'Spyware,' Ransomware Top Threats but Defenders Slowly Improve

Nearly half of firms have encountered spyware, according to Cisco’s semi-annual cyber-security report.


Business email compromise, ransom-seeking criminals and questionable programs that collect information are three of the major threats facing companies in 2017, according to Cisco's Midyear Cybersecurity Report, published on July 20.

Malware and denial-of-service attacks aimed at forcing victims to pay a ransom—known as ransomware and ransom denial-of-service (RDoS), respectively—affect 49 percent of companies, according to the report, citing a study by Cisco research partner Radware. Part of the increase is due to attacks as a service—such as distributed DoS (DDoS)-as-a-service and ransomware-as-a-service—becoming the de facto approach for many cyber-criminals.

“We are seeing tools going away, and instead we are seeing a lot of as-a-service models,” Francisco Artes, security business group architect at Cisco, told eWEEK.

The report forecasts that attacks will become more destructive and focus more on easy-to-hack internet of things (IoT) devices. Combining both trends, destruction-as-a-service will become more popular, with permanent DoS attacks, such as BrickerBot, attempting to erase data and then flash the motherboard of targeted devices.

The 90-page report brings together data from a variety of sources: Cisco internal research, government data and research from nearly a dozen partners, including RSA, Radware and Qualys.

One major trend highlighted by the report is the danger of borderline spyware. Programs that seem legitimate but contain extensive spyware capabilities are becoming a larger problem, Cisco stated in the report. In a study of the network traffic of approximately 300 companies, Cisco found that more than 20 percent had at least one spyware infection. The most prevalent spyware were seemingly legitimate programs that exceed their expected behavior—a description that could apply to many of the tracking services used by advertisers.

“Although operators may market spyware as services designed to protect or otherwise help users, the true purpose of the malware is to track and gather information about users and their organizations—often without users’ direct consent or knowledge,” Artes said. “Spyware companies are known to sell or provide access to the data they collect, allowing third parties to harvest information with relative anonymity.”

Six out of every 10 firms showing signs of spyware, for example, had a client compromised by the Hola service, which is advertised as a peer-to-peer virtual private network but allows remote code execution and the ability to download files while bypassing antivirus checking. Another prevalent spyware program is RelevantKnowledge, a browser plugin that collects information on the user’s browsing habits and is often installed through software bundling without the user’s knowledge.

The developers behind malware are continuously modifying their programs and techniques to attempt to avoid detection. A new vector was introduced for each of the top four programs—Kryptik, Ramnit, Nemucod and Fereit—approximately every day. While the number of vectors focused on the Web gradually declined over the study period, the number of vectors through email increased.

Overall, companies seem to be improving their defensive efforts. Firms focused on quickly fixing vulnerabilities have made great strides in reducing their attack surface area, according to the report. In 2017, companies took an average of 62 days to eliminate 80 percent of the known Adobe Flash vulnerabilities in their organizations, according to Cisco partner Qualys, a vulnerability management firm. While there seems to be little to celebrate in that response time, it used to take 308 days to reach the same benchmark in 2014.

In addition, companies are getting better at detecting incidents in their networks. The average incident took 3.5 hours to be detected in May 2017, down from 39 hours in November 2015. The median time to detection (TTD) is the period between when a compromise happens and when the company’s security detects the incident.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...