Categories
Security

Business email compromise cost businesses $1.8B in 2020

I know looking back at 2020 for any reason can be a less-than-appealing thought. But in the case of business email compromise (BEC), it would not only be a dangerous oversight, but a costly one. In fact, last year BEC cost organizations nearly $2B.

That’s what the FBI discovered (among many other unsavory finds) in its annual Internet Crime Report released March 17. The report states that businesses suffered losses totaling $1.8B, a more than threefold increase from the $54 million lost in 2019. And although the FBI received the most complaints about phishing scams, BEC far outpaced phishing in financial damage, underscoring its tremendous cost — and the need for more awareness.

Last week, the FBI issued another warning to state, local, and tribal governments about BEC — unfortunately, the BEC attacks do not appear to be slowing in 2021.

BEC a growing problem for organizations

People complained to the FBI about business email compromise (BEC) 19,369 times in 2020. That sounds like a hefty number… until you stack it up against the $1.8B in collective losses caused by BEC, according to the FBI’s annual Internet Crime Report. If we divide the cost of BEC losses among the 19,000+ victims evenly, that’s an average of a little less than $100,000 per business. That’s not a loss many businesses could take on the chin lightly.

While BEC might have barely cracked the top 10 most-reported cybercrimes in 2020, it blew away the competition in victim losses. The second-most costly crime was confidence fraud/romance scams at around $600,000, over $1B less than BEC, and it’s not a cybercrime particularly targeted to businesses.

Yet how many could tell what business email compromise looks like? How to spot a BEC scam and properly report it? The best methods to protect against it? Last year, BEC was the most expensive cybercrime, and it was reported far less phishing and its counterparts — vishing, smishing, and pharming — which ensnared nearly 250,000 in 2020, according to the FBI report.

If you’re wondering why I didn’t mention ransomware, it’s because the $29 million in losses reported to the FBI do not paint an accurate picture of the total devastation ransomware wreaked on businesses last year. The FBI’s record is so low because it doesn’t reflect estimates of lost business, time/productivity, wages, customer and company data, equipment, or any third-party remediation services acquired. Which makes the $4.2B in total losses reported from cybercrime in 2020 that much more nauseating.

Getting back to BEC, last week, the FBI warned state and local governments that the onslaught of BEC attacks is not slowing in 2021. The organization issued a Private Industry Notification stating that these smaller government organizations are being targeted by BEC attackers because they have inadequate resources and cybersecurity controls. The FBI cites two risks contributing to these attacks: the move to remote work and the failure to provide sufficient training to the workforce.

So what does business email compromise, or email account compromise (EAC) as some call it, actually look like? BEC/EAC is a sophisticated scam that targets both businesses and individuals that are transferring funds. BEC typically happens when a threat actor compromises a legitimate business email account through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds.

But as cybercrime has evolved, so have BEC/EAC attacks. In 2013, BEC/EAC scams routinely began with the hacking or spoofing of CEO or CFO email accounts. Fraudulent emails were sent to unknowing recipients requesting wire payments. Not wanting to question the directions of their superiors, employees typically responded by sending the money first, asking questions later.

Over the years, BEC has evolved to include compromising not just business emails, but personal, vendor, and lawyer email accounts as well. Fraudulent requests have expanded to include W-2 information, large amounts of gift cards, and other personally identifiable information (PII).

In 2020, the IC3 (branch of the FBI researching cybercrimes) observed an increase in the number of BEC/EAC complaints related to sophisticated, multi-pronged cyberattacks. In these variations, an initial victim is first scammed via extortion, tech support scam, romance scam, etc. into providing the criminal with PII. The PII is then used to establish a bank account that will receive stolen BEC/EAC funds, which are then exchanged for cryptocurrency.

Try getting out of that mess! Actually, as with most cybercrime, the best protection is prevention. Here are a few tried and true tips for protecting against BEC/EAC.

