5 Dangerous Cyberattacks Targeting Businesses Right Now
2015 Brings More Malware Infections, Targeted Attacks
Adobe Systems patched a zero-day vulnerability and issued a new warning about another potential zero-day flaw being targeted by attackers. While targeted attack campaigns use new and sophisticated malware and can target previously unknown software vulnerabilities, the vast majority of attacks don't need to be sophisticated or complex. New variants of older threats are surfacing with increased functionality and redesigned components, fine-tuned to evade detection and make malware analysis difficult. These five threats were documented by researchers over the past month. They serve as a reminder that the threat landscape is constantly evolving.
Sleeper Agents
Forensics investigators at Dell SecureWorks' Counter Threat Unit uncovered a remote access Trojan designed to remain dormant, executing only when an administrator logged in to perform maintenance on management software. The installer file the investigators found had sat on the system for eight months without being detected, according to the security vendor. The usual technical indicators of compromise -- command-and-control domains, IP addresses and file hashes -- were useless for detecting the "sleeper" RAT, Dell SecureWorks said, because each time it executes it is coded to generate a different domain and IP address, so indicators collected from one execution do not match the next. Detecting it depends on endpoint analysis that can single out files which may be dormant installers, rather than on network or hash-based matching. The evasion technique is significant and can be copied by other criminals for use in future attacks.
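The passage contrasts two detection approaches: matching known hashes and C2 addresses, which fails once the implant changes them per execution, and inventory-based endpoint analysis that looks for files behaving like dormant installers. The script below is an added example, not Dell SecureWorks' tooling and not code from the original article. It runs both approaches over a small, constructed endpoint file inventory (paths, hashes, timestamps and execution counts are all made up) and uses an assumed heuristic: an unsigned executable that has existed for at least 90 days with at most one recorded execution is a dormancy candidate. Field names such as `exec_count` and `in_persistence` are this example's own, standing in for whatever Prefetch-, Amcache- or autoruns-style telemetry an EDR product collects.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class FileRecord:
    """One row of an endpoint file inventory (constructed schema for this example)."""
    path: str
    sha256: str
    created: datetime                  # filesystem creation time
    exec_count: int                    # runs recorded by Prefetch/Amcache-style telemetry
    last_executed: Optional[datetime]  # None = never observed running
    signed: bool                       # carries a valid Authenticode signature
    in_persistence: bool               # referenced by a service, scheduled task or Run key


EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll", ".scr")


def ioc_hits(records: Iterable[FileRecord], bad_hashes: Set[str]) -> List[FileRecord]:
    """Classic indicator matching: flag only files whose hash is already known bad."""
    wanted = {h.lower() for h in bad_hashes}
    return [r for r in records if r.sha256.lower() in wanted]


def dormant_candidates(records: Iterable[FileRecord], now: datetime,
                       min_age_days: int = 90) -> List[FileRecord]:
    """Behavioural hunt: unsigned executables that have sat on disk for months with
    at most one recorded execution. Zero runs means the implant has not fired yet;
    a single run long after creation matches the 'woke up when an admin logged in'
    pattern described in the article. Thresholds are assumptions, not vendor logic."""
    hits = []
    for r in records:
        if not r.path.lower().endswith(EXECUTABLE_SUFFIXES) or r.signed:
            continue
        if now - r.created < timedelta(days=min_age_days):
            continue          # too new to count as dormant
        if r.exec_count > 1:
            continue          # runs routinely; not a sleeper
        hits.append(r)
    return sorted(hits, key=lambda r: r.created)


# Constructed inventory: five files on one host, analysed as of this date.
NOW = datetime(2015, 2, 1)
SAMPLE = [
    # Signed OS binary, runs constantly: never a candidate.
    FileRecord(r"C:\Windows\System32\svchost.exe", "a" * 64,
               datetime(2013, 8, 1), 9000, datetime(2015, 1, 31), True, True),
    # Unsigned installer dropped eight months ago, never executed: the sleeper.
    FileRecord(r"C:\ProgramData\VendorUpd\setup.exe", "b" * 64,
               datetime(2014, 5, 20), 0, None, False, False),
    # Unsigned tool downloaded five days ago: too new to be called dormant.
    FileRecord(r"C:\Users\admin\Downloads\tool.exe", "c" * 64,
               datetime(2015, 1, 27), 1, datetime(2015, 1, 27), False, False),
    # Signed vendor installer that ran once a year ago: legitimate.
    FileRecord(r"C:\Program Files\Vendor\install.msi", "d" * 64,
               datetime(2014, 1, 10), 1, datetime(2014, 1, 10), True, False),
    # Unsigned, persisted, created eight months ago, fired once two days ago.
    FileRecord(r"C:\Windows\Temp\mgmt_helper.exe", "e" * 64,
               datetime(2014, 6, 1), 1, datetime(2015, 1, 30), False, True),
]

# Constructed IOC feed. The sleeper's hash is not in it, which is the article's point.
KNOWN_BAD = {"0" * 64}


if __name__ == "__main__":
    print("IOC hits:", [r.path for r in ioc_hits(SAMPLE, KNOWN_BAD)])
    for r in dormant_candidates(SAMPLE, NOW):
        print("dormant candidate:", r.path, "created", r.created.date(),
              "runs", r.exec_count, "persisted" if r.in_persistence else "")
```

In this constructed data the hash feed returns nothing, while the dormancy hunt surfaces both the never-run installer and the persisted helper that executed once after eight months. In practice the heuristic produces false positives (old unsigned utilities that are rarely used), so the output is a triage list for an analyst, not an alert.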
Skeleton Key Malware
Newly discovered malware called "Skeleton Key" can bypass authentication on Active Directory deployments that rely on a single password for authentication. Once it is in place, attackers can authenticate as any user with a password of their choosing, while users' real passwords keep working, so nothing looks wrong to them, according to Dell SecureWorks, which uncovered the threat. The infection was discovered on a corporate network that let employees reach webmail and the VPN with a password alone; a second factor would have blocked the bypass. Dell SecureWorks said the attackers deployed Skeleton Key using credentials stolen from critical servers, administrator workstations and the targeted domain controllers themselves, which makes it a persistence tool for intruders who already hold privileged access rather than an initial way in.
Regin Malware Attack Tools Revealed
Regin, a complex threat on par with Stuxnet and Duqu, has been used for large-scale data collection and intelligence-gathering campaigns, according to malware analysts at Symantec, Kaspersky Lab and other security vendors. The attackers stole emails and documents and compromised telecom operators, which let them launch further attacks through the operators' Global System for Mobile Communications (GSM) infrastructure, according to a Kaspersky Lab analysis issued in November. The latest research documents a module called "Hopscotch," a well-designed tool for lateral movement within a compromised network, and "Legspin," a command-line utility designed to serve as a system backdoor. Kaspersky Lab estimates the modules are more than a decade old, which may mean the attackers have already moved on to even more advanced and evasive tooling.
Sir DoOom And Kjw0rm
Leaked source code from the Njw0rm worm has spawned a line of new remote access Trojans that can spread quickly to sensitive systems, according to malware analysis by Trend Micro. The worm propagates on removable drives and inspects infected systems for signs of a virtual machine installation. Trend Micro researcher Michael Marcos said the malware may originate from an Arabic-speaking country. Kjw0rm gives attackers remote access and the ability to upload additional malware. If it identifies a virtual machine on the system, the Kjw0rm worm uninstalls and terminates itself, a common evasion technique intended to keep samples from running in researchers' analysis sandboxes, Trend Micro said. Sir DoOom is one of the latest iterations; it was released in December, and the criminals behind the campaign have been actively developing new variants.
CryptoWall 3.0
The attack campaigns associated with CryptoWall are not targeted, but it is a dangerous threat driven by financially motivated cybercriminals. CryptoLocker, the ransomware notorious for encrypting files and extorting victims for the decryption key, is no longer functional, but security vendors have been warning about a new round of copycat ransomware. The third iteration of CryptoWall rose significantly in the past month. The attackers direct victims to a payment page that demands $500 for the decryption key, payable in bitcoin. The price is fixed for the first 167 hours, after which the ransom increases, according to Microsoft, which names the new CryptoWall malware Crowti. Victims were infected either by clicking a link in a spam email or through a Trojan downloader that delivers Crowti. More than 70 percent of the thousands of encounters with the threat were detected in the U.S., Microsoft said. Microsoft recommends that users back up their files and stay vigilant about suspicious links in email messages; backups should be kept where an infected machine cannot overwrite them, since CryptoWall also encrypts files on mapped network drives.