In the beginning of 2015, we were faced with a paradox: none of the prominent threats were new—the schemes and attacks we saw used very common cybercriminal tactics—and yet they were all still so effective. Regardless of how well individuals and organizations implemented basic security measures, the simplest of blind spots had left them exposed. Who knew online and mobile ads, over-the-counter transactions, and even basic Word documents could still cause so much trouble?
Complete and blind trust in third-party vendors or service providers can put online users at risk. Cybercriminals used infected online ads to inject the BEDEP malware, which downloads itself automatically when the ads are displayed. Lenovo® indirectly enabled man-in-the-middle (MitM) attacks by packaging Superfish, a visual search technology that exhibits adware behaviors, in its consumer-grade laptops. Meanwhile, mobile attackers disguised the adware “MobiDash” or “MDash” on Google Play™ and used it to display ads that compromise user mobile safety.
These attacks exploit online advertising systems and reveal security gaps in the “supply chain.” This exposes site visitors to threats, and could potentially damage the reputations of web administrators.
[Read: Malvertising: When Online Ads Attack]
Crypto-ransomware numbers are still rising. Infection counts quadrupled from 1,540 in Q1 2014 to 7,844 in Q1 2015. Crypto-ransomware infections make up almost half (49%) of the total ransomware volume found as of last quarter.
Notably, work files are continually being held for ransom. Certain crypto-ransomware variants have routines that directly target enterprises. The TorrentLocker copycat CryptoFortress can encrypt files in network shares, a resource sharing behavior usually established in enterprise networks.
Meanwhile, Ransomweb (CRYPWEB) can encrypt websites and web servers. Although similar routines were seen last year, the emergence of two new ones further establishes enterprises as crypto-ransomware targets.
A new crypto-ransomware variant, CRYPAURA, can encrypt over a hundred file types. Meanwhile, TeslaCrypt targets online gamers. By using the “freemium” model to establish good faith, cybercriminals were able to trick gamers before going in for the kill.
[Read: Crypto-Ransomware Sightings and Trends for 1Q 2015]
Given the rise of crypto-ransomware numbers and its apparent expansion to cover enterprise targets, there is more reason for individuals and companies to strengthen backup systems and ensure that their files are protected.
Knowing is always half the battle. The continuing surge of macro malware reminds a new generation of users to look back at old threats; unfamiliarity with them is exactly what attackers exploit. Macros automate repetitive tasks in Microsoft Office® to save time, but they have been disabled by default since Office 2003 to keep malware from abusing them.
Note that users must enable the macro feature for the malware to work. Last quarter, cybercriminals sent email attachments and instructed their victims to enable macros in order to read them. This allowed the download of the banking malware VAWTRAK. The BARTALEX Trojan also used spammed messages and embedded macros to spread automatically on user systems.
The use of macros may also be seen as an attempt by threats to bypass traditional antimalware solutions. Macros used in these threats are often obfuscated, allowing them to slip past spam filters or scanners, which are better at detecting executable programs than macros. Macros that can be enabled using batch files are also difficult to detect. Sandboxing may not work because of the obfuscation, or because users were already explicitly asked to agree to open the macro, unknowingly allowing malware to run on their systems.
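As an added illustration (not code from the original article) of how a mail gateway can flag the macro-bearing attachments described above: the script inspects an Office attachment, reports whether the package carries a VBA project, and flags a macro-free extension wrapping a macro package. The sample package and filenames are constructed for the demo, and the reference to oletools for legacy OLE2 files is an assumption about tooling, not part of the article.

```python
import io
import zipfile

# OOXML content type that marks an embedded VBA project
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Legacy binary Office files (.doc/.xls) start with the OLE2 compound-file magic
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that are not supposed to carry macros
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def inspect_office_attachment(data: bytes, filename: str) -> dict:
    """Classify an attachment and report whether it carries a VBA project.

    has_vba is True/False for OOXML packages and None for legacy OLE2 files,
    which need a dedicated OLE parser (e.g. oletools) to enumerate VBA streams.
    """
    result = {"container": "unknown", "has_vba": None,
              "vba_parts": [], "extension_mismatch": False}
    if data.startswith(OLE2_MAGIC):
        result["container"] = "ole2"
        return result
    if not data.startswith(b"PK\x03\x04"):
        return result
    result["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Word, Excel and PowerPoint all store macro code in a vbaProject.bin part
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace") \
            if "[Content_Types].xml" in names else ""
    result["has_vba"] = bool(result["vba_parts"]) or VBA_CONTENT_TYPE in ctypes
    # A macro-bearing package behind a macro-free extension is worth flagging
    result["extension_mismatch"] = result["has_vba"] and \
        filename.lower().endswith(MACRO_FREE_EXTENSIONS)
    return result


def build_sample_package(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style package for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        override = (f'<Override PartName="/word/vbaProject.bin" '
                    f'ContentType="{VBA_CONTENT_TYPE}"/>') if with_macro else ""
        zf.writestr("[Content_Types].xml", f"<Types>{override}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"CONSTRUCTED-VBA-PROJECT")
    return buf.getvalue()
```

A gateway rule built on this would quarantine or tag attachments with has_vba True (and any extension mismatch) for review instead of relying on the user to decline the "enable content" prompt.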
The FREAK vulnerability arrives hard on the heels of last year’s widely covered flaws Shellshock, Heartbleed, and POODLE. FREAK is a flaw in the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol used by countless sites and browsers, including roughly 10% of top domains as well as the Android and Safari web browsers. Named for “Factoring RSA Export Keys,” the bug forces a secure connection to use weaker, export-grade encryption, making it easy for cybercriminals to decrypt sensitive information.
The fact that the FREAK flaw has existed for decades and takes advantage of code written years ago revives the issue of vulnerability disclosure. The lack of direct accountability for patching these flaws makes it harder for IT administrators to mitigate risks. Such issues call for third-party solutions that independently and proactively research vulnerabilities in existing systems to shorten the exposure window and avoid exploits.
[Read: Developing Timeless Protection: Not Just for Zero-Day or Legacy Vulnerabilities]
The past quarter also saw the disclosure of Ghost, a buffer overflow vulnerability in Linux operating systems. Although initially thought of as a serious source of concern, this flaw has already been patched and its attack surface reduced to a very limited one.
The past quarter highlighted two notable trends observed in targeted attacks and data breaches: healthcare organizations as targets, and iOS™ devices as attack vectors.
The value of healthcare data was not lost on the perpetrators of separate data breaches against health insurers Anthem and Premera Blue Cross. Attackers stole the names, email addresses, and other personal information of millions of both insurers' customers and patients.
Country: United States | Records Lost: 80M | Types of Information Compromised: Names, dates of birth, member ID numbers, social security numbers, addresses, phone numbers, email addresses, employment information
Country: United States | Records Lost: 11M | Types of Information Compromised: Names, dates of birth, email addresses, addresses, telephone numbers, social security numbers, member ID numbers, bank account information, claims information, clinical information
*detected in January 2015 but may have occurred as early as May 2014
Country: United States | Records Lost: 4.5M | Types of Information Compromised: Five years' worth of patient data, names, addresses, social security numbers
Country: United States | Records Lost: 4M | Types of Information Compromised: Names, addresses, dates of birth, social security numbers
Country: United Kingdom | Records Lost: 8.3M | Types of Information Compromised: Unencrypted patient records
Country: United Kingdom | Records Lost: 8.3M | Types of Information Compromised: Patient records, prescriptions
Millions of iOS devices still running iOS 7 were also put at risk via apps used in Operation Pawn Storm. Researchers found two spyware apps compatible with iOS 7 that can use the device for snooping. Both jailbroken and non-jailbroken devices were affected, since these apps can be installed via enterprise provisioning.
Meanwhile, Operation Woolen Goldfish, a politically motivated campaign that continued its operations in the past quarter, was found attacking a number of public and private Israeli and European organizations using a malicious file hosted on Microsoft OneDrive®. This operation is one of two campaigns run by the Rocket Kitten cyber threat group, the other being the GHOLE malware campaign.
Retailers also remain targets of cyber attacks as Point-of-Sale (PoS) malware infections continue to rise. The one-man PoS malware campaign FighterPOS stole more than 22,000 unique credit card numbers from late February to early April 2015.
Meanwhile, PwnPOS, an old but only recently detected malware believed to have existed since 2013, was found using a RAM scraper to look for card data and connecting over SMTP to steal the information it harvested.
Exploit kits, notorious as an effective means of delivering Web-based attacks, have been around since 2006 and have since evolved to adopt new technologies in their routines. In the underground market, exploit kits are easily sold as ready-to-use Web threat programs.
Compared to the same quarter last year, we found a 30% increase in attacks using exploit kits. Of these attacks, the most exploited applications were Java™, Adobe®, and Internet Explorer.
There has been a notable dip in the number of newly released exploit kits. Even so, the prevalent use of old, well-developed exploit kits proves that Internet users can expect related infections to continue for the rest of the year and beyond.
Threat analysts Brooks Li and Joseph Chen also noted a harrowing pattern, saying, “zero-day exploits are now being deployed in malicious ads right away, instead of first being used in targeted attacks against enterprises or other large organizations.”
[Read: Exploit Kits and Malvertising: A Troublesome Combination]
Like client- and server-side vulnerabilities, web application vulnerabilities need to be patched, as they are possible entry points for attackers. These applications process business-relevant data and store it in a back-end database, which may itself have security holes.
Organizations are prone to attacks exploiting vulnerabilities in the widely used PHP platform, nearly all of which are server-related. These flaws are rated High to Critical and have been patched in the latest versions of the platform.
Many web applications are most vulnerable to non-persistent cross-site scripting (XSS), a severe flaw that only requires users to visit planted URLs for attackers to gain access to their personal accounts. Other critical web application flaws include SQL injection, in which attackers issue malicious SQL statements to gain site access, and OS commanding, in which attackers execute system-level commands.
The Trend Micro Smart Protection Network™ blocked a total of 14,006,002,252, or over 14 billion, threats in Q1 2015 alone.
Of these threats, the top three malware families counted last quarter were SALITY (85K), DOWNAD/CONFICKER (83K), and KRYPTIK (71K). SALITY variants are known for critically damaging routines carried out by spreading infected .EXE and .SCR files. DOWNAD/CONFICKER variants are notorious in the threat landscape for their persistence in exploiting vulnerabilities and propagating fast. KRYPTIK variants are Trojans that have recently been used to attack victims during the tax season.
There are now a total of 5,395,718, or roughly 5.4 million, malicious and high-risk Android apps, a 27% increase compared to Q4 2014 (4.3 million). Of these apps, roughly half are adware apps, which display advertising content usually without the consent of mobile device users.