DOCSLIB.ORG

Bluvector Threat Report

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Bluvector Threat Report BluVector Threat Report Q3 2018 Trojans are still winning. Out of the 12 Threat Reports over Q3, six were trojans. While the results from the Threat Report quarterly from Q2 2018 were pretty even in terms of the volume of threats being spread out between APTs, ransomware and trojans, Q3 2018 showcased the depth and breadth of trojan diversity and malicious innovation. TABLE OF CONTENTS 3. Threat Report Q3 2018 Threat Chart 4. Summary 5. Summary Continued 6. APT: Turla 7. APT: APT28 8. APT: Lojax 9. RANSOMWARE: Magniber 10. RANSOMWARE: Gandcrab 11. RANSOMWARE: BitPaymer 12. TROJAN: AZORult 13. TROJAN: Windows/Android App 14. TROJAN: Dark Tequila 15. TROJAN: Delphi Crypters 16. TROJAN: Cobalt 17. TROJAN: RtPOS 18. About BluVector Lojax 47 Months in advance Q3 2018 Operation GhostSecret 30 Months in RIG Exploit APTs advance FILELESS Kit 41 Months in APT28 advance 42 Months in advance Turla 38 Months in Kwampirs advance 11 Months in advance Invisimole 3 Months in 50 40 30 20 10 advance MONTHS MONTHS MONTHS MONTHS MONTHS THREAT FIRST PUBLICLY IDENTIFIED RtPOS 8 Months in RANSOMWARE Windows/ advance Android App 17 Months in advance TROJANS BitPaymer Gh0st RAT 50 Months in 10 Months in advance advance GZipDe 28 Months in advance RadRAT Gandcrab 26 Months in 43 Months in advance advance Grobios Dark Tequila 50 Months in Cobalt advance 23 Months in 33 Months in advance advance Matrix KillDisk SynAck 52 Months in advance 44 Months in 43 Months in Magniber advance Delphi advance AZORult 56 Months in 55 Months in Crypters advance advance 45 Months in advance DBGer/ Satan 57 Months in advance BluVector runs all discovered malware samples through historical classifiers to KEY identify when our machine learning engine Discovered in Q2 2018 would have first detected the named threat. BluVector currently supports over 35 file- Discovered in Q3 2018 specific machine learning classifiers. © 2018 BluVector, Inc. 3 SUMMARY First, the biggest story was the threat that wasn’t. KEY FINDINGS Yet it illustrates clearly how prevalent malware has become and how those who should be the most protected aren’t. The discovery of Windows- targeted trojan code in 145 apps in Google’s FIRST UEFI Android Play Store might be easily overlooked by ROOTKIT those who didn’t understand the context. FOUND IN While there was no threat to Windows from an THE WILD Android application file (APK), the existence of the code showed that the app’s developers were infected. Through the development process, the code inserted itself into the app. It also illustrates TWO THREATS an infrequently reported attack vector as USING DELPHI developers of popular applications might become LANGUAGE bigger targets for malware that deliberately, and secretly, inserts code into programs before they’re compiled. However simple, without several obfuscation Oh Trojan, How You’ve Evolved methods that are commonly designed with newer threats, some malware detection solutions might As the most successful attacks, trojans are not pick it up. getting smarter as their developers are getting more organized or, in several apparently state- Many malware creators use crypters to hide their sponsored attacks, more multi-layered. In Q3, we malicious ways and they’re discovering old ways saw the growth of multi-layered attacks as well to build new threats. A new crypter, built in the as several attacks designed to infect computing older Delphi (née Pascal) language, is making devices in particular regions. the rounds as the compiled executable is harder to reverse engineer than some other coding Dark Tequila, unlikely to be a world-spanning languages. A similar approach also showed up in mega threat, targeted Spanish-speaking users in APT28’s Roman Holiday campaign, where Delphi South America and attempts to grab credentials code was used in the attack’s dropper. for web hosting panel access, Office 365, Lotus Notes, etc. When captured, that data is encrypted Spear phishing still works and the group behind and uploaded to a command and control (C2) Cobalt has been reported by Europol to have server. Interestingly, if the user isn’t using a stolen US$1.2 billion from 100 banks in over 40 Spanish keyboard, the malware simply uninstalls countries. Originally targeted towards Russian and itself. Romanian banks, emails were cleverly disguised as coming from the EU-based intrabank credit Other threats, such as RtPOS, came with Russian processor, Interkassa. In the U.S., Cobalt attacks language in the code but might be a plug-in used showed up in restaurant chains including Arby’s, with other malware, as it doesn’t encrypt data from Chili’s, Chipotle and Red Robin. POS machines. It simply writes the information to a text file, which might be more of a functional part of a bigger attack and not an attack itself. © 2018 BluVector, Inc. 4 APT:SUMMARY OperationKwampirs GhostSecret Potentially the meanest attack of Q3, AZORult (“Marina Militare”) with a cleverly named C2 that 