Last week, a new threat known as Mylobot was trending that included multiple evasions and a large number of separate malware variants blended into a single threat. We also documented a new threat dubbed “Thrip” that combined over 123 malwares with various public tools. This is a significant development in terms of cyberattacks. Traditionally, attacks come preloaded with a single malware threat, and they are either distributed using a “spray and pray” model, or as highly targeted attacks that enables the malware to identify and spread to vulnerable devices.
Instead, these new attacks come loaded with a large array of tools that they can utilize to complete their cyber mission. This seems to be evidence that cybercrime missions get more complex, adversaries need more tools to accomplish their goals. Mylobot, for example, performs a number of tasks, such as disabling AV and windows updates as well as adding ports to block on the firewall before launching its primary attack.
One of the most interesting trends we have been following for quite some time is the addition of admin tools to an attack’s malicious toolkit. It is important to remember that there are two sides to every admin tool, and solutions like PSEXEC and PowerShell, which were both part of the recent Thrip campaign, continue to be misused by attackers to enable them to move laterally across the network without being detected. The difference is that these densely packed attacks have coupled these tools with a host of other malware in order to maximize their ability to compromise a network with a single blow.
If an organization has logging set up, minor security events not only need to be captured, but also trigger some type of deeper investigation and response process. Detecting malicious files is important, and we should continue to do so, but let’s not forget to look for and alert on the more simple activities, or on the digital fingerprints malware may leave behind or create, such as a disabled AV or blocked firewall port. Of course, this approach can also cause a lot of noise in larger organizations, so you need to start by ensuring you have a good baseline in order to establish solid use cases.
Proper end-to-end visibility across the distributed network that leverages interconnectivity between security devices, centralized management and analysis, and automated response should help organizations detect and respond to these more complex attacks. And of course, when you get that crucial alert you can then let those automated technology controls that span multiple security solutions to take initial actions to contain the breach in order to minimize damage.
Another IoT-based attack also showed up last week, targeting security cameras with a DDoS attack. This is yet another example of the lack of security in many IoT devices and the reality that many manufacturers simply don’t see securing these devices as a priority. The important lesson from this attack is that vulnerable IoT devices aren’t only consumer goods. This vulnerably targeted a line of cameras used to monitor high-security environments such as casinos, banks, prisons, etc.
Losing visibility in a Casino can have a huge impact as it opens the potential of missing a dealer or player (or both) cheating. This attack shows that a cybercriminal that is able to identify the cameras that are looking at a certain Blackjack table could potentially target and compromise them. Once that casino loses visibility, a card counter accomplice can then operate unnoticed. Similar exploits in a bank, trading floor, prison, or other high security environment can have similar severe results. This might sound like a movie, but given the trends, it is entirely possible that we will begin seeing cyber exploits combined with physical criminal activity start to occur in the future.