Did you know that an average of 50 targeted ransomware events are happening globally per week? This has contributed to an 82% increase in ransomware-related data leaks in 2021 compared to the previous year, according to cybersecurity firm CrowdStrike.
To worsen things, a new class of cyberthreat is gaining prominence. Menlo Security — a cloud security platform provider — reported a 224% increase in highly evasive adaptive threats (HEAT) attacks globally in the second half of last year.
HEAT attacks leverage web browsers as the attack vector and employ various techniques to evade multiple layers of detection in current security stacks. For example, criminal groups associated with the Lazarus hacker group were using the Google Chrome CVE-2022-0609 vulnerability and HEAT techniques earlier this year to target many organisations, especially those in the financial, government, and critical infrastructure sectors.
[Charts: Menlo Security]
Amir Ben-Efraim, Menlo Security’s co-founder and CEO, explains that HEAT attacks tend to use one or more of the following techniques to bypass legacy network security defences:
- Dynamic file downloads
This technique constructs the malicious file in the browser itself, so no remote file is ever requested that a network device could inspect. The malware is thereby delivered while bypassing firewalls and other network security controls, including sandboxes and the anti-virus engines in legacy proxies. Moreover, file types assumed to be blocked by secure web gateway and firewall policies can still reach endpoints without any user interaction.
- Alternative phishing avenues
In a HEAT attack, users are targeted (or spear-phished) with malicious links via communication channels outside of email, such as social media or shared documents. These links are increasingly used to steal corporate credentials, deliver malware to corporate endpoints and bypass corporate security controls.
- Ephemeral or compromised domains
HEAT attacks evade web categorisation by using obsolete websites, either compromising them or creating fake ones. Threat actors use them for malicious purposes for a short time before either reverting the websites to their original content or simply deleting them.
- Dynamically generated or obscure content
Malicious content — such as phishing kit code and images impersonating known brand logos — is generated by JavaScript in the browser, rendering useless any detection performed before the web page executes or renders. The top three brands impersonated for malicious purposes are Microsoft, PayPal and Amazon.
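The first technique above is the one a web proxy is least equipped to see, because the file exists only inside the browser. As an added example (not code from the article or from Menlo Security), the static heuristic below scans a page's HTML/JS for the combination of browser APIs that assembles a download client-side and pushes it to disk, and scores it from a defender's view; the two sample pages are constructed here.

```python
import re

# Each regex names one indicator of a download built inside the browser rather
# than fetched from a server. None is proof on its own (legitimate apps export
# CSVs the same way), so the verdict combines them.
INDICATORS = {
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "inline_decode": re.compile(r"\batob\s*\(|\bnew\s+Uint8Array\s*\("),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
# Quoted filenames with extensions rarely produced by a legitimate in-browser export.
RISKY_EXT = re.compile(r"[\"'][^\"']*\.(exe|msi|iso|img|hta|js|vbs|lnk|scr)[\"']", re.I)
CORE = {"blob_construct", "object_url", "forced_download"}

def score_page(html: str) -> dict:
    """Return the matched indicators and a coarse verdict for one page body."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    risky_name = RISKY_EXT.search(html) is not None
    if CORE <= set(hits) and (risky_name or "inline_decode" in hits or "auto_click" in hits):
        verdict = "high"    # file built from embedded bytes and saved without a user click
    elif CORE <= set(hits):
        verdict = "medium"  # client-side download, but could be an ordinary export feature
    else:
        verdict = "low"
    return {"hits": hits, "risky_name": risky_name, "verdict": verdict}

# Constructed samples. BENIGN links to a server-side file that a proxy or sandbox
# can fetch and inspect; SUSPICIOUS never requests a remote file at all.
BENIGN = '<a href="/files/report.pdf" download="report.pdf">Download report</a>'
SUSPICIOUS = """
<script>
  const bytes = new Uint8Array(payloadBytes);  // array literal embedded in the page (omitted)
  const blob = new Blob([bytes]);
  const a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'invoice.iso';
  a.click();
</script>
"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, score_page(page))
```

A "medium" score is the expected result for genuine export features, so in practice this heuristic is a triage signal to combine with domain age and user-interaction context, not a blocking rule.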
Feeling the HEAT
While HEAT attacks have been around for years, the accelerated move to the cloud to support hybrid work and digital transformation has made them easier for bad actors to execute.
“HEAT attacks are an evolution of previous cyberattacks as cybercriminals have figured out that the web browser [enabled by the cloud] is essentially the new ‘office’. These actors have modified their attacks to infiltrate the browser in new ways and adopt new methods for established attacks to prevent detection within the organisation,” says Ben-Efraim. He continues: “In many cases, HEAT-based attacks lead to the delivery of ransomware. With the accessibility of Ransomware-as-a-service via the dark web, ransomware will continue to fuel the rise of HEAT attacks.”
Organisations are also not adequately equipped to deal with ransomware, and by extension HEAT. CrowdStrike’s 2021 Global Security Attitude Survey found that 53% of businesses in Asia Pacific did not have a comprehensive ransomware defence strategy in place.
“We also see organisations investing in security solutions that are not fit for purpose. Legacy anti-virus solutions that rely on signature-based technology are still being used to try to stop traditional malware attacks. Coupled with security teams that are under-resourced, overworked and struggling with alert fatigue, it’s clear why ransomware is still a problem,” says Sherif El Nabawi, CrowdStrike’s vice president of engineering for Asia Pacific (APAC) and Japan.
Liam Ryan, APAC vice president at IT software company Ivanti, agrees. “Security teams are strapped for time and resources, and vulnerability management has been a waterfall when it comes to planning and executing remediation strategies.”
“The cat-and-mouse game that is information security is asymmetric. Attackers only need one successful exploit to breach an organisation’s security perimeter and wreak havoc, [while] organisations face the very large task of having to continuously monitor attack surfaces. This requires an agile methodology to remediate vulnerabilities faster,” he says.
AI-based cybersecurity solutions, he adds, are one aspect of a multi-pronged approach needed to successfully defend against threats and attacks. However, organisations should note that threat actors are also leveraging automated toolkits to exploit vulnerabilities and penetrate deeper into compromised networks.
Threat hunting and patching
Given the ever-changing threat landscape, proactive threat hunting is necessary to combat cyberattacks. “Proactive threat hunting has become a necessity as adversaries continue to evolve their tactics, techniques and procedures — utilising techniques beyond malware. Threat intelligence and proactive hunting can provide a deeper understanding of adversaries’ motives, objectives and activities — information that can empower swift proactive countermeasures to better defend valuable data now and in the future,” says El Nabawi.
Organisations should also have a robust cybersecurity posture to complement their deep understanding of the adversaries. One way of doing so is by taking a Zero Trust approach, wherein all users must be authenticated, authorised, and continuously validated for security configuration and posture before being granted access to applications and data.
“Coupled with in-depth defence measures, today’s preventative security measures involve taking a Zero Trust approach to security that protects productivity where it occurs — when it is applied close to the user, application, and data. Overall, leaders must assess organisational needs and identify the gaps in their overall security infrastructure to take the proper preventative measures,” adds Ben-Efraim.
For example, Hong Kong public transport operator MTR Corporation uses the Menlo Cloud Security Platform to provide secure web access to its 2,000 mobile employees. Because those employees are now isolated from all web traffic, the chance of malware reaching their laptops is eliminated, protecting them against HEAT attacks.
Organisations should also prioritise patching the vulnerabilities that ransomware groups are actively targeting. While this sounds simple, a recent Ivanti survey revealed that 71% of IT and security professionals found patching to be overly complex and time-consuming. More than half (53%) also said that organising and prioritising critical vulnerabilities takes up most of their time.
However, Ryan illustrates the importance of patching through the case of Globe Telecom, a major provider of telecommunications services in the Philippines. By deploying Ivanti Endpoint Security, the telco can patch critical zero-day vulnerabilities with agility, resulting in zero ransomware executions despite several hundred infections during the global WannaCry ransomware outbreak.
The move also enables Globe Telecom to now centrally manage automated IT security capabilities — such as patching, application control and asset management — improving its overall security posture.
As the attack surface continues to expand while businesses become more digitalised, everyone has a part to play in improving an organisation’s cybersecurity posture.
Says Ben-Efraim: “Organisations must work with their employees to mitigate [cyber threats including ransomware and HEAT attacks]. Leaders should [provide employees with] mandatory cybersecurity training and the necessary tools and solutions to be cybersmart.”
“They should also have contingency and backups in place in the case of a breach or attack. Taking all the necessary precautions and shifting the mindset from ‘if I am a target’ to ‘when I am a target’ will help organisations be better prepared.”