3.2, rips off cryptocurrency, exfiltrates browsers was similar to its Italian language name, “marina- histories from non-Microsoft browsers (yet, who info.net”. really uses Edge?) and any data to get admin access. Targeted at North America, the attack The scariest APT of the quarter easily goes begins with password-encrypted Zip file enclosed to Lojax, known for attacking the Democratic in an email that tells the recipient the password. National Committee, with a new campaign Inside is a Word file filled with malicious macros. that’s been deployed in Central and Eastern EU After stealing all that data, it then downloads counties. Rather than going file or fileless, the Hermes ransomware for a final coup-de-grace. new attack writes itself into the UEFI (the modern version of a BIOS) of the device. Removing Ransomware Still Getting Paid the threat would require reflashing the UEFI, something that most non-technical people would Rather than count how much ransomware not know how to do. The threat does seem to creators are earning, the Threat Report team be more limited, attacking Intel-based controller prefers to observe changes that are going on chips prior to the Intel Series 5, released in 2008. in the malware underworld. Gandcrab isn’t new but the group behind it is accelerating its efforts. Q4 Holiday Attacks Just two days after Gandcrab 4.0 was released, version 4.1 was released with new encryption, As with years prior, we expect to see an increase a unique method for hardcoding C2 URLs and in attacks in Q4 2018. Seasonally, this can be has several trojan-like functions that grabs partly due to holiday vacations of security staff, information, including installed AV software, and which can mean a delayed response to an attack. sends it back to a C2. With a reported $600,000 From the end user side, shoppers, looking for in ransom payments, Gandcrab isn’t going away bargains, are often a prime target for email-related anytime soon. Yet, BitPaymer could easily top that breaches. This is where user education proves amount with its high 53 bitcoin ransom request its worth in the real world. Remind your users to (roughly $337,000). be mindful about the emails they’re receiving, checking the links and reporting any activities APTs, The Choice for State-run Attacks that they believe might constitute a breach. Despite fewer APTs this quarter, APTs are the weapon of choice for state-run or state- targeted attacks. The Turla group, believed to Q3 FINDINGS be Russia-based, has attacked the U.S. State Department, U.S. Central Command, embassies MONTHS IN ADVANCE IN in EU countries and the German Federal Foreign EARLIEST DETECTION office. Attacks included a PDF file that includes a fileless PowerShell script. Once breached, the malware places the acquired information into an encrypted Outlook email back to its attackers. Yet, the APT28 group, known for attacking NEW THREATS FOUND southeast Asian countries jumped to Italy for THIS QUARTER its “Roman Holiday” attack on the Italian Navy © 2018 BluVector, Inc. 5 APT: OperationKwampirsTurla GhostSecret What Is It? Firstly, the backdoor logs information related to each legitimate email sent or received by the Researchers from security company ESET user (sender, recipients, subject and attachment have released a report detailing their analysis filenames). This information is encrypted and of malware used by the Advanced Persistent periodically sent to the attackers in a PDF Threat (APT) group Turla (also known as file attached to an email. Incoming emails Waterbug, Venomous Bear and KRYPTON). The containing PDF files are scanned to see if malware is currently using a novel technique they contain commands common to bots and for its C2 communication, it utilizes specially- backdoors, such as downloading and executing formatted PDF files in emails being sent to and files, running commands and exfiltrating data from Microsoft Outlook clients. via PDF files attached to outgoing emails. The The Turla APT group is Russia-based and has malware attempts to remain undetected by been active since 2007, targeting various blocking notifications of incoming C2 emails and governmental organizations and military removing them from the inbox and sent folder. contractors. Previous targets have included the It is believed to be the only malware using email U.S. Department of State, U.S. Central Command exclusively for its C2 communication. (CENTCOM) and embassies located in European countries. How Does It Propagate? Recent breaches attributed to Turla include the The malware does not contain the necessary German Federal Foreign Office, where several code to self-propagate. There are no details systems were backdoored for nine months in available regarding the initial infection vector, 2017 before the malware was discovered. however the Turla APT group have proven themselves adept at utilizing social engineering Previous attacks have shown Turla to have to their advantage, which may include malicious excellent social engineering and technical skills, documents in spear phishing emails.
