QUARTERLY THREAT LANDSCAPE REPORT Q2 2019

Table of Contents

About Nuspire...... 3

Methodology and Overview...... 4

Datasets at a Glance...... 5

Highlights from the Headlines...... 6

Trending Malware...... 7

Trending Botnets...... 12

Trending Exploits...... 16

Conclusions and Recommendations...... 20

www.nuspire.com 2

About Nuspire

Nuspire is the Managed Security Services (MSS) provider of choice, delivering the greatest risk reduction per cyber-dollar spent. The company’s 24x7 Security Operations Centers (SOCs) and managed detection and response (MDR) service combines award-winning threat detection and response technology with human intervention and analysis, providing end-to-end protection across the gateway, network and endpoint ecosystem. Nuspire pioneered distributed, managed security services within the enterprise and franchise market and today protects thousands of locations globally.

CONTACT US TODAY TO DISCUSS YOUR UNIQUE SECURITY CHALLENGES.

METHODOLOGY AND OVERVIEW

Data referenced throughout this report is gathered from thousands of devices at Nuspire customer sites from across the globe. This equates to more than 90 billion traffic logs through the second quarter of 2019. Log data is ingested using the power of Nuspire’s cloud-based SIEM. Aggregated and correlated data from our enterprise and mid-market client set provides a unique vantage point to threat vectors targeting the automotive, franchise, manufacturing, construction and healthcare markets.

The report begins with an overview of the most prevalent cybersecurity headlines throughout the quarter. Reported breaches and the headlines they generate play a crucial role in trend identification, as evidenced by findings highlighted throughout the report.

Nuspire’s threat report is divided into three main vector datasets: Malware, Botnet and Exploit. Each dataset is then analyzed to identify the most prolific and prevalent threats of the quarter.

MALWARE BOTNET EXPLOIT

Q2 2019 DATASETS AT A GLANCE

MALWARE: 4.6M+ detected; 1198 unique variants detected; 355K+ variants detected per week; 51K+ variants detected per day; 29% decrease in total activity from Q1.

BOTNET: 3.5M+ detected; 41 unique botnets detected; 264K+ infections per week; 37K+ infections per day; 17% decrease in total activity from Q1.

EXPLOITS: 55M+ detected; 406 unique exploits detected; 4.3M+ detections per week; 615K+ detections per day; 46% increase in total activity from Q1.

HIGHLIGHTS FROM THE HEADLINES IN Q2 2019

In the second quarter of 2019 we saw some significant headlines about major threats and reported breaches affecting businesses and consumers alike. We found that many of these threats are older families whose newer variants are not caught by signature-based protection.

APRIL 9: Multiple flaws found in Verizon Fios routers that could allow remote attackers to take complete control over the affected routers, exposing every other device connected to them.

APRIL 30: A team of security researchers discovered several vulnerabilities in various implementations of OpenPGP and S/MIME email signature verification that could allow attackers to spoof signatures on over a dozen popular email clients.

MAY 1: Hackers found exploiting Oracle WebLogic RCE flaw to spread ransomware.

MAY 2: A critical remote code execution vulnerability has been discovered in the Dell SupportAssist utility that comes pre-installed on most Dell computers.

MAY 8: A ransomware attack on Baltimore City Hall infected the city’s technology systems, causing the City of Baltimore to shut down most of its servers.

MAY 14: Microsoft releases fix for critical RDP vulnerability.

MAY 23: Hacker discloses 4 new Microsoft zero-day exploits in 24 hours, affecting Microsoft’s Windows Error Reporting service and Internet Explorer 11.

JUNE 7: New brute-force botnet targeting over 1.5 million RDP servers.

JUNE 18: GandCrab ransomware releases a decryption tool that could allow millions of affected users to unlock their encrypted files for free.

JUNE 26: Two Florida cities paid 1.1 million in ransom this month to recover encrypted files from two separate ransomware attacks.

TRENDING MALWARE

Studying malware aids in the detection of and response to attacks, and helps identify new attacks and techniques when they surface. New attack vectors and techniques continue to be discovered that traditional measures cannot stop. Ransomware is becoming so common that customers are most likely to simply deal with it when it happens, which results in system downtime, financial impact and, often, lost data.

MALWARE BY THE NUMBERS

MALWARE: 4.6M+ detected; 1198 unique variants detected; 355K variants detected per week; 51K+ variants detected per day; 63% increase in unique variants detected from last quarter.

The image below shows average malware activity throughout Q2 as a dashed line, whereas the solid line represents spikes and dips in activity, some of which relate to the headlines outlined at the beginning of the report. Comparing daily activity against the quarter’s average aids in identifying abnormal activity trending throughout our dataset. Dips in activity may indicate malicious actors switching malware delivery to a different payload.

[Figure: Malware Activity vs. Q2 Average, Apr 1 through Jun 16; y-axis 0 to 500K detections]
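As an added illustration of the comparison the chart makes (this is example code, not Nuspire’s own tooling or data), the following Python flags days whose detection count departs sharply from the period average and computes the kind of period-over-period percentage increase quoted elsewhere in the report. The daily counts and monthly totals are constructed; the 1.5 standard deviation threshold is an assumption.

```python
import statistics
from datetime import date, timedelta

# Constructed daily malware detection counts for a two-week window (illustrative, not Nuspire data).
START = date(2019, 4, 1)
SAMPLE_DAILY = [300, 310, 295, 305, 320, 298, 302, 480, 470, 305, 299, 301, 140, 310]


def period_average(counts):
    """The dashed line in the chart: mean detections per day over the period."""
    return statistics.mean(counts)


def flag_abnormal_days(counts, start=START, k=1.5):
    """Return (date, count, 'spike' or 'dip') for days further than k standard
    deviations from the period average.

    Dips are reported as well as spikes: the report notes that a dip can mean
    attackers switched delivery to a different payload, so both deserve a look.
    """
    avg = period_average(counts)
    spread = statistics.pstdev(counts)
    flagged = []
    for offset, count in enumerate(counts):
        day = start + timedelta(days=offset)
        if count > avg + k * spread:
            flagged.append((day, count, "spike"))
        elif count < avg - k * spread:
            flagged.append((day, count, "dip"))
    return flagged


def percent_change(old_total, new_total):
    """Percentage increase from one period's total to the next, as the report quotes it."""
    return round((new_total - old_total) / old_total * 100, 1)


if __name__ == "__main__":
    print(f"average per day: {period_average(SAMPLE_DAILY):.1f}")
    for day, count, kind in flag_abnormal_days(SAMPLE_DAILY):
        print(f"{day} {kind}: {count}")
    # constructed March and May totals that reproduce a 193% increase
    print(f"March-to-May change: {percent_change(30000, 87900)}%")
```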

MALWARE DELIVERY METHODS

The most common malware activity we saw throughout the quarter was generic detections for VBA/Agent, W32/Kryptik, PDF/Phishing and AutoIt/Injector. These signatures are generic detections for Trojan malware that performs activities without the user’s knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading and uploading files, dropping other malware onto the infected system, performing denial-of-service (DoS) attacks, and running or terminating processes.

VBA is delivered via email in the form of Microsoft Office macro-based documents. These office documents typically rely on social engineering in order to trick unsuspecting users into running their malicious VBA scripts. Once the script is executed, the infection process begins and typically can lead to a wide variety of infections. Because VBA scripts have proven to be a successful approach for attackers, this has continued to be a large-scale threat for businesses across all industries.

Although we saw a 29% decrease in overall malware activity, we did have a significant 63% increase in unique variants detected. This increase could signify attackers retooling their approach in order to become more sophisticated in their delivery with additional obfuscation to avoid detection.

[Figure: Malware Trends Based on Type; pie chart segments: W32, VBA, PDF, AutoIt, Other]

MALWARE DELIVERY METHODS (CONTINUED)

The image below shows a significant spike in AutoIt from the beginning of April into May, with the majority of this activity related to the Nanocore RAT. AutoIt is used as a top-level wrapper for the main .NET compiled binary: the AutoIt script reconstructs the .NET binary, which in turn carries out the infection.

Nanocore has been around since 2013 and is known to perform a variety of functions, including installing a keylogger that passes captured input to the malware operator, tampering with webcams, and downloading additional files. Although the author was arrested in late 2016 and sentenced in 2018, the Nanocore RAT has continued to make its rounds through organizations.

[Figure: Significant Increase in AutoIt Activity, January through June; y-axis 0 to 40K detections]

MALWARE DELIVERY METHODS (CONTINUED)

We saw a 193% increase in PDF Phishing detections from March to May. Through our technology, we were able to identify a phishing campaign related to this spike in which fraudulent emails encouraged recipients to view or download a document in Microsoft OneDrive. The link in the email directs the user to an authentic-looking OneDrive login page designed to harvest their credentials. Once the credentials have been collected, the user is redirected to the real Microsoft page. With the victim’s credentials in hand, the attacker can commit identity theft, cause financial loss to the user or the business, lock users out of their own accounts, or launch additional business email compromise attacks.

[Figure: 193% Increase in PDF Delivery, January through June; y-axis 0 to 100K detections]

This phishing campaign could affect numerous industries and can target any individual within an organization. 30% of the most targeted phishing attacks were directed at generic email accounts, which are typically shared by two or more employees within an organization. Generic addresses like ‘[email protected]’ are valuable to attackers because they reach multiple targets, they are easy to obtain and usually public facing, and they are harder to protect with multi-factor authentication because several people monitor the account.
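One way a defender can hunt for the OneDrive lookalike login pages described above in web proxy logs, as an added example (not Nuspire’s detection logic): flag URLs that combine a Microsoft or OneDrive brand term with a sign-in term while sitting on a domain Microsoft does not use. The proxy log lines are constructed, the allowlist of Microsoft domains is an assumption to extend for your environment, and the domain parsing is deliberately naive.

```python
from urllib.parse import urlparse

# Registrable domains Microsoft uses for sign-in and OneDrive (assumed allowlist; extend as needed).
MICROSOFT_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "live.com",
    "office.com", "onedrive.com", "sharepoint.com",
}
BRAND_TERMS = ("onedrive", "microsoft", "office365", "sharepoint")
CRED_TERMS = ("login", "signin", "sign-in", "auth", "account")

# Constructed proxy log lines (not real data): timestamp, client IP, requested URL.
SAMPLE_PROXY_LOG = [
    "2019-05-14T09:12:01 10.0.5.21 https://login.microsoftonline.com/common/oauth2/authorize",
    "2019-05-14T09:15:44 10.0.5.22 https://onedrive-secure-login.example.net/view/doc.pdf",
    "2019-05-14T09:15:59 10.0.5.22 https://example.org/microsoft/onedrive/login.php",
    "2019-05-14T09:20:10 10.0.5.23 https://news.example.com/article/42",
]


def registrable_domain(host):
    """Naive last-two-label domain; real code should consult the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(url):
    """True when a non-Microsoft URL dresses itself up as a Microsoft/OneDrive sign-in."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if registrable_domain(host) in MICROSOFT_DOMAINS:
        return False  # genuine Microsoft property
    text = (host + parsed.path).lower()
    return any(b in text for b in BRAND_TERMS) and any(c in text for c in CRED_TERMS)


def find_lookalike_hits(lines):
    """Return (client, url) pairs from proxy log lines that point at a lookalike page."""
    hits = []
    for line in lines:
        _ts, client, url = line.split(maxsplit=2)
        if is_lookalike(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in find_lookalike_hits(SAMPLE_PROXY_LOG):
        print(f"possible credential-harvesting visit from {client}: {url}")
```

Each hit identifies a client whose user may have entered credentials, so the follow-up is a password reset and a check of that account for mailbox rules or unfamiliar sign-ins.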

WHAT TO DO: MITIGATION AND DETECTION

Malware comes in all shapes and sizes: email attachments, fraudulent websites, or even malicious files. Mitigating this threat can be done in several ways, via spam email filters, endpoint protection, and a Next-Generation Firewall (NGFW) with support for AV detection and mitigation. As with all things in IT, two is one and one is none. A layered security approach should be a priority for every corporation. In addition, it is always important to educate employees on security best practices. Businesses can mitigate phishing scams like the PDF phishing campaign when employees are regularly trained on these types of threats.

TRENDING BOTNETS

Botnet detection typically refers to the post-exploitation stage of a successful attack. Once a system has been infected with malware, it typically attempts to reach out and connect to a Command and Control (C2) server in order to receive additional commands or to install additional malware. Identifying these communications in a corporate environment indicates something went wrong, and additional investigation may need to take place.

BOTNETS BY THE NUMBERS

BOTNETS: 3.5M+ detected; 41 unique botnets detected; 264K+ infections per week; 37K+ infections per day; 17% decrease in total activity from last quarter.

The image below shows average botnet activity throughout Q2 as a dashed line, whereas the solid line represents spikes in activity. This aids in identifying abnormal activity trending throughout our dataset. Again, we saw an overall decrease in botnet activity, which is a good thing; however, there is still quite a bit of botnet traffic that attempts to spread from outside the network. Although that traffic is usually blocked, it still contributes to these numbers.

[Figure: Botnet Activity vs. Q2 Average, Apr 1 through June 16; y-axis 0 to 400K detections]

BOTNET DELIVERY METHODS

This quarter, the two most prevalent botnets were the same as last quarter with Sora again being the heavy favorite with nearly double the amount of activity as Andromeda.

Sora was initially spotted in the beginning of 2018 for its ability to run on many architectures, including Android smart devices. Although the author behind Sora claimed he was abandoning the project to focus on OWARI, the source code was not forgotten, and detections have continued to rise since the beginning of this year.

For Andromeda, we saw a 58% increase in activity throughout the month of June. Andromeda is a modular botnet that installs components as needed on Windows machines and injects itself into known running processes in order to avoid detection. Andromeda has been associated with over 80 different malware families over the years and uses Command and Control (C2) servers to download modules and updates.

Last quarter we had a spotlight on Emotet where it showed a 70% increase in activity. However, this quarter we saw Emotet decline from the end of March to an almost nonexistent point. As widespread and well-known as this banking trojan was, we expect to see it resurface in the future with new tactics and techniques to avoid detection. This decline in activity could correlate with the retooling of attacker malware in order to find new and improved attacks as stated in the malware section.

[Figure: Botnet Trends Based on Type; pie chart segments: Sora, Andromeda, Necurs, Bladabindi, Torpig, Gh0st.Rat, WINNTI, Zeprox, Other]

Although Emotet was off the list, we saw the Necurs botnet take over its spot. Necurs has been around since 2012, and its operators have periodically diversified their methods of monetizing activity. Necurs was responsible for spreading the banking trojan back in 2013, it distributed CryptoLocker and CryptoWall in 2014, and it launched campaigns associated with Locky ransomware in 2016. Most recently, Necurs added cryptocurrency-mining modules in order to cash in on Monero mined with unsuspecting users’ CPUs. That being said, we’re confident Necurs will continue to be a player in the threat landscape.

BOTNETS BY THE NUMBERS (CONTINUED)

The image below shows some of the remaining botnet activity that comprised the rest of our list. Here, we can see names like Bladabindi, also known as njRAT, which is known to have multiple backdoor capabilities, keylogging, as well as carrying out DDoS attacks.

[Figure: Emotet Activity Increase; horizontal bar chart of monthly detections (April, May, June) for Zeprox, WINNTI, Torpig, Gh0st.Rat and Bladabindi; x-axis 0 to 35000]

Gh0stRat is a full-featured RAT with many capabilities, but multiple sources have reported false-positive activity caused by Shodan actively scanning the web in an attempt to identify Gh0stRat C2 servers. Organizations have been receiving alerts saying they are infected with Gh0stRat, and although this could very well be the case, there is a strong chance the alert is a false positive triggered by the scanner, and you may need to tune your signatures accordingly.

WHAT TO DO: MITIGATION AND DETECTION

Botnet activity is typically detected post-infection. Once a system has been infected it will usually try to communicate with a Command and Control (C2) server in order to install additional malware or receive commands. These communications can be identified via endpoint detection and network firewalls. Although we saw Emotet decrease, a new botnet arose. This is a prime example of how the threat landscape is consistently changing. Threat intelligence plays a vital role in identifying these threats.
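The two points above, that C2 communication is identified from firewall and IDS events and that Gh0stRat signature hits caused by external scanners are likely false positives, can be combined into a simple triage step. This is an added example, not Nuspire’s tooling: it separates outbound hits from an internal host (a possible beacon) from inbound sweeps where one external source trips the signature against many internal hosts. The events, addresses and the three-target threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed IDS/firewall events (not real data): timestamp, signature, source IP, destination IP.
SAMPLE_EVENTS = [
    "2019-06-03T10:01:12 Gh0st.Rat.C2 198.51.100.7 10.0.5.21",
    "2019-06-03T10:01:13 Gh0st.Rat.C2 198.51.100.7 10.0.5.22",
    "2019-06-03T10:01:14 Gh0st.Rat.C2 198.51.100.7 10.0.5.23",
    "2019-06-03T10:01:15 Gh0st.Rat.C2 198.51.100.7 10.0.5.24",
    "2019-06-03T11:42:09 Gh0st.Rat.C2 10.0.5.40 203.0.113.15",
    "2019-06-03T11:52:10 Gh0st.Rat.C2 10.0.5.40 203.0.113.15",
    "2019-06-03T12:00:00 Andromeda.C2 10.0.7.8 203.0.113.77",
    "2019-06-03T13:00:00 Gh0st.Rat.C2 203.0.113.200 10.0.5.50",
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
SCAN_TARGET_THRESHOLD = 3  # one external source hitting this many internal hosts looks like a sweep

SCANNER = "probable scanner (inbound sweep): likely false positive, tune signature"
INFECTION = "possible infection (outbound C2 contact): investigate host"
REVIEW = "single inbound hit: review"


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_event(line):
    ts, sig, src, dst = line.split()
    return {"ts": ts, "sig": sig, "src": src, "dst": dst}


def triage(lines):
    """Map (signature, src, dst) to a verdict string using direction and fan-out."""
    events = [parse_event(line) for line in lines]
    # distinct internal targets seen per external source
    targets = defaultdict(set)
    for e in events:
        if not is_internal(e["src"]) and is_internal(e["dst"]):
            targets[e["src"]].add(e["dst"])
    verdicts = {}
    for e in events:
        key = (e["sig"], e["src"], e["dst"])
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            verdicts[key] = INFECTION  # internal host reaching out: the post-infection case
        elif len(targets[e["src"]]) >= SCAN_TARGET_THRESHOLD:
            verdicts[key] = SCANNER  # external sweep across many hosts
        else:
            verdicts[key] = REVIEW
    return verdicts


def hosts_to_investigate(lines):
    """Sorted internal hosts with outbound C2-signature hits."""
    return sorted({src for (_sig, src, _dst), v in triage(lines).items() if v == INFECTION})


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_EVENTS).items():
        print(key, "->", verdict)
    print("investigate:", hosts_to_investigate(SAMPLE_EVENTS))
```

A scanner verdict does not clear the internal hosts it touched; it only says the signature fired on unsolicited inbound traffic, which is exactly the condition under which the alert is commonly a false positive.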

At Nuspire, our goal is to block these threats before they impact the network. Sometimes, when a customer is first added to our network monitoring, our security experts find infections that have already been active, which provides instant ROI. Without a dedicated team of experts monitoring the network 24x7, there would be no way to know this was happening.

TRENDING EXPLOITS

Exploit detection helps us understand what adversaries are using to identify and compromise systems. This activity can range from scanning open ports, to targeted attacks that exploit a specific vulnerability. Triggering these signatures doesn’t necessarily mean the attack was successful, or that the vulnerabilities even existed in the environment.

EXPLOITS BY THE NUMBERS

EXPLOITS: 55M+ detected; 406 unique exploits detected; 4.3M+ detections per week; 615K+ detections per day; 46% total activity increase from last quarter.

The image below shows average exploit activity throughout Q2 as a dashed line, whereas the solid line represents spikes in activity. This aids in identifying abnormal activity trending throughout our dataset.

[Figure: Exploit Activity vs. Q2 Average, April 1 through June 16; y-axis 0 to 8M detections]

EXPLOIT DELIVERY METHODS

Although Q2 activity decreased for both malware and botnets, that was not the case for exploits. We saw a 46% increase in activity from last quarter, concentrated between mid-May and early June. Despite the large increase in overall activity, we still saw a 21% decrease in unique exploits throughout the quarter.

The highest detected exploit in Q1, DoublePulsar, has continued to increase in overall activity, which comes as no surprise since a cryptojacking campaign targeting enterprises called Beapy has been increasing since March. Beapy is a file-based coinminer and isn’t affected by the recent shutdown of the notorious Coinhive, which facilitated browser-based cryptojacking. This Python-based attack aims to drop a coinminer onto compromised machines in order to cash in on their computing power. Spam email is the primary delivery method, but it has also used the EternalBlue exploit, as well as stolen hardcoded credentials, to spread to other machines within the compromised environment.

Even though cryptojacking has dropped over 50% since 2018, this campaign proves that it still remains of interest to cyber criminals. Cryptojacking might not be as disruptive as ransomware, but it can still have a negative impact on businesses by degrading device performance, reducing productivity, overheating batteries and rendering devices unusable.

[Figure: Exploit Attacks by Type; pie chart segments: Remote Code Execution, Information Disclosure, SQL Command Injection, Denial of Service, Execution, Security Bypass, Authentication Bypass, Argument Injection, Directory Traversal, Brute Force, Remote Access Trojan (RAT), Buffer Overflow, Backdoor, Script Injection, Privilege Escalation, Other]

EXPLOITS BY THE NUMBERS (CONTINUED)

The image above shows a large portion of the pie chart corresponding to Remote Code Execution (RCE) attacks. The surge in activity comes from two ThinkPHP RCE vulnerabilities: the first shows a 141% increase from the end of March into mid-April, and the second a 98% increase from the end of May into early June. ThinkPHP is a PHP development framework that is very popular in the Chinese web development scene. Proof-of-concept code for this exploit was released in December 2018, and attacks increased significantly immediately after. Although we have monitored this type of activity since the release of the exploit code, the rise in activity signifies that attackers are continuing to actively scan for vulnerable systems.

Successful exploitation of this vulnerability often leads to installation of a PHP backdoor, malware distribution, fueling of botnets and DDoS attacks. Miori, a Mirai variant, has been known to exploit this vulnerability in order to download code to compromised devices and launch DDoS attacks. According to a recent Shodan search, there are currently over 45,800 servers running ThinkPHP-based applications that are reachable via the web. Over 40,000 of those are hosted on Chinese IP addresses.

[Figure: Increase in ThinkPHP RCE Attacks, Feb through June; y-axis 0 to 120K detections]

CONCLUSION AND RECOMMENDATIONS

Overall, we saw a decrease in botnet and malware activity with a significant increase in exploits as compared to last quarter. Many of the top botnets and exploits we saw in Q1 remained prevalent throughout Q2.

LAYERED SECURITY APPROACH

With more and more users opening malicious attachments and clicking suspicious links, businesses face a higher risk of malware infections, account breaches and disclosures of sensitive information. With over 90% of successful attacks on enterprise networks originating from spam email, a layered security approach that includes an advanced spam filtering solution, a firewall, and endpoint protection should be implemented in order to prevent these messages from reaching your employees and to detect the threats that get through.

SECURE VULNERABLE DEVICES

In addition, one of the highest threats we saw this quarter was the ThinkPHP exploit, which scans for and targets businesses with vulnerable systems. As companies in the industrial and healthcare sectors begin to implement IoT devices, threats like ThinkPHP are a main concern. In order to secure and protect vulnerable devices, make sure that all network traffic to and from devices and networks is monitored 24x7, segment networks when necessary, and conduct regular targeted vulnerability scans of networks containing IoT devices. For tips on how to do this for IIoT devices, visit our blog post on Managing IIoT security risks.

EMPLOYEE AWARENESS TRAINING

Lastly, we can’t stress this enough: make sure your business is implementing user training and awareness for cyber security threats. This directly correlates with 90% of malware being delivered via spam email. It is easier to exploit thousands of people than to find a single vulnerability to breach an entire organization.
Training your users on the most prevalent threats, such as spam, phishing, spear phishing, malware, ransomware, and social engineering, provides every employee with a fundamental understanding that there are imminent and ongoing threats targeting them. For tips on how to host an employee awareness training, visit this blog post.

