In the first part of our little blog series on the basics of malware, we dealt with the terminology of viruses, worms, etc. We saw that the types of cyberattacks have changed considerably over the years. Until a few years ago, relatively simple spam messages and viruses were distributed according to a minimum-effort, maximum-reach principle. Today, attacks are more sophisticated and more targeted, because defense mechanisms have adapted and the detection of mass spam and virus waves has improved significantly. But before this multi-part series explores how malware can be analyzed and fended off, let’s shed light on who is behind all these attacks.
The stereotype of a hacker looks something like this: a pale, hoodie-wearing single man sits in a dark basement eating pizza and drinking cola. From there he hammers code into a computer and attacks his targets. The reality is much more complex.
Nowadays, cyber-attackers act like small businesses: they consist of teams whose members specialize in subtasks and who professionally distribute their “goods”. After all, this industry has become a highly lucrative field, and cybercrime revenues are said to exceed those of worldwide drug trafficking.
More than just nerds sitting in basements
To security professionals’ dismay, there is a large number of different cybercrime groups. To complete the picture, we also have to include the field of cyberwar, where the goals are often not monetary but political or ideological.
The following list shows the groups into which most attackers can be divided:
Financially motivated cybercriminals
This group includes all those who pursue purely economic goals with their cyber-attacks. Their aim is to generate the highest possible amount of money, in whatever form. In addition to banking trojans and spyware, they also use ransomware or cryptomining malware. The sale of stolen data and information should also be mentioned: selling lists of email addresses or other personal information, botnets and other content can be highly profitable. Even the sale of malware itself falls into this category: attacks are offered as a service, so that even technically less experienced or less well-equipped people can launch them. This could be in the form of a new ransomware, but also in the form of a simple DDoS attack on companies, organizations and government agencies.
State actors
These are actors that can be attributed to national governments. One of their main goals is to improve the situation for their own country, be it through hacker attacks, sabotage, classic espionage or the infiltration of opponents. Although individual countries do not openly communicate these activities, they are an open secret. As a result, countries repeatedly blame each other for such attacks: currently the American FBI and the British National Cyber Security Centre (NCSC) accuse Russia of being responsible for a large-scale campaign in which network infrastructure devices were compromised on a large scale. Incidentally, the two authorities structure their explanation of the attack along the stages of the cyber kill chain.
Law enforcement and intelligence agencies
To combat crime and terrorism, authorities actively use certain programs to spy on target persons and obtain information relevant to investigations. The German “Federal Trojan” (Bundestrojaner), which is allegedly already in use, is one such example. Officially, the state organs are subject to legislative and judicial control, but in reality this control has gaps.
Some state institutions even collect their own knowledge of security holes without having them closed, so that they can exploit them themselves. The problem is that when such exploits fall into the wrong hands they can be misused, as happened with the WannaCry ransomware attack, in which an exploit that had leaked from the NSA was used by North Korean hacker groups. Strictly speaking, that exploit was no longer a zero-day when WannaCry struck: Microsoft had patched the underlying SMB vulnerability two months earlier, and the worm spread because many systems had not applied that patch.
Activists, political groups
This group of cyber criminals, also known as “hacktivists”, conducts cyberattacks based on their ideological views. Victims can include private companies, politicians or state organs. They try to enforce their political, social or other ideas through their attacks. In addition to classic hacking, DDoS attacks are used as well.
Groups associated with hacktivism include Anonymous, WikiLeaks and LulzSec.
Industrial espionage
The private sector is not immune to cybercrime either. Summarized as industrial espionage, the goal of this group of attackers is to spy on competitors, gain information and use it for their own benefit.
Vandal / “jesters”
These attackers do not set strategic goals for their cyber-attacks – they are more concerned with satisfying their curiosity, trying out new ideas, and gaining recognition for their achievements. It might also be the pure pleasure of destruction that drives this group of people.
Security researchers
There are also people who actively look for vulnerabilities in IT infrastructures in order to increase the security of IT systems. These experts can be found in public institutions such as universities and authorities, but also in the so-called “security labs” of private companies. The difficulty is that cybercriminals can sometimes misuse published findings for their own purposes, which is why such findings are usually published only after the vendor has had a chance to ship a fix (coordinated disclosure).
Money is the main driver
The main motivation behind the attacks is highly interesting: according to a recent survey by telecommunications provider Verizon (the Data Breach Investigations Report), 76% of all security breaches last year were financially motivated, followed by espionage, “fun” and personal grudges. Another very interesting statistic from the Verizon study: 28% of all data breaches involved internal staff.
The next part of our series will explore how malware analysis works and how to develop defense strategies based on these findings.
San Francisco, April 16, 2018 – Cyber Defense Magazine has awarded Hornetsecurity with a 2018 InfoSec “Cutting Edge” award in the category of Advanced Persistent Threat.
The award will be accepted by CEOs Oliver Dehning, Daniel Hofmann and Daniel Blank at the annual RSA Conference tonight in San Francisco.
“We’re honored and humbled to receive this recognition for the first time,” Dehning said. “With the constant and evolving cybersecurity threats to companies around the world, finding ‘cutting edge’ solutions is no longer a luxury. It’s a requirement for any company that aims to provide true value for its clients.”
The InfoSec Awards are the culmination of Cyber Defense Magazine’s annual review of the hottest, most innovative, best, market leading, next-generation and cutting-edge InfoSec (information security) companies. The winners were evaluated from nearly 3,000 companies worldwide.
“With Cybercrime continuing to gain momentum, surpassing global drug crimes last year and totaling more than $600 billion in theft and damages, we are proud to honor Hornetsecurity as an award-winning innovator offering a new approach to defeat these criminals,” said Pierluigi Paganini, Editor-in-Chief, Cyber Defense Magazine.
Hornetsecurity’s award coincides with a move into the United States, where it recently opened a base of operations in the rapidly growing tech community of Pittsburgh. Revenue has skyrocketed since the introduction of the company’s Advanced Threat Protection software in 2016. The expansion also aligns with the company’s continued focus on innovative solutions that are defined as much by customer service as they are by the software itself.
“At Hornetsecurity, we believe a paradigm shift is necessary in the IT community,” Dehning said. “We need more encryption instead of open data, we must assume overall responsibility for the security of the systems and solutions we offer and we must fight the imbalance between attackers and defenders by using more cloud-based security solutions.”
Hornetsecurity has been focused on cloud computing since 2007, when the company was founded by Oliver Dehning and Daniel Hofmann in Hannover, Germany, where it maintains its global headquarters. Today, Hornetsecurity has grown to more than 70 employees, offering comprehensive security solutions in the fields of email security, web security and data storage to more than 30,000 business customers around the world. In 2017, Hornetsecurity opened a United States base of operations in Pittsburgh.
About Cyber Defense Magazine
With more than 1.2 million annual readers and growing, Cyber Defense Magazine is the premier source of IT Security information. We are managed and published by and for ethical, honest, passionate information security professionals. Our mission is to share cutting-edge knowledge, real-world stories and awards on the best ideas, products and services in the information technology industry. We deliver electronic magazines every month online for free, and limited print editions exclusively for the RSA conferences and our paid subscribers. Learn more about us at http://www.cyberdefensemagazine.com. CDM is a proud member of the Cyber Defense Media Group.
Malware, cyber-attacks and how to protect yourself and your company are top of mind for employees and IT managers alike. To help understand and tackle these issues, we would like to provide a loose series of basic information on the topic. In this first post we give a definition and classification of malware; it is by no means complete, but covers some of the most important types.
Viruses have existed for millions of years, but have been known to humanity only for the blink of an eye, since there was no scientific evidence of viruses until the end of the 19th century. Viruses are responsible for a variety of diseases, and in nature there is an eternal struggle between the evolution of viruses and the defense against them.
It is almost the same situation in the field of Information Technology. There are numerous types of malicious software and IT security companies are constantly developing new defense methods to prevent intrusions and negative impacts on IT systems and sensitive data. When conceptually naming these malicious codes, the term “virus” is usually used.
This is perfectly understandable from the historical point of view, as originally only viruses and worms emerged as a threat. However, this terminology is insufficient because of the great variety of threats. Therefore, we would like to shed some light on the subject and give an overview of which terminologies are actually correct and which malicious codes are the most common.
The term “virus” is often used incorrectly as a synonym for the more general term “malware”. This is not correct, since malware covers all malicious software, of which viruses are only one kind.
Viruses
The word “virus” refers only to a specific distribution method of a particular type of malware: it infects a defined file type by injecting part of its malicious code into the file. Whenever the infected file is executed, it carries the virus on by finding other files of the same type and infecting them too.
Viruses do not spread actively from computer to computer, however; they travel with their host files via removable storage media, email attachments or network shares.
Worms
Just like “virus”, the term “worm” stands for a certain type of distribution. Unlike a computer virus, a worm spreads actively and independently by exploiting existing security gaps, without any user interaction. A current example is a worm that spreads via open Android debugging ports (ADB over TCP, port 5555), especially on Internet of Things (IoT) and other Internet-enabled devices.
Unlike ransomware, which clearly aims at encrypting data and demanding a ransom, a computer worm does not have a clearly defined goal. It may, for example, compromise and change the system itself, saturate Internet infrastructure with its own scanning traffic, or launch DDoS attacks.
Trojans / Trojan horses
Much of the malware in use today can be described as a “trojan horse”. The term is quite generic: the malware disguises itself as something benign, so the user sees only the useful side of the application and does not recognize its harmful effects and intent. The user therefore runs it voluntarily and has no way of influencing what it does.
The name “trojan horse” goes back to the legendary strategy of Greek mythology, in which the Greek invaders tricked the inhabitants of Troy with the help of a wooden horse. For this reason, the common terminology “trojan” is incorrect, since the Trojans were the inhabitants of the city and the ones that were attacked in this historic example. The horse, in fact, was the attacker.
In addition to these most commonly used terms, there are many further kinds of malware that can be broken down into the following categories.
RAT: Remote Access Trojans
This type of malware allows attackers to take over computers and control them remotely. It lets attackers execute commands on the victims’ systems and distribute the RAT to other computers, often with the goal of building a botnet.
Backdoors
Backdoor malware has a similar objective to a RAT but uses a different approach: the attackers use so-called “backdoors”, hidden ways into a program or operating system that bypass the normal authentication. Some are deliberately built in by developers or vendors; others are installed in secret by an attacker after a successful compromise in order to keep access.
A special characteristic of backdoors is that they bypass the existing defense mechanisms, which makes them very attractive for cybercriminals building botnets.
Botnets and Zombies
Botnets are large collections of infected computers that the attacker builds up over time. Each affected computer is called a zombie (or bot). The attacker can send commands to all of them at the same time to trigger activities such as DDoS attacks, or use individual zombies to mine cryptocurrency.
It is especially treacherous that the owners of the affected computers usually do not notice they are part of a botnet until the computer is already carrying out the externally controlled activities, and often not even then, because the only visible trace is the bot’s regular check-in with its command server.
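One practical way to spot such externally controlled machines, for both the RAT described above and for botnet zombies, is to look for their check-in traffic: a timer-driven bot contacts its command server at near-constant intervals, whereas human-driven traffic is irregular. The following script is an added example written for this post; it is not code from the original article or from Hornetsecurity. The log lines and the log format (`<unix_ts> <src_ip> <dst_ip>:<port> <bytes>`) are constructed for the example and are not a real product or firewall format.

```python
"""Beacon detection over constructed outbound-connection logs.

Added example; not code from the original post or from Hornetsecurity.
The log format '<unix_ts> <src_ip> <dst_ip>:<port> <bytes>' is an
assumption of this example, not a real product or firewall format.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts 203.0.113.7:443 roughly every 60 s
# with small jitter (a typical bot/RAT check-in), mixed with irregular
# browsing traffic to other hosts.
SAMPLE_LOG = """\
1526000000 10.0.0.5 203.0.113.7:443 312
1526000004 10.0.0.5 198.51.100.20:443 15234
1526000061 10.0.0.5 203.0.113.7:443 310
1526000090 10.0.0.5 198.51.100.20:443 20987
1526000119 10.0.0.5 203.0.113.7:443 315
1526000140 10.0.0.5 198.51.100.33:80 4021
1526000181 10.0.0.5 203.0.113.7:443 309
1526000240 10.0.0.5 203.0.113.7:443 311
1526000260 10.0.0.5 198.51.100.20:443 873
1526000299 10.0.0.5 203.0.113.7:443 314
1526000361 10.0.0.5 203.0.113.7:443 308
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        events[(src, dst)].append(int(ts))
    return events


def beacon_candidates(events, min_conns=4, max_cv=0.15):
    """Flag pairs whose inter-connection gaps are suspiciously regular.

    The coefficient of variation (stddev / mean) of the gaps is close to
    zero for a timer-driven beacon and much larger for human-driven
    traffic. Returns (src, dst, mean_gap_seconds, cv) tuples, most
    regular first.
    """
    found = []
    for (src, dst), times in events.items():
        if len(times) < min_conns:
            continue                      # too few samples to judge
        times = sorted(times)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(found, key=lambda row: row[3])


if __name__ == "__main__":
    for src, dst, avg, cv in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: every ~{avg}s (cv={cv})")
```

On the sample above only the 203.0.113.7 pair is reported (about every 60 s, cv around 0.03); the browsing traffic to 198.51.100.20 has a cv above 0.3 and is not flagged even if `min_conns` is lowered to 3. Two caveats a practitioner should keep in mind: bots that add deliberate jitter or sleep for hours need a longer observation window and a looser `max_cv`, and a near-constant request size (here around 310 bytes) is a second indicator worth combining with the timing check.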
Spyware
This is malware that collects information from the victim’s computer. Credential stealers extract the login data of user accounts such as email mailboxes, Amazon or Google accounts; keyloggers record everything users type and often take screenshots as well; Bitcoin stealers search for cryptocurrency wallets and empty them.
Downloader / Dropper
Downloaders or droppers are small programs that serve only one purpose: to fetch further malware from the Internet. The dropper itself carries hardly any malicious functionality, usually just a URL, so at first the victim cannot tell what content will be downloaded, and a static scan of the dropper reveals little. The great advantage for the attacker is that the malware on offer behind the URL can be swapped at any time, so the payload actually delivered is always up to date and hard to detect; it is therefore the downloaded payload, together with the URL it came from, that is worth analyzing.
Rootkits
Rootkits are the most dangerous type of malware, even though a rootkit is not necessarily malicious code in itself. Rather, a rootkit hides malicious code from discovery. In this form of attack the attacker penetrates deep into the system, gains root privileges and thus general access rights, and then changes the system so that the user no longer notices when processes and activities are started: files, processes or network connections belonging to the malware are simply filtered out of the answers the operating system gives. Attacks based on rootkit obfuscation are very hard to locate, because the tools one would use to look for them rely on the very system components the rootkit has tampered with.
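Because a rootkit works by filtering the answers of one particular interface, a classic countermeasure is to ask the kernel the same question in two different ways and compare the results. The script below is an added example written for this post, not code from the original article or from Hornetsecurity: on Linux it compares the process list visible in `/proc` (what `ps` and `top` see) with the set of PIDs that answer to `kill(pid, 0)`, which a `/proc`-filtering rootkit usually forgets to hide. The PID range scanned (1 to 65536) and the two-snapshot race handling are choices made for this example.

```python
"""Cross-view detection of hidden processes on Linux.

Added example; not code from the original post or from Hornetsecurity.
Compares two views of the process table:
  * /proc directory listings (the view ps/top/htop rely on), and
  * kill(pid, 0) probes, which report whether a PID exists without
    sending a signal and are rarely hooked by /proc-filtering rootkits.
Linux only; on other systems the live collectors return empty sets.
"""
import os

MAX_PID = 65536   # assumption for demo speed; real pid_max may be larger


def visible_pids():
    """PIDs and thread IDs visible in /proc.

    Thread IDs are included on purpose: kill(tid, 0) succeeds for any
    thread, while /proc only lists thread-group leaders. Without this
    every multi-threaded process would look like a hidden process.
    """
    seen = set()
    try:
        pids = [n for n in os.listdir("/proc") if n.isdigit()]
    except FileNotFoundError:            # not Linux
        return seen
    for pid in pids:
        seen.add(int(pid))
        try:
            seen.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:                  # process exited meanwhile
            pass
    return seen


def probed_pids(max_pid=MAX_PID):
    """PIDs the kernel reports as existing via kill(pid, 0)."""
    alive = set()
    if not os.path.isdir("/proc"):
        return alive
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue                     # no such PID
        except PermissionError:
            pass                         # exists, owned by another user
        except OSError:
            continue                     # cannot tell (e.g. syscall blocked)
        alive.add(pid)
    return alive


def hidden_pids(probed, visible):
    """Pure comparison: PIDs that answer to kill() but are absent from /proc."""
    return sorted(probed - visible)


def scan():
    """Live scan; a second /proc snapshot absorbs processes that started
    or exited while the kill() sweep was running."""
    before = visible_pids()
    probed = probed_pids()
    after = visible_pids()
    return hidden_pids(probed, before | after)


if __name__ == "__main__":
    hidden = scan()
    print("PIDs hidden from /proc:", hidden or "none")
```

Run it as root on the machine under suspicion: any PID it reports exists in the kernel but is being withheld from `/proc`. Two caveats: a kernel-mode rootkit that also hooks `kill()` will pass this check, so the cross-view test is a cheap first step rather than a proof of cleanliness, and on systems where `/proc` is mounted with `hidepid=2` an unprivileged run produces false positives because other users’ processes are legitimately invisible in `/proc` while `kill()` still reports them with a permission error.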
Naturally, there are other categories and definitions of malware that are not listed here. It should be noted that the malware which is circulating nowadays is mostly a mixture of several types. For example, there are trojan horses that also include a backdoor.
Often, the different attack types can be put together dynamically according to a modular principle. Therefore, the malware found today can no longer be clearly assigned to one of the categories mentioned above.
In our next post, you will learn about the main players in terms of malware and cyber-attacks.
The challenges are high but rewarding for system houses that focus on cloud-based services.
It is still a common belief among some CEOs that cloud computing is a side issue that is only progressing slowly. In reality, cloud-based technology has progressed rapidly and is already well established in a large number of companies. And the market continues to grow: according to market researcher ISG, the German market for public cloud services has been growing at about 26% per year. Resellers have already begun to feel the consequences of this development, especially those that still offer traditional IT services. They need to rethink their market strategy to keep pace with a shifting marketplace.
Many resellers are on the right track and have expanded their portfolios by including managed services like the Spamfilter Service or Advanced Threat Protection from Hornetsecurity. IT channels are also rapidly consolidating, as the buyout of Exabyters by Telcat proves (both are Hornetsecurity partners!). This merger represents the future of the IT channel, which constantly needs to find new fields of business and offerings. Telcat plans to take over Exabyters’ 30 employees and increase the managed service staff to 150 employees in the coming years.
Save costs, time and effort with cloud services
And there are good reasons for the growth of cloud-based solutions. Through cloud-based services, enterprises can drastically reduce both their internal hardware and software requirements, which saves time and money for IT administrators. IT managers are then able to concentrate on their core competences and projects. They can also make their department more flexible by scaling their outsourced activities much more easily. Concerns about cloud services reducing data security and control are minimized by watertight contractual agreements and the continuing professionalization of the providers.
While companies largely benefit from cloud services, resellers seeking to reorganize their portfolio will face massive changes in their organization, logistics and processes. First, there is the change from typical contracts with an annual or even multiannual duration to monthly contracts. Consequently, the cashflow will naturally change from large single payments to small monthly payments. This adjustment holds some advantages, as there will be a steady regular cashflow.
Changes can be hard but rewarding
Beyond that, resellers need to bring their service mentality to the next level, as customers are expecting a higher service quality when using cloud-based services. For example, they demand a very high quality of service, which ideally is available 24/7 on both a technical and sales level. For this, server capacities need to be created or increased, employees trained for the new services and possibly working in shifts. So, many challenges that require a huge amount of planning, assertiveness and even capital investment, wait for resellers.
Nonetheless, the struggle can pay off. Simply relying on existing technologies and not preparing for the future has rarely paid off, although in the future there will remain niches that resellers could occupy. The cloud, with all its disruption of prevalent technologies, cannot be stopped. Channel executives should not misjudge the situation, otherwise they will end up like German emperor Wilhelm II, who is alleged to have said, “I believe in the horse. The automobile is only a temporary occurrence.”