The ransomware outbreak threat may be subsiding somewhat, but IT managers continue to shore up their defenses. Backup and disaster recovery is a key area of emphasis.
For much of 2017, the WannaCry and NotPetya ransomware outbreaks dominated cybercrime headlines. A new report from antimalware vendor Malwarebytes said ransomware detections last year increased 90% among businesses. But by the end of 2017, the “development of new ransomware families grew stale,” as cybercriminals shifted their focus to other forms of malware, such as banker Trojans that steal financial information, according to the report, “Cybercrime Tactics and Techniques: 2017 State of Malware.”
That said, organizations are looking to bolster their ransomware outbreak protections. Front-end measures often include antivirus software, firewalls and content scanners that can intercept email attachments that appear questionable.
IT departments, however, are also looking to strengthen back-end protections that can help them recover from ransomware attacks that lock up data via encryption. Here, the emphasis is on disaster recovery strategies that let a business restore its data from a backup copy. But even here, there are risks: IT managers must ensure the backups they make are actually usable and consider how long a data restore will take in the event of an emergency.
Another level of security
The city of Milpitas, Calif., already has a number of security measures in place to defend itself from a ransomware outbreak. On the front end, the municipal government employs email filtering, spam filtering and email attachment scanning. On the back end, the city uses BackupAssist, a Windows server backup and recovery software offering for SMBs. A remote disaster recovery site provides an additional line of defense.
The city earlier this month said it layered on another element to its backup and recovery defense. Mike Luu, information services director for the city of Milpitas, said the city activated CryptoSafeGuard, a BackupAssist feature the vendor recently added to its product.
CryptoSafeGuard, according to the company, prevents infected files from being backed up and also prevents backups from becoming encrypted. Some ransomware attacks have succeeded in encrypting both an organization’s production and backup data.
“It’s just another method of trying to protect against [Ransomware],” Luu said of CryptoSafeGuard.
Luu said switching on CryptoSafeGuard was a simple matter of ticking a box on BackupAssist’s user interface. “It came along for the ride at no additional cost,” he added.
BackupAssist offers CryptoSafeGuard as part of the vendor’s BackupCare subscription package. Troy Vertigan, digital sales and marketing manager at BackupAssist, said 30% of the vendor’s customers running the latest versions of BackupAssist have activated CryptoSafeGuard since it became available in September 2017.
When backups fail
Backup plans can fall through when ransomware hits. TenCate, a maker of composite materials and armor based in the Netherlands, found that out a few years ago during the CryptoLocker ransomware outbreak. Malware entered the company’s U.S. operations through a manufacturing facility and made its way to the file server, recalled Jayme Williams, senior systems engineer at TenCate. Data ended up encrypted from the shop floor to the front office.
When TenCate attempted a data restore from Linear Tape-Open standard tape backups, the backup software the company used wasn’t able to catalog the LTO tapes — a necessary step for recovering files. Williams said some data had been copied off to disk media, but that backup tier was also unreadable. He contacted a data recovery service, which was able to extract the data from the disks.
The company’s disk-based backups weren’t frequent, so some of the data had become stale. The recovered data, however, provided a framework for rebuilding what was lost. It took two weeks to make data accessible again; even then, it wasn’t an ideal data restore because of the age of the recovered data.
One of the key lessons learned from the CryptoLocker experience was that TenCate’s security was lacking for the ransomware infection to penetrate as far as it did, Williams noted. In response, company managers have signed off on tighter security.
The other lesson: Backup and disaster recovery are different things.
“Backup is not resilience,” Williams said.
That realization put TenCate on the path toward new approaches. Initially, the company, which is a VMware shop, considered the virtualization vendor’s Site Recovery Manager. But the company’s IT services partner recommended a cloud-based backup and disaster recovery offering from Zerto. The vendor replicates data from an organization’s on-site data stores to the cloud.
One factor in favor of Zerto was simplicity. Zerto helped TenCate set up a proof of concept (POC) in about 30 minutes to demonstrate replication and failover. When Williams received permission to purchase the replication service, TenCate was able to take the POC into production without reinstallation.
When a second ransomware outbreak struck TenCate, the updated security and disaster recovery system thwarted the attack. The company’s virtual machines (VMs) were shielded within Zerto’s Virtual Protection Groups and journaling technique, which Williams described as “the TiVo of the VM.” The Zerto journal lets administrators roll back a VM to a point in time before the ransomware virus hit — a matter of seconds, according to Williams.
Time is a critical consideration in devising a ransomware mitigation strategy, noted Michael Suby, Stratecast vice president of research at Frost & Sullivan.
A too lengthy data restore process leaves organizations vulnerable to ransomware demands, he said. A besieged organization may capitulate and pay the fee if a drawn out recovery time would result in a greater loss of revenue or threaten lives, as in the case of an attack against a hospital.
“Companies can still be exploited if the time to revert to those backup files is excessive,” Suby explained. “It’s not just having backup files. We have to have them readily accessible.”
The recently discovered security threat in CPUs from nearly a dozen manufacturers poses a low risk to corporate networking gear, so operators have time to test vendors’ patches thoroughly.
That’s the take of security experts contacted by SearchNetworking following the discovery last week of the Spectre and Meltdown vulnerabilities that affect Intel, AMD and ARM chips. In response, Cisco and Juniper Networks have released patches rated medium and low risk, respectively, for a variety of products.
The low risk of Spectre and Meltdown to switches and routers means network managers have the time to thoroughly test the patches to minimize their impact on hardware performance, experts said.
“If you’re getting a firmware update, you need to patch,” said Rob Westervelt, analyst at IDC. “[But] the issue is whether you just deploy the patch or test it thoroughly and make sure you don’t break any applications or anything else.”
Roughly 20 CSOs and IT security professionals interviewed by IDC were taking a methodical approach to applying Spectre and Meltdown fixes across all systems.
“While it is top of mind, it’s not something that they’re immediately jumping on to patch,” Westervelt said. “They are using established best practices and testing those patches first.”
Network performance at risk
Westervelt warned there is the possibility network performance will suffer. “In some cases, it could be very costly.”
Indeed, Microsoft reported in a blog post patches for the PC and server versions of Windows would range from minor to significant, depending on the age of the operating system and the CPU. “I think we can expect a similar variety of performance impacts across other [vendors’] products,” said Jake Miller, a senior security analyst at IT consulting firm Bishop Fox, based in Tempe, Ariz.
Security pros expect hackers sophisticated enough to exploit the hard-to-reach vulnerabilities to target mostly servers in large data centers that host cloud computing environments. Because of the level of expertise needed to take advantage of the flaws, hackers working for nation states are the most likely attackers, experts said.
Exploiting the CPU holes would involve crafting code that takes advantage of how some processors speculatively execute the instructions they predict will be needed next. In preparing for those predicted operations, processors load valuable data and instructions into memory, and that is where hackers can steal them.
“The threat is significant, but currently is limited to highly sophisticated attackers and hacking groups with the means to carry out multi-staged targeted attacks,” IDC said in a research note. “Financially motivated cybercriminals are more likely to continue to use more accessible, time-tested methods to retrieve passwords and sensitive data.”
Nevertheless, even a low risk to networking gear is worth the time needed for fixing. “It’s better to be safe than sorry,” said Jonathan Valamehr, COO and co-founder of cybersecurity company Tortuga Logic Inc.
From the constant threat of ransomware attacks to looking ahead to the European Union’s General Data Protection Regulation, backup vendors had a lot to tackle in 2017. And there was even a lot of movement among vendors themselves, with several big names making acquisitions to gain footholds in important markets.
Here we run down the year’s top data protection trends and news.
Ransomware protection gains strength
The ransomware epidemic is not slowing down. While ransomware has been out there for some time now, it made international headlines in May when the WannaCry strain simultaneously hit 300,000 machines in 150 countries. Other strains have made big news and caused problems for organizations of all sizes this year. Statistics vary, but many organizations say ransomware attacks are on the rise.
While WannaCry didn’t end up pulling in as much ransom as the attackers likely anticipated, that attack and others had organizations scrambling and making data protection a top focus. Often, backup and recovery is the only way out after ransomware hits. And that focus was evident with backup vendors as well, as data protection trends in this area included adding ransomware-specific features.
- Acronis built a new version of its Active Protection technology — integrated into Acronis True Image backup software — that uses machine learning to help prevent ransomware viruses from corrupting data. It attempts to detect suspicious application behavior before file corruption. Active Protection is available in Acronis Backup software.
- BackupAssist launched CryptoSafeGuard, part of its data protection software for SMBs, which works with existing antimalware software. It scans and detects suspicious activity in source files that can be related to ransomware, then sends alerts and blocks backup jobs from running.
- Druva built ransomware monitoring and detection tools into its InSync endpoint data protection software. The software flags unusual activity occurring to data and helps identify the last good snapshot to recover the entire data set or individual files.
- Unitrends Recovery Series physical appliances and Unitrends Backup virtual appliances use predictive analytics to determine the probability that ransomware exists in an environment. The vendor alerts customers when it detects the virus, so they can immediately restore from the last legitimate recovery point.
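The pre-backup check described for CryptoSafeGuard above, written out as an added illustration (this is not BackupAssist's code): before a backup job runs, the source tree is scanned for signs of ransomware encryption, and the job is blocked and an alert raised if enough files look encrypted. The suspect extensions, ransom-note names and thresholds are constructed assumptions for the demonstration.

```python
"""Pre-backup ransomware heuristic (illustration, not BackupAssist's code):
scan the backup source for encrypted-looking files and block the job if found."""
import math
import os
import tempfile
from collections import Counter

# Constructed indicators for illustration only; a product would ship a curated list.
SUSPECT_EXTENSIONS = {".encrypted", ".locked", ".crypt", ".wncry"}
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover.txt"}
ENTROPY_THRESHOLD = 7.5      # bits per byte; ciphertext sits close to 8.0
BLOCK_RATIO = 0.2            # block the job if more than 20% of files look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text is roughly 4-5, compressed or encrypted data 7.9+."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str) -> bool:
    """Flag a file by ransom-note name, suspect extension, or high-entropy content."""
    name = os.path.basename(path).lower()
    if name in RANSOM_NOTE_NAMES or os.path.splitext(name)[1] in SUSPECT_EXTENSIONS:
        return True
    with open(path, "rb") as fh:
        head = fh.read(4096)      # sample only the first 4 KiB to keep the scan cheap
    return len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD


def scan_source(root: str) -> dict:
    """Walk the backup source and return counts, offending paths and the verdict."""
    total, flagged = 0, []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            total += 1
            if looks_encrypted(p):
                flagged.append(p)
    ratio = len(flagged) / total if total else 0.0
    return {"total": total, "flagged": flagged, "ratio": ratio,
            "block_backup": ratio > BLOCK_RATIO}


def run_backup_job(root: str) -> str:
    """Gate the job: refuse to overwrite good backups when the source looks hit."""
    result = scan_source(root)
    if result["block_backup"]:
        # A real product would send the admin alert here and leave old backups intact.
        return f"BLOCKED: {len(result['flagged'])}/{result['total']} files suspicious"
    return f"OK: backed up {result['total']} files"


def build_sample_tree(infected: bool) -> str:
    """Constructed sample source directory: five clean reports, optionally plus
    five encrypted-looking copies and a ransom note (random bytes stand in for ciphertext)."""
    root = tempfile.mkdtemp()
    for i in range(5):
        with open(os.path.join(root, f"report{i}.txt"), "w") as fh:
            fh.write("Quarterly figures for the shop floor.\n" * 20)
    if infected:
        for i in range(5):
            with open(os.path.join(root, f"report{i}.txt.locked"), "wb") as fh:
                fh.write(os.urandom(2048))
        with open(os.path.join(root, "README_DECRYPT.txt"), "w") as fh:
            fh.write("Your files are encrypted.")
    return root


if __name__ == "__main__":
    print(run_backup_job(build_sample_tree(infected=False)))
    print(run_backup_job(build_sample_tree(infected=True)))
```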
Mergers and acquisitions aplenty
The data protection 2017 market saw a large amount of merger and acquisition activity, particularly in the second half of the year. Cloud backup provider Carbonite was especially busy.
Here are several major moves from the past year:
- Security and data protection vendor Barracuda is going private, following its purchase in November by equity firm Thoma Bravo for $1.6 billion.
- Vista Equity Partners in October acquired data protection vendor Datto and will merge it with IT management provider Autotask, in a play to bring several technologies under one roof for SMBs, including backup and disaster recovery, professional services automation and networking continuity. Earlier in the year, Datto bought cloud-based networking provider Open Mesh.
- Carbonite purchased Datacastle’s endpoint backup in August, which gives the growing cloud backup vendor better scalability and a bigger play in the SMB market. That same month, Code42 announced it is shutting down its consumer cloud backup product in 2018 to focus on other sectors and referring consumers to Carbonite. Earlier in the year, Carbonite bought Double-Take Software to improve its high-availability technology.
- Peak 10 closed on a $1.675 billion acquisition of ViaWest in August, which will lead to a data protection suite of services between the cloud services providers that includes storage, backup and replication.
- Axcient, which provides cloud-based disaster recovery and data protection, and EFolder, which offers cloud business continuity, cloud file sync and cloud-to-cloud backup, announced in July that they are merging.
- Data protection vendor Arcserve in July acquired Zetta and its cloud backup and disaster recovery, following its purchase earlier in the year of FastArchiver for on-premises or public cloud emails.
The convergence and hyper-convergence of data protection
As vendors like Cohesity and Rubrik continue to lead the converged secondary storage market, backup going hyper-converged is one of the top data protection trends of 2017. Several vendors this year launched backup for hyper-converged products, with at least one data protection product focused solely on the Nutanix Acropolis Hypervisor (AHV).
The Unitrends Recovery Series backup appliances and Unitrends Backup virtual appliances feature integration for AHV. The vendor also protects all hypervisors that run on Nutanix and supports VMware, Hyper-V and Citrix XenServer hypervisors. Veeam, Commvault and Rubrik are among the other data protection vendors that recently launched or will launch backup for AHV.
Comtrade Software in June launched its HYCU dedicated to AHV backup. The vendor later in the year updated its product with increased support for Nutanix storage and backup management features.
Commvault went to a place it didn’t originally plan on going: the hardware market. The vendor launched its first scale-out integrated hardware appliance for data protection as it attempts to compete with Rubrik and Cohesity, as well as traditional backup vendors. The HyperScale platform is part of Commvault’s product strategy to build out its data services with software-defined storage and convergence. Converged secondary storage — one of the data protection trends that continues to grow — handles such nonprimary tasks as backup, archiving, test and development, and disaster recovery.
Ready or not, here comes GDPR
Companies are scrambling to ensure compliance with the European Union’s General Data Protection Regulation, which goes into effect in May and covers data produced by EU citizens and data stored within the union. It consists of 99 articles, including a rule that gives individuals the right to force organizations to delete all personal data.
But the rule requiring companies to notify customers of a data breach within 72 hours struck a chord this year via the Equifax breach. The company discovered it in July and reported it publicly in September. Companies not in compliance with GDPR face millions of dollars in fines.
Surveys routinely show that companies are not adequately prepared for GDPR. Some vendors, though, are trying to help aid compliance. For example, Veritas’ Integrated Classification Engine uses machine learning to identify sensitive and personal data.
Data protection trends take on storage growth
Tape storage got a capacity bump with the release of LTO-8. The latest version, launched two years after LTO-7 hit the market, features 32 TB of compressed capacity per tape, sustained data transfer rates of up to 1,180 MBps for compressed data, uncompressed capacity of 12.8 TB and an uncompressed transfer rate of 472 MBps. Tape is seen as a safe, offline backup in the face of cyberattacks such as ransomware. Plus, the massive capacity can help with long-term retention of huge data sets that continue to grow.
“No business measures data storage in terabytes anymore,” analyst Jon Toigo wrote in a November SearchDataBackup article. “… So LTO-8, with its 32 TB capacity, seems to be just what the doctor ordered for companies most likely to make big use of tape technology: cloudies and data-intensive verticals, such as healthcare, surveillance, research labs, and oil and gas. These firms are putting tape back to use in an old, secondary storage role.”
What’s old has become new again.
Researchers claim a threat group they call Dragonfly 2.0 has been performing social attacks in order to infiltrate systems connected to critical energy infrastructure.
Symantec has been tracking a group they named Dragonfly since 2011, but Symantec claims the group started a new campaign in 2015 using new tactics and attack methods against organizations related to the energy industry, leading to the new designation of Dragonfly 2.0.
“The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations,” Symantec wrote in its analysis. “The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.”
Moreno Carullo, co-founder and CTO of Nozomi Networks, an ICS security company based in San Francisco, said that originally the group targeted pharmaceutical firms, while “Dragonfly 2.0 appears to have been weaponized to specifically target industrial control systems (ICS) field devices, and then feeds that information back to the command and control server which will be monitored by the attackers.”
“Rather than installing immediately on infection this latest iteration of Dragonfly bides its time, waiting eleven days before automatically installing a backdoor,” Carullo told SearchSecurity. “Using this new entrance, the attacker can then install or download applications to infected computers, particularly targeting Windows XP with known vulnerabilities, and even circumventing permission restrictions on user accounts.”
Symantec said it had observed Dragonfly 2.0 sending malicious emails and using watering hole attacks to gather network credentials, then using those stolen credentials in follow-up attacks against targeted organizations involved in the energy sector.
“In 2014, Symantec observed the Dragonfly group compromise legitimate software in order to deliver malware to victims, a practice also employed in the earlier 2011 campaigns. In the 2016 and 2017 campaigns the group is using the evasion framework Shellter in order to develop trojanized applications. In particular, Backdoor.Dorshel was delivered as a trojanized version of standard Windows applications,” Symantec explained in a blog post. “Symantec also has evidence to suggest that files masquerading as Flash updates may be used to install malicious backdoors onto target networks — perhaps by using social engineering to convince a victim they needed to download an update for their Flash player.”
Symantec said it’s clear “that Dragonfly is a highly experienced threat actor,” but said there wasn’t enough evidence to know if it is a nation-state group or even from where the group originates.
Dragonfly 2.0 succeeding with old exploit methods
Leigh-Anne Galloway, cyber security resilience officer at Positive Technologies, an enterprise security company based in Framingham, Mass., said it was interesting that the group was making so much headway by using “relatively unsophisticated methods.”
“Usually with [supervisory control and data acquisition (SCADA)], the tactic of choice is to exploit zero-day vulnerabilities. In this case though, they’ve chosen to go for the older, but most effective methods of phishing and watering holes to get in,” Galloway told SearchSecurity. “As old as these techniques might be, this blunt instrument is proved as effective as ever, relying on the age-old ally of cyber criminals: human fallibility. These hackers have bet that, in spite of the critical importance of the systems, the people using them don’t have the security wherewithal to think before clicking on a link or opening an attachment. And in this case, they were right. In SCADA networks, the implications are life threatening, to personnel and the general public, and attackers could cause a short circuit disrupting safety mechanisms, or cause a complete outage.”
Ken Spinner, vice president of field engineering at Varonis, agreed that it was “significant and startling that the attacks being attributed to Dragonfly 2.0 began with spearphishing emails.”
“The notion that there may be nation-state or rogue actors who have been resident in the networks of nuclear facilities, electrical grids, and dams isn’t far-fetched. Many of these infrastructure providers are relying on outdated security systems with limited detection capabilities,” Spinner told SearchSecurity. “We’ve seen malware impact energy systems dating as far back as 2003, when the Microsoft SQL Server Worm, Slammer, infected an Ohio-based nuclear power plant network in 2003, causing a temporary outage. The key difference today is that attackers are equipped with far more sophisticated malware that is designed specifically to infiltrate and damage things like electricity substation switches and circuit breakers.”
The dangers of persistent ICS attacks
Omer Schneider, CEO and co-founder of CyberX, an ICS security company based in Framingham, Mass., said no one should be surprised by these findings.
“As early as 2014, the ICS-CERT warned that adversaries had penetrated our control networks to perform cyberespionage. Over time the adversaries have gotten even more sophisticated and now they’ve stolen credentials that give them direct access to control systems in our energy sector,” Schneider told SearchSecurity. “If I were a foreign power, this would be a great way to threaten the U.S. while I invade other countries or engage in other aggressive actions against U.S. allies.”
Spinner said it is especially dangerous when an advanced persistent threat group (APT) like Dragonfly 2.0 sets up shop on a network.
“APTs will try to remain undetected as long as possible to do the most damage. Attackers will often establish numerous footholds within a network and attempt to remain undetected while mapping systems and locating key documents, emails, and user accounts,” Spinner said. “One of the most effective defenses against large scale cyberattacks on critical infrastructure is to establish separate, air-gapped networks that provide a physical line of defense. Separating core power systems from each other and the greater Internet can help mitigate attacks.”
Microsoft stepped up its security game when it introduced Office 365 Advanced Threat Protection in 2015. The product brings more to the table than Exchange Online Protection, which provides antimalware protection. With more complex security threats appearing daily, customers need more protection.
Office 365 ATP is an optional email filtering service that blocks advanced threats, such as malicious URLs and new malware. Take this quiz to test your knowledge of the latest Microsoft Office 365 ATP features.