Ransomware, Phishing, Scan-and-Exploit, And More…
If March comes in roaring like a lion, as the saying goes, it may just be because February tends to be the most terrifying cyber-stat month of all.
In recent weeks, a number of industry players have delivered worrisome reports about the state of cybersecurity over the past year. Here’s a small sample:
The Netskope Cloud and Threat Report, February 2021 Edition reports on how attackers evade legacy security defenses by abusing cloud service apps to deliver malware. Cybercriminals host phishing lures on cloud apps, adding extra credibility as well as making them harder to detect.
Popular cloud storage and collaboration apps were used in particular to deliver malicious Microsoft Office documents that established Emotet footholds in target enterprises. This cloud app delivery vector peaked at 38% of malware detected by the Netskope Security Cloud platform in Q3 2020, before receding to 27% of malware detected by year end.
Cloud apps are also increasingly a phishing target: 36% of 2020 phishing campaigns targeted cloud app credentials.
IBM Security’s X-Force Threat Intelligence Index 2021 reports that ransomware was the top type of threat in 2020, comprising 23% of security events. Sodinokibi and Nefilim, both of which blend data theft with ransomware attacks, together accounted for one third of ransomware attacks. Scan-and-exploit attacks were the top infection vector, accounting for 35% of incidents, followed closely by phishing attacks, which accounted for a further 33%.
X-Force and Quad9 together report blocking an average of 10 million malicious DNS requests every day. IBM claims to identify malicious domains an average of 8 days earlier than other threat intelligence partners – but does not specify how many days these domains have been around before they identify them as malicious.
In a recent report, GreatHorn identified a new technique for delaying identification of phishing sites: Phishers have been using malformed URL prefixes – primarily replacing one or more of the slashes that usually follow “https:” – to extend the timeframe before new phishing sites are identified by traditional URL defenses.
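As an added example (not from GreatHorn or the original post), the following Python scans an email body for links whose scheme separator is not exactly “//” and canonicalises them so they can be checked against the same URL blocklists that well-formed links go through. It assumes the substituted character is a backslash, which browsers accept in place of “/” for http(s) URLs, and uses a constructed sample message.

```python
import re
from urllib.parse import urlsplit

# Accept any one- or two-character mix of "/" and "\" after the scheme so that
# malformed prefixes are captured rather than silently skipped. (Assumption: the
# substituted character is a backslash, which browsers normalise to "/".)
_URL_RE = re.compile(r'\b(https?):([/\\]{1,2})([^\s<>"]+)', re.IGNORECASE)

# Constructed sample message: one well-formed link and two with malformed prefixes.
SAMPLE_EMAIL = (
    "Your mailbox is full. Review storage at https://mail.example.test/quota\n"
    "or reset your password here: https:/\\login.example.test/reset\n"
    "Support portal: http:\\\\help.example.test/ticket?id=42\n"
)


def find_malformed_prefix_urls(text):
    """Return one dict per link whose scheme separator is not exactly '//'.

    A filter that only looks for the literal string 'https://' never sees these
    links, yet the browser still navigates to them. Canonicalising the prefix
    gives a URL and host that can be looked up in an ordinary blocklist.
    """
    hits = []
    for match in _URL_RE.finditer(text):
        scheme, separator, rest = match.groups()
        if separator == "//":
            continue  # well-formed; existing URL defenses already see it
        canonical = f"{scheme.lower()}://{rest}"
        hits.append({
            "raw": match.group(0),
            "canonical": canonical,
            "host": urlsplit(canonical).hostname,
        })
    return hits


if __name__ == "__main__":
    for hit in find_malformed_prefix_urls(SAMPLE_EMAIL):
        print(f"malformed prefix: {hit['raw']!r} -> {hit['canonical']} (host {hit['host']})")
```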
Digital Shadows’ Initial Access Broker’s Report sums it all up in its subtitle: An Excess of Access. The report cites RDP, VPNs and web shells among the access methods most targeted by cybercriminals. With the surge in RDP and VPN use due to COVID-related remote work, the number of attacks that leverage their “internet portals” to gain access to organizations’ internal infrastructure has skyrocketed.
Like VPNs and RDP, web shells, which enable remote administration of internet-facing web servers, are not inherently malicious. However, threat actors infect target web servers by injecting a malicious web shell into a website via SQL injection or cross-site scripting, so they can run server commands that enable them to steal data or launch other malicious activity like man-in-the-middle attacks and ransomware distribution. Microsoft recently reported that the number of monthly web shell attacks almost doubled during 2020, with an average of 140,000 web shells found on compromised servers every month.
Containing the Danger with Zero Trust
It has grown ever more apparent that securing an enterprise or organization from cyberattack entails a continuous struggle to prevent penetration, enhance detection, and accelerate remediation and recovery. This requires a 3-pronged strategic approach leveraging a comprehensive set of security controls across key IT areas including devices, networks, cloud workloads, applications, and data.
The Zero Trust approach of assuming breach, enforcing least-privilege, and explicit verification is the key to protecting organizations from all the various scourges highlighted in February’s dismaying reports. The key is to apply these principles consistently and in an integrated manner, across traditional infrastructure scenarios as well as newer configurations including cloud-based services and remote users.
Essential capabilities include the ability to implement Zero Trust network access controls that can significantly curtail the incidence and severity of attacks through RDP- and VPN-enabled access – beyond, of course, prompt patching to eliminate vulnerabilities. In this area, organizations must use:
- Microsegmentation to prevent lateral movement on networks, for both authorized and unauthorized users
- Identity and access management (IAM) to ensure that only authenticated users can access applications and data for which they are authorized
- Multifactor authentication to prevent access using stolen credentials
- Rule-based access control to enforce granular, policy-driven least-privilege access control
Phishing sites and ransomware delivered via cloud apps, infected websites, and malicious attachments present a significant Zero Trust challenge: These resources must always be considered malicious, since zero-day exploits, as-yet-uncategorized URLs, and new ways to hide malware prevent them from ever being verifiable as safe.
Uniquely, remote browser isolation (RBI) enables a Zero Trust approach to the web by assuming all website content is malicious. Ericom RBI executes website content in a remote, isolated cloud-based container. Regardless of whether a user browses to a site or clicks a URL embedded in an email, they are completely safe even if the site is malicious, since web content never executes directly on their device. No malware, even sophisticated zero-days, can infect the endpoint because only safe rendering information is sent from the cloud container to the browser on the user’s regular device, where they can interact with it as usual.
Websites launched from URLs in emails can be rendered in read-only mode to prevent users from entering credentials, providing additional phishing protection. Additionally, files downloaded from websites, social media sites, or web storage apps can be sanitized before being transmitted to devices, ensuring that malware within attachments – like those infected Microsoft Office documents – cannot compromise endpoints.
Detection will always be crucial. But an important first step is to limit the ability of malware to penetrate systems by closing the crucial web-to-endpoint delivery channel.