  • Keep an eye on the usual phishing red flags, such as odd formatting, bad grammar, or false email addresses.
  • Mind the money: BEC emails typically target someone with access to financial records/finances and may make strange payment requests, such as wiring money to an unknown location.
  • Pay special attention to emails sent by people claiming to be accountants, lawyers, or executives, especially those with a sense of urgency. They may be trying to convince you to wire money in support of a business deal, such as an acquisition. Even if the deal is real, the request may not be.
  • Watch out for vendor email compromise, especially an attack where a threat actor has successfully infiltrated a vendor’s email account. The sender’s domain name is genuine and the transaction may seem legitimate, often with proper documentation attached (because the account has been hacked, not spoofed). However, the processing details direct payment to a different account controlled by the scammer.
  • Add BEC/EAC awareness to your company’s security training regimen. Your IT/security team should be able to recognize a standard phish from BEC, and your other employees should at least get a sense that something’s not right with this email. Anyone working directly with vendors, processing payments, or handling financial records should sit for this training as well.
  • Training alone isn’t enough. Compliance is required to head off BEC/EAC. Employees targeted by BEC are typically mid-level and might be nervous approaching an executive, lawyer, or other purported requester to verify unless there is an accepted protocol for reporting potential fraud.
  • Build a layered defense with technical controls, including multi-factor authentication, encryption, virtual private networks (VPNs), and enterprise security software, like Malwarebytes Endpoint Detection and Response.

For more on the FBI’s Internet Crime Report and the impact of BEC in 2020, read our Malwarebytes Labs blog:
https://blog.malwarebytes.com/business-2/2021/03/report-reveals-the-staggering-scale-of-business-email-compromise-losses/

To read the full Internet Crime Report:
https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf

Categories
Security

Mac security and the need for endpoint protection

There’s been a lot going on in the Mac security world lately. Just after Apple dropped its Platform Security Guide on February 18, a mysterious new Mac malware named Silver Sparrow swooped in to infect 30,000 endpoints. In the same week, Forbes covered Corellium — the security research startup that Apple is suing — tracking their momentum after a December court win against Apple. Later, on March 9, Apple released a patch for iPhones, iPads, and MacBooks to fix a security flaw found by researchers at Google and Microsoft. 

And then there’s what we uncovered in our State of Malware Report, where Mac detections on business endpoints increased by 31 percent over the previous year. And Mac malware — primarily backdoors, data stealers, and cryptominers — was on the rise by 61 percent overall in 2020. 

All of this paints the picture of a Mac threat landscape primed to erupt.

Apple shines and buffs Mac security — but is it enough to stop today’s malware? 

Lately, it seems Apple aren’t the impenetrable fortress they’ve claimed to be. Just last week, the company released a patch for iPhone, iPad, and MacBook for a bug that could allow code execution through websites hosting malicious code. This means its browsers were vulnerable to exploits that could be launched from malicious website content. 

Apple didn’t comment on whether this vulnerability had been discovered by cybercriminals. However, the company released patches for three separate security bugs that were being actively exploited in January 2021. And just a couple weeks ago, there was Silver Sparrow. 

Silver Sparrow is a new Mac malware that was found on nearly 40,000 endpoints by Malwarebytes detection engines. While it’s not as dangerous a threat as initially believed (researchers now believe it’s a form of adware), Silver Sparrow is nevertheless a malware family that has mature capabilities, such as the ability to remove itself, which is usually reserved for stealth operations. One of its more advanced features is the ability to run natively on the M1 chip, which Apple introduced to macOS in November, and which is central to the apparent security paradigm shift happening within the company’s walls. 

And what paradigm shift is that? Macs running the M1 chip now support the same degree of robust security consumers expect from their iOS devices, which means features like Kernel Integrity Protection, Fast Permission Restrictions (which help mitigate web-based or runtime attacks), and Pointer Authentication Codes. There are also several data protections and a built-in Secure Enclave. 

In other words: Apple have baked security directly into the hardware of their Macs. 

Looking at the security improvements made to Macs over the last several months — the M1 chips, system extensions replacing external ones, an entirely new endpoint security framework — it appears Apple is making great strides. In fact, they should be commended for developing many beneficial technologies that help Mac users stay more secure. However, not all of the changes are for the better. For example: 

  • External validation of the security components of M1-based Macs are harder to analyze and verify.
  • Security researchers and the tools they develop/use may be thwarted by the relative opacity of the environment.
  • Threat actors with the right resources can develop or pay for a zero-day exploit and jump over Apple’s defenses — then be protected by them once inside.
  • System extensions enable potentially unwanted programs (PUPs) developers to apply for and be granted approval from Apple, which then gives them total protection by the macOS framework.

