Trend Micro, the leader in cloud security, announced the findings of a new global study indicating that while organizations across the globe are struggling to define and secure an expanding cyber-attack surface, in Canada, 81% of organizations have at least somewhat defined it.
The study revealed that 88% of respondents in Canada believe their organization has a well-defined way to assess the risk exposure of its digital attack surface, and more than half (53%) would describe their organization’s digital attack surface as being “complex but controlled.”
Despite the above, over two-thirds (69%) of Canadian respondents are concerned about having a broadening attack surface, and only 42% plan to invest in security tools and technologies to combat it this year.
Visibility challenges appear to be the main reason organizations struggle to manage and understand cyber risk in these environments.
The research shows that almost two-thirds (60%) of Canadian respondents said they have blind spots that hamper security, with cloud environments cited as the most opaque (41%). On average, respondents estimated having just 57% visibility of their attack surface.
These challenges are multiplied in global organizations. Two-fifths (40%) of respondents in Canada claimed that being an international enterprise that spans multiple jurisdictions makes managing the attack surface harder.
Yet more than a quarter (27%) are still mapping their systems manually, and 20% outsource this task, which can create further silos and visibility gaps.
The study also revealed that over one-third (36%) of Canadian organizations don’t believe their method of assessing risk exposure is sophisticated enough. This is borne out in other findings:
58% of organizations currently have a moderate risk exposure
Nearly half (48%) of respondents consider misconfigurations of cloud services and cloud assets the biggest risk exposure when it comes to their organization’s attack surface
8-in-10 (84%) of organizations review/update their risk exposure in relation to their digital attack surface at least once a month
Just 18% review risk exposure on a daily basis
One-third (34%) of organizations feel fully exposed to the cyber risk of phishing
44% of respondents consider phishing or email attacks as the primary way of a cyber-attack starting against their organization
Bad news for those who run VMware, as if they needed any more bad news that’s VMware-related. Researchers at Trend Micro have discovered Linux-based malware that targets VMware ESXi servers:
We recently observed multiple Linux-based ransomware detections that malicious actors launched to target VMware ESXi servers, a bare-metal hypervisor for creating and running several virtual machines (VMs) that share the same hard drive storage. We encountered Cheerscrypt, a new ransomware family, that has been targeting a customer’s ESXi server used to manage VMware files.
Here’s why this is dangerous. It makes the job of ransomware attackers far easier because they can encrypt the VMware ESXi server and then encrypt every guest VM it contains. In effect it’s one-shot pwnage for a threat actor. And that can be catastrophic for an enterprise. There are really no specific mitigation strategies that are offered up by Trend Micro, but I have one. Have multiple backups and snapshots and store them offline so that they can’t get pwned. Also do regular test recoveries because backups mean nothing if you can’t use them to recover from something like this.
Pwn2Own was held over the last three days in Vancouver, and Trend Micro, who put on the contest, handed out $1,115,000 to those who managed to expose one or more zero-days. And in terms of what got pwned, here’s a list:
The contest awarded a total of $1,155,000 this year, and the biggest payouts were for serious exploits against Microsoft’s Teams utility. While Teams isn’t technically a part of Windows, it does come bundled with all new installs of Windows 11, which means that these exploits are practically Windows exploits. Hector “p3rr0” Peralta, Masato Kinugawa, and STAR Labs each earned $150,000 for major exploits of the utility.
Windows 11 itself wasn’t spared, though. Marcin Wiązowski and STAR Labs each earned $40,000 for privilege escalation exploits on Microsoft’s operating system on day one, and on day two, TO found a similar bug for a $40,000 payout of his own. Day three saw no less than three more fresh exploits against Windows 11, all in the serious privilege escalation category; all three winners pocketed another $40,000.
As far as the Tesla Model 3 goes, Synacktiv were able to demonstrate a sandbox escape exploit on the car’s infotainment system. That could allow an attacker to take control of the car’s built-in computer and, given another couple of clever exploits, could feasibly be the first step toward a remote attacker taking control of the car’s autopilot system. The group earned $75,000 for the bug.
Other targets attacked at Pwn2Own 2022 included Mozilla Firefox (hacked), Apple Safari (hacked), and Ubuntu Desktop (hacked).
There were a few failed hacks, but details on those have not been made public. Trend Micro does have a blog post that describes the successful hacks, and it’s worth reading.
Expect a big dump of software updates from those who got pwned shortly.
Trend Micro researchers have discovered a new variant of AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. This is the first sample observed from the US with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file. The ransomware is also capable of scanning multiple endpoints for Log4Shell.
“Like many other ransomware attacks from recent memory, the new AvosLocker variant targeted a vulnerable third-party service (in this case, a web-based password locker). As organizations come to rely more and more on digital tools and services to run their business, they should learn about the dangers of digital supply chain attacks and continually monitor their partners to enforce trust and safety standards. Just as AvosLocker evades detection in the course of a breach, Web and mobile apps are increasingly targeted by cyber actors using sophisticated techniques such as obfuscated and polymorphic code to dodge blockers or URL filters.”
The fact that this new variant leverages Log4Shell and takes such evasive action shows how dangerous it is. So make sure you are completely up to date on security patches and antivirus definitions so that you don’t become the next victim of this variant.
Trend Micro has been recognized as a leader in cyber security solutions by two prestigious industry reports:
According to the Forrester Wave report, Trend Micro is one of only three vendors to be named a Leader and to have received a five out of five score in investigation capabilities, ATT&CK alignment, extended capabilities, innovation roadmap, and five other criteria.
This recognition is reinforced by the MITRE Engenuity ATT&CK Evaluations, in which Trend Micro Vision One™ ranked #1 in the protection category after being tested against simulated breaches inspired by real-world attacks to ensure customers can appropriately visualize and address today’s threats.
Once more, Trend Micro has demonstrated it is dedicated to serving customers’ current and evolving security needs by providing comprehensive threat detection and response across the industry.
Trend Micro Incorporated has announced the launch of Trend Micro One, a unified cybersecurity platform with a growing list of ecosystem technology partners that enables customers to better understand, communicate, and lower their cyber risk.
Organizations are battling on all fronts to face mounting cyber risks from their complex and growing attack surface with stretched teams and siloed security products. The unified security platform approach delivers a continuous lifecycle of risk and threat assessment with attack surface discovery, cyber risk analysis, and threat mitigation and response.
Inaugural partners of the Trend Micro One technology ecosystem include: Bit Discovery, Google Cloud, Microsoft, Okta, Palo Alto Networks, ServiceNow, Slack, Qualys, Rapid7, Splunk, and Tenable.
According to Gartner®, “vendors are increasingly acquiring or developing these adjacent technologies and integrating them into a single platform. The benefits are best realized when this integration minimizes consoles and configuration planes and reuses components (e.g., endpoint agents) and information.”
As a unified platform, Trend Micro One delivers powerful risk assessment capabilities, but the ecosystem partners extend that to make it the most complete in the industry. Joint customers benefit from truly connected visibility, better detection and response capabilities, and comprehensive protection across security layers and systems.
Trend Micro One supports this approach by enabling customers to:
Discover the attack surface: Identify, monitor, and profile cyber assets in customers’ environments.
Understand and continuously assess risk: Analyze risk exposure, the status of vulnerabilities, the configuration of security controls, and types of threat activity.
Effectively mitigate risk: Ensure the right preventative controls and take swift action to mitigate risk and remediate attacks across the enterprise by leveraging Trend Micro’s threat and risk intelligence.
Trend Micro Incorporated today announced the findings of its latest global Cyber Risk Index (CRI) for the second half of 2021, standing globally at -0.04, an elevated risk level, with North America at -0.01. Canada received a score of 0.16, which shows that the country has a moderate cyber risk level in comparison to global and North American (NA) organizations. The research also found that Canada is more prepared than North America as a whole to handle cyber risk (a score of 5.41 vs. 5.35 in NA). However, respondents revealed that nearly three-quarters (74%) of Canadian organizations think they’ll be breached in the next 12 months, with 30% claiming this is “very likely” to happen.
Cyber Risk Index Ratings
Range          Interpretation
5.01 to 10     Low Risk
0.1 to 5.0     Moderate Risk
0 to -5.0      Elevated Risk
-5.01 to -10   High Risk

Cyber Preparedness Index Ratings
Range          Interpretation
7.51 to 10     Low Risk
5.01 to 7.50   Moderate Risk
2.51 to 5.0    Elevated Risk
0 to 2.5       High Risk
The biannual CRI report asks pointed questions to measure the gap between respondents’ preparedness for attacks and their likelihood of being attacked*. In Canada, 83% of organizations claimed to have suffered one or more successful cyber-attacks in the past 12 months, with 32% saying they’d experienced seven or more.
Ransomware, phishing/social engineering, denial of service (DoS) and botnets top the list of key concerns, with negative consequences of a breach including stolen or damaged equipment, lost revenues and costs of outside consultants/experts.
When it comes to IT infrastructure, Canadian organizations are most worried about security risks in relation to mobile/remote employees (score of 7.55/10), third-party applications (score of 7.25/10), and mobile/smartphone devices (6.55/10).
While digital investments were necessary to support remote working and drive business efficiencies during the pandemic, this report brings to light the increasing corporate attack surface and the ongoing challenges businesses face in securing such investments.
In Canada, the highest levels of risk were around the following statements:
My organization’s IT security function strictly enforces acts of non-compliance to security policies, standard operating procedures, and external requirements
My organization’s IT security function supports security in the DevOps environment
My organization makes appropriate investments in leading-edge security technologies such as machine learning, automation, orchestration, analytics and/or artificial intelligence tools.
My organization’s IT security function complies with data protection and privacy requirements.
My organization’s IT security leader (CISO) has sufficient authority and resources to achieve a strong security posture.
This clearly indicates that more resources must be diverted to people, processes, and technology to enhance preparedness and reduce overall risk levels.
As organizations and security teams struggle to manage the increasing complexity introduced by digital transformation, data privacy, compliance, and more, the need for a platform-based approach will be critical.
* An index value is calculated from this information based on a numerical scale of -10 to 10, with -10 representing the highest level of risk. In this report, the Canada CRI stood at 0.16 versus -0.01 for North America and -0.04 for global, indicating a moderate level of risk.
As ransomware continues to be a security concern, a new variant named AvosLocker was discovered as an emerging threat. A recent report from Trend Micro titled “Ransomware Spotlight: AvosLocker” details this:
AvosLocker is one of the newer ransomware families that came to fill the void left by REvil. While not as prominent or active as LockBit or Conti, it is slowly making a name for itself, with the US Federal Bureau of Investigation (FBI) releasing an advisory on this threat. According to the report, AvosLocker has been targeting critical infrastructure in different sectors of the US, with attacks also observed in other countries like Canada, UK, and Spain. Although detections are low, its clever use of familiar tactics makes it a ransomware variant worth monitoring today.
Of interest, the report found that Canada was among the top two countries for AvosLocker detections between July 2021 and February 2022. Moreover, the top three industries affected in Canada were the energy, healthcare and financial sectors.
While AvosLocker is a comparatively newer ransomware family with a low detection rate compared to LockBit or Conti, it is slowly making a name for itself, with the US Federal Bureau of Investigation (FBI) releasing an advisory on this threat.
Although detections are low, its clever use of familiar tactics makes it a ransomware variant worth monitoring today.
It uses the remote administration tool AnyDesk. One of the notable characteristics of AvosLocker campaigns is its use of AnyDesk, a remote administration tool (RAT) to connect to victim machines. Using this tool, the operator can manually operate and infect the machine.
It runs in safe mode. Another key element of AvosLocker is running itself in safe mode as part of its evasion tactics. The attacker restarts the machine, disables certain drivers, and runs in safe mode, thus avoiding certain security measures that are unable to run in this mode. Operators also set up certain drivers to make sure that AnyDesk would run even in safe mode. It is important to note that this was a tactic previously employed by the now-defunct REvil.
Operators auction stolen data. AvosLocker again takes a leaf from REvil’s page by auctioning stolen data on its site, on top of its double extortion scheme. This could be the group’s way of further monetizing a single successful attack or salvaging a failed one.
Operating as a RaaS, the actors behind AvosLocker coordinate their attacks and choose their targets based on their ability to pay the demanded ransom, pursuing critical infrastructure in different industries.
I would read this Trend Micro report and see if your defences against this ransomware measure up.
Threat actors are increasingly scanning for and exploiting these exposed instances, as well as brute-forcing Secure Shell (SSH) credentials, in order to compromise cloud assets for cryptocurrency mining, the report reveals. Targets are often characterized by outdated software in the cloud environment, poor cloud security hygiene, or inadequate knowledge of how to secure cloud services, and are thus easily exploited by threat actors to gain access to the systems.
Cloud computing investments have surged during the pandemic. But the ease with which new assets can be deployed has also left many cloud instances online for longer than needed—unpatched and misconfigured.
On one hand, this extra computing workload threatens to slow key user-facing services for victim organizations, as well as increasing operating costs by up to 600% for every infected system.
Crypto mining can also be a precursor to more serious compromise. Many mature threat actors deploy mining software to generate additional revenue before online buyers purchase access for ransomware, data theft, and more.
The Trend Micro report details the activity of multiple threat actor groups in this space, including:
Outlaw, which compromises IoT devices and Linux cloud servers by exploiting known vulnerabilities or performing brute-force SSH attacks.
TeamTNT, which exploits vulnerable software to compromise hosts before stealing credentials for other services to help it move around to new hosts and abuse any misconfigured services.
Kinsing, which sets up an XMRig kit for mining Monero and kicks any other miners off a victim system.
8220, which has been observed fighting Kinsing over the same resources. They frequently eject each other from a host and then install their own cryptocurrency miners.
Kek Security, which has been associated with IoT malware and running botnet services.
To mitigate the threat from cryptocurrency mining attacks in the cloud, Trend Micro recommends that organizations:
Ensure systems are up-to-date and running only the required services
Deploy firewall, IDS/IPS, and cloud endpoint security to limit and filter network traffic to and from known bad hosts
Eliminate configuration errors via Cloud Security Posture Management tools
Monitor traffic to and from cloud instances and filter out domains associated with known mining pools
Deploy rules that monitor open ports, changes to DNS routing, and utilization of CPU resources from a cost perspective
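As an added example (not code from Trend Micro’s report or from this post), the Python below turns two of those recommendations into detection logic run over constructed log lines: DNS queries to a mining-pool denylist, and CPU utilization that stays pegged across consecutive samples. The host names, log formats and pool domains are assumptions made for the example.

```python
"""Constructed detection example for cloud cryptomining indicators.

Two rules from the mitigation list above are implemented:
  1. DNS queries for domains on a mining-pool denylist.
  2. CPU utilization at or above a threshold for N consecutive samples.
A host that trips both rules is rated "high"; either alone is "medium".
"""
import re
from collections import defaultdict

# Placeholder denylist; a real deployment loads a curated list of
# known mining-pool domains instead of these constructed names.
MINING_POOL_DOMAINS = {"pool.xmr-example.test", "stratum.mine-example.test"}

# Constructed resolver log: "<timestamp> <host> query <qname>"
DNS_LOG = """\
2022-03-01T10:00:01Z web-01 query api.internal.example
2022-03-01T10:00:05Z web-02 query pool.xmr-example.test
2022-03-01T10:00:09Z web-02 query pool.xmr-example.test
2022-03-01T10:01:00Z db-01 query stratum.mine-example.test
"""

# Constructed per-minute CPU samples: "<timestamp> <host> cpu=<percent>"
CPU_LOG = """\
2022-03-01T10:00:00Z web-01 cpu=20
2022-03-01T10:00:00Z web-02 cpu=97
2022-03-01T10:00:00Z db-01 cpu=95
2022-03-01T10:01:00Z web-01 cpu=25
2022-03-01T10:01:00Z web-02 cpu=98
2022-03-01T10:01:00Z db-01 cpu=40
2022-03-01T10:02:00Z web-01 cpu=22
2022-03-01T10:02:00Z web-02 cpu=99
2022-03-01T10:02:00Z db-01 cpu=95
2022-03-01T10:03:00Z web-02 cpu=96
2022-03-01T10:03:00Z db-01 cpu=95
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")
CPU_RE = re.compile(r"^(\S+) (\S+) cpu=(\d+(?:\.\d+)?)$")


def pool_lookups(dns_log, pools=MINING_POOL_DOMAINS):
    """Return {host: {queried pool domains}}; subdomains of a listed pool also match."""
    hits = defaultdict(set)
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        _, host, qname = m.groups()
        qname = qname.rstrip(".").lower()
        if any(qname == p or qname.endswith("." + p) for p in pools):
            hits[host].add(qname)
    return dict(hits)


def sustained_cpu(cpu_log, threshold=90.0, min_samples=3):
    """Return {host: longest streak} for hosts at/above threshold for min_samples in a row."""
    streak, flagged = defaultdict(int), {}
    for line in cpu_log.splitlines():
        m = CPU_RE.match(line)
        if not m:
            continue
        _, host, pct = m.groups()
        streak[host] = streak[host] + 1 if float(pct) >= threshold else 0
        if streak[host] >= min_samples:
            flagged[host] = max(flagged.get(host, 0), streak[host])
    return flagged


def score_hosts(dns_log, cpu_log):
    """Combine both signals into a per-host rating for triage."""
    dns, cpu = pool_lookups(dns_log), sustained_cpu(cpu_log)
    return {h: "high" if h in dns and h in cpu else "medium" for h in set(dns) | set(cpu)}
```

A brief CPU spike alone (db-01 here) is deliberately not flagged; only the host that both resolved a pool domain and stayed pegged for several samples is rated high.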
New research from Trend Micro Incorporated warns of spiraling risk to digital infrastructure and remote workers as threat actors increase their rate of attack on organizations and individuals.
Ransomware attackers are shifting their focus to critical businesses and industries more likely to pay, and double extortion tactics ensure that they are able to profit. Ransomware-as-a-service offerings have opened the market to attackers with limited technical knowledge – but also given rise to more specialization, such as initial access brokers who are now an essential part of the cybercrime supply chain.
Threat actors are also getting better at exploiting human error to compromise cloud infrastructure and remote workers. Trend Micro Cloud App Security (CAS) detected and prevented 25.7 million email threats in 2021 compared to 16.7 million in 2020, with the volume of blocked phishing attempts nearly doubling over the period. Research shows home workers are often prone to take more risks than those in the office, which makes phishing a particular risk.
In the cloud, incorrectly configured systems continue to plague organizations. Services such as Amazon Elastic Block Store and Microsoft Azure’s Virtual Machine were among the services that had relatively high misconfiguration rates. Trend Micro also found that Docker REST APIs are frequently misconfigured, exposing them to attacks from groups like TeamTNT that deploy crypto-mining malware on affected systems.
Business email compromise (BEC) saw detections drop 11%. However, CAS blocked a higher percentage of advanced BEC emails, which could be detected only by comparing the writing style of the attacker with that of the intended sender. These attacks comprised 47% of all BEC attempts in 2021 versus 23% in 2020.
While 2021 was a record year for new vulnerabilities, Trend Micro research shows that 22% of the exploits sold in the cybercrime underground last year were over three years old. Patching old vulnerabilities remains an essential task alongside monitoring for new threats to prevent cyber-attacks and ensure strong security posture.
4-in-10 Canadian Organizations Still Struggling To Be Up To Date With Digital Attack Surface: Trend Micro
Posted in Commentary with tags Trend Micro on June 13, 2022 by itnerd
Trend Micro surveyed 6297 IT and business decision makers across 29 countries to compile the study. To read a full copy of the report, please visit: https://www.trendmicro.com/explore/trend_global_risk_research_2/the-challenge-of-man