Load more

Recommended publications
  • Ransom Where?
    Ransom where? Holding data hostage with ransomware May 2019 Author With the evolution of digitization and increased interconnectivity, the cyberthreat landscape has transformed from merely a security and privacy concern to a danger much more insidious by nature — ransomware. Ransomware is a type of malware that is designed to encrypt, Imani Barnes Analyst 646.572.3930 destroy or shut down networks in exchange [email protected] for a paid ransom. Through the deployment of ransomware, cybercriminals are no longer just seeking to steal credit card information and other sensitive personally identifiable information (PII). Instead, they have upped their games to manipulate organizations into paying large sums of money in exchange for the safe release of their data and control of their systems. While there are some business sectors in which the presence of this cyberexposure is overt, cybercriminals are broadening their scopes of potential victims to include targets of opportunity1 across a multitude of industries. This paper will provide insight into how ransomware evolved as a cyberextortion instrument, identify notorious strains and explain how companies can protect themselves. 1 WIRED. “Meet LockerGoga, the Ransomware Crippling Industrial Firms” March 25, 2019; https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/. 2 Ransom where? | May 2019 A brief history of ransomware The first signs of ransomware appeared in 1989 in the healthcare industry. An attacker used infected floppy disks to encrypt computer files, claiming that the user was in “breach of a licensing agreement,”2 and demanded $189 for a decryption key. While the attempt to extort was unsuccessful, this attack became commonly known as PC Cyborg and set the archetype in motion for future attacks.
    [Show full text]
  • Monthly Threat Report November 2020
    NTT Ltd. Global Threat Intelligence Center Monthly Threat Report November 2020 hello.global.ntt report | GTIC Monthly Threat Report: November 2020 Contents Feature article: Security in the app economy 03 Spotlight article: The Trickbot takedown 07 Spotlight article: Snapshot of threats to retail 08 About NTT Ltd.’s Global Threat Intelligence Center 09 2 | © Copyright NTT Ltd. hello.global.ntt report | GTIC Monthly Threat Report: November 2020 Security in the app economy Lead Analyst: Zach Jones, Sr. Director of Detection Research, WhiteHat Security, US It used to be simple; a retailer Attack vectors and security spending when organizations are trying to enable was a retailer and a bank was are misaligned customer access in our ‘there’s an app for that’ world. The problem is that a bank. Initially, the role of According to our 2020 NTT Ltd. represents a pipeline where benign and Global Threat Intelligence Report, 33% software in non-technology malicious traffic alike enter networks of observed attacks globally were sectors stayed behind the straight through firewalls and DMZs. The application-specific and 22% of attacks protocol was never designed for secure scenes, supporting the core were web-application based. This means application delivery so building HTTP competencies of that industry, a total of 55% of attacks detected globally applications is prone to error. Threat like inventory management occurred at the application layer. for retailers and account actors will continue to abuse these virtual According to Gartner Group, the 2020 front doors and windows. They are easy management for banks. Security Market Segment spend is to access and are often the weakest link This is no longer the case.
