From widely reported breaches like Ashley Madison to the dangerous, hard-to-detect techniques used by the Equation group and by Duqu 2.0, today’s cyber-espionage campaigns are far beyond what security teams are used to dealing with.
This Q&A with Bethwel Opil, Channel Sales Manager for East Africa at Kaspersky Lab, takes us through the evolution of malware techniques and how to detect and prevent them.
Q: What were some of Kaspersky Lab’s triumphs in cyber security in 2015?
A: Cyber-activity in 2015 was described by Kaspersky Lab’s Global Research and Analysis Team (GReAT) as “elusive”: full of cyber-criminals that are proving hard to catch, cyber-espionage actors that are even harder to attribute, and with privacy often the most elusive of all.
Kaspersky Lab is proud to have effectively detected the following in 2015, and announced these in order to ensure protection:
- The evolution of malware techniques. In 2015, GReAT discovered previously unseen methods used by the Equation group, whose malware can modify the firmware of hard drives, and by Duqu 2.0, whose infections make no changes to the disk or system settings, leaving almost no traces in the system. These two cyber-espionage campaigns surpassed anything known to date in terms of complexity and the sophistication of techniques.
- The merger of cybercrime and advanced persistent threats. In 2015 the Carbanak cyber-criminal gang stole up to $1 billion from financial institutions worldwide using targeted attack methods.
- New methods of data exfiltration. Satellite Turla was found to use satellite communications to manage its command-and-control traffic.
- An APT arms race. French-“speaking” Animal Farm and Arabic-“speaking” Desert Falcons were two of many cyber-threats seen during the year.
- Targeting executives through hotel networks. This prediction was later modified to include any venue where a high-profile target could be targeted outside the protected corporate perimeter. For example, the Duqu 2.0 malware infections were linked to the P5+1 events and venues for high-level meetings between world leaders.
- Precise attacks merged with mass surveillance. Animal Farm’s targeted cyber-attacks merged with DDoS attacks from the same threat actor, which is rare for advanced targeted cyber-campaigns.
- Threat actors add mobile attacks to their arsenal. Desert Falcons targeted Android users.
Given what seems to be an ongoing rise in cybercrime and cybercriminal activity globally, Kaspersky Lab has created, and continues to create, constant awareness of these realities by discussing the seriousness of the cybercriminal world. Through this, perhaps for the first time in history, issues relating to the security of the Internet and the protection of internal networks were discussed by, and became relevant to, every sector of the economy as well as everyday life: from finance, manufacturing/industrial, automotive and aircraft to wearable devices, healthcare, dating services and more. We believe that this is among our biggest triumphs in the cyber security space in 2015.
Further to this, Kaspersky Lab continuously provides the world with efficient, effective and economical preventative measures that will allow everyone to be cyber intelligent through different products that are on the market – to protect consumers and businesses from relevant cyber threats.
Q: How is Kaspersky Lab ready to deal with new tactics of cybercriminals?
A: Kaspersky Security Network (KSN), is Kaspersky Lab’s cloud-assisted service. It provides additional value to customers, protecting them even from, as yet, unknown threats by constantly monitoring the reputation of executed applications and accessed URLs. If the file reputation suddenly changes from ‘good’ to ‘bad’, KSN customers are informed within minutes and their corporate assets are immediately protected against them.
Q: Does Kaspersky Lab protect smart-connected home devices against cyber attacks?
A: Taking a random selection of the latest Internet-of-Things (IoT) products, Kaspersky Lab researchers have discovered serious possible threats regarding the ‘connected’ home. In fact, some real-world examples we tested in our own research labs demonstrated that even simple things can be exploited – for example, a coffeemaker can expose a homeowner’s Wi-Fi password, a baby video monitor can be controlled by a malicious third party, and a smartphone-controlled home security system can be fooled with a magnet.
Given the innovation of technology and the growth of broadband across the world and in Kenya, devices connected to the Internet pose a great platform for potential hackers. As a result, Kaspersky Lab has designed products that protect any device that has access to the Internet, to ensure it is protected from hacking, viruses and malware threats. However, this does not extend to smart-connected home devices (such as fridges or coffee makers).
Our experiment above, reassuringly, has shown that vendors of these types of products are considering cyber-security as they develop their IoT devices. Nevertheless, any connected, app-controlled device is almost certain to have at least one security issue. Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues – even those that are not critical. Vulnerabilities need to be fixed before the product even hits the market, as it can be much harder to fix a problem when a device has already been sold to thousands of homeowners.
Q: How does user awareness and education help prevent or reduce the impact of cyber crime?
A: In our experience, users and organisations often uphold an ‘it will not happen to me’ attitude towards cyber security issues. In fact, too often people underestimate how vulnerable they can be and thus fail to properly protect their devices and data from theft or loss due to cybercriminal activity. Too many people still don’t know how to spot a fake or compromised website or fraudulent payment credentials.
As such, educating and supporting users to fully appreciate how valuable their identity, information and data are is important to Kaspersky Lab, as this allows users to make informed decisions about their own safety and that of the people they care about.
Q: Do you have any partnerships with law enforcement for swift legislation, takedowns, arrests, and convictions?
A: Kaspersky Lab has a history of participating with law enforcement globally. In fact, last year the Dutch police arrested two men (18 and 22 years old) from Amersfoort, The Netherlands, on suspicion of involvement in CoinVault ransomware attacks.
Their malware campaign started in May 2014, targeting users in more than 20 countries. Kaspersky Lab was instrumental in contributing important research to the investigation, which assisted the National High Tech Crime Unit (NHTCU) of the Dutch Police in locating and identifying the alleged attackers. Panda Security also contributed to the investigation by pointing towards several samples of the malware.
Winning the battle against CoinVault was a joint effort between law enforcement and private companies, and a great result was achieved: the apprehension of two suspects.
Q: What are the most common malicious tools used by cyber criminals?
A: When we speak about malicious tools, we mean malicious programmes that are intended to automatically create viruses, worms, or Trojans, conduct DoS attacks on remote servers, and hack other computers. These tools are always used differently by cyber criminals when perpetrating an attack. However, some examples include:
Q: How can organisations protect themselves from well-meaning but careless employees who may be more focused on productivity than protecting the company’s sensitive or confidential information?
A: Unfortunately, employees can unknowingly install rogue applications or unlicensed software into a company network, which not only violates compliance laws or enterprise licensing agreements, but compromises the network.
As a result, organisations should look to undertake the following to ensure that they are protected:
- Start with the basics: Anti-malware protection is a must, especially for Android devices that are being used in businesses by employees. Look for security products that go beyond basic malware protection. Look to use security solutions in the business that can stop “phishing” attacks, which use clever forgeries of legitimate websites and emails to trick users into entering sensitive information, like bank accounts and credit card numbers.
- Educate staff about the realities of cyber security and implement IT security policies – don’t trust that staff know all there is to know about cybercriminal activity and the steps needed to protect their devices. Educate staff on this and have a strong IT policy in place that examines mobile devices used for business purposes – to ensure staff and the business are correctly protected.
Q: What are the latest high profile security incidents and what can security industry learn from them?
A: The recent global media headlines that centred on a group of hackers holding a Los Angeles hospital’s computers hostage via a ransomware attack point to a worrying trend. Even more worrying were the latest reports suggesting that the hospital paid the ransom.
Ransomware continues to threaten many organisations, as well as individuals. In 2015, ransomware programmes were detected on computers belonging to 753,684 Kaspersky Lab users, and 179,209 computers were targeted by encryption ransomware. It is interesting, though, that the U.S. is not among the top targets for ransomware.
Our advice is to never pay the ransom – as this just entices cybercriminals to carry on with these types of attacks, due to the fact that they win by getting what they want.
Additionally, remembering the example of Ashley Madison, an online organisation in America whose client list was hacked, further highlights the need for all companies to enact security measures to prevent cyberattacks and protect their customers’ personal data. Users entrust their private information to the care of a website and they should be safe in the knowledge that it is kept in a secure manner – all companies who handle private data have a duty to ensure this.
Companies, no matter whether they are based in the U.S. or Africa, must understand that anyone can be targeted by cybercriminals. While security solutions significantly mitigate the risk of a successful attack, there are also other measures to be taken to provide thorough protection. These measures include running fully updated software, performing regular security audits on the website code and penetration testing the infrastructure. The best way to combat these types of cyberattacks is at the beginning, which means having an effective cybersecurity strategy in place before the company becomes a target.
Q: How do advanced persistent threats work and what characteristics do they exhibit so security teams can easily identify and tackle them?
A: With advanced persistent threats (APT), cybercriminals target individuals by employing malware to hunt and phish for highly personalised information, which is then used as part of a second-stage attack. From there, the APT relies on individualised social-engineering techniques to infiltrate an organisation via its ‘Achilles heel’: the end-user.
During this attack phase, the APT targets a handful of key individuals with known access to the targeted accounts, enticing them with convincing emails that appear to come from HR or a trusted source. With one careless click, the cybercriminals then gain free access to an organisation’s most precious information, without anyone being aware.
Once in, the APT employs any number of sophisticated Trojans, worms and other malware to infect the network and establish multiple backdoors on systems, which will likely remain on desktops and servers indefinitely. During that time, the threat moves undetected from one host to the next with protracted stealth that enables it to hunt for its assigned target.
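The host-to-host movement described in this answer leaves a trace in authentication logs: one account opening network or RDP logons to many different machines in a short time. The following is an added example (not Kaspersky Lab code) of a detector for that fan-out pattern, run over a constructed set of Windows 4624 logon events; the window, threshold and field layout are assumptions.

```python
"""Lateral-movement fan-out detector over constructed Windows logon events.

Added example, not Kaspersky Lab code. Flags an account whose network (type 3)
or RDP (type 10) logons reach an unusually large number of distinct hosts
inside a sliding time window. Window, threshold and the event tuple layout
are assumptions for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD = 5                     # distinct target hosts per account inside WINDOW
NETWORK_LOGON_TYPES = {3, 10}     # 3 = network (SMB/WMI/PsExec), 10 = RemoteInteractive (RDP)

# Constructed sample log: (timestamp, event_id, account, source_ip, target_host, logon_type).
# jdoe is an ordinary user, admin touches five hosts but slowly, svc-backup sweeps
# five workstations in two minutes. One jdoe line is deliberately out of order.
SAMPLE_EVENTS = [
    ("2016-03-01T09:00:05", 4624, "jdoe", "10.0.1.15", "WS-0142", 2),   # interactive, ignored
    ("2016-03-01T09:02:40", 4624, "jdoe", "10.0.1.15", "FS-01", 3),
    ("2016-03-01T09:02:10", 4624, "jdoe", "10.0.1.15", "FS-01", 3),
    ("2016-03-01T09:05:00", 4624, "jdoe", "10.0.1.15", "MAIL-01", 3),
    ("2016-03-01T10:00:00", 4624, "admin", "10.0.9.2", "WS-0301", 10),
    ("2016-03-01T10:30:00", 4624, "admin", "10.0.9.2", "WS-0302", 10),
    ("2016-03-01T11:00:00", 4624, "admin", "10.0.9.2", "WS-0303", 10),
    ("2016-03-01T11:30:00", 4624, "admin", "10.0.9.2", "WS-0304", 10),
    ("2016-03-01T12:00:00", 4624, "admin", "10.0.9.2", "WS-0305", 10),
    ("2016-03-01T13:10:00", 4624, "svc-backup", "10.0.1.15", "WS-0201", 3),
    ("2016-03-01T13:10:30", 4624, "svc-backup", "10.0.1.15", "WS-0202", 3),
    ("2016-03-01T13:11:00", 4624, "svc-backup", "10.0.1.15", "WS-0203", 3),
    ("2016-03-01T13:11:30", 4624, "svc-backup", "10.0.1.15", "WS-0204", 3),
    ("2016-03-01T13:12:00", 4624, "svc-backup", "10.0.1.15", "WS-0205", 3),
    ("2016-03-01T13:12:30", 4624, "svc-backup", "10.0.1.15", "WS-0206", 3),
]


def parse_event(raw):
    ts, event_id, account, src_ip, host, logon_type = raw
    return datetime.fromisoformat(ts), int(event_id), account, src_ip, host, int(logon_type)


def detect_fan_out(events, window=WINDOW, threshold=THRESHOLD):
    """Return [(account, first_ts, last_ts, sorted_hosts)] for every account whose
    network/RDP logons reach `threshold` distinct hosts within `window`.
    Each account is reported once, at the moment it first crosses the threshold."""
    recent = defaultdict(deque)   # account -> deque of (ts, host), oldest first
    alerted = set()
    alerts = []
    for raw in sorted(events, key=lambda e: e[0]):   # ISO timestamps sort lexically
        ts, event_id, account, _src, host, logon_type = parse_event(raw)
        if event_id != 4624 or logon_type not in NETWORK_LOGON_TYPES:
            continue
        q = recent[account]
        q.append((ts, host))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= threshold and account not in alerted:
            alerted.add(account)
            alerts.append((account, q[0][0], ts, sorted(hosts)))
    return alerts


if __name__ == "__main__":
    for account, first, last, hosts in detect_fan_out(SAMPLE_EVENTS):
        print(f"ALERT {account}: {len(hosts)} hosts between {first} and {last}: {hosts}")
```

With the defaults only svc-backup is reported; admin's five RDP logons are spread over two hours and never overlap within the ten-minute window, and jdoe stays at two hosts. Lowering the threshold to 2 shows how quickly an ordinary user trips the rule, which is why the window and threshold need tuning against your own baseline rather than being copied from an example.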
Q: What are the most common techniques for combatting APTs, such as SSL visibility and analysis tools and as a security expert, how can security teams effectively mitigate the APT risk?
A: No ICT infrastructure can ever be 100% secure, but there are reasonable steps every organisation can take to significantly reduce the risk of a cyber-intrusion via APTs. Kaspersky Lab recommends the following measures to mitigate APTs:
- Whitelisting and heuristics – we recommend whitelisting as the first endpoint-based protective measure to be taken against APTs. Along with timely OS and application updating, effective user rights administration supported by whitelisting can mitigate up to 85% of Advanced Persistent Threats.
- Heuristic detection – for obvious reasons, previously unknown malware samples cannot be detected using reputational databases. But we do know the typical patterns and indicators of such malware. Heuristic algorithms are based on this knowledge, allowing security software to detect even 0-days. So heuristics are a crucial part of a multi-layered, comprehensive defense.
- Deploying a specialised security solution is a must
- Updating and patching – regularly updating to the latest version of Microsoft Office will help get rid of CVE-2012-0158 attacks and others like it. Timely patching like this can most easily be achieved using a Patch Management toolkit.
Based on Kaspersky Lab’s deep counter-APT expertise and analysis, we believe that this approach would be effective not only for government agencies or large enterprises, but for smaller commercial organisations as well.
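The first two measures in this answer, whitelisting and heuristics, fit together as two layers: a default-deny allowlist decides whether a binary may run at all, and a heuristic pass over anything not on the list explains why a denied file looks dangerous so the block can be triaged. The block below is an added example of that layering, not Kaspersky Lab code; the indicator strings, entropy cut-off and the three constructed sample files are assumptions made for the illustration.

```python
"""Default-deny application allowlist with heuristic triage of unknown binaries.

Added example, not Kaspersky Lab code. Layer 1: a file runs only if its SHA-256
is on the allowlist. Layer 2: anything else is denied, and a cheap heuristic pass
over its bytes reports why it looks suspicious. Indicator list and thresholds are
assumptions for this illustration, not a vendor signature set.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# API names and command fragments that rarely co-occur in ordinary software but
# are common in droppers and process injectors (constructed list).
SUSPICIOUS_STRINGS = (
    b"CreateRemoteThread", b"VirtualAllocEx", b"WriteProcessMemory",
    b"IsDebuggerPresent", b"cmd.exe /c", b"powershell -enc",
)
ENTROPY_PACKED = 7.0   # bits per byte; plain code and text sit well below this
MIN_INDICATORS = 3     # indicators needed before an unknown file is called suspicious


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_indicators(data: bytes) -> list:
    """Human-readable names of every indicator found in the file."""
    found = [s.decode() for s in SUSPICIOUS_STRINGS if s in data]
    if shannon_entropy(data) >= ENTROPY_PACKED:
        found.append("high-entropy body (packed or encrypted payload)")
    return found


def classify(data: bytes, allowlist: dict) -> tuple:
    """Return (verdict, detail). Allowlisted hashes are allowed; everything else is
    denied, labelled 'suspicious' when enough indicators are present, else 'unknown'."""
    digest = sha256_bytes(data)
    if digest in allowlist:
        return ("allow", allowlist[digest])
    indicators = heuristic_indicators(data)
    label = "suspicious" if len(indicators) >= MIN_INDICATORS else "unknown"
    return ("deny", f"{label}: not on allowlist; indicators={indicators}")


# Constructed sample files. KNOWN_GOOD is enrolled; UNKNOWN_TOOL is harmless but
# unlisted; INJECTOR carries injection API names on top of a uniform-byte body
# (bytes(range(256)) repeated has entropy exactly 8.0, mimicking a packed section).
KNOWN_GOOD = b"MZ\x90\x00" + b"trusted build of an internal reporting tool\n" * 20
UNKNOWN_TOOL = b"MZ\x90\x00" + b"unsigned utility with an ordinary code section\n" * 20
INJECTOR = (b"MZ\x90\x00" + bytes(range(256)) * 16
            + b"VirtualAllocEx\0WriteProcessMemory\0CreateRemoteThread\0")
ALLOWLIST = {sha256_bytes(KNOWN_GOOD): "internal-tool.exe 1.4.2"}


def demo_file_hash_matches() -> bool:
    """Show that the chunked file hasher agrees with the in-memory one."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool.exe")
        with open(path, "wb") as f:
            f.write(KNOWN_GOOD)
        return sha256_file(path) == sha256_bytes(KNOWN_GOOD)


if __name__ == "__main__":
    for name, blob in (("KNOWN_GOOD", KNOWN_GOOD), ("UNKNOWN_TOOL", UNKNOWN_TOOL), ("INJECTOR", INJECTOR)):
        print(name, classify(blob, ALLOWLIST))
    print("file hash matches:", demo_file_hash_matches())
```

The point of keeping the heuristic behind the allowlist rather than beside it is that the unknown-but-harmless utility is still blocked: whitelisting does not depend on recognising the threat, which is what makes it effective against previously unseen samples. The indicators only change how urgently the deny gets a human's attention. In a real deployment the allowlist would be built from hashes (or signed publishers) of approved software at enrolment time and rebuilt on every patch cycle, since updating a binary changes its hash.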