Threat Summary - Week 37, 2019
Reports / Surveys
Over 99% of email-based attacks require human interaction
Email is still the top cyberattack vector, but email-based campaigns cannot succeed without human interaction, according to a recent study by Proofpoint. Over 99% of emails delivering malicious code are ineffective unless recipients click on a link, open an attachment, accept a security warning, or perform another risky action. The research also shows that attackers mostly target shared accounts and employees whose identity can easily be uncovered via search engines, corporate websites, social media accounts and other resources.
Virtually all major websites are vulnerable to sophisticated attacks
Practically all of the Alexa 1000 websites are vulnerable to sophisticated client-side attacks that take advantage of the increasingly complex ‘website supply chain,’ a new report by Tala shows. Companies are putting themselves at risk by making their websites dependent on external services, with the average Alexa 1000 website relying on 31 third parties. This provides threat actors with a host of potential vectors for carrying out attacks like cross-site scripting (XSS), formjacking, ad injection, content injection, web skimming (Magecart) and cryptojacking. Nearly all (99%) websites use components like inline JavaScript that could enable attackers to inject malicious code if the website is not properly configured. Another potentially vulnerable element is external JavaScript code, 63% of which is written and/or managed by third parties.
BEC scams lead to billions in global losses
New figures released by the FBI Internet Crime Complaint Center (IC3) show that over the past three years, a total of 166,349 business email compromise (BEC) incidents were registered, accounting for over $26 billion in actual and attempted global losses. Many scams targeted US citizens, resulting in more than $10 billion in exposed losses for 69,384 victims.
Companies are still failing to protect their endpoints
Despite increased corporate spending on endpoint solutions, companies remain vulnerable to endpoint attacks, a new report by Absolute reveals. At any given moment, 28% of endpoints in a corporate environment are not adequately protected against malware threats. While 21% of endpoints run outdated anti-malware solutions, the remaining 7% are not protected at all. Things are even worse when it comes to endpoint encryption, with encryption failures leaving 42% of endpoints vulnerable at any point. Moreover, companies should be constantly replacing encryption agents since the decay rate of these solutions is 2% per week.
Employees are reluctant to report suspicious insiders
Insider threat detection is falling short in most firms because employees are dramatically under-reporting suspicious behavior by colleagues, friends and senior staff, research by Red Goat Cyber Security indicates. The study presented workers with five scenarios describing suspicious employee behavior. While most respondents were willing to report contractors (all scenarios) and new employees (4 out of 5 scenarios), they would only report friends in the most extreme scenario, in which the friend starts working at unusual hours or brings unauthorized people into the office. Shockingly, the vast majority of workers would give colleagues (64%) and senior staff (86%) a free pass even in this scenario.
Remarkable
City of New Bedford refused to meet $5.3M ransomware demand after attack
In July of this year, the city of New Bedford, Massachusetts suffered a ransomware attack affecting 4% of the City’s computers. New Bedford initially decided to negotiate with the attackers, offering them $400,000 instead of the $5.3 million mentioned in the ransom demand. When the attackers did not accept the offer, the City chose not to pay at all.
Freaky Infosec Fact of the Week
Hackers once stole 10GB of data from a casino by hacking a fish tank
In 2017, threat actors breached the network of a casino in North America by attacking an Internet-connected fish tank the casino had just installed. They managed to exfiltrate 10GB of sensitive data.
What You Can Do
To help combat phishing attacks, organizations should consider adding a game to their user awareness program that rewards individuals for reporting suspicious incidents. Incentivizing employees to identify security threats could be a small expense compared with the cost of a data breach. As we mentioned on LinkedIn just recently, this approach is gaining popularity and is proving to be very effective at reducing attacks, particularly social engineering attacks.
On another note – this week's freaky infosec fact of the week emphasizes the need for organizations to ensure they have a disaster recovery plan in place. In the event your organization is targeted for ransom, you should ensure that a plan exists and has been tested. Given the sharp increase in such attacks, it is a matter of when, and not if, an organization will become a target.
About Vonahi Security
Vonahi Security is a cybersecurity consulting firm that offers modern consulting services to help organizations achieve both compliance and security best practices. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants has experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io