Enterprise-targeting cyber enemies are deploying vast amounts of potent ransomware to generate revenue and huge profits – nearly $34 million annually according to Cisco’s Mid-Year Cybersecurity Report out this week.
Ransomware, Cisco wrote, has become a particularly effective moneymaker, and enterprise users appear to be the preferred target.
+More on Network World: Security was the HOT topic at Cisco Live+
“Defenders are not protecting systems in a way that matches how attackers do their work. Although defenders have evolved their strategies and tools for fighting online criminals, attackers are still permitted far too much unconstrained time to operate,” Cisco wrote.
“Lack of visibility is the problem, leaving users open to attacks. Security professionals’ reliance on point solutions and a “triage” approach—trying to stop attacks here and there, instead of looking holistically at security challenges—is playing to attackers’ strengths,” Cisco wrote.
Some of the major findings from the Cisco report include:
•On the horizon: faster and more effective propagation methods that maximize the impact of ransomware campaigns and increase the probability that adversaries will generate significant revenue.
•Exploit kits, which have helped ransomware to become such a prominent threat, continue to take advantage of Adobe Flash vulnerabilities. In Cisco researchers’ recent examination of the popular Nuclear exploit kit, for example, Flash accounted for 80%of successful exploit attempts.
•Vulnerabilities in the enterprise application software JBoss are providing attackers with a new vector that they can use to launch campaigns such as ransomware. Cisco research shows that JBoss-related compromises have made significant inroads within servers, leaving them vulnerable to attack.
•From September 2015 to March 2016, Cisco security researchers observed a fivefold increase in HTTPS traffic related to malicious activity. The rise in this type of web traffic can be attributed largely to malicious ad injectors and adware. Threat actors are increasing their use of HTTPS encrypted traffic to conceal their activity on the web and expand their time to operate.
•Even though patches are available from major software vendors almost at the same time vulnerabilities are announced, many users still do not download and install these patches in a timely manner, according to Cisco research. The gap between the availability and the actual implementation of such patches is giving attackers ample time to launch exploits.
•To help draw attention to the security risks that organizations create by not properly maintaining aging infrastructure or patching vulnerable operating systems, Cisco researchers examined a sample set of Cisco devices to determine the ages of known vulnerabilities running on fundamental infrastructure. They reported 23% of those devices had vulnerabilities dating back to 2011; nearly 16% had vulnerabilities that were first published in 2009.
•A small but growing number of malware samples show that bad actors are using Transport Layer Security (TLS), the protocol used to provide encryption for network traffic, to hide their activities. This is a cause for concern among security professionals, since it makes deep-packet inspection ineffective as a security tool.
•Exploit kit authors are always seeking ways to evade security defenses, and they can be very creative in their efforts. One example we recently observed involved the Nuclear exploit kit. The kit, which typically drops variants of ransomware, was observed delivering a variant of Tor, the software used for anonymous communication. This tactic appears to be a method for anonymizing the eventual malicious payload, therefore making the activity more difficult for defenders to track.
In its report, Cisco said there are many ways organizations can and should take action to start improving their defenses. Some recommendations include:
•Instituting and testing an incident response plan that will enable a swift return to normal business operations following a ransomware attack.
•Not blindly trusting HTTPS connections and SSL certificates.
•Moving quickly to patch published vulnerabilities in software and systems, including routers and switches that are the components of critical Internet infrastructure.
•Educating users about the threat of malicious browser infections.
In a blog post about the report Cisco also recommended users employ a ‘first-line of defense’ such as patching, password management and segmentation to impede lateral movement and propagation and improve IT hygiene by upgrading aging infrastructure and systems, patching quickly, and consistently backing up your data
“We expect the next wave of ransomware to be even more pervasive and resilient. Organizations and end users should prepare now by backing up critical data and confirming that those backups will not be susceptible to compromise. They must also ensure that their backup data can, in fact, be restored quickly following an attack. For enterprises, restoration can be a major undertaking; therefore, being proactive about identifying potential bottlenecks is essential. Organizations should also confirm that known vulnerabilities in their Internet infrastructure and systems have been patched,” Cisco wrote.
Cisco security researchers said they anticipate, based on trends and advances observed to date, that self-propagating ransomware is the next step for innovators in this space—and urge users to take steps now to prepare. Attackers’ use of JBoss back doors earlier this year to launch ransomware campaigns against organizations in the healthcare industry is a strong reminder that adversaries, when given time to operate, will find new ways to compromise networks and users, the researchers wrote.
Check out these other hot stories: