Zeus and Conficker malware return to haunt UK companies

Old malware variants, the Zeus Trojan and the Conficker computer worm, remain a huge problem for most UK companies, according to CERT-UK's first annual report.

Released earlier this month, the CERT-UK annual report delves into data from CERT's 950 CiSP members, and it found that older malware variants are still the most prevalent within enterprise networks, whilst also warning of nation-state activity and the emergence of zero-day vulnerabilities like Heartbleed.

“Despite being active since 2011, almost half of all malware we observed last year was Zeus,” reads the report, which also placed Conficker and the Zeroaccess Trojan highly.

“The top three malware types are all several years old and have either had patches released or mitigation advice issued, yet they are the most prolific malware types we have seen this year. It is clear to us that we all need to do far more to protect systems and educate people to the dangers, starting with the most basic cyber security steps.” CERT-UK recommends that businesses follow the UK government's 10 Steps to Cyber Security guide, sign up for Cyber Essentials and CiSP membership, with the latter expected to pass 1,000 members later this year.

On state-level cyber-crime activity the report added: “The threat from nation states' use of malware is still very real. We are under no illusion that the UK is a target and the cyber-sphere is a growing opportunity for those who would harm the economy. Industry and government need to work more closely than ever to combat the threat.”

Fortunately, and perhaps a sign of things to come, CERT-UK said it hasn't seen sector-specific malware threats at this time.

The report also interestingly noted a growth in security incidents affecting academia and communication sectors, although the body said that this was likely “an indication of good communication with regard to reporting incidents, rather than that sector having poor cyber-security”.

CERT-UK said that an ‘open dialogue’ was needed so that all businesses can share information on cyber-crime, citing its own partnerships with JANET and other UK CERTs, and pointed to low incidents in the Emergency Services, Food, Health, Water and Defence sectors as evidence for joining CiSP – these sectors have the largest membership figures in the group.

CERT-UK, which launched last March, added that it didn't expect the sheer scale of the Heartbleed and Shellshock vulnerabilities, and believes we may well see another of such scale during 2015 to 2016. The group also predicts more mobile malware, the supply chain being ‘hit hard’, consumers expecting better security, the cyber-crime market becoming more accessible and the ‘largest data breach ever’.

Alan Calder, founder and CEO of IT Governance, said in an email to SCMagazineUK.com that these findings were once more down to firms not getting the basics right.

“Report after report identifies malware as a major issue for UK organisations – have done for years. Organisations don't do the basics – which is a policy of systematically patching vulnerabilities as and when they're identified,” he said, adding that patching is a pre-requisite for the Government's Cyber Essentials certificate, and a core control in ISO/IEC 27001.

Citing PwC figures, he said that organisations spend on average only 3.8 percent of their IT budget on cyber-security, adding that most boards of directors are detached from the same issue – a scary thought considering Calder backed up CERT's findings that there is increasing evidence of state-sponsored cyber-attacks.

He urged companies to get their supply chains to adopt Cyber Essentials and obtain ISO27001 certification, and warned that firms will always be at risk if they don't get the basics right.

“All organisations, large and small, are at the mercy of the rent-a-cyber-attack industry for as long as they don't do the basics of patching vulnerabilities, training staff, preparing a response plan etc.”

He added: “Sustained failure to manage such a well-known, widely identified business risk – one which has such serious consequences for individual customers as well as for stakeholders in the business – should be called out as the dereliction of fiduciary duty it clearly is. Criminal convictions for directors, sooner or later (in much the same way as is now possible for Health and Safety breaches), are probably the only way this basic problem will be resolved.”

But Calder was more positive about the effect CERT-UK and CiSP have had in their short time. “I think CERT and CiSP are doing a good job in terms of helping tackle the issues.”