
The Evolution of Malware


By: Olivia

February 21, 2018

We’re pleased to be partnering with Cisco for this blog. Scroll down to download the Cisco 2018 Annual Cybersecurity Report.

As many cybersecurity professionals know, the threat landscape continues to grow more complex, with large increases in cybercriminal activity around the world, and 2017 was no exception. In their Annual Cybersecurity Report (ACR), Cisco threat researchers share significant findings about attacker behavior over the past 12 to 18 months.

Among the key takeaways, perhaps none is more striking than the evolution of malware seen in headline-grabbing events like WannaCry and Nyetya. Malware has evolved both in motivation and in functionality. Although most campaigns are still driven by financial gain, newer ransomware strains spread automatically, producing a far larger impact without any user interaction. “The advent of network-based ransomware cryptoworms eliminates the need for the human element in launching ransomware campaigns. And for some adversaries, the prize isn’t ransom, but obliteration of systems and data, as Nyetya—wiper malware masquerading as ransomware—proved. Self-propagating malware is dangerous and has the potential to take down the Internet, according to Cisco threat researchers,” the report states.

Professionals unsure how to combat these evolving strains may be surprised to learn that the impact of WannaCry and Nyetya could have been lessened had basic security practices been in place: network segmentation, which limits how far a worm can move laterally once it is inside, and a rehearsed incident response plan, which shortens the time between first infection and containment.

Persistence Pays Off

Unfortunately, the persistence of adversaries puts cyber professionals at a disadvantage even when proper security practices are implemented in an organization.
As cited in the ACR, Cisco threat researchers noted high volumes of samples in September 2017 in which the malicious payload was delivered only after the document was closed within a sandbox (Figure 16). A sandbox, in this context, is an isolated environment in which a suspicious file such as an email attachment is opened and its behavior observed before the file is allowed through to users. Here the malware hangs its payload on the document’s close event (the Document_Close handler in Word macros): the document appears inert while it is open, and many sandboxes analyze a document for a fixed period and then discard the analysis machine without ever closing it. Because the sandbox never explicitly closes the document, no malicious behavior is observed, the attachment is deemed safe, and it is delivered to the intended recipients. The practical lesson for defenders is that a sandbox has to drive the full lifecycle of the document, including closing it, or this class of payload never executes under observation.

The document-close technique is one of many examples of the creativity of attackers who try method after method to keep their attacks effective. It also shows the burden of ransomware infection shifting from an unsuspecting end user toward a more complex delivery chain that uses anti-analysis and anti-reverse-engineering tricks to evade detection by malware analysts and DevOps teams. According to Cisco’s 2017 Midyear Cybersecurity Report, “2017 saw the emergence of DevOps ransomware attacks, beginning with a campaign in January that targeted the open-source database platform MongoDB. Attackers encrypted public MongoDB instances and demanded ransom payments for decryption keys and software.
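As an added example (not code from the Cisco report or from this post), the Python below triages VBA macro source for exactly this pattern: it lists each Sub, classifies it by the user action that triggers it, and reports the handlers whose suspicious calls would execute only when the document is closed, which is what an open-wait-snapshot sandbox misses. It assumes the macro source has already been extracted from the document (for instance with olevba from oletools), runs on a constructed, harmless sample, and all function and constant names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: VBA as a macro extractor (e.g. olevba) would dump it.
# Not real malware; the payload line is a harmless stand-in.
SAMPLE_VBA = """\
Private Sub Document_Open()
    ' Lure text; nothing else happens when the file is opened
    MsgBox "This document was created in a newer version of Word."
End Sub

Private Sub Document_Close()
    ' Payload stage: runs only when the document is closed. A sandbox that
    ' opens the file, waits, and snapshots behaviour never gets here.
    ' "notepad.exe" is a harmless stand-in for the real dropper command.
    Shell "notepad.exe", vbHide
End Sub
"""

# Auto-executing entry points, grouped by the user action that fires them
# (Word uses Document_* / Auto*, Excel uses Workbook_* / Auto_*).
OPEN_TRIGGERS = {"autoopen", "auto_open", "autoexec", "document_open", "workbook_open"}
CLOSE_TRIGGERS = {"autoclose", "auto_close", "autoexit", "document_close", "workbook_beforeclose"}

# Calls that are rare in legitimate macros and typical of a dropper stage.
SUSPICIOUS_CALLS = re.compile(
    r"\b(Shell|CreateObject|GetObject|WScript\.Shell|powershell|cmd\.exe|"
    r"URLDownloadToFile|XMLHTTP|ADODB\.Stream|Environ)\b",
    re.IGNORECASE,
)

# One "Sub ... End Sub" procedure: name in group 1, body in group 2.
PROC_RE = re.compile(
    r"^[ \t]*(?:Private|Public|Friend)?[ \t]*Sub[ \t]+(\w+)[ \t]*\(.*?\)(.*?)^[ \t]*End[ \t]+Sub",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)


@dataclass
class Procedure:
    name: str
    trigger: str                      # "open", "close" or "none"
    suspicious: list = field(default_factory=list)


def strip_comments(body: str) -> str:
    """Drop VBA line comments so words in comments are not counted as calls.
    (Simplification: an apostrophe inside a string literal also truncates.)"""
    return "\n".join(line.split("'", 1)[0] for line in body.splitlines())


def parse_procedures(vba: str) -> list:
    """Return every Sub with its auto-exec trigger and the suspicious calls it makes."""
    procs = []
    for m in PROC_RE.finditer(vba):
        name, body = m.group(1), m.group(2)
        low = name.lower()
        trigger = "open" if low in OPEN_TRIGGERS else "close" if low in CLOSE_TRIGGERS else "none"
        hits = sorted({h.lower() for h in SUSPICIOUS_CALLS.findall(strip_comments(body))})
        procs.append(Procedure(name, trigger, hits))
    return procs


def close_only_stages(procs: list) -> list:
    """Names of procedures whose suspicious code runs only on close.
    A sandbox that opens the file and never closes it records nothing for these."""
    return [p.name for p in procs if p.trigger == "close" and p.suspicious]


def sandbox_actions_needed(procs: list) -> set:
    """User actions the sandbox must drive to exercise every auto-exec handler."""
    return {p.trigger for p in procs if p.trigger != "none"}


if __name__ == "__main__":
    procs = parse_procedures(SAMPLE_VBA)
    for p in procs:
        print(f"{p.name:<20} trigger={p.trigger:<5} suspicious={p.suspicious}")
    print("Missed by an open-only sandbox:", close_only_stages(procs))
    print("Sandbox must drive:", sorted(sandbox_actions_needed(procs)))
```

The static view complements the sandbox rather than replacing it: the analyzer tells you which events must be driven (here both open and close) so the dynamic run actually exercises the payload stage, and it flags the Document_Close handler as the one an open-only run would silently pass as clean.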
Soon after, they set their sights on compromising databases, such as CouchDB and Elasticsearch, with server-targeted ransomware.” Based on detailed findings from Cisco partner Rapid7, DevOps services that are deployed incorrectly or left open to the internet provide a prime opportunity for attack. The instances hit in these campaigns were reachable from the internet and accepted connections without authentication, so no exploit was needed, which points toward a greater need for secure deployment standards for DevOps technologies.

A Race Against the Clock

“Trends in malware volume have an impact on defenders’ time to detection (TTD), which is an important metric for any organization to understand how well its security defenses are performing under pressure from the constant barrage of malware deployed by adversaries,” reports Cisco. Not long ago, patching a vulnerability within 30 days was considered best practice. Now practitioners are in a constant race against the clock, and even Cisco’s measured median TTD of 4.6 hours, the window between a compromise and its detection, is much too long when self-propagating malware needs no human to spread. It is as if cybersecurity must now predict the future.

Fortunately, defenders have many clues about what is out there. The sooner professionals recognize the “speed and scale at which adversaries are amassing and refining their cyber weaponry,” the quicker and more agile they can be in mitigating threats. Resources like the Cisco 2018 Annual Cybersecurity Report offer an inside look at the areas of focus for both attackers and defenders, so security strategies can be adjusted accordingly and threats responded to more quickly.

The Cisco 2018 Annual Cybersecurity Report is designed to help organizations and users defend against attacks. It looks at the techniques and strategies adversaries use to break through defenses and evade detection. The report also highlights major findings from the Cisco 2018 Security Capabilities Benchmark Study, which examines the security posture of enterprises and their perceptions of their preparedness to defend against attacks.
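Returning to the exposed-database campaigns described under Persistence Pays Off: the misconfiguration behind them is visible in two lines of mongod.conf, the bind address and the authorization setting. The Python below is an added example (not from the Cisco report, Rapid7 or this post) that reads the two-level form mongod.conf uses in practice and audits it, with a constructed weak configuration beside a hardened one. The sample configs and all function names are my own; the parser is deliberately minimal and a real deployment would use PyYAML.

```python
# Constructed sample configs (not taken from the report or any real host).
WEAK_CONF = """\
# Typical of the instances hit in the January 2017 campaign: reachable from
# every interface, nothing in the security section.
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1      # local clients only; use an internal address plus TLS if remote access is needed
security:
  authorization: enabled # every connection must authenticate and is bound by roles
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_mongod_conf(text: str) -> dict:
    """Parse the 'section:' / '  key: value' form that mongod.conf uses in
    practice. Comments and blank lines are skipped. Minimal reader for the
    audit below; use PyYAML for anything richer (lists, deeper nesting)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if indent == 0:
            section = key
            conf[section] = {}
        elif section is not None:
            conf[section][key] = value
    return conf


def audit_mongod(conf: dict, default_bind: str = "127.0.0.1") -> list:
    """Return the findings an attacker scanning port 27017 would care about.

    default_bind is what an absent net.bindIp means: loopback on MongoDB 3.6+,
    all interfaces ("0.0.0.0") on older builds, which is why so many default
    installs were exposed in 2017."""
    net = conf.get("net", {})
    security = conf.get("security", {})
    addrs = [a.strip() for a in str(net.get("bindIp", default_bind)).split(",") if a.strip()]
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    exposed = bind_all or any(a not in LOOPBACK for a in addrs)
    auth_on = str(security.get("authorization", "disabled")).lower() == "enabled"

    findings = []
    if exposed and not auth_on:
        findings.append("CRITICAL: reachable beyond loopback with no authorization; "
                        "anyone who can connect can read, drop or encrypt every database")
    elif exposed:
        findings.append("WARN: reachable beyond loopback; restrict with firewall rules and enable TLS")
    elif not auth_on:
        findings.append("WARN: security.authorization is not enabled; any local process has full access")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_mongod(parse_mongod_conf(text)) or ['OK']}")
```

The check is ordered the way the risk compounds: network exposure alone is survivable behind authentication, missing authentication alone is survivable behind loopback, and the combination is the ransom-note scenario. The default_bind parameter matters because an absent bindIp meant different things before and after MongoDB 3.6, so an audit has to know which build it is looking at.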

To read the complete Cisco 2018 Annual Cybersecurity Report, click here to download. Additionally, you can earn a badge and a Certificate of Completion when you pass the ACR 2018 Assessment, available here. Simply apply code ACR2018 to take the assessment free. 