    [Show full text]
  • Virtual Currencies and Terrorist Financing : Assessing the Risks And
    DIRECTORATE GENERAL FOR INTERNAL POLICIES POLICY DEPARTMENT FOR CITIZENS' RIGHTS AND CONSTITUTIONAL AFFAIRS COUNTER-TERRORISM Virtual currencies and terrorist financing: assessing the risks and evaluating responses STUDY Abstract This study, commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the TERR Committee, explores the terrorist financing (TF) risks of virtual currencies (VCs), including cryptocurrencies such as Bitcoin. It describes the features of VCs that present TF risks, and reviews the open source literature on terrorist use of virtual currencies to understand the current state and likely future manifestation of the risk. It then reviews the regulatory and law enforcement response in the EU and beyond, assessing the effectiveness of measures taken to date. Finally, it provides recommendations for EU policymakers and other relevant stakeholders for ensuring the TF risks of VCs are adequately mitigated. PE 604.970 EN ABOUT THE PUBLICATION This research paper was requested by the European Parliament's Special Committee on Terrorism and was commissioned, overseen and published by the Policy Department for Citizens’ Rights and Constitutional Affairs. Policy Departments provide independent expertise, both in-house and externally, to support European Parliament committees and other parliamentary bodies in shaping legislation and exercising democratic scrutiny over EU external and internal policies. To contact the Policy Department for Citizens’ Rights and Constitutional Affairs or to subscribe to its newsletter please write to: [email protected] RESPONSIBLE RESEARCH ADMINISTRATOR Kristiina MILT Policy Department for Citizens' Rights and Constitutional Affairs European Parliament B-1047 Brussels E-mail: [email protected] AUTHORS Tom KEATINGE, Director of the Centre for Financial Crime and Security Studies, Royal United Services Institute (coordinator) David CARLISLE, Centre for Financial Crime and Security Studies, Royal United Services Institute, etc.
    [Show full text]
  • CYBER ATTACK TRENDS Mid Year Report 2021 CONTENTS
    CYBER ATTACK TRENDS Mid Year Report 2021 CONTENTS 04 EXECUTIVE SUMMARY 07 TRIPLE EXTORTION RANSOMWARE—THE THIRD-PARTY THREAT 11 SOLARWINDS AND WILDFIRES 15 THE FALL OF AN EMPIRE—EMOTET’S FALL AND SUCCESSORS 19 MOBILE ARENA DEVELOPMENTS 2 22 COBALT STRIKE STANDARDIZATION 26 CYBER ATTACK CATEGORIES BY REGION 28 GLOBAL THREAT INDEX MAP 29 TOP MALICIOUS FILE TYPES—WEB VS. EMAIL CHECK POINT SOFTWARE MID-YEAR REPORT 2021 31 GLOBAL MALWARE STATISTICS 31 TOP MALWARE FAMILIES 34 Top Cryptomining Malware 36 Top Mobile Malware 38 Top Botnets 40 Top Infostealers Malware 42 Top Banking Trojans 44 HIGH PROFILE GLOBAL VULNERABILITIES 3 47 MAJOR CYBER BREACHES (H1 2021) 53 H2 2021: WHAT TO EXPECT AND WHAT TO DO 56 PREVENTING MEGA CYBER ATTACKS 60 CONCLUSION CHECK POINT SOFTWARE MID-YEAR REPORT 2021 EXECUTIVE SUMMARY CHECK POINT SOFTWARE’S MID-YEAR SECURITY REPORT REVEALS A 29% INCREASE IN CYBERATTACKS AGAINST ORGANIZATIONS GLOBALLY ‘Cyber Attack Trends: 2021 Mid-Year Report’ uncovers how cybercriminals have continued to exploit the Covid-19 pandemic and highlights a dramatic global 93% increase in the number of ransomware attacks • EMEA: organizations experienced a 36% increase in cyber-attacks since the beginning of the year, with 777 weekly attacks per organization • USA: 17% increase in cyber-attacks since the beginning of the year, with 443 weekly attacks per organization • APAC: 13% increase in cyber-attacks on organizations since the beginning of the year, with 1338 weekly attacks per organization In the first six months of 2021, the global rollout of COVID-19 vaccines gave hope that we will be able to live without restrictions at some point—but for a majority of organizations internationally, a return to pre-pandemic ‘norms’ is still some way off.
