Hackers are making personalised ransomware to target the most profitable and vulnerable

Once a piece of ransomware has got hold of your valuable information, there is very little you can do to get it back other than accede to the attacker’s demands. Ransomware, a type of malware that holds a computer to ransom, has become particularly prevalent in the past few years and virtually unbreakable encryption has made it an even more powerful force.

Ransomware is typically delivered by powerful botnets used to send out millions of malicious emails to randomly targeted victims. These aim to extort relatively small amounts of money (normally £300-£500, but more in recent times) from as many victims as possible. But according to police officers we have interviewed from UK cyber crime units, ransomware attacks are becoming increasingly targeted at high-value victims. These are usually businesses that can afford to pay very large sums of money, up to £1,000,000 to get their data back.

In 2017 and 2018 there was a rise in such targeted ransomware attacks on UK businesses. Attackers increasingly use software to search for vulnerable computers and servers and then use various techniques to penetrate them. Most commonly, perpetrators use brute force attacks (using software to repeatedly try different passwords to find the right one), often on systems that let you operate computers remotely.

If the attackers gain access, they will try to infect other machines on the network and gather essential information about the company’s business operations, IT infrastructure and further potential vulnerabilities. These vulnerabilities can include when networks are not effectively segregated into different parts, or are not designed in a way that makes them easy to monitor (network visibility), or have weak administration passwords.

They then upload the ransomware, which encrypts valuable data and sends a ransom note. Using information such as the firm’s size, turnover and profits, the attackers will then estimate the amount the company can afford and tailor their ransom demand accordingly. Payment is typically requested in cryptocurrency, usually between 35 and 100 bitcoins.

According to the police officers we spoke to, another popular attack method is “spear phishing” or “big game hunting”. This involves researching specific people who handle finances in a company and sending them an email that pretends to be from another employee. The email will fabricate a story that encourages the recipient to open an attachment, normally a Word or Excel document containing malicious code.

These kinds of targeted attacks are typically carried out by professional groups motivated solely by profit, though some attacks seek to disrupt businesses or infrastructure. These criminal groups are highly organised and their activities constantly evolve. They are methodical, meticulous and creative in extorting money.

For example, traditional ransomware attacks ask for a fixed amount as part of an initial intimidating message, sometimes accompanied by a countdown clock. But in more targeted attacks, perpetrators typically drop a “proof of life” file onto the victim’s computer to demonstrate that they control the data. They will also send contact and payment details for release of the data, but also open up a tough negotiation process, which is sometimes automated, to extract as much money as possible.

According to the police, the criminals usually prefer to target fully-digitized businesses that rely highly on IT and data. They tend to favor small and medium-sized companies and avoid large corporations that have more advanced security. Big firms are also more likely to attract media attention, which could lead to increased police interest and significant disruptions to the criminal operations.

How to protect yourself

So what can be done to fight back against these attacks? Our work is part of the multi-university research project EMPHASIS, which studies the economic, social and psychological impact of ransomware. (As yet unpublished) data collected by EMPHASIS indicates that weak cyber security in the affected organisations is the main reason why cyber criminals have been so successful in extorting money from them.

One way to improve this situation would be to better protect remote computer access. This could be done by disabling the system when it’s not in use, and using stronger passwords and two-step authentication (when a second, specially generated code is needed to log in alongside a password). Alternatively, switch to a virtual private network, which connects machines via the internet as if they were in a private network.
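The brute-force pattern described earlier (software repeatedly trying passwords against an exposed remote-access service) leaves a clear trace in authentication logs, and spotting it is the cheapest complement to the controls above. The following is an added example, not part of the article or the EMPHASIS project: a sliding-window detector that flags a source address producing more than a threshold of failed logins within a time window, and records whether a successful login followed the burst. The log layout, the threshold and window values, and the sample lines are all constructed for this example.

```python
"""Sliding-window brute-force detector for remote-access logins (added example)."""
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failures tolerated per source inside the window (assumed value)
WINDOW = 300    # window length in seconds (assumed value)

# Constructed sample lines in a simple "timestamp result user source" layout.
# 203.0.113.7 is a fast burst that ends in a success; 192.0.2.9 is a slow
# drip of failures half an hour apart that should NOT be counted together.
SAMPLE_LOG = """\
2019-06-03T08:00:01 FAIL administrator 203.0.113.7
2019-06-03T08:00:03 FAIL admin 203.0.113.7
2019-06-03T08:00:04 FAIL root 203.0.113.7
2019-06-03T08:00:06 FAIL administrator 203.0.113.7
2019-06-03T08:00:07 FAIL backup 203.0.113.7
2019-06-03T08:00:09 FAIL administrator 203.0.113.7
2019-06-03T08:00:12 OK administrator 203.0.113.7
2019-06-03T08:05:00 FAIL alice 198.51.100.20
2019-06-03T08:05:10 OK alice 198.51.100.20
2019-06-03T09:00:00 FAIL bob 192.0.2.9
2019-06-03T09:30:00 FAIL bob 192.0.2.9
2019-06-03T10:00:00 FAIL bob 192.0.2.9
2019-06-03T10:30:00 FAIL bob 192.0.2.9
2019-06-03T11:00:00 FAIL bob 192.0.2.9
2019-06-03T11:30:00 FAIL bob 192.0.2.9
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, succeeded, user, source)."""
    ts, result, user, source = line.split()
    return datetime.fromisoformat(ts), result == "OK", user, source


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert dict per offending source address.

    A deque per source keeps only the failure timestamps that fall inside the
    window, so slow attempts spread over hours are dropped from the count
    while a fast burst accumulates. A success from a source that was already
    flagged is recorded as the most urgent case: the password was likely guessed.
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ok, user, source = parse_line(line)
        if ok:
            if source in alerts and alerts[source]["compromised_user"] is None:
                alerts[source]["success_after_burst"] = True
                alerts[source]["compromised_user"] = user
            continue
        recent = failures[source]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window:
            recent.popleft()
        if len(recent) > threshold and source not in alerts:
            alerts[source] = {
                "source": source,
                "failures_in_window": len(recent),
                "first_seen": recent[0].isoformat(),
                "success_after_burst": False,
                "compromised_user": None,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the default settings only the burst from 203.0.113.7 is reported, and the alert also shows that the `administrator` login succeeded three seconds after the burst, which is the signal that should trigger an immediate lockout and password reset rather than a routine ticket. Lowering the threshold and widening the window (for example, three failures in three hours) makes the detector catch the slow drip as well, at the cost of more false positives from users who simply mistype.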

Email filters and anti-virus software containing dedicated ransomware protection are vital. Companies should also regularly back up their data so it doesn’t matter if someone seizes the original. Backups must be tested and stored in locations that are inaccessible to ransomware.

These kinds of controls are crucial because ransomware attacks tend to leave very little evidence and so are inherently difficult to investigate. As such, targeted ransomware attacks are not going to stop any time soon, and attackers are only likely to get more sophisticated in their methods. Attackers are highly adaptive, so companies will have to respond just as smartly.



From proof-of-concept to exploitable

Exploitability assessment of vulnerabilities is important for both defenders and attackers. The ultimate way to assess exploitability is to craft a working exploit. However, this usually takes many hours and significant manual effort. To address this issue, automated techniques can be adopted. Existing solutions usually explore the crashing paths in depth, i.e., the paths taken by proof-of-concept (PoC) inputs that trigger vulnerabilities, and assess exploitability by finding exploitable states along those paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions rely heavily on symbolic execution and are not scalable in path exploration and exploit generation.

In this paper, we propose a novel solution to generate exploits for userspace programs or to facilitate the process of crafting a kernel UAF exploit. Technically, we utilize oriented fuzzing to explore diverging paths from the vulnerability point. For userspace programs, we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploits. For kernel UAF, we leverage a lightweight symbolic execution to identify, analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.

We have developed a prototype system and evaluated it on a set of 19 CTF (capture the flag) programs and 15 real-world Linux kernel UAF vulnerabilities. Experiment results showed it could generate exploits for most of the userspace test set, and it could also facilitate security mitigation bypassing and exploitability evaluation for the kernel test set.


Due to the success of automated vulnerability discovery solutions (e.g., fuzzing), more and more vulnerabilities are found in real world applications, together with proof-of-concept (PoC) inputs. As a result, more and more human resources are spent on assessing vulnerabilities, e.g., identifying root causes and fixing them. It thus calls for solutions to automatically assess the severity and priority of vulnerabilities.

Vulnerability assessment, especially exploitability assessment, is important for both defenders and attackers. Attackers could isolate exploitable vulnerabilities and write exploits to launch attacks. On the other hand, defenders could prioritize exploitable vulnerabilities to fix first, and allocate resources accordingly. Moreover, defenders could learn from the exploits to generate IDS (Intrusion Detection System) signatures, to block future attacks.

A straightforward way to assess a vulnerability is analyzing the program state at the crashing point, i.e., the instruction leading to program crashes or security violations, which could be caught by a sanitizer. For example, Microsoft’s !exploitable tool inspects all instructions in the crashing point’s basic block, and searches for known exploitable patterns, e.g., control transfer instructions with tainted targets. HCSIFTER takes an extra step to recover the data corrupted by heap overflow, enabling the program to execute more code after the crashing point, and thus provides more reliable assessments. However, these solutions rely on heuristics to determine the exploitability of vulnerabilities, and thus are sometimes inaccurate. Moreover, they cannot provide exploit inputs to prove exploitability.
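The crash-point heuristics described above are what a triage pipeline uses to decide which of many fuzzer-found crashes a defender should fix first. As an added example (not code from the paper, and not !exploitable's actual rule set), the following classifier reads AddressSanitizer-style reports and assigns a coarse bucket from a small, ordered set of rules: a faulting program counter equal to the faulting address, a write out of bounds, a read from the zero page, and so on. The report texts, the bucket names and the rules themselves are constructed for this example; the point of the rules is also their weakness, since, as the paragraph notes, a pattern match at the crashing instruction says nothing about what the program does afterwards.

```python
"""Heuristic crash triage over AddressSanitizer-style reports (added example)."""
import re

# Constructed sample reports, abbreviated to the lines the classifier reads.
HEAP_WRITE = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x000000401234 bp 0x7ffd1234 sp 0x7ffd1220
WRITE of size 4 at 0x602000000014 thread T0
"""
HEAP_READ = """\
==4243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x000000401250 bp 0x7ffd1234 sp 0x7ffd1220
READ of size 1 at 0x602000000018 thread T0
"""
PC_CONTROL = """\
==4244==ERROR: AddressSanitizer: SEGV on unknown address 0x4141414141414141 (pc 0x4141414141414141 bp 0x7ffd1234 sp 0x7ffd1220 T0)
==4244==The signal is caused by a READ memory access.
"""
NULL_READ = """\
==4245==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000401300 bp 0x7ffd1234 sp 0x7ffd1220 T0)
==4245==The signal is caused by a READ memory access.
==4245==Hint: address points to the zero page.
"""

ERROR_RE = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-f]+)")
PC_RE = re.compile(r"\bpc (?P<pc>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+)", re.M)
SIGNAL_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")

# Severity order used to rank crashes for fixing (constructed bucket names).
RANK = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1, "UNKNOWN": 2, "PROBABLY_NOT_EXPLOITABLE": 3}


def parse_report(text):
    """Pull bug kind, faulting address, pc, access type and size out of a report."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("not an AddressSanitizer report")
    info = {"kind": m.group("kind"), "addr": int(m.group("addr"), 16),
            "pc": None, "access": None, "size": None}
    pc = PC_RE.search(text)
    if pc:
        info["pc"] = int(pc.group("pc"), 16)
    acc = ACCESS_RE.search(text) or SIGNAL_RE.search(text)
    if acc:
        info["access"] = acc.group("access")
        info["size"] = int(acc.group("size")) if "size" in acc.groupdict() else None
    return info


def classify(text):
    """Return (bucket, reason); rules are tried from most to least severe."""
    r = parse_report(text)
    # Rule 1: pc equals the faulting address, i.e. the CPU tried to fetch an
    # instruction from a corrupted pointer (a control transfer with a tainted target).
    if r["pc"] is not None and r["pc"] == r["addr"]:
        return "EXPLOITABLE", "instruction fetch from a corrupted address"
    # Rule 2: any out-of-bounds write corrupts memory the program will later trust.
    if r["access"] == "WRITE":
        return "EXPLOITABLE", f"{r['kind']} write of {r['size']} byte(s)"
    # Rule 3: reads near address zero are usually plain null-pointer dereferences.
    if r["addr"] < 0x10000:
        return "PROBABLY_NOT_EXPLOITABLE", "read from the zero page (null dereference)"
    # Rule 4: a sanitizer-caught invalid read can leak data or precede worse
    # corruption; a bare SEGV read at an arbitrary address needs more analysis.
    if r["access"] == "READ":
        if r["kind"] != "SEGV":
            return "PROBABLY_EXPLOITABLE", f"{r['kind']} read of {r['size']} byte(s)"
        return "UNKNOWN", "wild read; follow-on state not analysed"
    return "UNKNOWN", "no matching rule"


def prioritize(reports):
    """Order reports for fixing: most severe bucket first (stable within a bucket)."""
    return sorted((classify(t) for t in reports), key=lambda br: RANK[br[0]])


if __name__ == "__main__":
    for bucket, reason in prioritize([NULL_READ, HEAP_READ, HEAP_WRITE, PC_CONTROL]):
        print(f"{bucket:25s} {reason}")
```

Running it puts the two write/pc-control crashes at the top of the list and the zero-page read at the bottom. Note what the classifier cannot see: the `HEAP_READ` case is only "probably" exploitable because nothing in the report says whether the program keeps running after the read, which is exactly the gap the paper's crashing-path versus diverging-path analysis is aimed at.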

The ultimate way to assess the exploitability of a vulnerability is generating a working exploit. But crafting an exploit is typically regarded as a time-consuming manual process requiring security knowledge.

Several prototype approaches to automatically generating exploits have been proposed. Sean Heelan proposed a prototype in his thesis, using dynamic analysis and symbolic execution to generate exploits for classic buffer overflow vulnerabilities. AEG and Mayhem provide end-to-end systems to discover vulnerabilities and automatically generate exploits when possible, for source code and binaries respectively. Q (Schwartz et al. 2011) and CRAX could generate exploits for binaries given PoC inputs. However, these solutions are insufficient and could only solve a small number of problems. For example, the machines developed for the DARPA Cyber Grand Challenge (CGC) could only solve 26 out of 82 challenge programs in total in the Final Event. Most solutions could not exploit heap-based vulnerabilities.

The OS kernel, with its far greater complexity and scale, is not suited to fully automated exploit generation. This is mainly because state-of-the-art program analysis techniques have many limitations. However, we can still use semi-automated techniques to facilitate exploitability evaluation by easing the process of exploit crafting.

Several challenges need to be addressed for both fully automated and semi-automated exploit generation:

Challenge 1: Exploit derivability issue. As pointed out in prior work, once a memory corruption vulnerability is triggered, the victim program’s state machine turns into a weird (state) machine. Exploitation is actually a process of programming the weird machine to perform unintended behavior. It is extremely important to set up the initial state of this weird machine in order to exploit it.

However, PoC inputs (e.g., provided by fuzzers) could corrupt some data and lead weird machines to non-exploitable initial states. For example, the program may exit soon after the crashing point due to some sanity checks. So, AEG solutions have to search for exploitable states not only in the crashing paths taken by PoC inputs, but also in alternative diverging paths. In the OS kernel, diverging paths cause different kernel panics. Generating an exploit for a kernel UAF vulnerability therefore also requires varying the context of the kernel panic and exploring exploitability in each context.

This is known as exploit derivability, one of the core challenges of exploitation.

Challenge 2: Symbolic execution bottleneck. Existing solutions rely heavily on symbolic execution to explore program paths (e.g., for vulnerability discovery), or to perform reasoning (e.g., for test case and exploit generation). AEG and Mayhem utilize symbolic execution to explore paths reachable from the vulnerability point and search for exploitable states, which mitigates the aforementioned exploit derivability issue. However, symbolic execution has scalability issues and performs poorly in exploit generation.

First, it faces the path explosion issue when exploring paths, and consumes too many resources even when analyzing only one path. Second, it gets blind to certain exploitable states after concretizing some values. For example, it has to concretize symbolic arguments of memory allocations and symbolic indexes of memory access operations in a path, in order to model the memory states and enable exploring following sub-paths. But the concretized values could lead to non-exploitable memory states.

To solve the exploit derivability issue, we must search for exploitable states in diverging paths and not only in crashing paths. However, symbolic execution, which is heavily used in existing solutions, has several severe challenges and is not suitable for path exploration or exploitable state searching, especially for heap-based vulnerabilities or UAF in the OS kernel. So instead of symbolic execution, we use fuzzing to explore diverging paths.

First, we use dynamic analysis to analyze the vulnerabilities and collect some runtime information in the crashing path. In addition, we inspect corrupted memory objects (denoted as exceptional objects), and objects that can be used to locate the exceptional objects. Then we use oriented fuzzing to search alternative diverging paths for exploitable states based on the information collected before. Finally, we try to synthesize new EXP inputs to trigger both the exploitable states in diverging paths and the vulnerabilities in crashing paths. In certain cases, we can directly generate working exploits, but this is not guaranteed. The complexity of the OS kernel is far beyond the ability of current constraint solvers. For the OS kernel, our goal is therefore not to fully automate exploit generation. Rather, we leverage a lightweight symbolic execution to explore exploitability under different contexts.

Results. We have built a framework, Revery, able to generate working control-flow hijacking exploits for userspace programs. We have also built a framework, FUZE, able to evaluate the exploitability of kernel Use-After-Free vulnerabilities.

We evaluated Revery on 19 CTF (Capture The Flag) programs. The evaluation demonstrated that Revery is effective in triggering exploitable states, and could generate working exploits for a large portion of them. More specifically, Revery could generate exploits for 9 (47%) out of 19 programs, while existing open source AEG solutions could not solve any of them. Furthermore, it could trigger exploitable states for another 5 (26%) of them.

We implement FUZE on a 64-bit Linux system by extending a binary analysis framework and a kernel fuzzer. Using 15 real-world kernel UAF vulnerabilities on Linux systems, we then demonstrate FUZE could not only escalate kernel UAF exploitability but also diversify working exploits from various kernel panics. In addition, we demonstrate FUZE could even help security analysts to craft exploits with the ability to bypass broadly-deployed security mitigation such as SMEP and SMAP.



Anomaly Detection in SOC – Friend or Foe?

Lots of security vendors talk about integrating innovative techniques using Artificial Intelligence. In cybersecurity, this often boils down to supervised or unsupervised anomaly detection over measured attributes. However, in many cases there is a big gap between identifying anomalies and transforming them into actionable data.

There are lots of buzzwords floating around cybersecurity: machine learning, artificial intelligence, supervised and unsupervised learning … In many cases these advanced technologies are based on anomaly detection. This makes a lot of sense since it’s hard – even impossible – to anticipate an attacker’s behavior. Also, in many cases there is not enough classified data to distinguish between benign and malicious events.

How Is Anomaly Detection Used in Cybersecurity?

Various behavioral anomaly detection techniques are used in almost every aspect of cybersecurity. For example, anomaly detection is extensively used in UEBA (User and Entity Behavioral Analytics), NTA (Network Traffic Anomaly), endpoint operational anomalies, etc. An anomaly can mean things like: “too many failed logins” in UEBA, “a lot of traffic sent from A to B” (where typically it sends much less) in NTA, or a process that executes another process in a way that looks like a statistical anomaly in endpoint protection.

Anomalies can be strong indicators of malicious activity but, in many cases, anomalies can be triggered by unexpected but legitimate actions. While anomalies are a powerful tool for threat hunting, they might be a burden on SOC analysts who are focused on addressing threats as part of their incident response.

Since there is a significant cost associated with false positive alerts, due to the time needed to investigate them, we should be very careful when flagging anomalies as security alerts in SOC. While some security devices do a great job of filtering out false positives, many simply dump all or many anomalies in the laps of security analysts for further investigation.

How Can SIEM Platforms Help Separate Valuable Anomalies From Noise?

When combining multiple sources of anomalies and other security signals such as alerts from IDS, EDR, mail security or any other product, the challenge is to automatically find the connections and merge those events into actionable information. Such information must separate the high-risk incidents from the noise. SIEMs that attempt to do so need to also show the evidence and provide analysts with the root-cause and the potential flow of an attack. This saves valuable time in the deeper investigation that will require the forensics data typically stored in the SIEM.

For example, consider an indication of a network anomaly where host A sent a lot of data to host B, when typically they do not communicate. This may be an indication of data exfiltration, but it can also be the result of various legitimate scenarios (e.g. unexpected but legitimate file sharing). If following this event there is an indication that node B scanned the network, or there is an indication that files were encrypted at an unusual rate, this should raise the severity of the security incident. If other indications are available for the entities involved, such as IDS alerts for node A or B, this would strengthen the case that all these singular events together tell a truly high-risk attack “story.”

This automatic fusion of anomalies and other events must be a key feature in the next generation of SIEMs that will direct SOC teams to deal with high severity alerts, rather than investigate loads of anomalies.
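The fusion the post calls for can be sketched concretely: link events that share an entity within a time window, then score each linked chain so that a lone network anomaly stays low-risk while the A-to-B transfer followed by a scan, rapid encryption and an IDS alert is raised to high severity. The code below is an added example and not code from the post or from any SIEM product; the event layout, the per-signal weights, the chaining bonus, the window and the sample events are all constructed for this example and would need tuning in a real environment.

```python
"""Entity-centric fusion of anomalies and alerts into scored incidents (added example)."""
from datetime import datetime, timedelta

# Weight per signal type (assumed values, not from the post).
WEIGHTS = {
    "net_anomaly": 1,    # unusual volume between two hosts (NTA)
    "scan": 3,           # one host probing many others
    "encrypt_rate": 4,   # files rewritten at an unusual rate (endpoint)
    "ids_alert": 2,      # signature hit from IDS
    "failed_logins": 1,  # UEBA: too many failures
}
CHAIN_BONUS = 2                 # extra weight per additional distinct signal type in a chain
WINDOW = timedelta(hours=2)     # how close in time linked events must be (assumed)

# Constructed sample events: (timestamp, type, source_host, dest_host or None).
EVENTS = [
    ("2020-01-10T09:00:00", "net_anomaly", "hostA", "hostB"),   # A sends a lot to B
    ("2020-01-10T09:20:00", "scan", "hostB", None),             # B scans the network
    ("2020-01-10T09:45:00", "ids_alert", "hostA", None),        # IDS fires on A
    ("2020-01-10T10:10:00", "encrypt_rate", "hostB", None),     # files on B encrypted fast
    ("2020-01-10T15:00:00", "net_anomaly", "hostC", "hostD"),   # isolated transfer, nothing follows
    ("2020-01-10T15:05:00", "failed_logins", "hostE", None),    # isolated UEBA anomaly
]


def to_events(rows):
    """Normalise the constructed tuples into dicts with a set of involved hosts."""
    return [{"ts": datetime.fromisoformat(ts), "type": t, "hosts": {s} | ({d} if d else set())}
            for ts, t, s, d in rows]


def fuse(rows, window=WINDOW):
    """Link events that share a host within `window` of the chain's latest event,
    merging chains when a new event bridges several of them, then score each chain.
    Returns incidents sorted by score, highest first."""
    events = sorted(to_events(rows), key=lambda e: e["ts"])
    incidents = []   # each: {"hosts": set, "events": list, "last_ts": datetime}
    for ev in events:
        matches = [inc for inc in incidents
                   if inc["hosts"] & ev["hosts"] and ev["ts"] - inc["last_ts"] <= window]
        if not matches:
            incidents.append({"hosts": set(ev["hosts"]), "events": [ev], "last_ts": ev["ts"]})
            continue
        # Merge every chain the new event touches, so A->B, B's scan and A's IDS
        # alert end up in one story even though no single pair shares all hosts.
        base = matches[0]
        for other in matches[1:]:
            base["hosts"] |= other["hosts"]
            base["events"] += other["events"]
            incidents.remove(other)
        base["hosts"] |= ev["hosts"]
        base["events"].append(ev)
        base["last_ts"] = max(base["last_ts"], ev["ts"])
    for inc in incidents:
        types = {e["type"] for e in inc["events"]}
        # Distinct signal types count once each; chaining several kinds of
        # evidence is what turns "an anomaly" into "an attack story".
        inc["score"] = sum(WEIGHTS[t] for t in types) + CHAIN_BONUS * (len(types) - 1)
        inc["severity"] = "high" if inc["score"] >= 8 else "medium" if inc["score"] >= 4 else "low"
        inc["types"] = sorted(types)
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in fuse(EVENTS):
        print(inc["severity"], inc["score"], sorted(inc["hosts"]), inc["types"])
```

With the sample events, the four linked signals around hostA and hostB become one high-severity incident carrying the evidence chain an analyst needs, while the hostC/hostD transfer and the hostE login failures stay as low-severity singletons that can wait for threat hunting. Shrinking the window to a few minutes breaks the chain into separate events, which shows why the window and weights need tuning against real data rather than being fixed constants.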


Security Predictions for 2020

In this year’s Cyber Security Predictions, the WatchGuard Threat Lab has imagined the top cyber attacks we’ll see in 2020 and has provided tips for simplifying your approach to stopping them. Even though the threats coming at you won’t be any less intense, complicated, or difficult to manage, 2020 will be the year of simplified security.

1. Ransomware Targets the Cloud


  • Ransomware is a billion-dollar industry.
  • Overall volume of ransomware is down, but targeted ransomware against vertical industries is on the rise.
  • In 2020, targeted ransomware now tries to infect consolidated cloud assets, such as file stores, S3 buckets, and virtual environments.

Ransomware is now a billion-dollar industry for hackers, and over the last decade we’ve seen extremely virulent strains of this malware wreak havoc across every industry. As with any big-money industry, ransomware will continue to evolve in order to maximize profits. In 2020, we believe ransomware will focus on the cloud.

Recently, untargeted “shotgun blast” ransomware has plateaued with attackers showing preference for targeted attacks against industries whose businesses cannot function with any downtime. These include healthcare, state and local governments, and industrial control systems.

Despite its far-reaching damages and soaring revenues, ransomware has largely left the cloud untouched. As businesses of every size move both their servers and data to the cloud, it has become a one-stop shop for all of our most important data. In 2020, we expect to see this safe haven crumble as ransomware begins targeting cloud-based assets including file stores, S3 buckets, and virtual environments.

Security Tips: Do you have cloud security? Virtual or cloud UTM? Asking these questions is where to start. Use advanced malware protection to detect evasive malware. More importantly, consider new security paradigms that allow you to implement security controls, like advanced malware protection, in cloud use cases. Finally, the cloud can be secured, but it requires work. Make sure you’ve hardened your cloud workloads. For instance, investigate resources for properly securing S3 buckets.

2. GDPR Comes to the United States


  • California has passed the California Consumer Privacy Act (CCPA).
  • A national Consumer Data Protection Act (CDPA) will not pass in 2020.
  • In 2020, 10 or more states will pass laws like California’s CCPA.

Two years ago, the General Data Protection Regulation (GDPR) came into force, protecting the data and privacy rights of European Union citizens. As of yet, few places outside the EU have similar laws in place, but we expect to see the United States (U.S.) come closer to matching it in 2020.

GDPR boils down to placing restrictions on how organizations can process personal data, and what rights individuals have in limiting who may access that data, and it has already shown teeth. To date, companies have been fined millions of euros for GDPR violations, including massive €50 million and £99 million judgements in 2019 against Google and Marriott respectively. While the burden placed on companies can be intense, the protections provided to individuals are massively popular.

Meanwhile, the U.S. has suffered a social media privacy plague the last few years, with no real GDPR equivalent to protect local consumers. As organizations like Facebook leak more and more of our personal data, which bad actors have used in everything from targeted election manipulation to unethical bounty hunting, U.S. citizens are starting to clamor for privacy protections like those enjoyed by our European brothers and sisters. So far, only one state, California, has responded by passing its California Consumer Privacy Act (CCPA), which goes into effect in early 2020.

Though the same senator who passed CCPA in California has proposed a Federal Consumer Data Privacy Act (CDPA) bill, we don’t think it will gain enough support to pass nationwide in 2020. However, we do expect more and more states to jump onto California’s bandwagon, and pass state-level consumer privacy acts of their own. In 2020, we anticipate that 10 or more states will enact similar laws to California’s CCPA.

Security Tips: There isn’t a specific security tip for this prediction, but you can still take action. Contact your local congressperson to share your opinion on regulations to protect your privacy. Meanwhile, consider the lack of regulation here when sharing your private information online and with social networks.

3. Voter Registration Systems Targeted During the 2020 Elections


  • Though voting machines are hackable, adversaries won’t spend much time targeting them.
  • However, external threat actors will go after state and local voter databases with the goal of creating voting havoc and triggering voter-fraud alerts during 2020 elections.

Election hacking has been a hot topic ever since the 2016 U.S. elections. Over the last four years, news cycles have covered everything from misinformation spread across social media to alleged breaches of state voter systems. During the 2020 U.S. presidential elections, we predict that external threat actors will target state and local voter databases with a goal of creating voting havoc and triggering voter fraud-alerts during the 2020 elections.

Security experts have already shown that many of the systems we rely on for voter registration and election day voting suffer from significant digital vulnerabilities. In fact, attackers even probed some of these weaknesses during the 2016 election, stealing voter registration data from various states. While these state-sponsored attackers seemed to draw the line by avoiding altering voting results, we suspect their previous success will embolden them during the 2020 election, and they will target and manipulate our voter registration systems to make it harder for legitimate voters to submit their votes, and to call into question the validity of vote counts.

Security Tips:

While there isn’t a specific cybersecurity tip for this prediction, we do have some voter preparedness tips in the event this prediction comes true. First, double-check the status of your voter registration a few days before the election. Also, monitor the news for any updates about voter registration database hacks, and be sure to contact your local state voter authority if you are concerned. Be sure to print out the result of a successful voter registration, and bring your ID on election day, even if technically unnecessary.

4. During 2020, 25% of All Breaches Will Happen Outside the Perimeter


  • While working remotely can increase productivity and reduce burnout, it comes with its own set of security risks.
  • A quarter of all network compromises or data breaches will involve off-network assets.

Mobile device usage and remote employees have been on the rise for several years now. A recent survey by WatchGuard and CITE Research found 90% of mid-market businesses have employees working half their week outside the office. While remote working can increase productivity and reduce burnout, it comes with its own set of security risks. Mobile employees often work without any network perimeter security, missing out on an important part of a layered security defense. Additionally, mobile devices can often mask telltale signs of phishing attacks and other security threats. We predict that in 2020, one quarter of all data breaches will involve telecommuters, mobile devices, and off-premises assets.

Security Tips: Make sure you’re as diligent implementing off-network protection for your employees as you are perimeter protection. Any laptop or device that leaves the office needs a full suite of security services, including a local firewall, advanced malware protection, DNS filtering, disk encryption, and multi-factor authentication, among other protections.

5. The Cybersecurity Skills Gap Widens


  • Universities and cybersecurity trade organizations are not graduating qualified candidates fast enough to fill the demand for new information security employees.
  • The cybersecurity skills gap grows by 15%.

Cybersecurity, or the lack of it, has gone mainstream. A day doesn’t seem to go by where the general public doesn’t hear of some new data breach, ransomware attack, company network compromise, or state-sponsored cyber attack. Meanwhile, consumers have also become intimately aware of how their own personal data privacy contributes to their own security (thanks, Facebook). As a result, it’s no surprise that the demand for cybersecurity expertise is at an all-time high.

The problem is, we don’t have the skilled professionals to fill this demand. According to the latest studies, almost three million cybersecurity jobs remained unfilled during 2018. Universities and cybersecurity trade organizations are not graduating qualified candidates fast enough to fill the demand for new information security employees. Three-fourths of companies claim this shortage in cybersecurity skills has affected them and lessened their security.

Unfortunately, we don’t see this cybersecurity skills gap lessening in 2020. Demand for skilled cybersecurity professionals keeps growing, yet we haven’t seen any recruiting and educational changes that will increase the supply. Whether it be from a lack of proper formal education courses on cybersecurity or an aversion to the often-thankless job of working on the front lines, we predict the cybersecurity skills gap to increase an additional 15% next year. Let’s hope this scarcity of expertise doesn’t result in an increase in successful attacks.

Security Tips: While the available cybersecurity workforce won’t appear immediately, you do have options to help create and manage a strong cyber defense. Taking a long-term view, you can work with your local educational institutes to identify future cybersecurity professionals so that you might fill your open roles first. In the short term, focus on solutions that provide layered security in one solution, or work with a managed services provider or managed security services provider to whom you can outsource your security needs.

6. Multi-Factor Authentication (MFA) Becomes Standard for Mid-sized Companies


  • 2020 will bring increased adoption of MFA among mid-sized companies.
  • We’ll also see widespread adoption among all service providers, and even privileged or admin accounts at all businesses.

We predict that multi-factor authentication (MFA) will become a standard security control for mid-market companies in 2020. Whether it’s due to billions of emails and passwords having leaked onto the dark web, or the many database and password compromises online businesses suffer each year, or the fact that users still use silly and insecure passwords, the industry has finally realized that we are terrible at validating online identities.

Previously, MFA solutions were too cumbersome for mid-market organizations, but recently three things have paved the way for pervasive MFA, both SMS one-time password (OTP) and app-based models, among even SMBs. First, MFA solutions have become much simpler with cloud-only options. Second, mobile phones have removed the expensive requirement of hardware tokens, which were cost-prohibitive for mid-market companies. And finally, the deluge of password problems has proven the absolute requirement for a better authentication solution. While SMS OTP is now falling out of favor for legitimate security concerns, app-based MFA is here to stay.

The ease of use both for the end user and the IT administrator managing these MFA tools will finally enable organizations of all sizes to recognize the security benefits of additional authentication factors. That’s why we believe enterprise-wide MFA will become a de facto standard among all midsized companies next year.

Security Tips: This tip is simple – implement MFA throughout your organization. Everything from logging in to your laptop each day to accessing corporate cloud resources should have some sort of multi-factor authentication tied to it.


  • Wireless carriers that manage 4G and 5G networks often hand off calls and data to Wi-Fi networks to save bandwidth, particularly in high-density areas.
  • In 2020, flaws in this cellular to Wi-Fi handover process will allow attackers to access the voice and/or data of 5G mobile phones.

The newest cellular standard, 5G, is rolling out across the world and promises big improvements in speed and reliability. Unknown to most people, in large public areas like hotels, shopping centers, and airports, the voice and data traffic of your cellular-enabled device is carried both by cell towers and by Wi-Fi access points located throughout these public areas. Large mobile carriers do this to save network bandwidth in high-density areas. Your devices have intelligence built into them to automatically and silently switch between cellular and Wi-Fi. Security researchers have exposed some flaws in this cellular-to-Wi-Fi handover process, and it’s very likely that we will see a large 5G-to-Wi-Fi security vulnerability exposed in 2020 that could allow attackers to access the voice and/or data of 5G mobile phones.

Security Tips:

Most mobile devices don’t allow users to disable cellular to Wi-Fi handover (also known as Hotspot 2.0). Windows 10 currently does, however. If unsure, individuals should use a VPN on their cellular devices so that attackers eavesdropping on cellular to Wi-Fi connections won’t be able to access their data. For businesses looking to enable Hotspot 2.0, make sure your Wi-Fi access points (APs) have been tested independently to stop the six known Wi-Fi threat categories detailed at http://trustedwirelessenvironment.com. If the APs block these threats, attackers cannot eavesdrop on the cellular to Wi-Fi handoff.

SOURCE: https://www.securitymagazine.com/articles/91442-security-predictions-for-2020
