Home Interviews “Attackers always look for and exploit trending topics”

“Attackers always look for and exploit trending topics”

Shyam Sundar Ramaswami, Lead Security / Threat Researcher, Cisco, Cisco Umbrella

CISO MAG met Shyam Sundar Ramaswami, Lead Security / Threat Researcher, Cisco, at the NULLCON event held in Goa, in February 2020. Ramaswami is a security researcher who uses superhero characters like Batman and Avengers to spread awareness about cybersecurity.  He leads the India team for Umbrella Research at Cisco. Ramaswami is also responsible for the Asia Pacific research at Cisco.

Ramaswami (Twitter: @hackerbat) is also a TEDx speaker and has presented his research on malware analysis in conferences such as Black Hat USA, Qubit, NULLCON, Cisco live, and in several IEEE forums. He also teaches “Advance attacks and defenses” for the Stanford Cyber Security program. When he isn’t speaking or teaching, he runs a mentoring program called “Being Robin,” where he mentors students across the globe on cybersecurity.

Shyam Sundar Ramaswami, Lead Security / Threat Researcher, Cisco, Cisco Umbrella

Tell us about Umbrella Research. And what is your contribution to the project?

Built into the foundation of the internet, Cisco Umbrella is a cloud security platform that provides a first line of defense against threats, wherever users access the internet — on or off the corporate network.  Umbrella is deployed enterprise-wide in minutes and gives your security team the threat intelligence and context they need to block threats before they become attacks.

Domain names are the carriers of malware today. Everything is domain-based today, be it your entertainment, grocery, or shopping.

As a research team, we build honeypots and trap samples by pasting the IP address where a honeypot is hosted; and also the website, which runs on a weak server in that IP address of our honeypots in several public forums and pages. We put the honeypot username in fake, free movie sites by registering as a username in that site. Attackers try to compromise our servers and host malware or phishing pages. This aids us in learning the entry mode, attacker behaviors, and type of malware that is about to trend the cyber world.

When a new (Avengers) movie launches, there is a lot of Google SEO spamming that takes place saying, “free Avengers movie download HD print” and people fall prey to it. “Free” always comes with a price. Attackers always look for trending topics and lure users to click on malicious ads.

So, we collect these samples and research the malware patterns and we feed this intelligence back to the product.

We also act as incident response. If the customer experiences a zero-day attack, they submit the sample back to us. We examine it and reverse the process, find out what domains it talks to, etc. This is a big opportunity for us. This is how we found out about Paradise ransomware, and there are very few articles on the internet about it. Since we got the samples from our customers, we were able to reverse it and figure out the full potential. This turned out to be an intelligent, evasive, and dynamic ransomware, which set the trend for the new age evasive malware.

We also work with our sales teams to show customers real attack scenes, and how we mitigate it during sales pitches. I interact with CIOs, CSOs, and CEOs and I show them real malware, phishing campaigns, and how Umbrella blocked it. Apart from this I also speak in public forums, and write blogs to spread awareness.

Umbrella Research offers me a tailor-made role as it involves different dimensions.

What trends are you seeing today in terms of the nature of the attacks? What types of attacks is Umbrella Research tracking these days? 

Email is the primary form of attack today. These are targeted and campaign-based attacks. The attacks are tailored to the events happening in that region. For instance, in India, citizens receive notices during the time of filing their returns, about taxes that are due. In the EU, it is about insurance premiums. The entertainment industry is the most targeted industry today with Netflix phishing. Also, for Microsoft Office 365 subscriptions. People receive phishing emails with links urging them to renew their subscriptions to these services. These come with invoices in the attached Word documents. And when you open those attachments it unleashes the embedded Trojans.

We also see a trend of evasive malware. There are many free online sandbox services (like Any run, Hybrid Analysis, and VirusTotal) to test the effectiveness of malware on security products.

A lot of APTs are surfacing and many government organizations and embassy websites are targeted for APT attacks.

The other target is WordPress sites. Attackers look for small scale industries. For instance, small traders in India’s computer bazaars have WordPress sites created years ago, and they have not bothered to update WordPress and the plugins. Attackers scan these sites and use these to serve malware.

Bulletproof hosting is another target. There are bulletproof hosting sites that host sites for low rates ($10-$20) and do not care what one puts on these sites, hence malware gets hosted on those sites.

Remote Monitoring Tools act as RATs – Remote Access Trojans. Hackers use RATs for keylogging. They can switch on the webcam and record what users are doing. And these recorded videos are used for blackmailing users, especially children and teens.

What type of attacks are trending today?  

Phishing and malwares are always trending. In the past few years Malwares have become extremely evasive, super smart in studying the environment it runs in, and changing the payload dynamically according to the environment. It even uninstalls AV services or endpoint detection services.

This could be due to the “availability” of resources on the internet. There is even the marketing trend of “Trail of security products for 90 days.” The attacker can try out security products or endpoint detections systems, tune the malware according to such systems and end up evading systems!

Are the legacy tools effective to counter all these threats? Enterprises have invested heavily in these tools. What are the adoption strategies of organizations?

Security companies are aware of the investments in products. And this is where the concept of feeds service comes in. Legacy products are moving to a model of “Listen, learn and adapt.” Their engine is not static anymore and is able to pair up with a lot of old, existing, and open source products. There are open-source feeds and paid feeds. If you subscribe to these feeds you get a categorized list of bad domains. Companies are also taking a multi-layered approach to security. They look at products that are open to all feeds: open source feeds, threat feeds, paired priced feeds. It should be hybrid. One device can learn from everything. And it’s all going to the cloud.

What are the biggest security challenges raised by organizations?

The internal tools that come with the operating system are being misused by the bad actors. Take PowerShell (a scripting language built on .NET), for instance. A careless click on a link will install malware on the user’s system. The malware then uses PowerShell to do an HTTP/HTTPS call which aids in the exfiltration of data or downloading tailor-made malware.

BYOD is also causing a lot of havoc. People are using their devices to watch free movies, listen to free songs, etc. They use torrents, go to free media websites and this compromises the device and infects it. Using free-Wi-Fi in public hotspots is another problem.

And the operating system is not updated. There are systems used in healthcare institutions that use old versions of Windows that are no longer supported. Hence, there is no security and these systems have vulnerabilities that are exploited. Most of the ransomware attacks in hospitals are due to the use of old, outdated Windows or even free Windows versions. The same has been the case with several ATMs.


CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.