    [Show full text]
  • North Korean Cyber Capabilities: in Brief
    North Korean Cyber Capabilities: In Brief Emma Chanlett-Avery Specialist in Asian Affairs Liana W. Rosen Specialist in International Crime and Narcotics John W. Rollins Specialist in Terrorism and National Security Catherine A. Theohary Specialist in National Security Policy, Cyber and Information Operations August 3, 2017 Congressional Research Service 7-5700 www.crs.gov R44912 North Korean Cyber Capabilities: In Brief Overview As North Korea has accelerated its missile and nuclear programs in spite of international sanctions, Congress and the Trump Administration have elevated North Korea to a top U.S. foreign policy priority. Legislation such as the North Korea Sanctions and Policy Enhancement Act of 2016 (P.L. 114-122) and international sanctions imposed by the United Nations Security Council have focused on North Korea’s WMD and ballistic missile programs and human rights abuses. According to some experts, another threat is emerging from North Korea: an ambitious and well-resourced cyber program. North Korea’s cyberattacks have the potential not only to disrupt international commerce, but to direct resources to its clandestine weapons and delivery system programs, potentially enhancing its ability to evade international sanctions. As Congress addresses the multitude of threats emanating from North Korea, it may need to consider responses to the cyber aspect of North Korea’s repertoire. This would likely involve multiple committees, some of which operate in a classified setting. This report will provide a brief summary of what unclassified open-source reporting has revealed about the secretive program, introduce four case studies in which North Korean operators are suspected of having perpetrated malicious operations, and provide an overview of the international finance messaging service that these hackers may be exploiting.
    [Show full text]
  • Global Security Report End Year 2020 Executive Summary
    Global Security Report End Year 2020 Executive Summary The Zix | AppRiver Global Security Report for 2020 highlights the threats and trends Zix | AppRiver Security analysts saw throughout the year. In 2020, analysts saw attackers shift their tactics to take advantage of the unprecedented situation the world faced due to the Covid-19 pandemic. These attacks: • Aimed to take advantage of uncertainty surrounding the pandemic and the shift to “work from home” throughout much of the year. • Leveraged other world events, like the contentious US election, to distribute their attacks. • Multiplied "living off the land” attacks across many new and otherwise legitimate services. • Continued shift from high volume email blasts to a much more focused and customized attack style. • Posed impersonation attacks as internal executive communications and were persistent throughout 2020. In this report, we will take a deep dive into many of the threats and trends we saw in email security as well as discuss examples of prevalent attacks and explore potential impacts. Introduction Threat actors have always leveraged both local and world events to help spread their attacks. Never more so than in 2020. Early in the year, as the global pandemic came to fruition, attackers began launching spam, phishing and malware attacks utilizing interest in the pandemic. It wasn’t long before they had begun crafting attacks centered around the surge in remote work. Later in the year they took advantage of the contentious US Election cycle to distribute attacks. In 2020, Attackers continued to embrace the use of more targeted attacks versus the large volume email blasts we have seen in the past.
    [Show full text]
  • 2015 Threat Report Provides a Comprehensive Overview of the Cyber Threat Landscape Facing Both Companies and Individuals
    THREAT REPORT 2015 AT A GLANCE 2015 HIGHLIGHTS A few of the major events in 2015 concerning security issues. 08 07/15: Hacking Team 07/15: Bugs prompt 02/15: Europol joint breached, data Ford, Range Rover, 08/15: Google patches op takes down Ramnit released online Prius, Chrysler recalls Android Stagefright botnet flaw 09/15: XcodeGhost 07/15: Android 07/15: FBI Darkode tainted apps prompts Stagefright flaw 08/15: Amazon, ENFORCEMENT bazaar shutdown ATTACKS AppStore cleanup VULNERABILITY reported SECURITYPRODUCT Chrome drop Flash ads TOP MALWARE BREACHING THE MEET THE DUKES FAMILIES WALLED GARDEN The Dukes are a well- 12 18 resourced, highly 20 Njw0rm was the most In late 2015, the Apple App prominent new malware family in 2015. Store saw a string of incidents where dedicated and organized developers had used compromised tools cyberespionage group believed to be to unwittingly create apps with malicious working for the Russian Federation since behavior. The apps were able to bypass at least 2008 to collect intelligence in Njw0rm Apple’s review procedures to gain entry support of foreign and security policy decision-making. Angler into the store, and from there into an ordinary user’s iOS device. Gamarue THE CHAIN OF THE CHAIN OF Dorkbot COMPROMISE COMPROMISE: 23 The Stages 28 The Chain of Compromise Nuclear is a user-centric model that illustrates Kilim how cyber attacks combine different Ippedo techniques and resources to compromise Dridex devices and networks. It is defined by 4 main phases: Inception, Intrusion, WormLink Infection, and Invasion. INCEPTION Redirectors wreak havoc on US, Europe (p.28) INTRUSION AnglerEK dominates Flash (p.29) INFECTION The rise of rypto-ransomware (p.31) THREATS BY REGION Europe was particularly affected by the Angler exploit kit.
    [Show full text]
  • Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE of CONTENTS 2016 Internet Security Threat Report 2
    Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE OF CONTENTS 2016 Internet Security Threat Report 2 CONTENTS 4 Introduction 21 Tech Support Scams Go Nuclear, 39 Infographic: A New Zero-Day Vulnerability Spreading Ransomware Discovered Every Week in 2015 5 Executive Summary 22 Malvertising 39 Infographic: A New Zero-Day Vulnerability Discovered Every Week in 2015 8 BIG NUMBERS 23 Cybersecurity Challenges For Website Owners 40 Spear Phishing 10 MOBILE DEVICES & THE 23 Put Your Money Where Your Mouse Is 43 Active Attack Groups in 2015 INTERNET OF THINGS 23 Websites Are Still Vulnerable to Attacks 44 Infographic: Attackers Target Both Large and Small Businesses 10 Smartphones Leading to Malware and Data Breaches and Mobile Devices 23 Moving to Stronger Authentication 45 Profiting from High-Level Corporate Attacks and the Butterfly Effect 10 One Phone Per Person 24 Accelerating to Always-On Encryption 45 Cybersecurity, Cybersabotage, and Coping 11 Cross-Over Threats 24 Reinforced Reassurance with Black Swan Events 11 Android Attacks Become More Stealthy 25 Websites Need to Become Harder to 46 Cybersabotage and 12 How Malicious Video Messages Could Attack the Threat of “Hybrid Warfare” Lead to Stagefright and Stagefright 2.0 25 SSL/TLS and The 46 Small Business and the Dirty Linen Attack Industry’s Response 13 Android Users under Fire with Phishing 47 Industrial Control Systems and Ransomware 25 The Evolution of Encryption Vulnerable to Attacks 13 Apple iOS Users Now More at Risk than 25 Strength in Numbers 47 Obscurity is No Defense
    [Show full text]
  • Compromised Connections
    COMPROMISED CONNECTIONS OVERCOMING PRIVACY CHALLENGES OF THE MOBILE INTERNET The Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and many other international and regional treaties recognize privacy as a fundamental human right. Privacy A WORLD OF INFORMATION underpins key values such as freedom of expression, freedom of association, and freedom of speech, IN YOUR MOBILE PHONE and it is one of the most important, nuanced and complex fundamental rights of contemporary age. For those of us who care deeply about privacy, safety and security, not only for ourselves but also for our development partners and their missions, we need to think of mobile phones as primary computers As mobile phones have transformed from clunky handheld calling devices to nifty touch-screen rather than just calling devices. We need to keep in mind that, as the storage, functionality, and smartphones loaded with apps and supported by cloud access, the networks these phones rely on capability of mobiles increase, so do the risks to users. have become ubiquitous, ferrying vast amounts of data across invisible spectrums and reaching the Can we address these hidden costs to our digital connections? Fortunately, yes! We recommend: most remote corners of the world. • Adopting device, data, network and application safety measures From a technical point-of-view, today’s phones are actually more like compact mobile computers. They are packed with digital intelligence and capable of processing many of the tasks previously confined
    [Show full text]
  • Threat Landscape Report
    QUARTERLY Threat Landscape Report Q3 2020 NUSPIRE.COM THIS REPORT IS SOURCED FROM 90 BILLION TRAFFIC LOGS INGESTED FROM NUSPIRE CLIENT SITES AND ASSOCIATED WITH THOUSANDS OF DEVICES AROUND THE GLOBE. Nuspire Threat Report | Q2Q3 | 2020 Contents Introduction 4 Summary of Findings 6 Methodology and Overview 7 Quarter in Review 8 Malware 9 Botnets 15 Exploits 20 The New Normal 28 Conclusion and Recommendations 31 About Nuspire 33 3 | Contents Nuspire Threat Report | Q3 | 2020 Introduction In Q2 2020, Nuspire observed the increasing lengths threat actors were going to in order to capitalize on the pandemic and resulting crisis. New attack vectors were created; including VPN usage, home network security issues, personal device usage for business purposes and auditability of network traffic. In Q3 2020, we’ve observed threat actors become even more ruthless. Shifting focus from home networks to overburdened public entities including the education sector and the Election Assistance Commission (EAC). Many school districts were forced into 100% virtual or hybrid learning models by the pandemic. Attackers have waged ransomware attacks at learning institutions who not only have the financial resources to pay ransoms but feel a sense of urgency to do so in order to avoid disruptions during the school year. Meanwhile, the U.S. Elections have provided lures for phishers to attack. Nuspire witnessed Q3 attempts to guide victims to fake voter registration pages to harvest information while spoofing the Election Assistance Commission (EAC). Like these examples, cybercriminals taking advantage of prominent media themes are expected. We anticipate our Q4 2020 Threat Report 4 | Introduction Nuspire Threat Report | Q3 | 2020 to find campaigns leveraging more of the United report each quarter is a great step to gain that States Presidential election as well.
    [Show full text]
  • The Dark Reality of Open Source Spotlight Report
    SPOTLIGHT The Dark Reality of Open Source Through the Lens of Threat and Vulnerability Management RiskSense Spotlight Report • May 2020 Executive Summary Open sourCe software (OSS) has quiCkly transformed both And while Heartbleed and the Apache Struts how modern applications are built and the underlying code vulnerabilities are the household names of open source they rely on. Access to high-quality and powerful open vulnerabilities, they are far from the only examples. Open source software projects has allowed developers to quickly source software is increasingly being targeted by integrate new capabilities into their applications without cryptominers, ransomware, and leveraged in DDoS having to reinvent the wheel. As a result, it is now estimated attacks. Unfortunately, OSS vulnerabilities are often a that between 80% and 90% of the code in most modern blind spot for many enterprises, who may not always be applications is made up of open source components. aware of all the open source projects and dependencies Likewise, many of the very tools that have enabled the that are used in their applications. growth of DevOps and CI/CD such as Jenkins, Kubernetes, and Docker are themselves open source projects. With this in mind, we have focused this version of the RiskSense Spotlight report on vulnerabilities in some of OSS also allows organizations to reduce their software today’s most popular open source software, including costs, and is often key to digital transformation efforts more than 50 OSS projects and over 2,600 vulnerabilities. and the transition of services to the cloud. It is no We then used this dataset to provide a risk-based surprise then that a 2020 report from Red Hat found that analysis of open source software to reveal the following: 95% of organizations view open source software as strategically important to their business.
    [Show full text]
  • APT and Cybercriminal Targeting of HCS June 9, 2020 Agenda
    APT and Cybercriminal Targeting of HCS June 9, 2020 Agenda • Executive Summary Slides Key: • APT Group Objectives Non-Technical: managerial, strategic • APT Groups Targeting Health Sector and high-level (general audience) • Activity Timeline Technical: Tactical / IOCs; requiring • TTPs in-depth knowledge (sysadmins, IRT) • Malware • Vulnerabilities • Recommendations and Mitigations TLP: WHITE, ID#202006091030 2 Executive Summary • APT groups steal data, disrupt operations, and destroy infrastructure. Unlike most cybercriminals, APT attackers pursue their objectives over longer periods of time. They adapt to cyber defenses and frequently retarget the same victim. • Common HPH targets include: • Healthcare Biotechnology Medical devices • Pharmaceuticals Healthcare information technology • Scientific research • HPH organizations who have been victim of APT attacks have suffered: • Reputational harm Disruption to operations • Financial losses PII/PHI and proprietary data theft • HC3 recommends several mitigations and controls to counter APT threats. TLP: WHITE, ID#202006091030 3 APT Group Objectives • Motivations of APT Groups which target the health sector include: • Competitive advantage • Theft of proprietary data/intellectual capital such as technology, manufacturing processes, partnership agreements, business plans, pricing documents, test results, scientific research, communications, and contact lists to unfairly advance economically. • Intelligence gathering • Groups target individuals and connected associates to further social engineering
    [Show full text]