Attackers finding new ways to deliver malware: Netskope

Dubai: Netskope, a leader in Secure Access Service Edge (SASE), today unveiled new research confirming that attackers are finding new ways to evade detection and blend in with normal network traffic using HTTP and HTTPS to deliver malware. In its latest Cloud & Threat Report: Global Cloud and Web Malware Trends, Netskope identified that on average, five out of every 1,000 enterprise users attempted to download malware in Q1 2023, and new malware families and variants represented 72% of those malware downloads.

Social Engineering and Search Engine Data Voids on the Rise

In the research, Netskope uncovered that nearly 10% of all malware downloads in Q1 were referred from search engines. These downloads mostly resulted from weaponized data voids, or combinations of search terms that have very few results, which means that any content matching those terms is likely to appear very high in the search results. This represents just one of many social engineering techniques that attackers are accelerating.

Social engineering as a whole continues to dominate as a leading malware infiltration technique, with attackers abusing not only search engines, but email, collaboration apps, and chat apps to trick their victims. As the top two malware types, Trojans accounted for 60% of malware downloads in Q1 and phishing downloads accounted for 13%.

Evaluation of Primary Communication Channels for Attackers

For the first time in its quarterly cloud and threat reporting, Netskope analyzed attacker communication channels. Researchers found that attackers, in order to consistently evade detection, have used HTTP and HTTPS over ports 80 and 443 as their primary communication channel. In fact, of the new malware executables analyzed by Netskope that communicated with external hosts, 85% did so over port 80 (HTTP) and 67% did so over port 443 (HTTPS). This approach enables attackers to easily go unnoticed and blend in with the abundance of HTTP and HTTPS traffic already on the network.

Additionally, to evade DNS-based security controls, some malware samples sidestep DNS lookups, instead reaching out directly to remote hosts using their IP addresses. In Q1 2023, most malware samples that initiated external communications did so using a combination of IP addresses and hostnames, with 61% communicating directly with at least one IP address and 91% communicating with at least one host via a DNS lookup.

“Job number one for attackers is finding new ways to cover their tracks as enterprises put more resources into threat detection, but these findings indicate just how easy it still is for attackers to do so in plain sight,” said Ray Canzanese, Threat Research Director, Netskope Threat Labs. “As attackers gravitate towards cloud services that are widely used in the enterprise and leverage popular channels to communicate, cross-functional risk mitigation is more necessary than ever.”

Extended Look into Global Cloud and Web Malware Trends

Other notable findings uncovered by Netskope’s research team include:

- 55% of HTTP/HTTPS malware downloads came from cloud apps, up from 35% for the same period one year earlier. The primary driver of the increase is an increase in malware downloads from the most popular enterprise cloud applications, with Microsoft OneDrive tracked as the most popular enterprise app by a wide margin.
- The number of applications with malware downloads also continued to increase, reaching a high of 261 distinct apps in Q1 2023.
- Only a small fraction of total web malware downloads were delivered over web categories traditionally considered risky. Instead, downloads are spread out among a wide variety of sites, with content servers (CDNs) responsible for the largest slice, at 7.7%.

As enterprises work to defend against the onslaught of malware, cross-functional collaboration across multiple teams is required, including network, security operations, incident response, leadership, and even individual contributors. Some of the additional steps organizations can take to reduce risks include:

- Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network.
- Ensure that security controls recursively inspect the content of popular archive files and that high-risk file types are thoroughly inspected.
- Configure policies to block downloads from apps that are not used in your organization to reduce the risk surface.

Get the full Netskope Cloud & Threat Report: Global Cloud and Web Malware Trends here.

For more information on cloud-enabled threats and our latest findings from Netskope Threat Labs, visit Netskope’s Threat Research Hub.
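As an added example (not code from Netskope or the report), a small Python triage over constructed proxy log lines that flags the two patterns described above: HTTP/HTTPS connections to bare IP hosts, which sidestep DNS-based controls, and high-risk file downloads from cloud apps outside an assumed sanctioned-app allowlist. The log format, the allowlist and the extension list are assumptions.

```python
"""Triage constructed proxy log lines for direct-IP connections (no DNS lookup)
and high-risk downloads from unsanctioned cloud apps. All formats and lists
here are assumptions for illustration, not Netskope's."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed organisation allowlist of sanctioned cloud-app hostnames.
SANCTIONED_APPS = {"onedrive.live.com", "sharepoint.com"}
# Assumed set of file extensions treated as high-risk downloads.
HIGH_RISK_EXT = {".exe", ".dll", ".msi", ".js", ".zip", ".rar", ".7z", ".iso"}

# Assumed log format: "<timestamp> <user> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample log lines (203.0.113.0/24 is documentation address space).
SAMPLE_LOG = [
    "2023-03-14T10:01:02Z alice GET https://onedrive.live.com/download/report.pdf 200",
    "2023-03-14T10:02:11Z alice GET https://onedrive.live.com/download/invoice.zip 200",
    "2023-03-14T10:03:45Z bob GET http://203.0.113.77/update/setup.exe 200",
    "2023-03-14T10:04:09Z bob POST https://203.0.113.77:443/gate.php 200",
    "2023-03-14T10:05:30Z carol GET https://files.example-filehost.net/archive.rar 200",
]

def host_is_ip_literal(host: str) -> bool:
    """True when the URL host is an IP address, i.e. no DNS lookup was needed."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def triage_line(line: str) -> tuple:
    """Return (user, url, findings) for one log line; findings is [] when benign."""
    m = LOG_RE.match(line)
    if not m:
        return ("?", line, ["unparsed-line"])
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    findings = []
    if host_is_ip_literal(host):
        findings.append("direct-ip-connection")  # bypasses DNS-based controls
    name = parts.path.rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in HIGH_RISK_EXT:
        findings.append("high-risk-download")
        if not any(host == a or host.endswith("." + a) for a in SANCTIONED_APPS):
            findings.append("download-from-unsanctioned-app")
    return (m["user"], m["url"], findings)

def triage(lines) -> list:
    """Return only the flagged (user, url, findings) records, in log order."""
    return [rec for rec in map(triage_line, lines) if rec[2]]

if __name__ == "__main__":
    for user, url, findings in triage(SAMPLE_LOG):
        print(f"{user:6} {url:55} {', '.join(findings)}")
```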

Piracy sites threaten users with malware attacks

Visitors to piracy sites are bombarded with malicious ads that use scare tactics to trick them into downloading malware, including ransomware that takes over files to force victims to pay to regain access, a joint investigation by the Digital Citizens Alliance, White Bullet, and Unit 221B has found. The investigation also found that these malicious ads, called malvertising, are often enabled by ad intermediary companies that promote scare tactics and other dubious means to trick or entice users to click on dangerous ads.

The Unholy Triangle report highlights how piracy operators, malvertisers, and ad intermediaries profit off Internet users lured to suspect sites by the prospect of free content.

The starkest example of the cyber threat was a ransomware attack that occurred while visiting a piracy site. Investigators were prompted to click on an ad – but instead found their files locked up, followed by a demand to make a payment to regain access: “All your files like pictures, databases, documents, and other important [sic] are encrypted with [sic] strongest encryption and unique key….Please note that you will never restore your data without payment.”

“Ransomware is the most serious cyber threat that consumers, small businesses, governments, and corporations face,” said Tom Galvin, executive director of the Digital Citizens Alliance. “The revelations that piracy operators, malvertisers, and ad intermediaries are profiting by harming Internet users is a wake-up call that we need a concerted and coordinated response to combat this growing threat.”

Previous Digital Citizens Alliance research estimates piracy is a $2 billion-plus ecosystem fueled by illicit access to movies, TV shows, and live entertainment. While investigations have previously shown how piracy is used to infect devices, the Unholy Alliance report is the first to detail the relationship between piracy operators, malvertisers, and certain players in the ad intermediary ecosystem.

Digital Citizens, piracy advertising expert White Bullet, and cybersecurity firm Unit 221B undertook a months-long investigation that analyzed thousands of piracy sites, including well-known platforms such as Fmovies[.]to, Myflixer[.]to, and Dramacool9[.]co. The groups then conducted an in-depth analysis of advertising and threats on the most-visited piracy sites or those that had the most malvertising.

The investigation, conducted over the last several months, found:

- Piracy operators generate an estimated $121 million or more in revenue by allowing malvertisers to victimize their users. Beyond ransomware, investigators found malicious ads containing malware that seek access to a user’s device to steal banking information, download spyware to track a user’s activities, or flag the device for a future attack.
- Malvertising generates enormous revenue for piracy operators. Malvertising accounted for 12 percent of the total ads on piracy sites. More than half of the $121 million generated ($68.3 million) came from U.S. visits to these sites – suggesting that U.S. Internet users are especially at risk.
- Malvertising is widespread on piracy sites. Nearly 80 percent of pirate sites served up malware-ridden ads to their users. And the volume of malvertising targeting pirate-site users is significant. Visitors to piracy sites faced an estimated 321 million ads designed to harm them.
- Instead of prohibiting harmful content, some ad intermediaries are willing to facilitate campaigns involving blatantly misleading ads, such as a false claim that the user has a computer virus, or coach illicit actors on effective tactics to frighten or otherwise entice users to click on ads. In one example, investigators approached ad intermediary RichAds to see if it would approve a proposed ad clearly designed to deceive users. RichAds approved it even though the ad falsely warned users that their device had a virus to trick them into downloading “a security tool” that is malware.

While not every visit to a piracy site results in malware, the investigation found that, on average, 1 in 6 visits to a piracy site leads to an attempt to serve malware.

As a follow-up to the report, a Digital Citizens survey found that Americans who visit piracy sites are two to three times more likely to report an issue with malware than those who say they haven’t visited these sites.

“This report confirms what content owners have suspected for years – that using piracy services is likely to harm consumers through malware infection,” says Peter Szyszko, CEO and founder of White Bullet. “We collect vast amounts of advertising data on piracy services and track its value. Clearly it is not just brands who are to blame for funding piracy through ad placement; ad tech companies need to be vigilant about where they place ads and the type of ads they accept. Piracy services seek to make as much money as possible – whether from legitimate but misplaced ads or from malicious actors. The ad industry needs to stop funding piracy, or, as we can now see, content owners and consumers all suffer.”

"The level of deception on pirate movie sites is alarming," said Shaun Gallagher, Chief Technology Officer at Unit 221B. "Threat actors with ties to Russia are using these sites to prey on American consumers. These malware pushers grab every ounce of profit they can with no regard for the damage they cause. A couple of innocent clicks could lead to a severe violation of privacy and cost hundreds of dollars, as consumers are bombarded with malicious ads containing ransomware and adware."