That last bullet is great for legitimate third-party software programs, like Malwarebytes for Mac, especially in protecting against outside threats that might try to disable security software during an attack. But not every company that applies for system extensions is legitimate. We’ve already seen a few examples of developers with a long history of cranking out potentially unwanted programs (PUPs) get their extensions from Apple. Because of this, some PUPs can no longer be removed by Malwarebytes (or any other security vendor). And while there are some ways that users can manually remove these programs, they are by no means straight-forward or intuitive. 

And sure, you might be saying, “It’s only PUPs!” But PUPs and adware are a significant issue on Mac computers. While many like to trivialize them, PUPs actually open the door for more vulnerabilities, making an attack by malicious software even easier. Adware, for example, could host malicious advertising (malvertising), which often pushes exploits or redirects to malicious websites. If the most recent vulnerability patched by Apple wasn’t already being exploited, that would have been a perfect opportunity for cybercriminals to penetrate the almighty Apple defenses. 

As we found in our State of Malware Report, malware on Mac endpoints belonging to businesses increased by 31 percent in 2020. There may not be as many “actual” malware attacks on Mac endpoints as on Windows, but the share of Macs in business environments has been increasing, especially since the start of the pandemic. You really don’t want some targeted malware hitting your high-value Macs. 

Apple has developed some impressive armor for its Macs, but it doesn’t protect against the full scope of threats in the wild. In addition, Apple only uses static rules definitions for its anti-malware protection, which means it won’t stop malware it doesn’t already recognize. A security program that uses behavioral detection methods (heuristic analysis), like Malwarebytes Endpoint Detection and Response, has the potential to catch a lot of bad apples that Apple hasn’t seen yet. 

As time goes on, we’re increasingly in danger of a major attack waged against Macs. There are still a myriad of Mac users who don’t install any third-party security. Fundamentally, Macs still aren’t all that difficult to infect — even with all the bells and whistles. And by closing their systems, Apple is limiting the capabilities of additional third-party security layers to assist in stopping that major attack from doing major damage. 

For a deeper exploration of Mac threats, security changes, and the ways they thwart full protection, read the article in Malwarebytes Labs: 
https://blog.malwarebytes.com/mac/2021/03/apple-shines-and-buffs-mac-security-is-it-enough-to-stop-todays-malware/

To read more about Malwarebytes’ research with Red Canary on Mac malware Silver Sparrow: 
https://blog.malwarebytes.com/mac/2021/02/the-mystery-of-the-silver-sparrow-mac-malware/

Categories
Security

2021 State of Malware Report finds cyberthreats more evolved than ever

Last year, threat actors took advantage of the COVID-19 public health crisis in ways previously unimaginable, not only seizing on confusion and fear during the initial months of the pandemic, but retooling attack methods, reneging on promises, strengthening malware, and extorting victims to the tune of $100 million — in short, in 2020, cyberthreats evolved.

That’s what the Malwarebytes Labs team discovered in the 2021 State of Malware Report, which offers a comprehensive analysis of consumer and business malware detections, trends, and attacks over the last year. The report includes in-depth coverage of the impact of COVID-19 on the threat landscape, cybercriminal attack methods, and their growing enterprise.

By April 2020, half the world’s population had been ordered to stay home, and IT teams found themselves scrambling to switch entire workforces to full-time remote work practically overnight. New security “perimeters” were strung together as best as possible, but they were soon penetrated by threat actors who had ditched their old tactics and placed a new emphasis on gathering intelligence. The report found:

  • In 2020, malware detections on Windows business computers decreased by 24 percent overall, likely due to improved targeting by cybercriminals and far fewer people working in offices.
  • However, malware detections on Mac business computers increased by 31 percent last year.
  • Detections for hack tools and rogue tools on Windows business computers increased dramatically — by 173 and 158 percent, respectively, in 2020.
  • Spyware also increased by 51 percent on business computers in 2020, with 440,368 detections.

What began as a global health crisis soon became a global economic crisis too, with almost no business left unscathed. The fate of industry sectors was mirrored in the number of cyberattacks they suffered. As the manufacturing and automotive sectors contracted, attackers simply turned to agriculture and other essential industries instead. Ransomware gangs reneged on early promises to stay away from hospitals and hit new lows, attacking hospitals and medical facilities in organized campaigns.

  • More traditional enterprise targets, such as education, healthcare/medical, and automotive all experienced drops in detections by varying degrees — education fell 17 percent, healthcare dropped 22 percent, and the automotive industry decreased by 18 percent.
  • But the agriculture industry suffered through a 607 percent increase in malware detections, while malware detections in the food and beverage industry increased by 67 percent.

Through it all, there is one form of business that seems to have thrived in 2020 — the creation and operation of malicious software. The pace of innovation picked up as many older variants debuted with fancy upgrades while other entirely new malware families emerged. Deployment of custom intrusion tools, new exploits, and the use of commercial pen testing tools allowed criminals to map out and infect networks faster than ever before. Ransomware gangs continued to learn from each other and evolve too, with a new “double extortion” tactic emerging, which saw cybercriminal groups extorting more money with threats to leak sensitive data than from decrypting compromised computers. According to the report:

  • Despite decreasing in frequency by 89 percent in 2020, Emotet morphed one last time to drop its infection chain into existing email threads and managed to compromise 250 Universal Health Services (UHS) hospitals with Ryuk ransomware.
  • TrickBot dropped by 68 percent on business endpoints, but upgraded its primary bot functionality, as well as its distribution framework, adding the ZeroLogon exploit to its arsenal.
  • The top Windows malware variants aimed at businesses in 2020 included a hack tool called KMS that increased by over 2,000 percent!
  • New ransomware families released in 2020 that both encrypt and extort are Egregor, Sodinokibi, and Wasted Locker.

If 2020 taught us anything, it’s that cybercrime stops for nothing. There are no targets and no opportunities for exploitation that are beyond the pale.

Thankfully, the year had another lesson for us: There are heroes everywhere. Healthcare professionals, teachers, and other essential workers rightly deserve the loudest acclaim, but it was the folks in IT who got kids into their virtual classrooms and connected remote workers and families around the globe in 2020. I also want to offer an enormous thank you to the unsung army of sysadmins and security professionals who moved mountains to keep those millions of connected people safe online as the world turned upside down around them.

To learn more, check out the full 2021 State of Malware Report here: https://resources.malwarebytes.com/files/2021/02/MWB_StateOfMalwareReport2021.pdf

For a look back at the most enticing cyberattacks of 2020, check out this Labs blog: https://blog.malwarebytes.com/security-world/2020/12/the-most-enticing-cyberattacks-of-2020/

And for the strangest cyberattacks of 2020, take a look here: https://blog.malwarebytes.com/security-world/2020/12/the-strangest-cybersecurity-events-of-2020-a-look-back/

Categories
Security

Don’t drink the water — it’s been hacked

That’s a scary title, isn’t it? It could have been the headline in newspapers this week had it not been for the watchful eye of a water treatment plant operator in Oldsmar, Florida.

Last week, a hacker (or group of hackers) attempted to poison a Florida city’s water supply by accessing a dormant remote access software platform. If it hadn’t been caught in time, at least 15,000 people could have been affected.

Law enforcement, including the FBI, the Secret Service, and the Pinellas County Sheriff’s Office are currently investigating how the threat actor got in and who would want to do this. What we know so far is that a plant operator at the Oldsmar water treatment facility noticed someone remotely accessing the computer system he was monitoring — once at about 8:00am and again at 1:30pm — to open the function that controls the amount of sodium hydroxide (lye) in the water.

Lye is used to treat acidity in water by raising its pH levels and removing heavy metals. Too much lye in the water could cause skin burns and rashes — and the hacker changed the lye ration from about 100 parts per million to 11,100 parts per million. This is obviously a significant and potentially dangerous increase. After the attacker left the system, the operator quickly reduced the lye concentration level back to normal, so there was no adverse effect on the water. Importantly, the water treatment plant had redundancies in place, so if the operator had missed the hacker’s intrusion, the system would have caught the change in time.

So, what was this? A test by nation-state actors? An attempt to severely harm the townspeople of Oldsmar? As of this writing, there are no indications that this was targeted attack. The Pinellas County Sheriff’s office doesn’t have a suspect but is following leads — none of which point to terrorism. It may simply have been an act of vandalism. Vulnerable Internet-connected Industrial Control Systems (ICS) are not difficult to find.

In the case of the Oldsmar water treatment facility, the attack was neither successful nor sophisticated. A remote access software tool was either exposed to the open Internet or accessed via brute force/password. (Although law enforcement say they don’t know how hackers got onto the system, a CNN source counters that a password was required to operate the software remotely.) Unfortunately, a sophisticated attack isn’t required to render a dangerous result, and what happened at Oldsmar simply highlights how many critical infrastructure systems are vulnerable.

IT and security professionals charged with securing vital infrastructure needn’t panic — the first priority here isn’t shielding against complex zero-days or advanced persistent threats. Instead, it’s the kind of grunt work facing all in cybersecurity today, such as patching, air-gapping, and enforcing two-factor authentication. My advice for anyone in infrastructure or others using remote access software:

  • Be careful with how much remote access software you deploy on your network. You should never leave this software unused for long periods, especially if it’s left open to the Internet.
  • Ensure that the remote access software you do have is configured properly. Open it only to staff that require remote access, and require they access it using a strong password and 2FA.
  • Remote Desktop Protocol (RDP) should be kept closed or used with protection, such as our Brute Force Protection module in Malwarebytes Nebula.

To learn more about the hack of the Florida city water facility, read our blog on Malwarebytes Labs:
https://blog.malwarebytes.com/hacking-2/2021/02/hackers-try-to-poison-florida-citys-drinking-water/

Categories
Security

Emotet bites the dust… or does it?

If I never hear the name “Emotet” again, I’d be a pretty happy guy. But it’s worth bringing up this bad boy one more time to announce its demise — or at least the beginning of its end.

On January 27, Europol announced that law enforcement agencies from eight countries seized control of the Emotet botnet in a coordinated effort, putting a stop to more than six years of torment from one of the world’s most dangerous forms of malware.

Although the culprit has been metaphorically locked up, the final blow won’t be delivered until April 25, when an update pushed out to all infected servers will wipe them clean of Emotet once and for all. How did law enforcement finally shut down this banking-Trojan-turned-beast? Why are they waiting until April to wipe it out? What are the ethical pitfalls of pushing code — even “good” code — onto these infected networks?

Law enforcement bests Emotet in TKO

The notorious Emotet botnet, which first appeared as a banking Trojan in 2014, is known for its consistent ability to shapeshift, which allowed it to avoid detection and drop other vicious malware in its wake. Over the more recent years, it wreaked havoc on organizations with other partners, including the equally dangerous TrickBot and Ryuk ransomware.

On January 27, Emotet met its match when agencies from the United States, United Kingdom, Germany, the Netherlands, and more gained control of its infrastructure and took it down from the inside. In a statement announcing the action, Europol described Emotet’s infrastructure as involving several hundred servers across the world, all of which had different functionalities: to manage computers of the infected victims, to spread to new ones, to serve other criminal groups, and to make the network more resilient against takedown attempts.

The global effort to bring down Emotet’s complex web of servers and controllers, dubbed Operation Ladybird, should not be underestimated. Law enforcement coordinated with security researchers from the private sector to take over Emotet’s C&C infrastructure — located in more than 90 countries — while simultaneously arresting at least two of the cybercriminal crew members behind it.

“Unlike the recent and short-lived attempt to take down TrickBot, authorities have made actual arrests in Ukraine and have also identified several other individuals that were customers of the Emotet botnet,” said Jérôme Segura, Director of Threat Intelligence for Malwarebytes. “This is a very impactful action that likely will result in the prolonged success of this global takedown.”

In its press release, Europol described the approach to Emotet’s take-down as “unique and new.” While details of how Operation Ladybird were able to disrupt the Emotet botnet are still emerging, we do know that infected machines have been redirected toward the law enforcement-controlled infrastructure. This effectively removes the threat posed by Emotet by preventing it from contacting the infrastructure it uses to receive updates and deliver malware.

Shortly after the Emotet infrastructure was seized, Dutch authorities deployed an update: a special cleanup payload with code to remove the malware from infected computers on April 25. Why so far away? The lengthy delay gives system administrators time for forensic analysis and to check for other infections that Emotet may have left behind. After Emotet uninstalls itself on April 25, these investigations will be harder to carry out.

But pushing code via botnet, even with the best of intentions, has always been a thorny topic. In this case, law enforcement took control of one of the most significant botnets of the decade — but instead of dismantling it, they pushed an update that will likely impact many thousands of organizations and endpoints — without consent. The end result is positive, of course. But what about the ramifications? The DOJ actually distanced itself from the update, stating in its affidavit that “foreign law enforcement agents, not FBI agents, replaced the Emotet malware, which is stored on a server located overseas, with the file created by law enforcement.”

What are your thoughts about the downfall of Emotet? Do you think this is the last we’ll hear of it? Do you believe it was a good idea to deploy the Emotet update, even without consent?

To read the Department of Justice’s official release on the operation that took down Emotet: https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation