The field of cybersecurity is constantly adapting to new threats and counterattacks. Cybercriminals test new ways to breach security systems, while security providers react with new protective and preventive measures to handle more and more advanced attack vectors.
As the Finland-based cybersecurity firm F-Secure highlights in their 2020 Attack Landscape Update, there are currently three trending threat types:
- Ransomware 2.0
- Info stealers and automated recon
- Dodging detection
In this article, we’ll look at each of these threats in more detail.
Ransomware 2.0
As highlighted in this guide to trends in ransomware, one of the most noteworthy (and nefarious) trends of 2020, which has continued at a record pace in 2021, is the growth of “double extortion”: attackers steal a victim’s data before encrypting it. This gives the attackers a second lever, since they can threaten to publish or sell the data if the ransom is not paid.
F-Secure notes that 40% of the ransomware attacks and unique variants it tracked in 2020 included this second layer of extortion, stealing the data before locking it. Some attackers have gone a step further and demanded a second payment after the first ransom was paid, in return for deleting the exfiltrated data. Of course, the victim has no way of knowing whether that promise will be kept; the attackers may well retain the data for further use.
Info stealers and Automated Recon
A currently trending malware variant is a trojan called an “info stealer”, which automatically gathers various types of information about the victim. This can include stealing login credentials that grant access to servers holding more information, which in turn lets the attacker download data and map the network topology.
One of the most common malware threats of 2020 is “Lokibot”, an info stealer capable of stealing login credentials from a number of sources as soon as it gains access to a specific system. This threat also includes a keylogger that can assist in stealing additional credentials.
Network micro-segmentation has become essential for mitigating the ongoing info stealer threats since it minimizes the damage an attacker can do if they successfully breach a company’s network.
Dodging Detection
Another trend that emerged in 2020 and has continued into 2021 is attackers finding ways to avoid detection by sandboxes. F-Secure identified five techniques used to evade sandbox analysis:
- Audio and keyboard settings: Malware authors want their trojans to avoid being detected while running in a sandbox, so they design the malware to check for mouse or keyboard activity before it runs. If no activity is detected, the malware assumes it is in a sandbox and does not run.
- Execution time: Some malware checks how quickly it is being executed, since faster than expected execution may indicate a sandbox. Conversely, slower than expected execution may indicate that the file is awaiting review.
- Password protection: Malware is often (and ironically) password-protected so that it will not automatically run in a sandbox.
- Avoiding DNS filtering with Google: Many companies use DNS filtering to block malware. Since the filter will not block Google, some attackers first send DNS requests to Google asking it to resolve a domain associated with the malware. Google’s reply then carries the malware past the DNS filter.
- Fileless attacks: Antivirus software typically inspects files and removes those it deems suspicious. To avoid this, some malware is stored not as a file but across split registry keys.
These are just a few examples of how sophisticated attackers bypass antivirus and malware detection software. To protect themselves from these types of attacks, many organizations are embracing new approaches based on a strategy known as Zero Trust security.
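A defender-side check for the fileless technique in the last list item, added here as an example (it is not code from the article or from F-Secure): it parses a Windows .reg export and flags keys whose numbered sibling values each hold a long base64-like string, which is how a payload split across registry values tends to look. The sample export, the value names p0..p2 and the thresholds are constructed assumptions for illustration.

```python
# Added example (not from the article): flag payloads stored as split registry
# values in a .reg export. Thresholds and sample data below are assumptions.
import re
from collections import defaultdict

# Constructed .reg export: a benign key plus a key holding a blob split into numbered chunks (filler text)
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ConstructedSample\Settings]
"Theme"="dark"
"Width"=dword:00000320

[HKEY_CURRENT_USER\Software\ConstructedSample\Data]
"p0"="VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZSBibG9iIGZvciBkZW1vbnN0cmF0aW9u"
"p1"="IHB1cnBvc2VzIG9ubHkgYW5kIGRvZXMgbm90IGNvbnRhaW4gYW55IHJlYWwgY29kZQ=="
"p2"="QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ values only
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")
CHUNK_NAME_RE = re.compile(r"^(.*?)(\d+)$")    # e.g. p0, p1, part7

def parse_reg(text):
    """Return {key_path: {value_name: data}} for string values in a .reg export."""
    keys, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1)] = m.group(2)
    return keys

def find_split_blobs(keys, min_chunks=3, min_len=40):
    """Return (key, prefix, chunk_count, joined_length) for suspicious groups."""
    findings = []
    for path, values in keys.items():
        groups = defaultdict(list)        # prefix -> [(index, chunk)]
        for name, data in values.items():
            m = CHUNK_NAME_RE.match(name)
            if m and len(data) >= min_len and B64_RE.match(data):
                groups[m.group(1)].append((int(m.group(2)), data))
        for prefix, chunks in groups.items():
            if len(chunks) >= min_chunks:
                blob = "".join(d for _, d in sorted(chunks))   # reassemble in index order
                findings.append((path, prefix, len(chunks), len(blob)))
    return findings
```

Calling `find_split_blobs(parse_reg(SAMPLE_REG))` yields one finding for the Data key; raising `min_chunks` or `min_len` tunes the heuristic against false positives from legitimate software that stores numbered settings.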
How to Protect Against Detection Evasion
Since sophisticated cybercriminals have developed techniques to avoid detection, it’s more important than ever to adopt security measures that do not depend solely on detection. Zero Trust is an approach that treats 100% of internal and external traffic as suspicious. It leverages micro-segmentation, identity and access management, and least privilege access to minimize the impact of an attack by limiting the data and resources that any purported user can actually access.
One technique that minimizes the need for detection is Remote Browser Isolation (RBI). RBI prevents web-borne threats from reaching the organization’s network because all browser traffic runs in an isolated, cloud-based container. Website content never actually reaches the user’s device: only a safe rendering reaches the endpoint browser, while the content itself stays confined to the virtual browser in the cloud-based container. Users see and interact with the website content exactly as they would if it ran in the browser on their own device. As the cybersecurity company Palo Alto writes:
RBI solutions provide a way to implement zero-trust browsing by assuming all websites could contain malicious code. They also alleviate the burden on IT teams of constantly reconfiguring AUP, which negatively impacts user experience. Configuring access control policies for high-risk categories and suspicious sites is relieved by RBI’s ability to render web content in its remote secure container environment – simply send that traffic to remote isolation for safe access.
In summary, given cybercriminals’ increasing sophistication, the reality is that traditional defenses are inadequate against modern threats. Zero Trust offers an approach that lets organizations stay ahead in the cybersecurity cat-and-mouse game without relying on detection, which cannot address emerging threats.
Author Bio
Simon Moran is VP of Business Development at Ericom Software. He is responsible for Ericom’s global technology partner business development efforts, including defining the company’s partnership strategy and execution for strategic relationships. He joined Ericom from Symantec.