Opportunistic cybercriminals tweaking old threats for new targets: Forcepoint

Medium-sized businesses face a surging threat from opportunistic cybercriminals who are changing their strategies as large enterprises become more complex to penetrate, a security-strategy director has warned as new figures correlate declines in spam email with a resurgence in time-honoured document-based macro malware.

The warnings come as newly minted security firm Forcepoint releases its Forcepoint 2016 Global Threat Report, which for the first time combines the experience of a global Special Investigations team comprised of security specialists across its former Raytheon Cyber Products, Websense, and Stonesoft constituent organisations.

This year's report, which draws on analysis of security trends across 155 countries, includes the discovery of a new botnet campaign called Jaku that had a mean dwell time – the time between infection and detection – of 93 days and had persisted within the networks of its 19,000 victims, in 134 countries, for up to 348 days without detection.

A significant drop in the volume of email that is classified as spam – from 88.5 percent in 2014 to 68.4 percent last year – suggests that attackers are shifting their approach away from scatterbomb attacks to more focused, carefully-crafted attacks.

Nearly 92 percent of spam and malicious email now includes a URL – intended to direct users to malware-laden Web sites – and the inclusion of macros in malicious emails was up 44.7 percent over the previous year, with more than 4 million malicious macros detected.

“We saw a lot of malicious code that wasn't an actual executable attack,” director of security technologies Bob Hansmann told CSO Australia. “This makes sense since in the past few years everyone has been responding to the threat by saying that they need better malware defences, sandboxes, and all this protection against executables.”

“The bad guys are just saying 'OK, we'll go around that'. And all of a sudden, macros are coming back to life. Spam is going down yet new techniques around malicious code are going up – which means you have a greater risk from email now than we have seen in years.”

Many attackers were also sharpening their use of ransomware, which has proven to be remarkably successful – particularly in Australia, with its massive base of vulnerable small and medium businesses. Those businesses were increasingly coming to cybercriminals' attention as larger companies' improved defences drove them to search for softer targets.

“They are realising that the really big companies have invested in defences so they are going to go where the money is easier,” Hansmann said, “and that is the massive middle market. So organisations need to realise that if they pop up in any kind of a Google search as being in a country with a good economy, in an industry that's making money, that a number of factors can make them look like very juicy targets for these criminals.”

Businesses were also often being left exposed through poor integration of security practices during mergers and acquisitions – which, the reports author's warned, represent “one of the greatest cybersecurity risk catalyst across industry sectors. Blending companies increases the complexity in protecting an organisation's sensitive data.... The creation of a blueprint for secure consolidation and management of critical data is indispensable to the successful integration of formerly independent organisations.”

This and other advice, however is often falling on deaf ears, Hansmann said, noting that “people just aren't paying attention to those common good practices” in areas like password protection and that more than half of insider threats were due to accidents rather than malicious Edward Snowden-like compromise.

Lack of investment in insider threat-prevention programs had perpetuated this problem, with less than 40 percent of recently surveyed organisations saying they had dedicated budget to preventing insider threats. This, despite widespread use of remote access and use of easily-compromised credentials providing direct access to key corporate servers.

“We are getting cavalier about it,” he says. “A lot of it comes from the proliferation of mobile apps that encourage us to go and click and interact with the world. There are behaviours that we need to teach people in business and in the office; they need to consider things from a different perspective.”

Join the CSO newsletter!

Error: Please check your email address.

Tags cyber attackscyber criminalsbotnet campaignsecurity strategyransomwaremalwarewebsensemacro malwareStonesoftForcepointtargeted attacks

More about CSOGoogleStonesoftWebsense

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

More videos

Blog Posts