Hackers will attack your systems using local admin tools and continue to spread malware through macro-infected Office documents in 2019, according to Sophos’ 2019 Threat Report.
The report lauds the cyber security industry for blocking a number of common hacker techniques in recent years, but warns that cybercriminals are continuing to come up with inventive new ways to breach our systems, steal or render our data unintelligible and swindle us out of money.
Using macro-infected Word documents and Excel spreadsheets isn’t a new tactic; in fact, it was integral to one of the most far-reaching strains of ransomware yet, Locky. Crooks would send an email with a macro-infected Word document with a wingdings-style cryptic font, which prompted the users to “unscramble” the text by enabling macros. Of course, the text was never scrambled or encrypted and boom, you’ve got yourself a ransomware virus.
Security experts were able to lock down these threats by disabling macros in Office documents or opening documents in preview or protected mode. But that hasn’t stopped the hackers, and they’ve moved away from older, Locky-esque techniques almost entirely. The SophosLabs report found that only 3% of macro-infected attacks use exploits built before 2017. The devil works hard, but hackers work harder.
2019 macro attacks use a variety of tactics to either encourage users to enable the infected features or, sometimes, launch the attacks simply by opening the document. In Excel, for example, a number of vulnerabilities in the equation editor functionality allow an attack to run as soon as a spreadsheet is opened.
As you’d expect, Microsoft released a number of patches to combat these insidious attacks, but the report notes that a vast number of businesses could be without these essential updates due to a lack of patching. If you need a reminder of how essential installing these patch updates are, just remember that this was the main factor in the wildfire-like spread of the global WannaCry infection.
Unsurprisingly, email still remains the primary vehicle for malware distribution. Attacks are more targeted and convincing than ever before, spoofing your colleagues or a service you use daily to convince you to click a malicious link or download a document. Sophos advises that you be aware of the file types you share every day as well as the more traditionally suspicious attachments like zip files.
As technology has advanced for the good, it has also advanced for the bad. Hackers have been able to automate attacks for a number of years, but they’re switching back to good ol’ manual hacking and malware distribution. Why? Because automation was getting predictable.
Cybercriminals are now once again breaking into individual machines, networks or systems and distributing their attacks that way. A common inroad is the theft of login credentials via a common method like phishing, or the use of brute-force attacks to crack commonly-used passwords. If the logins they steal aren’t admin credentials – essential to spreading attacks across your network – then the hackers can use public domain tools to crack them.
Once in your system, the hackers can easily distribute their malware to your entire network. With admin privileges, they can execute any number of attacks, but Sophos found that they’re particularly partial to using local Windows tools to infect your systems. Rather than downloading malware or additional tools to help its spread, cybercriminals are using tools including Windows Scripting Host, the Windows Management Instrumentation Command line and the old favourite, PowerShell.
Once a hacker is inside your system, it’s difficult to get them out; it can even be difficult to spot them. The Marriott data breach disclosed late last year, which is the second-biggest in history and has quickly gained notoriety, was due to unauthorised people having access to its database for over four years.
To stop the fiends getting into your systems in the first place, it’s essential to look at your logins. Strong passwords make manual system infiltrations much harder, and often a business’ folly is an individual with an easy-to-guess password or a colleague who falls for a phishing scam. It’s essential to understand what constitutes a strong password – and, spoiler alert, adding numbers and symbols to your one-word password won’t cut it.
Our security expert Grant Campbell wrote a blog on choosing the perfect password, with everything you need to know to keep your logins secure.
A tool like Sophos Phish Threat is also an effective way to not only test how clued-up your workforce is on email-borne threats, but to also raise awareness of this persistent and still-effective hacker tactic and train those who fall victim.
Ransomware is like a bad smell; it just won’t go away. And for every strain that’s thwarted, a new one emerges, more insidious and stickier than the last one. The global WannaCry attack that hit the NHS brought ransomware into the mainstream and, arguably for the first time, made it a household name. But coverage has died down as businesses recovered, and its followers Petya/NotPetya and Bad Rabbit were talked about, but just didn’t quite make a big enough name for themselves.
A strain that’s been incredibly fruitful for cybercriminals in the wake of the big-name attacks is SamSam. Utilising the manual attack detailed above, it’s getting into systems and encrypting far more than your files; it’s also getting its hands on your system configuration and data files that are essential to running your apps, making it much harder to recover from and thus proving a goldmine for hackers. It’s already generated $6 million in ransom payments, with that number continuing to sharply increase.
So successful is SamSam, it’s generated a number of copycat strains, meaning if you’re not targeted with SamSam, you could be targeted with a very similar breed of ransomware.
With these new families of ransomware being developed at an alarming rate, it can feel like fighting a losing battle in keeping them at bay. Fear not, because Sophos Intercept X is just as clever as the malware developers and, thanks to deep learning, continues to learn and adapt. If you needed any convincing, take a look at its cabinet of awards, which is bursting at the seams:
It’s essential to be aware of the tactics that cybercriminals will use to infiltrate your business, lock down your data and infect your systems. But, notably, a lot of these newer tactics can be easily prevented by age-old advice.
Passwords are becoming a sticking point for a lot of people because of the misguided requirements from a number of services. By requiring passwords that are complex to remember – did you replace the s in your word with $ or 5? – but still easy to crack, you’re struggling to remember a host of different passwords, meaning you probably resort to re-using passwords or using easy-to-remember ones.
The good news is that there’s a method that can help you generate a password that’s both memorable and uncrackable: the secret is the length. By creating a password using a phrase which is important to you – or, even better, a sequence of random words – you can ensure a memorable password that hackers won’t have a chance of getting at. If you struggle with remembering multiple, long passwords, consider a password manager.
Vigilance when it comes to email is also essential – but nothing new. But as hackers get more targeted, it can be harder to spot these threats. That’s why Sophos Phish Threat is such a good tool; you can create fake phishing campaigns based on real-life successful examples, and if an employee clicks a link, they’re directed to training material. An important rule of thumb is if you aren’t expecting an email from someone, speak to them in person or on the phone.
Ransomware continues to be one of the fastest-advancing malware technologies out there, which is why you need a solution that adapts and advances alongside of it. Intercept X’s deep learning is a neural network based on how the human brain works, becoming predictive and proactive with each attack that hits it.
Our experts deal with these threats day-in, day-out, and can work with your business to provide a comprehensive solution that protects it from the entire, expanding cyberthreat landscape. Get in touch with us today to find out more.