
TrendLabs 2016 Security Roundup: A Record Year for Enterprise Threats
TrendLabs 2016 Annual Security Roundup

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.

Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.

Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.

Contents

Ransomware Spiked 752% in New Families in 2016
BEC Scams Generate Hundreds of Thousands in Losses Across the World
Adobe Acrobat Reader DC and Advantech's WebAccess Have the Most Number of Vulnerabilities
Mirai Botnet's Massive DDoS Attack Elevates IoT Security Conversation
Biggest Data Breach in History Underscores Responsible Disclosure of Companies
Angler Leaves the Scene with Other Exploit Kits Rising
Bank Hacking Perseveres with Banking Trojans and ATM Malware Developments
Threat Landscape in Review

2016 was an unprecedented year for cybersecurity, particularly for enterprises. Although there were considerable wins in terms of cybercriminal arrests, which led to the drop in exploit kit numbers, an array of threats that hit a record high still caused billions of dollars in accumulated losses.

It was indeed the year of online extortion, with ransomware leading the charge. Over 200 new ransomware families caused significant damage to institutions worldwide. Business email compromise (BEC) likewise raked in huge profits for cybercriminals while proving that social engineering is still very effective against large organizations.

Vulnerabilities discovered in widely used platforms, including Supervisory Control and Data Acquisition (SCADA) software, also surpassed records in volume. This left security researchers and malicious actors racing to find the weak points in a system first.

The biggest data breach in history was also reported in 2016. The event exposed issues in how some companies handle user data. Other organizations felt the effects of poor Internet of Things (IoT) security when the Mirai botnet surfaced and took down their servers. Banking threats also continued to develop, posing new challenges to the financial sector.

This roundup reviews the pertinent security stories of 2016 and aims to help enterprises determine what to expect in the months ahead and what security strategies they can adopt to stay protected.

Ransomware Spiked 752% in New Families in 2016

In a span of 12 months, the number of discovered ransomware families jumped from 29 to 247. This marks a 752% increase compared to the volume of ransomware families detected in 2015.

Figure 1. Number of newly added ransomware families, 2016 (29 in 2015 versus 247 in 2016, a 752% increase)

This record increase in new families can be the result of several factors, the first being how effective ransomware is as a moneymaking scheme. Using ransomware, cybercriminals reportedly managed to rake in about US$1 billion in 2016.[1] The whopping amount is the result of many affected enterprises still choosing to pay their attackers to have their data and assets decrypted and restored.

Although many organizations are advised not to pay the ransom and to focus on creating backups, this is easier said than done. Many of 2016's new ransomware families were designed to target specific file types critical to businesses. These include tax return files, server files, virtual desktop images and the like. Database files that are used to manage pertinent business information have also become targets.[2]

Figure 2. Number of known ransomware families encrypting business-related files, 2016 (categories: SQL files, tax files, CAD files, virtual desktop files; the per-category counts did not survive extraction)
NOTE: For the full list of ransomware families, refer to Table 7 in the appendix.

Affected enterprises also had to withstand significant system downtime and corporate data loss. Despite having no guarantee of getting their data back, many organizations still opted to give in to cybercriminal demands. In November, the San Francisco Municipal Transportation Agency was asked to pay 100 bitcoins (approximately US$70,000) after a ransomware attack locked their computers.[3] VESK, a provider of hosted virtual desktops, paid approximately US$23,000 to get the decryption keys that would restore all of their services.[4] The New Jersey Spine Center paid an undisclosed amount after attackers encrypted electronic medical records, disabled their phone system, and even locked staff members out of their backup files.[5]

Other factors driving the increase in ransomware families were the availability of open source ransomware and the introduction of ransomware-as-a-service (RaaS). Originally designed for educational purposes, open source ransomware like Hidden Tear and EDA2 was used by cybercriminals to target web servers and databases.[6] The source code for those strains has since been taken down after the reported abuse. RaaS also made it easier for rookie cybercriminals to use ransomware: since RaaS is sold in the underground, fledgling cybercriminals get the tools they need to run their own extortion campaigns.[7]

Among the ransomware threats we detected and blocked in 2016, spam remained the top ransomware vector, accounting for 79%. Since email has become the most common entry point for ransomware, either via malicious attachments or via URLs in the message body, organizations should use web and email gateway solutions. Ransomware infections can be prevented through effective monitoring of email traffic and filtering of potentially unsafe URLs, attachments, and other malicious payloads.
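The gateway filtering described above, as an added illustration that is not code from the Trend Micro report or from any Trend Micro product: it parses one raw message, flags the attachment types the 2016 spam waves leaned on (Windows scripting files, and Office documents that carry a VBA project, the Locky and Crypbee macro vector), and pulls out URLs for reputation lookup. The extension lists, the `.test` domains and the sample "invoice" message are constructed for this example; a real docx carrying a macro is detected by the presence of `vbaProject.bin` inside the zip container, which is how a gateway sees through a `.docx` name on a macro-bearing file.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types commonly abused as ransomware droppers in 2016 spam
# (Windows scripting files and macro-enabled Office documents). Assumed list.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
OOXML_EXTENSIONS = {".docx", ".xlsx", ".pptx"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def has_vba_macro(data: bytes) -> bool:
    """True if a zip-based Office file carries a VBA project (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> dict:
    """Classify one raw RFC 5322 message into findings a gateway policy can act on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"attachments": [], "urls": [], "verdict": "allow"}
    for part in msg.walk():
        if part.is_attachment():
            name = (part.get_filename() or "").lower()
            ext = name[name.rfind("."):] if "." in name else ""
            payload = part.get_payload(decode=True) or b""
            reason = None
            if ext in SCRIPT_EXTENSIONS:
                reason = "script attachment"
            elif ext in MACRO_EXTENSIONS or (ext in OOXML_EXTENSIONS and has_vba_macro(payload)):
                reason = "office document with VBA macro"
            findings["attachments"].append({"name": name, "reason": reason})
        elif part.get_content_type() in ("text/plain", "text/html"):
            findings["urls"].extend(URL_RE.findall(part.get_content()))
    # Policy: quarantine on a dangerous attachment, otherwise hand URLs to reputation lookup.
    if any(a["reason"] for a in findings["attachments"]):
        findings["verdict"] = "quarantine"
    elif findings["urls"]:
        findings["verdict"] = "scan-urls"
    return findings


def build_sample_message() -> bytes:
    """Constructed sample, not a real capture: an invoice lure whose 'invoice.docx'
    is really a macro-bearing document, plus a download link in the body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in for a VBA project
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "accounts@example.test"
    msg["Subject"] = "Invoice J-98223"
    msg.set_content("See the attached invoice or fetch it at http://example.test/invoice")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

The attachment check deliberately keys on container contents rather than on the file name, because a renamed `.docm` still opens in Word with its macros intact; the URL list is only a feed for the reputation lookup the report recommends, not a verdict by itself.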

Figure 3. A timeline of noteworthy ransomware families, 2016 (month markers are kept in the order they appear in the figure; their association with individual entries did not survive extraction)

CRYPRADAM: Encrypts files related to hosting a website
JAN
LOCKY: Arrives as a macro embedded in a spam attachment, a new method identified at that time
EMPER: Asks for 13 bitcoins, one of the highest at that time
FEB
CERBER: Incorporates various tactics such as use of Windows scripting files and cloud platforms; first to introduce voice readout of a ransom note
JIGSAW: Threatens to delete a number of files for every hour the ransom is not paid
MAR
WALTRIX: One of the first ransomware families in 2016 distributed via exploit kits
CRYPSAM: Infects servers
PETYA: Overwrites the Master Boot Record (MBR)
APR
GOOPIC: Dropped by the Rig exploit kit; gives users a longer period for ransom payment before permanently encrypting data
WALTRIX 2.0: Encrypts files and prevents access to the desktop via a lock screen
MAY
ZCRYPT: Spreads through USB dongles and flash drives
JUN
CRYPBEE: Uses malicious macros and compromised websites as infection vectors
STAMPADO: Threatens to delete one file every six hours of nonpayment, and all encrypted files after 96 hours of nonpayment
JUL
MIRCOP: Disguises itself as a fake Thai Customs form. Instead of the usual ransom note, MIRCOP demands to be paid back, assuming affected users know how ransomware payment works. It also asks for more than 40 bitcoins in payment, one of the highest seen
CERBER 3.0: Is distributed by the Magnitude and Rig exploit kits
ELFREXDDOS: A Linux ransomware that is capable of launching DDoS attacks
AUG
MILICRY: Packages and sends gathered information as a .PNG file
DETOXCRYPTO 2.0: Uses a spoofed Trend Micro certificate
COMLINE: First ransomware seen that uses the command line to execute
SEP
SHOR7CUT: Targets web servers
SMASHLOCK: Disables Task Manager, command line, and Registry Editor. It displays a series of message boxes including a timer and progress bar.
TELECRYPT: Uses Telegram channels (api.telegram.org) to communicate with its command and control (C&C) server
OCT
POPCORNTYM: Instructs affected users to spread the malware in exchange for the decryption key
NOV
GOLDENEYE: Connects to MISCHA and PETYA ransomware. This malware reboots the system, which triggers the ransomware's encryption routine.
DEC

Reputation-based analysis should also filter web and file threats. Based on the number of ransomware-related detections, downloads from URLs that host ransomware or exploit kits distributing ransomware accounted for 20%, while detections of the ransomware files themselves accounted for 1%.

Security solutions that blend this kind of reputation technology with other anti-ransomware capabilities, such as whitelisting and application control, behavioral analysis, network monitoring, vulnerability shielding, and high-fidelity machine learning, can better protect organizations while minimizing the impact on their computing resources. Endpoint application control, for example, lets users within the organization run known good files while everything else goes through filtering. This provides uninterrupted access to safe content while limiting false positives. Machine learning, applied both before execution and at runtime, can further improve detection accuracy.

As ransomware families continue to evolve and multiply, it is critical for enterprises to recognize this reality and make their data security strategy stronger and more efficient.
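One concrete form of the behavioral analysis mentioned above, written for this page as an added example and not taken from the report or from any Trend Micro product: a per-process sliding-window detector over file-system telemetry that alerts when a process bursts through many business files (the SQL, tax, CAD and virtual desktop types from Figure 2) and renames them to a single new extension. The extension list, the window and threshold, and the event log are constructed for the example; the rename model assumes the family appends its extension to the original name (report.sql -> report.sql.locked), which most 2016 families did, and a family that renames to random names would need a different rename rule.

```python
from collections import defaultdict, deque

# File types the 2016 families in Figure 2 went after, plus common backup and
# document formats. Assumed list; extend it for your own estate.
SENSITIVE = {".sql", ".mdf", ".bak", ".tax", ".dwg", ".vmdk", ".vhdx", ".docx", ".xlsx"}
WINDOW_SECONDS = 10    # sliding window per process (assumed)
BURST_THRESHOLD = 20   # writes or renames inside the window before alerting (assumed)


def ext(path: str) -> str:
    """Lower-case extension of a path, or '' when it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def detect(events, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Flag processes that burst through many sensitive files and rename them.

    events: iterable of (timestamp, pid, process, action, path). For 'rename' the path
    is the destination and is assumed to be the original name plus a new extension.
    Returns one alert per offending pid, raised at the first event that crosses the bar.
    """
    recent = defaultdict(deque)   # pid -> timestamps of writes/renames within the window
    touched = defaultdict(set)    # pid -> sensitive original files it modified
    new_exts = defaultdict(set)   # pid -> extensions its renames introduced
    alerts = {}
    for ts, pid, proc, action, path in sorted(events):
        if action not in ("write", "rename"):
            continue
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > window:          # drop events that fell out of the window
            q.popleft()
        original = path
        if action == "rename":
            new_exts[pid].add(ext(path))
            original = path[: path.rfind(".")]   # strip the appended extension
        if ext(original) in SENSITIVE:
            touched[pid].add(original)
        if pid not in alerts and len(q) >= threshold and len(touched[pid]) >= 3:
            alerts[pid] = {
                "pid": pid, "process": proc, "at": round(ts, 2),
                "events_in_window": len(q),
                "sensitive_files": len(touched[pid]),
                "new_extensions": sorted(new_exts[pid]),
            }
    return list(alerts.values())


def constructed_events():
    """Constructed telemetry, not a real capture: a nightly SQL backup (6 writes),
    a user saving a document, and a script host rewriting and renaming 30 database
    files in about six seconds, the way a spam-delivered .js dropper would."""
    events = []
    for i in range(6):
        events.append((float(i), 101, "sqlbackup.exe", "write", f"E:\\backup\\db{i}.bak"))
    events.append((50.0, 150, "winword.exe", "write", "C:\\Users\\ana\\Documents\\plan.docx"))
    for i in range(30):
        t = 100.0 + i * 0.2
        events.append((t, 202, "wscript.exe", "write", f"D:\\finance\\q{i}.sql"))
        events.append((t + 0.05, 202, "wscript.exe", "rename", f"D:\\finance\\q{i}.sql.locked"))
    return events


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

The backup job touches sensitive files too, which is why the rule needs both the burst count and the sensitive-file count rather than either alone; in production the alert would feed a response action such as suspending the process and isolating the host, and the thresholds would be tuned against a baseline of the estate's own backup and indexing jobs.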

BEC Scams Generate Hundreds of Thousands in Losses Across the World

BEC attacks cause an average of US$140,000 in losses for companies worldwide.[8] Leoni AG, the fourth largest wire and cable manufacturer in the world, became a victim of a BEC attack when its Chief Financial Officer (CFO) was tricked into transferring about US$44.6 million to a foreign account.[9] Scammers also swindled approximately US$330,000 from the local council of Brisbane in Australia after posing as one of the council's suppliers.[10] SS&C Technology also lost US$6 million to a BEC scam that forced the company to temporarily take its operations offline.[11]

BEC scams have spread to 92 countries. The most affected countries include the United States, the United Kingdom, Hong Kong, Japan, and India. The map below shows all the affected regions.

Figure 4. Countries with the most companies affected by BEC, 2016 (world map; legend buckets run from 2.75% down to 1%, plus unspecified country domains; the per-country percentages did not survive extraction)

In the latter part of the year, cybercriminals ramped up their campaigns with CEO fraud schemes, a type of BEC scam in which cybercriminals impersonate a CEO or any executive who can authorize fund transfers. Cybercriminals used this technique when they targeted 17 healthcare institutions in the United States, 10 in the United Kingdom, and eight in Canada in just two weeks.[12] These institutions included general and teaching hospitals, specialty care and walk-in clinics, and even pharmaceutical companies.

Since BEC scams rely heavily on social engineering, the human factor carries great weight. The more staff members, from the CEO to rank-and-file employees, understand how BEC works and how to identify it, the better equipped an organization will be to defend against this threat. Fraudulent wire transfer requests usually demand urgent action from the targeted employee, so everyone should scrutinize and double-check transfer details first. Recognizing phishing emails in particular, and being wary of clicking on any links, can also reduce the chances of ending up at the mercy of cybercriminals.

When processing confidential emails, it is also recommended to manually enter the email addresses of the concerned parties instead of relying on the reply addresses the message supplies. Manually typing addresses from a contact list helps ensure that correspondence and wire transfers are indeed legitimate. Having a second, out-of-band method of verifying a fund transfer, such as a phone call to a number already on file, also reduces the risk of processing a fraudulent request.

Since most types of BEC emails carry no malware payload, traditional email solutions that only detect malicious behavior will not stop these scams from landing in an employee's inbox. Organizations should have web and email gateway solutions that go beyond anti-spam and anti-phishing capabilities and include context-aware social engineering attack protection, which inspects email headers and the other social engineering tactics used in BEC attacks.
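The header inspection the previous paragraph calls for, as an added example written for this page and not code from Trend Micro or its products: it scores a message on the indicators that distinguish a CEO-fraud mail with no payload from ordinary traffic, namely an executive's display name on an address that is not theirs, a Reply-To that routes answers to another domain, a sender domain within a small edit distance of the company's own, and the urgent payment language the report describes. The company domain, the executive directory, the keyword list, the two-indicator threshold and both sample messages are constructed for the example; a production gateway would also read the SPF, DKIM and DMARC results from Authentication-Results, which is omitted here.

```python
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"                       # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}    # assumed directory of approvers
URGENCY = re.compile(r"\b(urgent|immediately|wire|transfer|confidential|asap)\b", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e-corp.test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_bec(raw: bytes) -> dict:
    """Return the BEC indicators found in one raw message and whether it should be held."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    indicators = []
    # 1. Known executive's display name on an address that is not theirs
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        indicators.append("executive display name on foreign address")
    # 2. Reply-To diverts answers to a different domain than From
    if reply_addr and domain_of(reply_addr) != from_domain:
        indicators.append("reply-to domain differs from from domain")
    # 3. Sender domain is a near miss of the company's own domain
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        indicators.append("look-alike sender domain")
    # 4. Urgent payment language in subject or body (two distinct cue words)
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if len({m.lower() for m in URGENCY.findall(text)}) >= 2:
        indicators.append("urgent payment language")
    return {"indicators": indicators, "flag": len(indicators) >= 2}


# Constructed samples, not real captures.
SAMPLE_BEC = b"""From: "Jane Doe" <jane.doe@examp1e-corp.test>
Reply-To: jane.doe.private@gmail.test
To: cfo@example-corp.test
Subject: Urgent wire transfer

I need you to process an urgent wire transfer today. Keep this confidential.
"""

SAMPLE_LEGIT = b"""From: "Jane Doe" <jane.doe@example-corp.test>
To: cfo@example-corp.test
Subject: Board pack for Thursday

Attached is the agenda for Thursday's board meeting.
"""

if __name__ == "__main__":
    print(score_bec(SAMPLE_BEC))
    print(score_bec(SAMPLE_LEGIT))
```

Each indicator on its own is noisy (executives do use personal addresses, and finance mail is often urgent), which is why the verdict requires two independent signals; the held message then goes to the out-of-band verification step described above rather than being silently dropped.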

Adobe Acrobat Reader DC and Advantech's WebAccess Have the Most Number of Vulnerabilities

In 2016, Trend Micro and the Zero Day Initiative (ZDI) (with TippingPoint) discovered a record high of 765 vulnerabilities (including 60 zero days), an increase from 714 in 2015. Of the 765 total, Trend Micro researchers independently discovered 103 vulnerabilities, while ZDI found 678. Sixteen vulnerabilities are common to both.

Figure 5. Number of vulnerabilities discovered by Trend Micro and ZDI, 2016 (Trend Micro only: 87; found by both: 16; ZDI only: 662)

Table 1. Trend Micro and ZDI (with TippingPoint) top 10 applications based on number of vulnerabilities discovered in 2016

Product                          Number of vulnerabilities
Advantech WebAccess              109
Adobe Acrobat Reader DC           89
Apple OS X                        52
Android                           52
Foxit Reader                      49
Adobe Flash                       38
Microsoft Internet Explorer       33
Microsoft Windows OS              26
SolarWinds                        25
Microsoft Edge                    22

Most of the vulnerabilities were found in Adobe Acrobat Reader DC and Advantech's WebAccess (with 26 zero days). The former is an enterprise application that handles .PDF files, while the latter is used in SCADA systems.

Although Adobe Acrobat Reader DC saw no change from its 2015 count, the application still had the most vulnerabilities of all Adobe products. Adobe Flash fell to 38 vulnerabilities from 67 the year before, a 43% decrease. That number may continue to drop as more browsers disable Flash by default and migrate to HTML5.[13] Despite that, Adobe Flash zero-day vulnerabilities[14] still leave outdated systems open to attack. For instance, an Adobe Flash zero day allowed the attackers behind Pawn Storm to ramp up their spear-phishing campaigns against governments and embassies across the world.[15]

Meanwhile, Microsoft saw a 47% decrease, with 93 recorded vulnerabilities, down from 175 the previous year. While Internet Explorer still has the most vulnerabilities of any Microsoft product, its count dropped sharply: from 121 recorded vulnerabilities in 2015 to only 33, a 73% decrease. A few factors may have contributed to this drop. Apart from offering bounty programs for bugs and vulnerabilities, the vendor has been proactive in rolling out security patches. Instead of publishing individual bulletins for each patch, Microsoft now pools all the updates into a single monthly deployment.[16] This streamlined approach is better at providing users with continued security.

Table 2. Trend Micro and ZDI (with TippingPoint) discovered vulnerabilities, 2015 versus 2016 (percentage change per vendor and product). The increase/decrease markers did not survive extraction; the values the surrounding text confirms are:

Microsoft (overall): 47% decrease (175 to 93)
Microsoft Internet Explorer: 73% decrease (121 to 33)
Adobe Flash: 43% decrease (67 to 38)
Adobe Acrobat Reader DC: 0% (unchanged)
Apple (overall): 145% increase (33 to 81)
Apple iOS: 275% increase
Apple OS X: 189% increase
Android: 206% increase

The remaining rows of the original table (Microsoft Office, Windows, Edge, MSXML, Chakra, .NET, Reader and Windows Media Center; Adobe Acrobat Pro DC, Digital Edition and Creative Cloud; Apple QuickTime and Safari; zero days; SCADA) carry percentages whose assignment and direction cannot be recovered from the extraction.

The number of vulnerabilities found in Apple products, on the other hand, rose considerably in 2016. There were 81 vulnerabilities in its products in 2016, a 145% increase from the 33 discovered in 2015. Its desktop (OS X) and smartphone (iOS) products, both of which are used in enterprises, saw 189% and 275% increases, respectively. In October, attackers abused the iOS platform to replace a legitimate app from the App Store with a malformed, enterprise-signed app. Through the repackaged and adware-laden apps, attackers manipulated iOS's code signing process and gained access to users' personally identifiable information (PII) and banking credentials.

Advantech's WebAccess had the most discovered vulnerabilities of any product in 2016. These and other SCADA vulnerabilities can be leveraged to compromise critical components in industrial automation networks. Many essential services and utilities, like water and electricity, rely on SCADA, so failing to secure these systems can lead to real-world consequences. One example was the power outage caused by the BlackEnergy malware. The attack targeted a power grid and left about half of the homes in a Ukrainian region without electricity for several hours.[18] For the list of other SCADA applications with discovered vulnerabilities, refer to Table 5 in the Threat Landscape in Review section.

As for mobile platforms, our data showed that Android vulnerabilities increased by 206% in 2016. A malware variant called DressCode gives attackers access to internal networks whenever devices carrying Trojanized apps connect to them. At least 3,000 Trojanized apps were found in well-known Android markets and even on Google Play.[19]

Knowing that SCADA systems carry a number of vulnerabilities allows the private and public sectors to develop an effective security framework before attackers find ways to exploit them. Initiatives like ZDI (founded by TippingPoint) can help here. ZDI rewards security researchers for responsibly reporting vulnerabilities in various products and platforms. After these vulnerabilities are disclosed, vendors create and deliver the patches.

System administrators should make it a habit to apply secu

