McAfee Labs, a branch of Intel Security, recently released its McAfee Labs Threats Report: May 2015, analyzing the most common computer security problems in the first quarter of 2015. The report warns that organizations and individuals need to be wary of ransomware and Adobe Flash malware, both of which saw a massive increase this quarter.
McAfee Labs addressed in-depth the topic of ransomware, a type of malware that holds a computer hostage until a ransom is paid, after seeing a 165 percent increase this quarter. The report indicated this increase is largely due to the new, hard-to-detect CTB-Locker ransomware family and its underground “affiliate” program that offers accomplices a percentage of ransom payments in exchange for flooding cyberspace with phishing messages.
According to statements monitored by McAfee Labs in underground forums discussing the success of ransomware campaigns, these campaigns mainly target victims in relatively rich countries, because users in those countries are the most willing to pay the ransoms.
CTB-Locker, which began to appear in December 2014, is distributed by Internet relay chat, peer-to-peer networks, newsgroup postings, email spam and more. It has been extensively localized to minimize suspicion from email recipients and is able to circumvent security products because the downloader is hidden in a .zip file that contains another .zip file and eventually unpacks to a screensaver file.
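The nested-archive packaging described above (a .zip inside a .zip that finally yields a screensaver file) is something a mail gateway or sandbox can check for without executing anything. The following is an added example written for this page, not code from McAfee Labs or from the report: it walks a zip attachment recursively, records nested archives, and flags members whose extension is executable-like. The extension list, the depth and size caps, and the sample attachment it builds are assumptions constructed for the example; the "payload" inside the sample is placeholder text, not a real dropper.

```python
import io
import zipfile

# Extensions a defender would not expect inside a document-style attachment.
# This list is an assumption for the example; tune it to your environment.
SUSPICIOUS_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".cpl", ".js", ".vbs"}
MAX_DEPTH = 4               # stop descending so a zip bomb cannot recurse forever
MAX_MEMBER_BYTES = 5_000_000  # do not read huge nested members into memory


def inspect_zip(data, depth=0, path=""):
    """Walk a zip archive (given as bytes) recursively and return findings.

    Each finding is a tuple (kind, logical_path) where kind is one of
    'nested_archive', 'suspicious_member' or 'depth_limit'.
    Non-zip input yields an empty list rather than an exception.
    """
    findings = []
    if depth > MAX_DEPTH:
        findings.append(("depth_limit", path))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            name = info.filename
            logical = f"{path}/{name}" if path else name
            lower = name.lower()
            if lower.endswith(".zip"):
                # Record the nesting itself, then look inside the inner archive.
                findings.append(("nested_archive", logical))
                if info.file_size <= MAX_MEMBER_BYTES:
                    findings.extend(inspect_zip(zf.read(info), depth + 1, logical))
            elif any(lower.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS):
                findings.append(("suspicious_member", logical))
    return findings


def verdict(findings):
    """Return 'block' if any executable-like member was found, else 'allow'."""
    return "block" if any(k == "suspicious_member" for k, _ in findings) else "allow"


def build_sample_nested_attachment():
    """Constructed sample: a .zip holding another .zip that holds a .scr.

    The .scr member contains harmless placeholder bytes, not executable code.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_details.scr", b"placeholder bytes, not a real payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_attachment():
    """Constructed sample: a flat .zip with only a text document inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.txt", b"Thank you for your order.")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in (build_sample_nested_attachment(), build_benign_attachment()):
        found = inspect_zip(sample)
        for kind, where in found:
            print(f"{kind:18} {where}")
        print("verdict:", verdict(found))
```

The check is deliberately extension-based and content-agnostic: it does not need signatures for the downloader itself, which is the point when a family is localized and repacked frequently. A production filter would pair this with content-type sniffing of each member, since an attacker can rename files, and would apply the same walk to other container formats.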
The success of CTB-Locker can be largely attributed to its use of “believable” phishing emails. Last year, McAfee Labs reported 2014 saw a significant uptick in both the total volume and sophistication of phishing attacks. The August 2014 McAfee Labs Threats Report, which contained the results of the McAfee Phishing Quiz, revealed that of the 16,000 business users tested, 80 percent failed to detect at least one of seven phishing emails.
McAfee Labs also saw a new ransomware family called Teslacrypt surface in the first quarter, as well as the emergence of new versions of CryptoWall, TorrentLocker and BandarChor.
Homeland Security Today previously reported that McAfee Labs, in its November 2014 Threats Report, predicted a surge in ransomware in 2015, stating that ransomware variants that manage to evade security software installed on a system would specifically target endpoints that subscribe to cloud-based storage solutions.
In the future, McAfee Labs said, “new variants and new families will appear, along with new techniques and functionality.” To protect against ransomware, the report provided a number of recommendations, including backing up data, performing ongoing user-awareness training, blocking unwanted or unneeded programs and traffic, keeping system patches up to date, employing anti-spam and protecting endpoints.
In addition to the increase in ransomware, McAfee Labs saw exponential growth in malware connected to Adobe Flash, which increased by 317 percent this quarter. McAfee Labs attributed this to a number of different factors, including the growing popularity of Adobe Flash, delays in downloading software patches, new methods to exploit product vulnerabilities, a steep increase in the number of mobile devices that can play Adobe Flash files and the difficulty of detecting some Adobe Flash exploits.
Forty-two new Adobe Flash vulnerabilities were submitted to the National Vulnerability Database this quarter, an increase of 50 percent from the 28 Flash vulnerabilities found in the fourth quarter of 2014. It is the highest-ever number of Flash vulnerabilities reported in a quarter.
“With the popularity of a product like Flash, there comes a tremendous responsibility to proactively identify and mitigate security issues potentially threatening millions of users,” said Vincent Weafer, senior vice president, McAfee Labs, in a statement.
To protect systems against Flash-based attacks, McAfee Labs recommends installing Flash patches as soon as they are available, enabling automatic operating system updates, configuring antivirus software to automatically scan all email attachments, and never opening unsolicited emails.
The report also addressed the sophisticated attack campaign known as the Equation Group. News of the Equation Group, so named because of its affinity for complicated encryption schemes, began spreading in February 2015. The report stated that the group’s malware is among the most sophisticated ever seen.
Part of what makes these viruses so difficult to eradicate is their use of hard disk drive and solid state drive firmware reprogramming. Through these strategies, malware can remain on the computer even if the hard drive is wiped or the computer is completely reformatted. Further, the reprogrammed firmware and associated malware are undetectable by security software.
“We have closely monitored both academic proofs of concept and in-the-wild cases of malware with firmware or BIOS [basic input/output system] manipulation capabilities, and these Equation Group firmware attacks rank as some of the most sophisticated threats of their kind,” Weafer said.
Although it remains unclear who is behind the Equation Group and what other attacks they have supported, the group has been linked to Flame, Duqu, Stuxnet and Gauss. McAfee’s analysis shows similarities in the writing style and use of specific structures and methodologies in the code and infection patterns of these attacks.
The May 2015 report also identified a number of other developments in the first quarter of 2015:
- PC Malware Growth. The first quarter saw a slight decline in new PC malware, a development primarily due to the activity of one adware family, SoftPulse, which spiked in Q4 2014 and returned to normal levels in Q1 2015. The McAfee Labs malware “zoo” grew 13 percent during that time, and now contains 400 million samples.
- Mobile Malware. The number of new mobile malware samples jumped by 49 percent from Q4 2014 to Q1 2015.
- SSL Attacks. SSL-related attacks continued in Q1 2015, although they tapered off in number relative to Q4 2014. This reduction is likely the result of SSL library updates that have eliminated many of the vulnerabilities exploited in prior quarters. Shellshock attacks are still quite prevalent since their emergence late last year.
- Spam Botnets. The Dyre, Dridex and Darkmailer3.Slenfbot botnets overtook Festi and Darkmailer2 as the top spam networks, pushing pharmaceuticals, stolen credit cards and “shady” social-media marketing tools.
“This research nicely illustrates how the tech industry works together constructively to gain an advantage in the realm of cybersecurity – industry partners sharing threat intelligence, and technology providers acting on information quickly to help prevent potential issues,” Weafer stated.