According to Cybersecurity Ventures, the damage related to cybercrime is projected to reach $6 trillion annually by 2021. The majority of the cyberattacks are directed at financial institutions as this reduces the number of intermediaries that the attacker needs to attack to reach the target - monetary proceeds. Research has shown that malware is the preferred attack vector in cybercrimes targeted at banks and other financial institutions. In light of the above, this paper presents a Bayesian Attack Network modeling technique of cyberattacks in the financial sector that are perpetuated by crimeware. We use the GameOver Zeus malware for our use cases as it’s the most common type of malware in this domain. The primary targets of this malware are any users of financial services. Today, financial services are accessed using personal laptops, institutional computers, mobile phones and tablets, etc. All these are potential victims that can be enlisted to the malware’s botnet. In our approach, phishing emails as well as Common Vulnerabilities and Exposures (CVEs) which are exhibited in various systems are employed to derive conditional probabilities that serve as inputs to the modeling technique. Compared to the state-of-the-art approaches, our method generates probability density curves of various attack structures whose semantics are applied in the mitigation process. This is based on the level exploitability that is deduced from the vertex degrees of the compromised nodes that characterizes the probability density curves.

The devasting effects of ransomware have continued to grow over the past two decades which have seen ransomware shift from just being opportunistic attacks to carefully orchestrated attacks. Individuals and business organizations alike have continued to fall prey to ransomware where victims have been forced to pay cybercriminals even up to $1 million in a single attack whilst others have incurred losses in hundreds of millions of dollars. Clearly, ransomware is an emerging cyber threat to enterprise systems that can no longer be ignored. In this paper, we address the evolution of the ransomware and the associated paradigm shifts in attack structures narrowing down to the technical and economic impacts. We formulate an attack model applicable to cascaded network design structures common in enterprise systems. We model the security state of the ransomware attack process as transitions of a finite state machine where state transitions depict breaches of confidentiality, integrity, and availability. We propose a ransomware categorization framework that classifies the virulence of a given ransomware based on a proposed classification algorithm that is based on data deletion and file encryption attack structures. The categories that increase in severity from CAT1 to CAT5 classify the technical prowess and the overall effectiveness of potential ways of retaining the data without paying the ransom demand. We evaluate our modeling approach with a WannaCry attack use case and suggest mitigation strategies and recommend best practices based on these models.

Cyber attacks in cloud computing more often than not tend to exploit vulnerabilities and weaknesses found in the underlying structural components of the cloud. Such vulnerabilities and weaknesses have drawn interest from various attack profiles ranging from script kiddies to APTs. Regardless of the attack profile, cyber attackers have come to leverage the interdependencies exhibited amongst these vulnerabilities by chaining exploits together to effectuate complex interlinked attack paths. Such chaining of vulnerabilities in cloud components results in multi-stage attacks where the attacker traverses different segments of the cloud residing in different layers to reach the target. In this paper, we partition the cloud into three different layers to show how multi-stage attacks on Confidentiality, Integrity and Availability (CIA) interleave with the SaaS, PaaS and IaaS cloud computing service models. Further, we generate multi-stage attack paths based on the vulnerabilities exhibited in the components across the partitioned cloud layers. Furthermore, we model the constituents of multi-stage attack events as discrete random Bernoulli variables to characterize the attack path pursued by a given attack profile. We generate probability density curves of the associated resultant attack paths to infer on the nature of the attack and recommend a hierarchical security mitigation process based on the nature of the attack nodes.

Crypto ransomware has earned an infamous reputation in the malware landscape and its sound sends a lot of shivers to many despite being a new entrant. The media has not helped matters even as the myths and inaccuracies surrounding crypto ransomware continue to deepen. It’s been purported that once crypto ransomware attacks, the victim is left with no option but to pay in order to retrieve the encrypted data, and that without a guarantee, or risk losing the data forever. Security researchers are inadvertently thrown into a cat-and-mouse chase to catch up with the latest vices of the aforesaid in order to provide data resilience. In this paper, we debunk the myths surrounding loss of data via a crypto ransomware attack. Using a variety of crypto ransomware samples, we employ reverse engineering and dynamic analysis to evaluate the underlying attack structures and data deletion techniques employed by the ransomware. Further, we expose the data deletion techniques used by ransomware to prevent data recovery and suggest how such could be countered. From the results, we further present observed sandbox evasion techniques employed by ransomware against both static and dynamic analysis in an effort to obfuscate its operations and subsequently prevent data recovery. Our analyses have led us to the conclusion that no matter how devastating a crypto ransomware attack might appear, the key to data recovery options lies in the underlying attack structure and the implemented data deletion methodology.

Advanced Persistent Threat (APT) actors seek to maintain an undetected presence over a considerable duration and therefore use a myriad of techniques to achieve this requirement. This stealthy presence might be sought on the targeted victim or one of the victims used as pawns for further attacks. However, most of the techniques involve some malicious software leveraging the vulnerability induced by an exploit or leveraging the ignorance of the benign user. But then, malware generates a substantial amount of noise in form of suspicious network traffic or unusual system calls which usually do not go undetected by intrusion detection systems. Therefore, an attack vector that generates as little noise as possible or none at all is especially attractive to ATP threat actors as this perfectly suits the objective thereof. Malware-free intrusions present such attack vectors and indeed are difficult to detect because they mimic the behavior of normal applications and add no extra code for signature detection or anomaly behavior. This paper explores malware-free intrusions via backdoors created by leveraging the available at pre-authentication system tools availed to the common user. We explore two attack vectors used to implant the backdoor and demonstrate how such is accessible over the network via remote access while providing the highest level of system access. We further look at prevention, detection and mitigation measures which can be implemented in the case of compromise.