According to Verizon's 2015 Data Breach Investigations Report, nearly one million new malware threats were released each day last year, with approximately 90% of attacks exploiting vulnerabilities that have been around since the early 2000s. Antivirus and antimalware products, while necessary, can't shoulder all of the responsibility. The only way to correct these flaws, thereby bolstering malware protection, is to patch them. Luckily for users, Microsoft proactively seeks to fix its own deficiencies, releasing a monthly security update known as Patch Tuesday. But what about other malware threats and vulnerabilities that may have slipped under the radar?
In this monthly malware roundup, we're serving up December's biggest headlines and most disconcerting trends in the world of malware, as well as sharing key Microsoft security patches worthy of consideration.
Recall from the glossary of our MSPedia article, Cybercrime & Security Overview: Terms, Trends, Statistics, and Takeaways, that we define malware as:
Malware—An overarching term describing hostile and/or intrusive software including (but not limited to) viruses, worms, Trojans, ransomware, spyware, adware, scareware, and more, taking the form of executables, scripts, and active content.
Malware Stories and Trends in the News
1. Hyatt Hotels Attacked with Payment-Card Stealing Malware
This headline comes to us straight from Reuters. Usually the only thing you have to worry about when you stay at a hotel is whether they have a pool/gym facility and how much a room costs per night. For many holiday travelers this month, however, it wasn’t just that can of Pringles they impulsively charged to the room that may have been added to their credit card bill.
On December 23, 2015, Hyatt Hotels Corp announced that its payment processing system had been attacked with payment-card stealing malware. It is also worth noting that Hyatt is the fourth hotel chain to be compromised in the last three months. The threat itself is a form of ModPOS, a new strain of malware recently discovered by cyber intelligence company iSight Partners. As Reuters reports, ModPOS is particularly troublesome since it has a reputation for going undetected by security software.
While it remains to be seen how many, if any, lodgers had their financial information compromised, the hotel’s customers are encouraged to seek additional details around the breach here: www.hyatt.com/protectingourcustomers
Takeaway: Credit card data must be encrypted at all points in the transaction process. As an MSP, it is crucial that you offer PCI compliance if you have any clients who process payment card information. Furthermore, encourage these clients to become EMV compliant and help them embrace smart chip technology.
2. Malware with Intent to Steal Classified Data Found in Christmas-Themed Apps
Talk about reindeer games you want no part of! Just in time for the holidays, CloudSek researchers uncovered this scheme on December 15, 2015. Traced back to a South Asian Advanced Persistent Threat (APT) group, known as the "Santa-APT" group, the attackers had laced Christmas mobile apps with information-stealing malware. CloudSek had originally discovered the group selling desktop malware that captured screenshots and files, but then found additional mobile malware distributed by the group via seemingly harmless Christmas game apps. Upon further investigation, experts determined the attackers had been looking for sensitive documents from software companies and federal organizations. According to the CloudSek post, the mobile malware, which aims to collect users' contacts, SMS, call records, location info, calendar, photos and browser history, has already infected approximately eight thousand devices.
Takeaway: Stress that end users think twice before downloading any apps, no matter how credible they appear. Teach them to look for reviews that verify an app's legitimacy and check which permissions that app will have after downloading.
3. Internet Users are 28 Times More Likely to be Infected by Malware if They Use Content Theft Sites
We originally found this unsettling RiskIQ stat in an Infosecurity Magazine article centered on the malware risk of TV piracy websites. When the temperature drops and you have the time, it's tempting to watch all of your favorite guilty pleasure shows. For those who don't pay for video streaming services like Netflix, pirating the latest episode of Game of Thrones is often the go-to alternative. Malware pushers are wise to these bad habits, but unfortunately, users remain unsuspecting until it's too late. As Infosecurity Magazine reports, "nearly half (45%) of the malware is delivered without requiring the user to click on anything on the site." That means the malware infections are invisible: the damage is done upon visiting the corrupted site, and attackers could be remotely accessing victims' devices, stealing and selling credit card information and other sensitive data that could be used to commit identity fraud.
Takeaway: Even the savviest of users can be blindsided. Your clients may think they're protected from malware simply by refusing to click on spammy malvertisements. Again, teach them that visiting certain sites can be just as dangerous as unknowingly downloading a malicious attachment.
4. New Malware Called "Pro POS" Targets Payment Systems and Evades Antivirus Detection
Our last malware news story comes courtesy of the security software company Tripwire. At the beginning of the month, when the holiday shopping season was just gaining momentum, threat intelligence firm InfoArmor identified a new point-of-sale malware family, "Pro POS." A nightmare to retailers everywhere, this newcomer steals financial information from principal operating systems and "is also known to implement rootkit functionalities and other mechanisms to avoid detection from common antivirus systems." In a more sinister take on charitable giving, the malware developers offered their creation on underground forums for the low, low price of $2,600 for half a year's use. Like ModPOS described above, this malware is yet further evidence that POS threats are becoming increasingly frequent and sophisticated.
Takeaway: You need to prioritize PCI compliance as of yesterday. Keep reading to find out how you can begin offering PCI assessment, remediation and compliance services! Also, it goes without saying for all of these examples of malware that you should have a reliable backup and disaster recovery (BDR) solution in place so clients can recover their sensitive data with minimal downtime.
Patch Tuesday & Microsoft Malware Protection Center's Latest Update
In its 1.213.1155.0 update, Microsoft has released new definitions on existing threats ranging from moderate to severe. Covering malware such as viruses and spyware, the security memo shares detailed information on variants of adware, browser modifiers, backdoors, ransomware, trojans, worms and more. All system administrators are advised to familiarize themselves with Microsoft's malware findings here: https://www.microsoft.com/security/portal/definitions/whatsnew.aspx
This month, Microsoft's Patch Tuesday fell on December 8, 2015, with twelve security updates listed in the security bulletin. Designed to fix vulnerabilities in the Windows operating system (OS) and Microsoft software such as Microsoft Silverlight, these latest patches must be tested and then deployed once they're determined to be safe, in order to protect client systems. If your clients haven't yet migrated from Windows XP, take this opportunity to show them the list of security updates they're ineligible to receive.
What critical updates should you flag? Here are a few:
- Cumulative Security Update for Internet Explorer (3116180)
- Security Update for Silverlight to Address Remote Code Execution (3106614)
- Security Update for Microsoft Office to Address Remote Code Execution (3116111)
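If you want a quick way to verify which of these three updates has actually landed on a client machine before signing off on the deployment, the following PowerShell snippet is an added example (not code from the original post or from Microsoft). It uses the built-in `Get-HotFix` cmdlet; the KB numbers are the ones listed above, while the host list is a placeholder you would replace with the machines you manage.

```powershell
# Added example, not from the original post: report which of the flagged
# December 2015 patches are present on each managed Windows host.
# KB numbers are taken from the bulletin list above; the host list is a
# placeholder assumption to be replaced with your own client machines.
$RequiredKBs = @('KB3116180', 'KB3106614', 'KB3116111')
$Hosts       = @('localhost')   # assumption: swap in real hostnames or read from a file

foreach ($h in $Hosts) {
    try {
        # Get-HotFix queries Win32_QuickFixEngineering on the target host.
        $installed = Get-HotFix -ComputerName $h -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
    }
    catch {
        # Unreachable host, no WinRM/RPC, or insufficient rights: flag it rather than
        # silently treating it as patched.
        Write-Warning "$h : could not query installed hotfixes ($_)"
        continue
    }

    foreach ($kb in $RequiredKBs) {
        # Emit one object per host/patch pair so the output can be filtered,
        # sorted, or exported with Export-Csv.
        [pscustomobject]@{
            Computer = $h
            HotFix   = $kb
            Status   = if ($installed -contains $kb) { 'INSTALLED' } else { 'MISSING' }
        }
    }
}
```

One caveat worth knowing before you trust the output: `Get-HotFix` only reports what Windows records in Win32_QuickFixEngineering, which reliably covers OS and Internet Explorer updates but generally does not include updates for products that install through their own installers, such as Office and Silverlight. For those two entries, confirm the installed product version or use your WSUS or RMM reporting rather than taking a MISSING result at face value.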
For all the latest information regarding new and emerging malware threats, we highly recommend you consult the following two antimalware blog resources:
Did you find this post helpful? Would you like us to publish a monthly malware recap, or would you prefer to collect this information on your own? Leave your feedback below!
By Steve Lowing
By Meaghan Moraes