
Growing threat from cyber

The latest threat from cybercriminals has highlighted a potential vulnerability in many companies, one that could create a vicious circle for IT teams across the country, says AJ Thompson, CCO at the IT firm Northdoor plc.

Cybercriminals will always target what they perceive as weaknesses within businesses. Often this means employees, who, faced with increasingly sophisticated and convincing lures, will always be at risk of opening a malicious file or email. With software update notifications arriving by email all the time, it is perhaps unsurprising that cybercriminals are increasingly using fake versions to tempt users into clicking on malicious links.

Magniber Windows 10 update threat

Fake Windows 10 updates are being used by cybercriminals to spread the Magniber ransomware strain. Magniber first appeared in 2017 and at the time almost exclusively targeted South Korean users, but has since spread to be more of a global threat. The fake Windows 10 updates are being distributed by cybercriminals with convincing file names that appear to be cumulative or security updates.

Once opened, the Magniber strain encrypts data and redirects victims to a payment site where the ransomware demands around $2500 or 0.068 bitcoin. Unfortunately, there are currently no known ways of decrypting the files for free.

However, this particular attack is just one part of an increasing effort by cybercriminals to exploit updates in order to gain access to data and infrastructure.

Update threats an increasing tactic

Over the past couple of years we have seen an increase in attempts to use fake software updates to gain access to companies. It is not just Windows but a whole variety of updates, everything from antivirus software (the most common) to Flash Player updates. Some of these lures have been used by cybercriminals for years now, but unfortunately they are still all too successful.

Laptops, PCs and other desktop devices tend to be the main focus. However, there has also been recent evidence of cybercriminals targeting Android users with text messages claiming that a video upload they started couldn’t be completed without an update to the Flash Player.

By imitating a routine pop-up update, cybercriminals can take advantage of users who will click the link without thinking. This particular malicious link takes the user to a site where the ‘update’ can supposedly be found. Instead, victims are served an Android banking trojan, which steals login details by overlaying the apps of global banks with fake login screens.

Threat increases business reluctance to update

The results of this increasing threat are twofold. First, we will undoubtedly see more businesses successfully attacked over the coming months as criminals step up their fake update campaigns. Second, as the threat associated with updates and patches increases and builds notoriety, more companies will be reluctant to implement legitimate patches and updates, just in case.

Even before the threat of malicious update links became more common, some companies were reluctant or unable to implement updates. There are a number of reasons for this reluctance.

Internal resource

One of the major issues for companies that are reluctant to implement updates or patches is a lack of internal resource. With IT teams stretched to capacity, these updates can sometimes fall through the gaps. In a world where IT is playing a more critical role than ever before, most IT teams are focused on ensuring that systems are running optimally, that remote workers are able to communicate with each other, and that the infrastructure can cope with new hybrid working practices.

Therefore, ensuring that regular patches and updates are installed is not necessarily high on the list of priorities.

Impact on systems

Another major concern is the impact any update or patch might have on existing infrastructure. This is especially the case when companies rely on complex systems of interacting software to run their operating systems and websites.

Time/delay

With any major update or patch, companies also have concerns about the amount of time each update takes, which has a further knock-on effect on stretched internal resources. With all of this already weighing on the minds of businesses, plus the added threat of fake, malware-laden updates coming through, it is easy to see why some continue to delay or skip updates or patches.

However, by not installing updates or patches, companies are increasing their risk of being hacked. Patches are issued by software providers to protect against known threats, and updates will often also ensure that devices are fully protected. Companies can therefore find themselves in a vicious circle: nervous about implementing any updates that come through, but leaving themselves at greater risk by ignoring them.

Education and IT consultancies can help resolve issues

Ongoing, regular education of staff about what fake updates might look like is an important step for organisations. Cybercriminals see staff members as the weakest link, so ensuring that employees can recognise a potentially malicious update is the best way of stopping bad actors gaining access to data and infrastructure.

IT consultancies can also offer managed services that ensure patches and updates are installed on time and with minimal disruption, both in terms of impact on existing systems and the time taken. Many companies are turning to IT consultancies to boost their already overstretched internal IT teams. As well as managing the process of installing updates, consultancies can contribute to the education of staff and the monitoring of the latest threats.

Cybercriminals have access to a huge number of tactics and tools that are growing in sophistication all the time. The hijacking of update emails is just one, but an effective one. Companies need to ensure that their staff are as up to date as possible on what the threats look like, and, most importantly, must not put off installing legitimate updates and patches that act as a critical barrier between their data and the cybercriminal.
