12 Takeaways from Botconf 2019, Bordeaux, France
1) Social engineering is still being used to bypass even sophisticated two-factor authentication (2FA) systems. Many end-users still believe that 2FA is some form of bulletproof authentication – it’s not. If only they knew how easily it can be spoofed…
2) The Pony password stealer is still alive and trotting, being used as an essential component in many exploit kits targeting Windows users.
3) The Azorult info stealer malware is also proving a hit with cyber-criminals. It generates a unique ID using the victim’s hardware or computer name. Once installed it can steal passwords saved in Chrome, Outlook and Thunderbird. It is even capable of taking screenshots and stealing browsing and Skype history.
4) Attackers are using tools like “Don’t Kill my Cat” to obfuscate malicious code within a seemingly harmless bitmap file. Users need to be made aware that a bitmap file purporting to be a company logo (or fluffy kitten), whether attached to an email or posted on a website, can actually contain a malicious executable. Not so cute after all…
5) Supply chain attacks on trusted software and hardware vendors continue to be used. So far, victims have included TeamViewer, Piriform (CCleaner) and Asus. Gaming platforms are also a favourite target for this attack vector. Another reason not to lend your kids your work laptop.
6) Malware developers continue to use clever techniques to outsmart signature-based detection controls. RC5-CBC encryption is being used to thwart detection. Moreover, the victim’s hard disk Volume ID is used to derive a unique hash. Just another reason why perimeter or endpoint security software cannot be completely trusted to detect threats.
7) And talking about detection, one malware researcher discovered that Emotet malware is capable of changing its file signature every 10 minutes while connecting to multiple C2 IP addresses. This sort of stealthy polymorphism makes Emotet and its variants very difficult to detect.
8) Users trying to bypass security controls are still an issue. One speaker told delegates about the case of a rather unfortunate organisation which granted users only “standard” PC privileges to help thwart malware infections. However, one user circumvented this control by downloading and running a tool called “Makemeadmin”. A couple of weeks later, the same user was infected with a vicious ransomware attack which spread across the whole organisation. Users need to be educated on the potentially serious ramifications of disabling or bypassing security controls.
9) Some NAS devices have backdoors built into them which are capable of exfiltrating your data. With one brand of NAS, researchers found over 50 vulnerabilities. One of these was the ability of the NAS to surreptitiously connect to a C2 server using its own hidden VPN. Be very careful about which NAS brand you use for work or play, or you could end up with a device that leaks more data than Mossack Fonseca… And always remember that, just like a computer, a NAS can be wiped out by ransomware.
10) The trend of real Android apps being “repackaged” with bespoke malware SDKs continues. Users need to be made aware of this risk. Seemingly benign screensaver or gaming apps can be laden with data-exfiltrating malware.
11) Compromising an email account using phishing or spear-phishing is still the easiest route for many cyber-criminals. Using a “trusted”, albeit hijacked, email account means controls like domain blacklisting, SPF, DKIM, DMARC and content filtering can all be bypassed with ease. The human is still the weakest link.
12) Web-scraping of email addresses is still a practice prevalent amongst cyber-criminals. In just a few minutes they can collect 25,000 email addresses of potential victims. Don’t have your email address (or those of your employees) posted in a web-scrapable format on the World Wide Web.