold inside your corporate network.  Also, large and pervasive attacks could strain web resources and have (on more than one occasion) crashed a web server.
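One way a retailer can spot this kind of bot-driven login traffic in its own authentication logs, as an added example that is not taken from the Akamai report: the log format, the sample lines and the thresholds are all constructed here for illustration, and the telltale is one source trying many different accounts with a low success rate, which a single customer mistyping their own password never produces.

```python
import re
from collections import defaultdict

# Constructed login-log sample (not from the Akamai report): one source hits many
# different accounts once each, a legitimate user retries their own password.
SAMPLE_LOG = """\
2018-11-03T10:00:01Z 203.0.113.7 POST /login user=alice result=FAIL
2018-11-03T10:00:01Z 203.0.113.7 POST /login user=bob result=FAIL
2018-11-03T10:00:02Z 203.0.113.7 POST /login user=carol result=FAIL
2018-11-03T10:00:02Z 203.0.113.7 POST /login user=dave result=SUCCESS
2018-11-03T10:00:03Z 203.0.113.7 POST /login user=erin result=FAIL
2018-11-03T10:00:03Z 203.0.113.7 POST /login user=frank result=FAIL
2018-11-03T10:01:10Z 198.51.100.20 POST /login user=alice result=FAIL
2018-11-03T10:01:15Z 198.51.100.20 POST /login user=alice result=FAIL
2018-11-03T10:01:30Z 198.51.100.20 POST /login user=alice result=SUCCESS
2018-11-03T10:02:00Z 192.0.2.9 POST /login user=bob result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) POST /login user=(\S+) result=(FAIL|SUCCESS)$")

def parse_log(text):
    """Yield (timestamp, source_ip, username, success) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "SUCCESS"

def find_stuffing_sources(text, min_attempts=5, min_distinct_users=5, max_success_rate=0.3):
    """Flag sources whose traffic looks like credential stuffing: many attempts,
    spread over many *different* accounts, with a low success rate. A user
    mistyping their own password fails the distinct-users test (assumed thresholds)."""
    attempts, successes, users = defaultdict(int), defaultdict(int), defaultdict(set)
    for _, ip, user, ok in parse_log(text):
        attempts[ip] += 1
        successes[ip] += int(ok)
        users[ip].add(user)
    flagged = {}
    for ip, n in attempts.items():
        rate = successes[ip] / n
        if n >= min_attempts and len(users[ip]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": n, "distinct_users": len(users[ip]), "success_rate": rate}
    return flagged

def accounts_hit_from(text, flagged_ips):
    """Accounts that logged in successfully from a flagged source: the customers
    to notify and force a password reset for."""
    return sorted({u for _, ip, u, ok in parse_log(text) if ok and ip in flagged_ips})
```

Real bots rotate source addresses, so in production the same counters are usually keyed on a device fingerprint or ASN as well as the IP.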

Even in cases where your business isn’t directly impacted, an attack on your customers’ accounts is still an attack on you.  Unfortunately, with so many stolen credentials available on the Dark Web, it’s a notoriously difficult problem to come to grips with.  The best thing you can do is remain vigilant and maintain excellent communications with the customers you serve.

New Malware Is Coming Through Messaging Apps

As if your stressed IT staff didn’t have enough to deal with, there’s a new threat to be on the lookout for.

Researchers at the antivirus company Avast have discovered a new strain of malware that can spread by way of Skype and Facebook Messenger spam messages. The malware, called “Rietspoof” is described as a multi-stage malware strain.

It was first discovered back in August of last year, and until recently, didn’t raise any eyebrows because it was seldom used. That has now changed.  There’s been a notable uptick in the number of instances of Rietspoof detected on the web.

As malware goes, Rietspoof by itself isn’t all that threatening.  Its goal is merely to infect as many devices as possible, serving as a bridge between an infected device and a command and control server that allows other strains of malware to be systematically injected onto infected systems.

Rietspoof accomplishes this goal by placing a shortcut (LNK file) in the Windows Startup Folder. This is one of the critical folders that Avast and other major antivirus programs monitor rigorously. However, Rietspoof has managed to slip through the cracks, bypassing security checks because it is signed with legitimate certificates.

The malware’s infection cycle consists of four discrete steps. Three of them are dedicated to establishing a Rietspoof beachhead on a target system, and the fourth is reserved for the downloading of more intrusive and destructive malware strains.

According to the research team that discovered it, the malware has undergone a number of incremental changes since they first began tracking it.  That led them to the conclusion that Rietspoof is a work in progress, currently undergoing testing and further development.

Although it may have limited functionality now, that could very easily change as the hackers behind the code continue to modify it.  Be sure your IT staff is aware, and stay vigilant!