::Trend Micro Threat Resource Center::

24 December 2015

Daily new malware count plunges as cybercriminals look to save money

The year 2015 marked the moment when demand for new malicious programmes reached saturation point, according to Kaspersky Lab: the number of new malware files detected every day by its products fell by 15,000, from 325,000 in 2014 to 310,000.


Kaspersky Lab’s experts believe this is mainly due to the fact that coding new malware is expensive and cybercriminals have realised that they can get equally good results using intrusive advertising programmes or legitimate digital signatures in their attacks. This approach appears to be working, as results show that despite the cost-cutting in malware creation in 2015, the number of users attacked by cybercriminals increased by 5%.

Between 2012 and 2013, there was a rapid increase in the number of new malicious files detected by Kaspersky Lab, from 200,000 new files every day in 2012 to 315,000 in 2013. Thereafter, things started to slow down. In 2014, the total increased by just 10,000 files a day and in 2015 the overall number has declined from 325,000 to 310,000.

Cybercriminals in search of a quick return appear to have decided that complex tooling such as rootkits, bootkits or self-replicating viruses brings results only at a cost that eats into their margins and revenue. Moreover, these complex malicious programmes, which can cost tens of thousands of dollars to develop, do not shield the malware from antivirus software that is now accustomed to detecting and analysing far more complicated code.

For this reason, 2015 saw adware, essentially harmless but often intrusive, become more prominent among overall anti-virus detections. This marks an evolution in cybercriminal tactics, with many now acting almost as businesses, engaged in selling quasi-legitimate commercial software, activity and other “essentials.”

Another trend is for cybercriminals, and even advanced state-sponsored threat actors, to make greater use of legitimate code-signing certificates. With bought or stolen certificates, attackers deceive security software that trusts a validly signed file more than an unsigned one. A certificate may cost only a few tens of dollars. The practitioner's caveat is that a valid signature proves only that the signer held the private key, not that the signer is trustworthy; a policy that whitelists on signature validity alone, rather than on the identity of a vetted signer, is exactly what this tactic exploits.

"Cybercrime has lost the last touch of romance. Today, malware is created, bought and resold for specific tasks. The commercial malware market has settled and is evolving towards simplification. I think we will no longer see malicious “code for the code”. This trend is also observed among the operators of targeted attacks," says Vyacheslav.

21 December 2015

Cyberspy group repurposes 12-year-old Bifrose backdoor


A group of hackers that primarily targets companies from key industries in Asia is using heavily modified versions of a backdoor program called Bifrose that dates back to 2004.

The group, which researchers from antivirus vendor Trend Micro call Shrouded Crossbow, has been targeting privatized government organizations, government contractors and companies from the consumer electronics, computer, healthcare, and financial industries since 2010.

The group's activities are evidence that engaging in cyberespionage doesn't always require huge budgets, stockpiles of zero-day vulnerabilities and never-before-seen malware programs. Old cybercrime tools can be repurposed and improved for efficient attacks.

The toolset used by the group includes backdoors such as Kivar and Xbow, which are based on or inspired by Bifrose and which have in the past been sold on underground markets for about $10,000.

"What we think happened is that the group purchased the source code of BIFROSE, and after improving its functions, the group then designed a new installation flow, developed a new builder to create unique loader-backdoor pairs, and made more simple and concise backdoor capabilities," the Trend Micro researchers said in a blog post.

This allowed them to remain effective in their operations, despite Bifrose being a very well known and well understood threat in the antivirus industry, and one that is easily detectable.

One interesting aspect about the group is that it is organized in at least two, but possibly three or more teams, according to the Trend Micro researchers. One is the development team, which has at least 10 people who develop new builds of the backdoor. The number of people involved was determined from version strings customized with unique developer IDs.

A second team is responsible for target selection, configuring the malware parameters for each intended victim and building the spear-phishing emails that are used as delivery mechanism. The rogue emails have malicious attachments and masquerade as news reports, resumes, government data or meeting requests.

A third team might be in charge of maintaining the group's extensive command-and-control infrastructure, which includes over 100 servers whose IP addresses and domains are updated in an organized fashion. New domains are being registered all the time, the Trend Micro researchers said.

20 December 2015

France looking at banning Tor, blocking public Wi-Fi

Leaked docs from Ministry of Interior show worryingly illiberal trend for France.

According to leaked documents, France's Ministry of the Interior is considering two new proposals: a ban on free and shared Wi-Fi connections during a state of emergency, and measures to block the use of Tor inside France.


The documents were seen by the French newspaper Le Monde. According to the paper, new bills could be presented to parliament as soon as January 2016. These proposals are presumably in response to the attacks in Paris last month where 130 people were murdered.

The first proposal, according to Le Monde, would forbid free and shared Wi-Fi during a state of emergency. The new measure is justified by way of a police opinion, saying that it's tough to track people who use public hotspots.

The second proposal is a little more gnarly: the Ministry of the Interior is looking at blocking and/or forbidding the use of Tor completely. Blocking people from using Tor within France is technologically quite complex. The addresses of Tor's public relays are published in the network consensus and are trivial to put on a blocklist, but the project's unlisted bridges and pluggable transports exist precisely to get around such blocks, so a determined user is hard to stop. The French government could definitely make it difficult for the average user to find and connect to the Tor network, though. If the French government needs some help in getting their blockade set up, they could always talk to the only other country in the world known to successfully block Tor: China, with its Great Firewall.

Forbidding the use of Tor through legislative means is another option: France could simply make it illegal for people to access Tor. The difficulty there, though, is in policing the new law: the country's ISPs would have to snoop on their users to find out who is using Tor (connections to the published relay addresses are easy to spot; connections to bridges are not), and then report back to the police. In the UK, where the new Snooper's Charter may require ISPs to log the last 12 months of user activity, that idea is meeting a lot of resistance.
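To make concrete what "technologically quite complex" means for both a block and the ISP-side detection just described, here is an added example (not part of the original article): a small Go program that parses the "r" and "s" lines of a Tor network-status consensus, the public document that lists every relay's address and ORPort, and then matches a flow log against that list. The consensus excerpt and the flow records are constructed samples, the client, relay and bridge addresses are documentation ranges rather than real hosts, and the only thing the code assumes about Tor is the published consensus line format.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Relay is one router entry from a Tor network-status consensus document.
type Relay struct {
	Nickname string
	Addr     string   // IPv4 address from the "r" line
	ORPort   string   // onion-routing port clients connect to
	Flags    []string // from the "s" line that follows the "r" line
}

// ParseConsensus extracts relays from the "r" and "s" lines of a consensus
// document, keyed by IP address. The real format (dir-spec.txt) has more line
// types (w, p, v, directory headers); they are ignored here.
func ParseConsensus(doc string) map[string]*Relay {
	relays := make(map[string]*Relay)
	var cur *Relay
	sc := bufio.NewScanner(strings.NewReader(doc))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		switch f[0] {
		case "r": // r nickname identity digest date time IP ORPort DirPort
			cur = nil
			if len(f) < 9 {
				continue
			}
			cur = &Relay{Nickname: f[1], Addr: f[6], ORPort: f[7]}
			relays[cur.Addr] = cur
		case "s": // s Flag1 Flag2 ... (describes the preceding r line)
			if cur != nil {
				cur.Flags = append([]string(nil), f[1:]...)
			}
		}
	}
	return relays
}

// MatchFlows takes a flow log with one "srcIP dstIP dstPort" record per line
// and returns, per client address, the sorted nicknames of public relays it
// connected to on their ORPort. Bridges are not in the consensus, so traffic
// to them is never matched: that gap is what a list-based block or detection
// scheme cannot close.
func MatchFlows(relays map[string]*Relay, flowLog string) map[string][]string {
	hits := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(flowLog))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue
		}
		src, dst, port := f[0], f[1], f[2]
		if r, ok := relays[dst]; ok && r.ORPort == port {
			hits[src] = append(hits[src], r.Nickname)
		}
	}
	for src := range hits {
		sort.Strings(hits[src])
	}
	return hits
}

// Constructed consensus excerpt (not a real network status) in the line
// format Tor directory authorities publish.
const sampleConsensus = `r seele AAoQ1DAR6kkoo19hBAX5K0QztNw LPLazpa4EO1HrIsXHgSE4KkSr2M 2015-12-20 09:43:51 198.51.100.7 9001 0
s Fast Guard Running Stable Valid
w Bandwidth=1200
r exitnode BBBBBBBBBBBBBBBBBBBBBBBBBBB CCCCCCCCCCCCCCCCCCCCCCCCCCC 2015-12-20 08:12:03 198.51.100.9 443 80
s Exit Fast Running Valid
w Bandwidth=5000
`

// Constructed flow records: srcIP dstIP dstPort. Client 192.0.2.11 is using
// an unlisted bridge at 203.0.113.5 and therefore never shows up.
const sampleFlows = `192.0.2.10 198.51.100.7 9001
192.0.2.10 198.51.100.9 443
192.0.2.11 203.0.113.5 443
192.0.2.12 198.51.100.7 22
`

func main() {
	relays := ParseConsensus(sampleConsensus)
	fmt.Printf("%d public relays loaded\n", len(relays))
	for src, names := range MatchFlows(relays, sampleFlows) {
		fmt.Printf("%s connected to relay(s): %s\n", src, strings.Join(names, ", "))
	}
}
```

The output makes the point: 192.0.2.10 is trivially attributable because both of its destinations are in the public list; 192.0.2.12, which reached a relay's address on a non-Tor port, is not flagged; and 192.0.2.11, talking to an unlisted bridge, never appears at all. A relay list is all an ISP could realistically act on, and it is exactly the part of Tor that bridges and pluggable transports were built to sidestep.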

The main problem with such a ban on Tor is that it wouldn't achieve a whole lot. Would-be terrorists could still access Tor from outside the country, and if they manage to access Tor from within France I doubt they're concerned about being arrested for illegal use of the network. There is evidence to suggest that the recent Paris attacks were planned via unencrypted channels, too: the Bataclan "go" message was sent in the clear via SMS.

On the other hand, criminalising and/or blocking Tor might affect many other legitimate users of the network, such as whistleblowers, journalists, and anyone else who wants to surf the Web privately.

The proposal to block Wi-Fi hotspots during a state of emergency is slightly more feasible, and you can see where the French government is coming from—but again, it would be technologically very difficult to implement, and the collateral damage would be huge. Millions of people would have to go without public Wi-Fi access, potentially for weeks at a time.

On November 20, a week after the attacks in Paris, France introduced new legislation that extended the current state of emergency to three months. At the same time, new laws were also introduced to make it easier for the Minister of the Interior to block any terrorism-related website, and to dramatically increase police powers for searching seized devices. The French prime minister suggested that they may soon make it illegal to merely visit a terrorism-related website, too.

Come January 2016 we'll see if the French government actually goes ahead with these new Tor and Wi-Fi blocking measures. Hopefully cooler heads will prevail: France is one of the most powerful and influential Western democracies, but it's also rapidly becoming one of the most illiberal. If France rolls out its own Great Firewall, it would then be a whole lot easier for the UK, Germany, and other neighbouring countries to do the same thing.

18 December 2015

Five security must-dos for first time cloud users


What do Apple, Amazon and Microsoft have in common?

The answer: all three technology giants, considered the gold standard among cloud computing providers, have suffered the ignominy of a very public security failure.

Apple’s “celebgate” incident exposed personal photos of celebrity iCloud users and made unwelcome headlines last year; Apple attributed it to targeted attacks on user names, passwords and security questions rather than to a breach of iCloud itself, which makes it as much a lesson about account security as about the platform. UK technology provider Code Spaces was forced out of business last year after an attacker who had gained control of its Amazon Web Services account tried to blackmail it and then deleted crucial data, backups included. In 2013, an expired SSL certificate on Microsoft's Azure storage service took down Xbox Live and a raft of other cloud-hosted services; no attacker was needed, just a lapse in operational hygiene.

Cloud security risks are rising, with attacks growing at 45% year-on-year globally, according to cloud security firm Alert Logic. In the next five years, US$2 billion will be spent by enterprises to shore up their cloud defences, according to Forrester Research.

First time cloud users can be most at risk, simply because of unfamiliarity with the new environment and the added burden of having to grapple with a new way of managing users, data and security.

Here are five security must-do’s before taking the plunge.

1. Know the cloudy areas
There are three main segments in any cloud deployment - the cloud vendor, network service provider and enterprise. Given that the cloud should be treated like an extension of the enterprise data centre, the question to ask is therefore: can a common set of security services and policies be applied across the three segments? What are the security gaps?

During vendor selection, ask the cloud vendor what security services it provides and which security vendors it works with. The cloud is a dynamic environment and requires regular updates to the security architecture to keep up with the latest threats. How does the cloud vendor guard against new security exploits and zero-day vulnerabilities?

Also find out where the boundaries lie in the shared responsibility model that comes with the cloud service. Understand the extent of your cloud provider’s responsibilities, and your own. In IaaS, for example, the provider secures the physical hosts and the hypervisor, but securing the guest operating systems, applications and data is the enterprise's job. It is therefore important to know what security appliances and vendors the cloud provider offers or allows the enterprise to deploy in the cloud to do just that.

2. New apps, new fortifications
Ready to move an application into the cloud? Before you do, consider adding new fortifications to the existing security measures you have built around your application’s authentication and log-in processes.

To fortify access to your cloud application, you should have a granular data access scheme, tying access privileges to roles, company positions and projects. This limits what an attacker can reach with any one set of stolen staff credentials.

Account hijacking may sound basic, but this age-old breach has been flagged by the Cloud Security Alliance as a continuing top threat for cloud users. To fortify your login process, consider implementing two-factor authentication, device posture checking and one-time passwords. A good tip is to require default user IDs to be changed at first login.
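As an added illustration of the two recommendations above (this is example code, not something the article or the Cloud Security Alliance publishes), the Go program below implements RFC 4226/6238 one-time passwords with a replay guard and a clock-skew window, plus a deny-by-default authorization check that scopes a role's permission to a single project. The roles, project names and grants are hypothetical; the secret in main() is the RFC 4226 test-vector key and must never be used for real accounts.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP computes an RFC 4226 one-time code for a counter value.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 |
		uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP over the number of 30-second steps since the epoch.
func TOTP(secret []byte, at time.Time) string {
	return HOTP(secret, uint64(at.Unix())/30, 6)
}

// OTPVerifier accepts a code for the current step or one step either side
// (clock skew) and never accepts a step at or below the last one consumed, so
// a code captured by a keylogger or phishing page cannot be replayed.
type OTPVerifier struct {
	secret   []byte
	lastStep uint64
	used     bool
}

func (v *OTPVerifier) Verify(code string, at time.Time) bool {
	now := uint64(at.Unix()) / 30
	for d := int64(-1); d <= 1; d++ {
		step := uint64(int64(now) + d)
		if v.used && step <= v.lastStep {
			continue
		}
		// hmac.Equal is a constant-time comparison.
		if hmac.Equal([]byte(HOTP(v.secret, step, 6)), []byte(code)) {
			v.lastStep, v.used = step, true
			return true
		}
	}
	return false
}

// Grant scopes one permission to one role within one project. Authorize is
// deny-by-default: the principal must hold the role in that very project, so
// a stolen credential for one project buys nothing in another.
type Grant struct{ Role, Project, Permission string }

type Principal struct {
	User  string
	Roles map[string][]string // project -> roles held there
}

func Authorize(grants []Grant, p Principal, project, perm string) bool {
	for _, role := range p.Roles[project] {
		for _, g := range grants {
			if g.Role == role && g.Project == project && g.Permission == perm {
				return true
			}
		}
	}
	return false
}

// Access is the combined gate: a valid, unused second factor AND a matching
// scoped grant. Either failing denies the request.
func Access(v *OTPVerifier, code string, at time.Time, grants []Grant, p Principal, project, perm string) bool {
	return v.Verify(code, at) && Authorize(grants, p, project, perm)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test key, never reuse
	grants := []Grant{{"developer", "payments", "deploy"}}
	alice := Principal{User: "alice", Roles: map[string][]string{"payments": {"developer"}}}
	v := &OTPVerifier{secret: secret}
	now := time.Now()
	code := TOTP(secret, now)
	fmt.Println("first use, in scope :", Access(v, code, now, grants, alice, "payments", "deploy"))
	fmt.Println("replayed code       :", Access(v, code, now, grants, alice, "payments", "deploy"))
	fmt.Println("other project       :", Authorize(grants, alice, "hr", "deploy"))
}
```

The replay guard is the part most home-grown OTP checks forget: without it a one-time password is really a thirty-second password, and the skew window makes the exposure ninety seconds.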

3. Embrace encryption
Data encryption is one of your biggest security allies in the cloud, and it should be non-negotiable for file transfers and email. While it may not prevent hacking attempts or data theft, it can protect your business and save an organization from hefty regulatory fines when the dreaded event happens, provided the keys are not sitting next to the data: encryption whose keys the attacker (or the provider) can also reach protects nothing.

Ask your cloud vendor about its data encryption schemes. Find out how it encrypts data at rest, in use and in transit, and who holds the keys. To understand what data should be encrypted, it helps to get a handle on where it resides: in your cloud vendor’s servers, the servers of third-party companies, employee laptops, office PCs or USB drives.
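To show where the encryption boundary can sit when the provider must never see plaintext, here is an added example (not from the article) in Go of client-side envelope encryption: each object is sealed with its own AES-256-GCM data key, that key is wrapped under a key-encryption key the enterprise keeps outside the provider, and the object name is bound as associated data so a ciphertext cannot be swapped between objects. The object name, the payload and the way the KEK is generated in main() are placeholders; in production the KEK would live in an HSM or a key management service, not in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets handed to the cloud provider: the object sealed under
// a per-object data key (DEK), and that DEK sealed under a key-encryption key
// (KEK) that never leaves the enterprise. The provider can decrypt neither.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag, with aad authenticated but not
// encrypted. A fresh random nonce per call is safe for a per-object DEK.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal and fails if a single bit of nonce, ciphertext,
// tag or aad has changed.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt seals one object under a fresh DEK and wraps the DEK under the KEK.
func Encrypt(kek []byte, objectName string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the KEK: losing it loses the data, and a provider holding
// only the envelope cannot read it.
func Decrypt(kek []byte, objectName string, env *Envelope) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrappedKey, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, []byte(objectName))
}

func main() {
	kek := make([]byte, 32) // placeholder; in practice an HSM or KMS holds this
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	env, err := Encrypt(kek, "reports/q4.xlsx", []byte("constructed sample payroll data"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, "reports/q4.xlsx", env)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // bit rot or tampering in storage
	_, err = Decrypt(kek, "reports/q4.xlsx", env)
	fmt.Println("after tampering:", err)
}
```

"Data in use" is the one state this pattern does not cover: the DEK and plaintext exist in the client's memory while the object is being worked on, which is why the question to the vendor about in-use protection is a separate one.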

4. Wrestling with the virtual
Moving into the cloud lets businesses reap the benefits of virtualization, but a virtualized environment can present challenges to data protection. The main issue has to do with managing the security and traffic in the realm of multi-tenancy and virtual machines.

Physical security appliances typically cannot see traffic that never leaves the host: in a virtualized environment much of it flows from one virtual machine to another across a virtual switch. This is where virtual security appliances come in, to inspect traffic as it flows from virtual machine to virtual machine. Such appliances are built to handle the complexities of running multiple instances of applications, or multi-tenancy.

They therefore let businesses exert fine security control over their data in the cloud. Ask your cloud provider how it safeguards its virtual environment and find out what virtual security appliances it is using. If you are building your own private or hybrid cloud, consider getting virtual security products that focus on granular control.

5. Don’t be in the dark about shadow IT
There is no shortage of anecdotes and reports out there that point to how the unauthorised use of applications and cloud services, or shadow IT, is on the rise among businesses. The uncontrolled nature of this poses a security threat and governance challenge.

Your new cloud application will be at risk because of this. Consider the simple scenario in which an employee opens a corporate file on a smartphone. The phone is likely to keep a copy of the file, which may then be sent to an unapproved online storage destination when the phone does its routine automatic backup. Your secure corporate data has just been moved to an insecure location.

Blocking access to shadow IT outright is unlikely to stop its growth in any given organization. It is more effective to educate your users and use technology to manage the issue. Encryption, network monitoring and security management tools can help defend your first cloud app against the risks of shadow IT.
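One form the "network monitoring" above can take, as an added example that is not the article's own: a Go scanner over constructed proxy-log lines that flags sizeable POST/PUT uploads to storage hosts outside a sanctioned list and totals them per user, which catches the phone-backup scenario described earlier as a large upload from one user to an unapproved host. The log format, the hostnames and the sanctioned list are all hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Finding is one sizeable upload to storage the enterprise has not sanctioned.
type Finding struct {
	User  string
	Host  string
	Bytes int64
}

// Sanctioned lists approved storage services (hypothetical names). Matching
// is by exact host or by subdomain, so tenant-specific hosts count too.
var Sanctioned = []string{"corp-files.example.com", "example-tenant.sharepoint.example"}

// uploadThreshold: single requests below this are ignored as noise.
const uploadThreshold = 1 << 20 // 1 MiB

func isSanctioned(host string) bool {
	for _, s := range Sanctioned {
		if host == s || strings.HasSuffix(host, "."+s) {
			return true
		}
	}
	return false
}

// ScanProxyLog reads constructed proxy records, one per line, of the form
//
//	<timestamp> <user> <method> <host> <bytes-out>
//
// and returns every POST/PUT of at least uploadThreshold bytes to a host that
// is not sanctioned. GETs and small requests are skipped.
func ScanProxyLog(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 5 {
			continue // malformed line; a real tool would count these
		}
		user, method, host := f[1], f[2], strings.ToLower(f[3])
		n, err := strconv.ParseInt(f[4], 10, 64)
		if err != nil || (method != "POST" && method != "PUT") {
			continue
		}
		if n >= uploadThreshold && !isSanctioned(host) {
			out = append(out, Finding{User: user, Host: host, Bytes: n})
		}
	}
	return out
}

// BytesByUser totals unsanctioned upload volume per user, the number worth
// triaging: one user moving 50 MB to a phone backup service matters more
// than a hundred 1 MB uploads spread across the company.
func BytesByUser(fs []Finding) map[string]int64 {
	totals := make(map[string]int64)
	for _, f := range fs {
		totals[f.User] += f.Bytes
	}
	return totals
}

// Constructed sample log; hostnames are placeholders, not real services.
const sampleLog = `2015-12-18T09:01:02Z alice GET intranet.example.com 512
2015-12-18T09:03:15Z alice PUT corp-files.example.com 8388608
2015-12-18T09:10:44Z bob PUT backup.phone-cloud.example 52428800
2015-12-18T09:12:09Z bob POST upload.personal-drive.example 3145728
2015-12-18T09:15:00Z carol POST upload.personal-drive.example 4096
`

func main() {
	findings := ScanProxyLog(sampleLog)
	for _, f := range findings {
		fmt.Printf("%-6s %-32s %10d bytes\n", f.User, f.Host, f.Bytes)
	}
	for user, total := range BytesByUser(findings) {
		fmt.Printf("total unsanctioned upload for %s: %d bytes\n", user, total)
	}
}
```

Suffix matching is deliberate: "team.corp-files.example.com" is sanctioned, while "corp-files.example.com.evil.example" is not, which a naive substring check would get wrong.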

03 December 2015

Symantec doubles APAC presence with new SOC in Singapore

Symantec Corp. has announced plans to beef up its Cyber Security Services business globally with an investment of more than US$50 million. A portion of this investment has been used to build a new dedicated Security Operations Center (SOC) in Singapore, inaugurated yesterday, doubling Symantec’s Cyber Security Service expertise in the Asia-Pacific region.


Now more than ever, organizations require a deeper security understanding and strong proactive security measures to gain the upper hand on adversaries. Symantec’s SOCs analyze 30 billion logs worldwide each day to provide enterprise-wide protection to help organizations strengthen their defenses and respond to new threats as they emerge 24 hours a day, 7 days a week, 365 days a year.

With the launch of the SOC in Singapore, businesses will have access to intelligence, accurate threat detection and proactive notification of emerging threats to ensure their most sensitive data is protected. The new SOC will also enable businesses to shorten the time between detection and response, reduce operational costs and proactively counter emerging threats.

“Today, technology alone may not stop advanced threats. Organizations need security experts on hand to interpret and prioritize the critical events that need action. By investing in people and security IQ in Singapore and the Asia-Pacific, Symantec is expanding its visibility into the region, enabling us to bolster customers’ security operations capabilities, and protect their critical information and assets,” said Samir Kapuria, SVP and general manager of Cyber Security Services at Symantec.

“The Asia-Pacific region is incredibly diverse and multi-cultural. This allows us to attract highly educated multi lingual security professionals who bring expertise and experience from many vertical industries and global security organizations and are well-versed in the security landscape,” added Kapuria.

Last year Symantec’s team of cyber professionals protected organizations from more than half a million web attacks per day, according to the 2015 Internet Security Threat Report.

The investment will enable the company to expand its Chennai, India SOC as well as the Tokyo, Japan SOC. The next phase of the company’s SOC expansion will take place in Europe, with more facilities expected to open within the next 12 months. Once complete, Symantec will have eight SOCs worldwide, extending their current team of 500+ certified cybersecurity professionals to address every stage of the cyber-attack lifecycle.

Symantec has also invested significantly in its cyber services-enabling technology, including big data analytics and distributed computing. With an increasing demand to manage customers’ security environments with Security as a Service, Symantec Cyber Security Services offers a strong portfolio, including Managed Security Services, DeepSight Intelligence, Incident Response and Security Simulation training.

This announcement follows a US$20 million investment in existing SOCs across Australia, India and Japan in the past year.