July 13, 2016
“5 days for a banking system to be down? That’s a lot of money down the drain… We can’t afford this hack right now… And frankly I think we can find 5.9 million in between our couch cushions. It’s nothing.”
- Susan Jacobs, general counsel, E Corp
Season 2 Spoiler Alert – If you watch Mr. Robot, be aware: the season starts July 13th on USA Network.
The popular dark cyber-thriller and hit US TV-show, Mr. Robot, is back and the show’s global success offers a perfect opportunity to educate businesses and employees around the dangers of email security. If you don’t want to know how the first episode plays out, look away now.
The new episode features the hacking group, Fsociety, conducting a Cryptowall ransomware attack on E Corp, crippling all of its networked computers, and demanding a hefty ransom. The firm’s general counsel recommends they pay the ransom as it will cost more in lost earnings to do otherwise.
This price-point dilemma is at the heart of ransomware’s success. For smaller businesses, the ransom is often pitched at $400-$1,000, paid, of course, in bitcoin.
The temptation to pay up and move on is all too easy. Ransomware is therefore flourishing around the world and as of the end of March, 93 percent of all phishing emails contained encryption ransomware, according to a report released last month by PhishMe.
Yet the FBI doesn’t support paying a ransom in response to a ransomware attack. They say that you should never try to negotiate with the attackers, because it further encourages cybercrime and there is no guarantee they’ll even release your data. Instead, pull the plug (yes, pull the power) on the affected patient-zero computer, so you can preserve its hard drive for forensic analysis later.
This same style of malware disrupted a series of US hospitals in March and Lincolnshire County Council in February. More recently there were reports that Office 365 was being targeted by a massive Cerber ransomware attack.
Mimecast Threat Labs have seen significant ransomware attacks spread by weaponized attachments. These are often Microsoft Office files booby-trapped with malicious macros, delivered by email, that download and execute ransomware when opened. Our own research recently found 44% of firms had seen an increase in attacks with added social engineering asking users to enable macros. 67% were not confident their employees would spot this combined attack.
So how do you defend your organization against ransomware?
The FBI suggests two key approaches:
- Prevention efforts—both in terms of awareness training for employees and robust technical prevention controls
- The creation of a solid business continuity and backup plans in the event of a ransomware attack
Prevention is key, but traditional anti-virus software offers increasingly little protection against new variants of malware sent by email. Organizations need to combine rigorous employee training with technology that analyses malicious links and attachments in real time.
Ransomware has become a well-funded, well-organized cyber threat in today’s market. The perpetrators have simply become too good at it, and quietly paying attackers off in the event that your network is hit only emboldens them further. A variant of Cryptowall earned its creators around $300 million in a very short space of time, so these criminals are well-funded and very capable. Who has a similarly sized IT budget? Not many of us, if any.
Effective cyber resiliency, therefore, requires new methods of prevention and third-party archives to get you back on your feet if something still gets through.
In a brief warning alert last week, US-CERT urged individuals and organizations to proactively secure systems against an increase in malware spread via macros. Mimecast is today offering new guidance to help organizations combat this threat.
Our own research also points to a resurgence in this attack technique. We found that:
- 50% of firms have seen email attacks that use macros in attachments increase
- 44% saw an increase in attacks with social engineering asking users to enable macros
- 67% are not confident employees would spot this combined attack
These findings came from a recent Mimecast security survey of 436 IT experts at organizations in the US, UK, South Africa and Australia in March 2016.
While most organizations choose to block executable attachments at the gateway by default, they must still allow files such as Microsoft Office documents to pass freely if employees are to be productive. Attackers exploit this by weaponizing files in these common formats.
Here’s a recent targeted attack email we saw containing a weaponized attachment:
Mimecast Email Security Guide to Stop Malicious Macros
Here are five recommendations to help you stop weaponized attachments and macro-enabled malware:
- Ensure macros are not enabled by default across your Microsoft Office application estate, and that ‘Protected View’ is enabled at all times
- Consider disabling macros and VBA code in all but essential applications
- Ensure all email attachments are sandboxed by an appropriately advanced email security gateway. Remember that non-sandboxing gateways are not able to recognize or signature macros, because the macro code itself is not a viral payload
- Consider a secure email gateway that offers the capability to neutralize weaponized attachments, or strip active code from all inbound Office documents
- Train and educate end users about the changing nature of threats in email. Ensure they understand the risks presented to their inboxes, and how to handle unexpected email and attachments. Ensure they understand the hacker’s tactics and how to recognize simple social engineering attacks
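As an added example (not Mimecast's code and not part of the original post), here is a Python check a mail gateway could run on inbound Office attachments: it recognizes a VBA project inside a zip-based or legacy OLE document, which signature scanning alone does not do, and blocks outright when a macro-free extension such as .docx is carrying one. The sample documents are constructed in memory; the stream and content-type names are the ones Office itself uses.

```python
import io
import zipfile

# Content type OOXML declares for a VBA project part in [Content_Types].xml
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Magic bytes of an OLE2 compound file (legacy .doc/.xls/.ppt)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions Office uses for macro-free documents; VBA inside one is a type mismatch
MACRO_FREE_EXT = {".docx", ".xlsx", ".pptx"}


def ooxml_has_vba(data: bytes) -> bool:
    """True if a zip-based Office file contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                return VBA_CONTENT_TYPE in z.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass
    return False


def ole_has_vba(data: bytes) -> bool:
    """Cheap check for legacy binary Office files: a VBA storage always holds a
    stream named _VBA_PROJECT, and OLE stores directory names as UTF-16LE."""
    return data.startswith(OLE_MAGIC) and "_VBA_PROJECT".encode("utf-16-le") in data


def classify_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict: 'block' when a macro-free extension hides VBA (the file
    lies about its type), 'sandbox-or-strip' for any other macro-bearing file,
    'allow' otherwise."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not (ooxml_has_vba(data) or ole_has_vba(data)):
        return "allow"
    return "block" if ext in MACRO_FREE_EXT else "sandbox-or-strip"


def make_sample_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-style zip used as sample input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_vba:
            types += b'<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + b'"/>'
            z.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
        z.writestr("[Content_Types].xml", types + b"</Types>")
        z.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()
```

A production gateway would go on to detonate the "sandbox-or-strip" files or remove the VBA part before delivery; this check only decides which files need that treatment.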
You can see more examples in my recent security advisory on macro threats.
Surely everyone changed their LinkedIn credentials in 2012, when the LinkedIn hack was made public, right?
Furthermore, most users would have doubled down on their credential security - changing their passwords to something complex and perhaps using a secure service like LastPass to manage those credentials securely, right?
So when LinkedIn confirmed last week that more than 100 million members' email and password combinations stemming from a 2012 data breach have been posted online, the natural question is 'why bother'?
As I pointed out to CNET this week, it's no longer the credentials themselves which have value (although there might be a few laggards who still haven't changed their passwords). It's the fact that cybercriminals now home in on a target by building very accurate pictures of companies and employees ripe for targeting. Also, as I discussed with Computing in March, LinkedIn is now the principal supermarket for enterprise hacking intelligence - a front door for hackers.
Once the overall picture of an organization is complete, the email account of the target, be it personal or professional, becomes the Holy Grail for the attackers. Suddenly the penny drops… Peace, who according to a story from Vice's Motherboard is trying to sell the credentials for about $2,200 in bitcoin, is actually selling the email addresses.
And I'm sure he or she will sell the information in no time at all - because who thought it was important to change their password and email address in 2012? Not many.
Aside from the immediate damage of social engineering-based attacks, the damage will really be felt by organizations that have been hacked over the last few years and are high-value targets in general. What this action has done is highlight the long-tail value of hacking, inspiring cybercriminals to re-harvest old hack data and to mount more audacious attacks in future, as the financial incentive has been boosted further still.
You think you’re prepared to deal with cybersecurity threats. But, what if your organization became the target of a whaling attack, spear-phishing or weaponized attachment? These are just a few methods hackers and cybercriminals use to steal confidential data, employee information and even cash. Are you confident that your corporate email can protect your organization from these insidious attacks?
To ensure you really are equipped to cope with email-based attacks, you need to get in touch with your true IT security self. This can help you find out how much of an impact past experience with email attacks has on future preparedness, and whether or not your organization is dedicating enough of its IT budget to cybersecurity.
Don’t worry: we can help. Mimecast recently surveyed hundreds of IT security pros across the globe to get to the bottom of how they felt about email security preparedness. Those responses identified the gaps between how prepared they think their companies are against email threats, and how prepared they actually are. Based on this insight, we spotted five security “personas” of IT security pros, or ways of helping you self-identify with a group that shares your values:
- The Vigilant: This is less than one-fifth of IT security professionals. They demonstrate a high confidence in their ability to handle or defend against cyber threats, despite no experience with email hacks or data breaches.
- The Equipped Veterans: Approximately one-fifth of IT security professionals – they are confident in their cybersecurity and have dealt with attacks in the past.
- The Apprehensive: About one-third of IT security professionals – they have no experience with data breaches or hacks and do not feel confident in their level of preparedness.
- The Nervous: Less than one-tenth of IT security professionals – they feel completely ill-equipped to cope with the cyber threat.
- The Battle-Scarred: Just over one-quarter of IT security professionals – these have experienced a history of data breaches or email hacks, but still feel unprepared to defend themselves against attacks in the future.
Ready to find out your true IT security persona? Take our IT Security Persona Test now. Learn about your distinct personality type and tips to boost your confidence.