Last year saw a massive increase in the number of recorded enterprise malware attacks, with hackers also targeting public sector organizations and government agencies with increased frequency. According to the new Dell Security Annual Threat Report, malware attacks virtually doubled in 2015, and reached a staggering 8.19 billion worldwide infections.
The new report makes for worrying reading. The current threat level is greater than ever before and the volume of enterprise malware attacks now taking place has reached unprecedented levels. Organizations that fail to implement robust controls to protect their systems from malware downloads are likely to be attacked.
Dell Reports a 73% Increase in Malware Infections in 2015
To compile the report, Dell gathered data from its Dell SonicWALL Global Response Intelligence Defense network. In 2014, Dell SonicWALL received approximately 37 million unique malware samples. In 2015, that figure increased to 64 million, an increase of 73%. Dell noted increases in malware, ransomware, viruses, Trojans, worms, and botnets in 2015.
Not only is the volume of malware increasing, the vectors used to infect devices and networks are now much broader. Cybercriminals are also getting much better at concealing infections and covering their tracks. When malware is eventually discovered on systems, it has usually been present and active for some time.
Hackers are now using anti-forensic techniques to evade detection, along with steganography, URL pattern changes and modified landing page entrapment techniques. Command and control communications are also being encrypted, making it harder to identify traffic from infected devices and systems. Oftentimes, it is the communication between malware and C&C servers that allows anti-malware and intrusion prevention systems to identify infections.
Spam email is still being used to deliver malicious software although drive-by attacks have increased. IoT devices are also being used to install malware due to the relatively poor security of the devices.
Enterprises now have a much broader attack surface to defend, yet security budgets are often stretched, making it difficult for IT security teams to install adequate defenses against such a diverse range of attack vectors. It may not be possible to implement robust defenses against every attack, but by concentrating on the most commonly exploited weaknesses the majority of enterprise malware attacks can easily be prevented.
How to Defend Against Enterprise Malware Attacks
The majority of successful enterprise malware attacks could have been prevented had basic security measures been implemented and had industry security best practices been adopted. Hackers may be using ever more sophisticated methods to infiltrate systems and steal data, but in the majority of cases they do not use zero-day vulnerabilities to attack; well-known security weaknesses are exploited instead.
All too often enterprise malware attacks are discovered to have occurred as a result of unpatched or outdated software. Oftentimes, patches and software updates have been available for months prior to attacks taking place. One of the best defenses against cyberattacks is to adopt good patch management practices and ensure that software updates are applied within days of release.
Email spam is still used to deliver a wide range of malware and malicious software, yet spam email is easy to block with a robust spam filtering solution such as SpamTitan. Along with staff training on phishing email identification and basic security best practices, malware infections via email can be easily prevented.
It is also strongly advisable to implement an enterprise web filtering solution. Allowing employees full access to the Internet can leave a business susceptible to drive-by malware downloads. A web filtering solution such as WebTitan Gateway – or WebTitan Cloud for Wi-Fi networks – can prevent malicious file downloads, malvertising, and limit the risk of drive-by enterprise malware attacks.
Using a firewall capable of inspecting every packet and validating all entitlements for access is also advisable. Since hackers are also using SSL/TLS encryption to mask C&C communications, it is a wise precaution to use a firewall that incorporates SSL-DPI inspection functionality.
Locky ransomware is a new threat believed to emanate from the hacking team behind Dridex malware. The new threat is being delivered via spam email and is disguised as a Microsoft Word invoice. If macros are enabled, or if the macro contained in the infected Word file is run, a script will download Locky ransomware: a 32-bit executable file containing a dropper. The dropped malware runs from the %TEMP% folder and disguises itself as svchost.exe.
Locky ransomware searches for files stored on the infected device, renames them and adds the extension .locky. The renamed files cannot be identified by the user: they are given a unique file ID along with a unique ID for each user. Files are locked using RSA-2048 and AES-128 ciphers, and all communication between Locky and its command and control server is encrypted.
Once files have been encrypted, a text file will be saved to the desktop detailing the actions that must be taken by the victim in order to restore their files. A bitmap containing the instructions is also set as the user’s wallpaper.
Links are supplied which the user must access via the Tor network, and further instructions unique to that user are detailed on a webpage created for each victim. Users are instructed how to buy Bitcoin and how to send the ransom of 0.5 to 1.0 Bitcoin (around $200-$400) to the attackers. Upon paying the ransom the victim receives a security key that enables them to unlock their files. Locky ransomware encrypts data stored on local drives, removable media and ramdisks, and is also capable of encrypting data on network resources.
Locky ransomware can only be installed if a malicious macro contained in the Word file is run. Opening the infected Word document will not result in the device or network being infected until macros have been enabled. If this happens, the Word document macro will save a file to the device (Troj/Ransom-CGX) which will act as a downloader and will install the ransomware payload.
Once downloaded the payload will start to encrypt a wide range of files. Those files include documents, multimedia files, images, office files, and source code. Shadow copies (VSS files) on the device will also be removed. Even the wallet.dat file is encrypted, leaving Bitcoin users no alternative but to pay the ransom. The ransomware will encrypt files on any connected or mounted drive, and will lock files regardless of the operating system used.
Any user logged in with administrator privileges when Locky ransomware strikes will see a considerable amount of damage caused, leaving them no alternative but to pay the ransom to unlock files. Bear in mind that the above ransom amounts have been seen for individual users. There is no telling what ransom will be demanded if a business user is infected.
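As an added example (not code from the page, from Dell or from TitanHQ), the following Python checks constructed endpoint telemetry for the Locky behaviours described above: svchost.exe executing outside its system directory, an executable launched from a user's %TEMP% folder, a burst of renames to the .locky extension, and shadow copy deletion. The event format, the paths and the burst threshold are assumptions, and the vssadmin rule assumes the usual shadow-copy deletion command, which the text does not name.

```python
"""Detection heuristics for the Locky behaviours described in the text, run over
constructed endpoint telemetry. Added example: the event format, paths and
thresholds are assumptions, not indicators taken from the page."""
import ntpath
from collections import Counter

# Directories where a genuine svchost.exe lives on Windows.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Renames to .locky by one process before raising a burst alert
# (assumed threshold; tune to the environment).
RENAME_BURST = 5

# Constructed sample events (pid 2088 plays the malicious process).
EVENTS = [
    {"type": "process", "pid": 412, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "pid": 2088,
     "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "cmdline": "svchost.exe"},
    {"type": "process", "pid": 2100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},  # assumed command, not from the page
    {"type": "rename", "pid": 3000, "old": r"C:\Users\alice\Documents\draft.docx",
     "new": r"C:\Users\alice\Documents\final.docx"},  # benign rename
] + [
    {"type": "rename", "pid": 2088, "old": rf"C:\Users\alice\Documents\file{i}.xlsx",
     "new": rf"C:\Users\alice\Documents\{i:016X}.locky"} for i in range(6)
]


def is_user_temp_dir(directory):
    """True for a per-user %TEMP% directory (lower-cased Windows path)."""
    return "\\appdata\\local\\temp" in directory


def analyse(events):
    """Return a list of (rule, pid, detail) alerts; events are processed in order."""
    alerts = []
    locky_renames = Counter()
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].lower()
            name, directory = ntpath.basename(image), ntpath.dirname(image)
            # A svchost.exe anywhere but the system directories is a masquerade.
            if name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
                alerts.append(("svchost_masquerade", ev["pid"], ev["image"]))
            # Payloads dropped by a macro commonly execute from %TEMP%.
            if is_user_temp_dir(directory):
                alerts.append(("exec_from_temp", ev["pid"], ev["image"]))
            cmd = ev["cmdline"].lower()
            if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
                alerts.append(("shadow_copy_deletion", ev["pid"], ev["cmdline"]))
        elif ev["type"] == "rename" and ev["new"].lower().endswith(".locky"):
            locky_renames[ev["pid"]] += 1
            if locky_renames[ev["pid"]] == RENAME_BURST:  # alert once per process
                alerts.append(("locky_rename_burst", ev["pid"],
                               f"{RENAME_BURST} files renamed to .locky"))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```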
How to Protect Against Locky Ransomware Attacks
There are a number of ways that businesses can protect their networks from a Locky ransomware attack. The first is to prevent the malicious Word document from being delivered.
- A robust anti-spam filter can filter out malicious emails and quarantine them, preventing phishing and malicious spam emails from being delivered to end users’ inboxes.
- Staff training is essential in case malicious emails find their way into end users’ inboxes. Employees must be warned of the risks of ransomware and other malware, told how the malicious software is delivered, and how to identify potentially malicious emails. End users must be told never to open a file attachment sent from someone they do not know.
- All devices with Word installed should have macros disabled. If users are required to use macros, they should enable them to work on files and disable the macro function when the task has been completed. If macros are set to run automatically, opening an infected Word document will allow malicious code to run automatically.
- Portable drives should not remain connected when they are not in use.
- Users should never log in as an administrator unless it is strictly necessary. Always log in without administrator rights unless they are necessary for a particular task to be performed and log out afterwards.
- Regularly back up important files (daily) and store backups off site.
- Not all malware is delivered via spam email. Hackers are increasingly using FTP sites, file sharing websites, and compromised websites to deliver malware. Blocking these sites using a web filtering solution such as WebTitan is strongly advisable. WebTitan can also block files commonly used to deliver malware (BAT, SCR, and EXE files).
- Patches should be installed promptly and browsers and plugins updated as soon as patches and updates are released. Security vulnerabilities can be exploited via malicious websites and malware and ransomware downloaded without any user action.
The failure to use a school web filter could result in children gaining access to hardcore pornography in the classroom. If a school web filter is used, it is essential to ensure that it is configured correctly. Two Canadian parents have just discovered that porn is still accessible via classroom computers after conducting a simple test at their daughters’ school.
In this case, the Internet could only be accessed at the elementary school in Markham, Ontario, using a valid account and Internet access is supervised, so the chance of children viewing adult content is limited. That said, if children want to view porn they would not be prevented from doing so. The software solution that had been put in place did not block pornography and other adult content from being displayed.
After gaining permission to use her daughter’s Internet login, Eva Himanen conducted a simple search on Google to see whether it was possible for images of an adult nature to be viewed in the classroom. She did this by typing the search terms “porn” and “naked sex” into Google.
Rather than images and search listings being blocked, the search brought up numerous thumbnail images of exactly the material one would expect such a search to produce. There were also listings of a wide range of porn websites that had not been blocked. A school web filter was allegedly in place, but images were still displayed.
Access to the Internet is controlled by logins and parents and children are required to sign an acceptable use form each year. However, while students may agree not to search for adult website content, that does not prevent them from viewing inappropriate material.
If a child were able to access pornographic images without being spotted by a teacher, the Internet use would most likely be discovered later. Logs of all websites visited are maintained by the school and are regularly checked. Any websites of an adult nature that are accessed would be tied to an individual child’s login and action would be taken against that individual. However, the damage would have already been done. If one student were to perform such a search and break the rules, other children may also be affected.
The Importance of Implementing a Robust but Flexible School Web Filter
Blocking access to certain sections of the Internet is straightforward with WebTitan. WebTitan’s school web filter is quick and easy to implement and can offer protection in a matter of minutes. It is possible to block websites by category as well as by keyword term, and blacklists can be uploaded easily.
One of the problems that can occur with a school web filter is the overblocking of website content. It is possible that blocking a particular category of website, or a specific keyword term such as “sex”, would result in some website content being blocked incorrectly. This could potentially prevent individuals from accessing sexual education material, some of which may be required under the curriculum.
A web filter may therefore require a certain degree of fine tuning. False positives will always occur with any web filter, although careful implementation and choice of keyword terms and website categories will keep this to a minimum, while ensuring that harmful content is blocked. Using a flexible, easy-to-use school web filter such as WebTitan will make this as straightforward as possible.
WebTitan’s web filtering solutions for schools have a high degree of granularity, allowing potentially harmful content to be easily filtered, while ensuring that valuable educational material is still displayed. It is still important to have allowable use policies in place, but should a student attempt to break the rules, they would still be prevented from viewing adult content, and their actions would be logged to allow action to be taken.
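The overblocking trade-off above as an added example, not WebTitan's engine: a small Python policy evaluator with a constructed category lookup, a naive policy that blocks the bare keyword "sex", and a tuned policy that relies on website categories plus an allowlist for curriculum material. Hostnames, categories and page text are all constructed.

```python
"""Policy evaluator for the overblocking problem discussed in the text. Added
example, not WebTitan's code: the category database, hostnames and page text
are constructed stand-ins."""
from urllib.parse import unquote_plus, urlparse

# Constructed stand-in for a vendor category database (hostnames are made up).
CATEGORY_DB = {
    "adult-content.example": "adult",
    "sexual-health-education.example": "education",
    "images.search.example": "search",
    "essex-schools.example": "education",
}

# Weak setting: a bare "sex" keyword matches far more than adult content.
NAIVE_POLICY = {"block_categories": {"adult"},
                "block_keywords": {"porn", "sex"},
                "allow_hosts": set()}
# Tuned setting: category blocking does the heavy lifting, keywords are phrases
# from the classroom test, and curriculum sites are allowlisted.
TUNED_POLICY = {"block_categories": {"adult"},
                "block_keywords": {"porn", "naked sex"},
                "allow_hosts": {"sexual-health-education.example"}}


def decide(policy, url, page_text=""):
    """Return (action, reason). Category blocks win; an allowlisted host only
    overrides keyword hits, never the adult category."""
    host = (urlparse(url).hostname or "").lower()
    category = CATEGORY_DB.get(host, "uncategorised")
    if category in policy["block_categories"]:
        return "block", f"category:{category}"
    text = f"{unquote_plus(url)} {page_text}".lower()  # search queries are in the URL
    for kw in sorted(policy["block_keywords"], key=len, reverse=True):
        if kw in text:
            if host in policy["allow_hosts"]:
                return "allow", f"allowlisted host overrides keyword:{kw}"
            return "block", f"keyword:{kw}"
    return "allow", "no rule matched"


# Constructed requests: the classroom search described in the text plus two
# legitimate pages that a bare "sex" keyword catches by accident.
REQUESTS = [
    ("https://adult-content.example/gallery", "adult gallery"),
    ("https://images.search.example/?q=naked+sex", "image results"),
    ("https://sexual-health-education.example/year9",
     "Year 9 sex education: relationships, consent, the harms of pornography"),
    ("https://essex-schools.example/admissions", "school admissions form"),
]


def evaluate(policy):
    """Map each request URL to its action, as a filter's audit log would record."""
    return {url: decide(policy, url, text)[0] for url, text in REQUESTS}


if __name__ == "__main__":
    for name, policy in (("naive", NAIVE_POLICY), ("tuned", TUNED_POLICY)):
        print(name)
        for url, text in REQUESTS:
            print("  ", *decide(policy, url, text), url)
```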
For further information on the full range of features of WebTitan’s school web filtering solutions, contact the sales team today for advice.
The healthcare ransomware threat is not new, but the threat of attack is growing. Last week, a healthcare provider in the United States found out just how damaging a ransomware attack can be. Hollywood Presbyterian Hospital experienced a ransomware attack on February 5, resulting in part of its computer network being taken out of action for more than a week.
The healthcare provider’s electronic health record system (EHR) was locked by ransomware and a demand of $17,000 was made by the attackers to supply the security keys. This is not the first time that a healthcare provider has had to deal with a ransomware infection, but attacks on healthcare organizations have been relatively rare.
What makes this attack stand out is the fact that the ransom was actually paid. CEO Allen Stefanek said “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom.”
The Healthcare Ransomware Threat is Very Real
Many businesses in the country have been attacked and have been forced to pay sizable ransoms in order to get a security key to decrypt their locked data. If data is encrypted by attackers, and no backup exists, there is little choice but to pay the ransom and hope that the attackers make good on their promise to supply the security keys.
There is no guarantee that the attackers will deliver the keys, of course. They could simply demand even more money. There have also been cases where the attackers have “tweaked” their ransomware but accidentally broke it in the process, so that even if a ransom was paid it would not be possible to unlock the data.
Paying a ransom does not therefore guarantee that the security keys will be supplied. In this case, the attackers did make good on their promise and supplied the keys allowing business to return to normal.
The public announcement about the ransomware attack, and the disclosure of the payment of the $17,000 ransom, could potentially lead to even more attacks taking place. That is a big payment for a hacker, yet orchestrating a ransomware campaign is relatively easy, and does not require a major financial outlay. The return on investment will be significant if a healthcare provider is forced to pay a ransom. Since the ransom was paid, this may prompt many more hackers to attack healthcare providers.
Ransomware Attack Raises a Number of Questions
This attack does raise a number of questions. What many security professionals will be asking is why the hospital paid at all. In the United States, healthcare providers are required to make backups and store those data off-site. In the event of an emergency such as this, a healthcare provider must be able to restore patient data. This is a requirement of the Health Insurance Portability and Accountability Act (HIPAA). It doesn’t matter what the emergency is: if computers or networks are taken out of action, the protected health information of patients cannot be lost.
The reality however, is that restoring computer systems after a ransomware attack may not be quite as straightforward. It would depend on the extent of the ransomware attack, the number of systems that were compromised, the difficulty of restoring data, and how much data would actually be lost.
Backups should be performed daily, so it is possible that 24 hours of data may have been lost, but unlikely any more. Even if data loss had occurred, it is probable that the data were stored elsewhere and could be recovered. The payment of the ransom suggests that there may actually have been an issue with the backups, or that the cost of recovering data from the backups would have been more than the cost of paying the ransom.
Dealing with the Healthcare Ransomware Threat
Regardless of the reasons why data restoration was not possible, or paying the ransom seemed preferable, other healthcare providers should be concerned. Further attacks are likely to take place, so it is essential that backups are performed regularly, and critically, those backups are tested. A backup of data that cannot be restored is not a backup. It is a false hope.
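To make the point about tested backups concrete, here is an added Python backup drill (not the hospital's procedure or any vendor's code): it archives constructed sample files with a SHA-256 manifest, restores them into a scratch directory and compares every hash, then repeats the check on a deliberately truncated archive to show how an untested backup fails only when it is needed.

```python
"""Backup drill: a backup counts only once a restore has been tested. Added
example with constructed sample files, not the hospital's procedure."""
import hashlib
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive):
    """Write src_dir into a .tar.gz; return {relative path: sha256} taken at backup time."""
    src_dir, manifest = Path(src_dir), {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                tar.add(p, arcname=rel)
                manifest[rel] = sha256_of(p)
    return manifest


def verify_restore(archive, manifest):
    """Restore into a scratch directory and compare against the manifest.
    Returns (ok, problems); any failure to read the archive is a failed restore."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for m in tar.getmembers():
                    parts = PurePosixPath(m.name).parts
                    if not m.isfile() or m.name.startswith("/") or ".." in parts:
                        continue  # refuse entries that would escape the scratch dir
                    dest = Path(scratch, *parts)
                    dest.parent.mkdir(parents=True, exist_ok=True)
                    with tar.extractfile(m) as src, open(dest, "wb") as out:
                        out.write(src.read())
        except Exception as exc:  # truncated stream, bad gzip, unreadable media
            return False, [f"restore failed: {exc!r}"]
        for rel, expected in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return not problems, problems


def run_drill():
    """Return (intact_backup_ok, truncated_backup_ok); a sound drill gives (True, False)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "ehr")  # constructed sample data, not real records
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient-0001.json").write_text('{"id": 1, "note": "sample"}')
        (src / "index.db").write_bytes(bytes(range(256)) * 8)
        archive = Path(work, "ehr-backup.tar.gz")
        manifest = make_backup(src, archive)
        intact_ok, _ = verify_restore(archive, manifest)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])  # simulate damaged backup media
        truncated_ok, _ = verify_restore(archive, manifest)
        return intact_ok, truncated_ok


if __name__ == "__main__":
    print("intact backup restores: %s, truncated backup restores: %s" % run_drill())
```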
Furthermore, healthcare providers must ensure employees are trained to spot malware and ransomware, and software solutions should be implemented to prevent spam emails from being delivered to inboxes. Staff should be prepared, but it is best not to put their malware identification skills to the test.
Not all ransomware is delivered via spam email. Additional protections must also be put in place to prevent drive-by attacks and to block malvertising. A web filtering solution, such as WebTitan, should also be installed to reduce the risk of ransomware downloads and to enforce safe use of the Internet.
There is no silver bullet that can totally negate the healthcare ransomware threat. It is impossible to make any system 100% secure, but by implementing a range of protections the risk of a ransomware infection can be reduced to an acceptable level. A disaster recovery plan must also exist that will allow data to be restored in the event that an attack does prove to be successful.
In recent months, concern has been growing over the lack of medical equipment cybersecurity protections in place at hospitals and medical centers. Healthcare providers are being targeted by cybercriminals for the confidential data they store on patients. Medical devices, and their associated computer hardware, could potentially be targeted by cybercriminals. Medical device security is often overlooked by health IT professionals, and the manufacturers of the devices often fail to make their equipment secure.
Healthcare providers store Social Security numbers, health insurance data, financial information, and the personal information of patients. These data have a high value on the black market as they can be used by criminals to commit identity theft and a multitude of fraud.
Cyberattacks on hospitals and health insurers are increasing, and while cybersecurity protections as a whole are improving, the industry still lags behind other industry sectors when it comes to implementing robust cybersecurity protections. Numerous security vulnerabilities are often allowed to exist, making it relatively easy for hackers to take advantage.
Medical equipment cybersecurity is particularly lax. The devices may not provide easy access to the types of data sought by identity thieves in some cases, but they are networked. If access is gained, attacks on other parts of a healthcare network could take place.
If hackers are able to gain access to a medical device, a considerable amount of harm could be caused. A malicious hacker could alter or delete data, crash the device, or steal data stored on the device or the computer connected to it. If settings can be altered, patients could be seriously harmed. Doses of medication could be altered or medical diagnoses or test results changed, with disastrous consequences for the patient.
Expensive equipment could be sabotaged or the devices could be locked with ransomware. The ransomware infection of Hollywood Presbyterian Medical Center this month shows that the threat of malware is very real. In fact, attacks on hospitals can be very lucrative for hackers. The hospital recently paid $17,000 for security keys to unlock its EHR system after a ransomware infection took it out of action.
How Bad Are Medical Equipment Cybersecurity Protections?
So how bad are medical equipment cybersecurity protections? Sergey Lozhkin of Kaspersky Lab decided to find out, and announced the results of his attempts to hack medical devices at the 2016 Security Analyst Summit (SAS 2016) in Tenerife.
Lozhkin set out to hack a hospital and succeeded in doing just that by exploiting a lack of medical device cybersecurity protections at a hospital. The hack started with a search using the Shodan search engine. Lozhkin discovered a number of hospital devices and contacted the owner. Along with his friend, he decided to conduct a penetration test to see just how easy it was to gain access to the devices. The senior managers of the hospital were aware of the test and secured real data to prevent any unauthorized disclosure or data loss as a result of the test.
The first attempt at hacking the medical devices failed. The hospital’s systems administrator had done a good job of securing systems from external attack. However, the second attempt at hacking was successful. Lozhkin decided that instead of attacking from home, he would travel to the hospital and try to attack from within. However, physical access to the hospital was not necessary. He was able to hack the hospital from his car, since he could park outside and gain access to the hospital’s local Wi-Fi network.
Once he had hacked the network key he was able to gain access to a tomographic scanner. By exploiting a vulnerability in an application he gained access to the file system of the device and was able to view (fake) patient data; the real data had been secured prior to the test. In this case, the hack was possible because the hospital’s systems administrator had made a fundamental mistake, having connected a medical device to the hospital’s public Wi-Fi network.
Forget Medical Equipment Cybersecurity Protections at your Peril
If medical equipment cybersecurity protections are insufficient, it may be hacktivists or data thieves that gain access to data rather than pen testers. Hospitals must ensure that medical equipment cybersecurity protections are put in place, but security must also be tested to ensure cybersecurity defenses actually prevent access to medical devices and the sensitive data they contain.
Better medical equipment cybersecurity protections must also be incorporated into the design of medical devices by the manufacturers to make sure medical equipment is harder to hack.