At ESET Laboratories, we are constantly analyzing and studying how cybercriminals propagate their threats all over the world. Day after day, we receive many different kinds of malicious code created for a variety of purposes. Some are aimed at home users, while others are focused on attacking the business world.
Looking back at what we have documented in our Trends papers, we can see the evolution and the changes that companies have had to undergo. Last year we were talking about the corporate world as our central objective, while this year we are putting the rise of the Internet of Things on the table – not just in the home, but also in the workplace.
“From a corporate standpoint, security is a process that requires management and support for key areas of the organization.”
From a corporate standpoint, security is a process that requires management and support for key areas of the organization. The challenge is never ending, and security teams have to cover different fronts through which malicious code can infiltrate a network, counting on the use of proactive detection technology, management and education as part of their defense plan.
If we take into account the fact that organizations have finite resources, and that IT staff are responsible for information security (among other things), it is important to develop a clear and concise incident response plan. At the same time, it would help to identify the most common points of infection as a way of preparing for any situation.
Below we will take a look at the most common threats facing companies, their impact, and some significant recent cases.
#1 Emails that carry threats
Email has an almost central role in companies today, forming a core part of communication with customers, providers, services, etc. It also enables workers to share information within the company. Corporate email accounts are usually one of the main channels for receiving malicious code, and we have already examined cases of the spread of various types of threats that use this form of communication.
One of the most recent email threats is Win32/Bayrob, which spreads in separate waves, masquerading as an Amazon coupon. In less than a month, it became one of the most commonly detected threats in countries such as Argentina, Chile, Colombia, and Mexico, among others.
On top of this, malware received through attached files created huge problems, as seen in the case of CTB-Locker a little over a year ago, in which different waves of attacks in different languages spread a trojan detected by ESET as Win32/TrojanDownloader.Elenoocka.A. This installed ransomware to encrypt the victim’s files, demanding a ransom payment to make the files accessible again.
To protect corporate email accounts, we need not only an endpoint security solution that detects malicious attachments, but we also need to protect the email server, and filter these elements before they arrive in people’s inboxes. One recommendation for security teams is to use management tools to generate reports on which threats employees are receiving over email, thereby adjusting their response to incidents if any issue arises.
#2 External devices which can make files disappear
The use of USB memory sticks and other types of external devices is also a very common vector in the spread of malicious code. This is especially the case in Latin America, where we have witnessed a large number of families of malicious code using this technique, which, over the years, has been more than a headache for everyone.
The main method of this type of infection is the abuse of direct access links (LNK), where, by connecting the USB device to an infected machine, all the files and directories disappear and are replaced by direct access links. If the same USB device is inserted into a new machine, when the user double-clicks on these links, they infect the system (and the folders open so the victim does not realize).
Some malware families over the years have used this technique to spread Win32/Dorkbot, Python/Liberpy.A, JS/Bondat, VBS/Agent.NDH, and even variants of Win32/IRCBot.
It is important that organizations set out usage policies for external digital storage devices, primarily because this can also pave the way for information theft. Depending on the business or the decisions taken by the organization, using a solution which enables the selective blocking of their use is highly recommended.
The exploitation of software vulnerabilities is another way that malicious code is spread, mainly through office applications, browsers, and websites. The challenge regarding flaws in applications or browsers is that if users fail to update a vulnerable application, or where no patch yet exists, companies can remain exposed to threats.
A few days ago, we shared a study on vulnerabilities reported in Microsoft operating systems. This is the most commonly used OS in the world – especially in the corporate world. This report tells us that Internet Explorer was one of the applications with the most incidents. The risk of an exploit is mainly associated with the installation of malicious code. This is remotely executed code which, in layman’s terms, enables an attacker to remotely control a system.
Exploits do not only affect the endpoint. Web servers and other devices directly connected to the internet can be subject to these kinds of flaws. To combat this type of threat, we firstly need proactive security solutions with functionalities such as the ESET Exploit Blocker. These help to prevent the execution of exploits, and protect users from such famous examples of these threats as 0-day exploits. As for other services such as web servers, databases, and various devices on which security solutions are not often installed, regularly running pentesting services helps prevent all kinds of incidents.
Ransomware is one of the most frustrating threats to face large, medium, and small companies across the globe. An infection with this type of malicious code can leave a lot of an organization’s vulnerable points exposed. Whether companies perform the configuration of antivirus solutions or undergo frequent security reviews, an attack of this kind means the very continuation of the company’s business is under threat, depending on what information is hijacked.
Any company seeking to implement a proactive security policy will try to avoid any kind of infection, but when such things occur, damage recovery tools are of vital importance. Before any ransomware infection occurs in a company, the time needed to obtain a backup of the information and get the business up and running again is key for minimizing the impact.
#5 Unprotected mobile devices
Another factor of renewed concern to companies are their mobile devices. Last year, we noted in an ESET security report that just one in every 10 companies in Latin America had security solutions for their mobile devices. If we take into account that these devices, in many cases, connect to the same network as the company’s computers – and are not protected – they can be a vector for attack, opening the doors to information leaks.
Protecting mobile devices not only protects against infection by malicious code, but also helps to continue to protect the internal network when these devices are connected to it. In relation to this point, mobile devices can be managed from a single management console for the endpoints.
It is possible for companies to have effective policies for mobile devices and therefore have clear rules governing the use of smartphones and other devices.
What can we do?
The challenge for company security teams is to protect the organization, ensuring that no equipment in their network is infected and, in the event that any infection does arise, that they can respond as quickly as possible to minimize the impact on business. It is a difficult challenge, but not impossible if we take the decision to confront it proactively.
To do this, a good starting point would be to know which threats to an organization will do them the most harm. This may take some time to achieve, but understanding what detections are made by the security solutions on a day-by-day basis will help bolster a support plan to run alongside a company’s security policies. Taken together, all this will help to keep businesses – and above all their information – safe.
by Pablo Ramos, ESET Latin America