QUARTERLY THREAT LANDSCAPE REPORT Q2 2019 nuspire.com Table of Contents About Nuspire.............................................................................. 3 Methodology and Overview............................................................4 Datasets at a Glance.....................................................................5 Highlights from the Headlines.......................................................6 Trending Malware.........................................................................7 Trending Botnets.......................................................................... 12 Trending Exploits..........................................................................16 Conclusions and Recommendations..............................................20 www.nuspire.com 2 About Nuspire Nuspire is the Managed Security Services (MSS) provider of choice, delivering the greatest risk reduction per cyber-dollar spent. The company’s 24x7 Security Operations Centers (SOCs) and managed detection and response (MDR) service combines award-winning threat detection and response technology with human intervention and analysis, providing end-to-end protection across the gateway, network and endpoint ecosystem. Nuspire pioneered distributed, managed security services within the enterprise and franchise market and today protects thousands of locations globally. CONTACT US TODAY TO DISCUSS YOUR UNIQUE SECURITY CHALLENGES. www.nuspire.com 3 METHODOLOGY AND OVERVIEW Data referenced throughout this report is gathered from thousands of devices at Nuspire customer sites from across the globe. This equates to more than 90 billion traffic logs through the second quarter of 2019. Log data is ingested using the power of Nuspire’s cloud-based SIEM. Aggregated and correlated data from our enterprise and mid-market client set provides a unique vantage point to threat vectors targeting the automotive, franchise, manufacturing, construction and healthcare markets. The report begins with an overview of the most prevalent cybersecurity headlines throughout the quarter. Reported breaches and the headlines they generate play a crucial role in trend identification, as evidenced by findings highlighted throughout the report. Nuspire’s threat report is divided into three main vector datasets; Malware, Botnet and Exploit. These datasets are then analyzed where the most prolific and prevalent threats throughout the quarter are identified. MALWARE BOTNET EXPLOIT www.nuspire.com 4 Q2 2019 DATASETS AT A GLANCE MALWARE 4.6M+ 1198 UNIQUE VARIANTS DETECTED DETECTED 355K+ VARIANTS DETECTED PER WEEK 51K+ VARIANTS DETECTED PER DAY 29% DECREASE IN TOTAL ACTIVITY FROM Q1 BOTNET 3.5M+ 41 UNIQUE BOTNETS DETECTED DETECTED 264K+ INFECTIONS PER WEEK 37K+ INFECTIONS PER DAY 17% DECREASE IN TOTAL ACTIVITY FROM Q1 EXPLOITS 55M+ 406 UNIQUE EXPLOITS DETECTED DETECTED 4.3M+ DETECTIONS PER WEEK 615K+ DETECTIONS PER DAY 46% INCREASE IN TOTAL ACTIVITY FROM Q1 nuspire www.nuspire.com 5 HIGHLIGHTS FROM THE HEADLINES IN Q2 2019 In the second quarter of 2019 we saw some significant headlines about major threats and reported breaches affecting both businesses and consumers alike. We found that many of these threats are older with variants that cannot be protected by signature-based protection. Multiple flaws found in Verizon Fios Routers that could allow remote attackers to take complete control over the affected routers, exposing every other device connected APRIL 9 to it. A team of security researchers discovered several vulnerabilities in various implementations of OpenPGP APRIL 30 and S/MIME email signature verification that could allow attackers to spoof signatures on over a dozen of popular email clients. Hackers Found Exploiting Oracle WebLogic RCE Flaw to Spread Ransomware. MAY 1 A critical remote code execution vulnerability has been MAY 2 discovered in the Dell SupportAssist utility that comes pre-installed on most Dell computers. A ransomware attack on the Baltimore City Hall infected the city’s technology systems causing the entire MAY 8 Baltimore City to shut down most of its servers. MAY 14 Microsoft releases fix for critical RDP Vulnerability. Hacker Discloses 4 New Microsoft Zero-Day Exploits in 24 Hours that are affecting Microsoft’s Windows Error MAY 23 Reporting service and Internet Explorer 11. New Brute-Force Botnet Targeting over 1.5 Million RDP JUNE 7 Servers. GandCrab Ransomware releases a decryption tool that could allow millions of affected users to unlock their JUNE 18 encrypted files for free! Two Florida Cities Paid 1.1 Million in Ransom This Month JUNE 26 to recover encrypted files from two separate ransomware attacks. www.nuspire.com 6 TRENDING MALWARE Studying malware aids in detection and response of attacks and proves to be beneficial in identification of new attacks and techniques when they surface. New attack vectors or techniques are being discovered that traditional measures can’t stop. Ransomware is becoming so common that customers are most likely to just deal with it, which results in system downtime, financial impact and often, lost data. nuspire www.nuspire.com 7 MALWARE BY THE NUMBERS MALWARE 4.6M+ DETECTED 1198 UNIQUE VARIANTS DETECTED 355K VARIANTS DETECTED PER WEEK 51K+ VARIANTS DETECTED PER DAY 63% INCREASE IN UNIQUE VARIANTS DETECTED FROM LAST QUARTER The image below shows average malware activity throughout Q2 as a dashed line, whereas the solid line represents spikes and dips in activity, which in some cases relates to the headlines that we outlined in the beginning of the report. This aids in identifying abnormal activity that is trending throughout our dataset. The dips in activity may showcase malicious actors changing the malware delivery to a different payload. 500K 450K 400K 350K 300K 250K 200K 150K 100K 50K K Apr 1 Apr 16 May 1 May 16 Jun 1 Jun 16 Malware Activity vs. Q2 Average www.nuspire.com 8 MALWARE DELIVERY METHODS The most common Malware activity we saw throughout the quarter were generic detections for VBA/Agent, W32/ Kryptik, PDF/phishing and AutoIt/Injector. These signatures are generic detections for Trojan malware which perform activities without the user’s knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware onto the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes. VBA is delivered via email in the form of Microsoft Office macro-based documents. These office documents typically rely on social engineering in order to trick unsuspecting users into running their malicious VBA scripts. Once the script is executed, the infection process begins and typically can lead to a wide variety of infections. Because VBA scripts have proven to be a successful approach for attackers, this has continued to be a large-scale threat for businesses across all industries. Although we saw a 29% decrease in overall malware activity, we did have a significant 63% increase in unique variants detected. This increase could signify attackers retooling their approach in order to become more sophisticated in their delivery with additional obfuscation to avoid detection. Malware Trends Based on Type W32 PDF Other VBA AutoIt www.nuspire.com 9 MALWARE DELIVERY METHODS (CONTINUED) The image below shows a significant spike in AutoIt from the beginning of April into May with majority of this activity being related to Nanocore RAT. Using AutoIt as a top-level wrapper for its main .NET compiled binary, the AutoIt script constructs the .NET binary, and in turn carries out the infection. Nanocore has been around since 2013 and is known to perform a variety of functions. Some of these functions include installing a keylogger which can pass information to the malware operator and has the ability to tamper with webcams, and download additional files. Although the author was arrested in late 2016 and sentenced in 2018, the Nanocore RAT has continued to make its rounds throughout organizations. Significant Increase in AutoIt Activity 40K 35K 30K 25K 20K 15K 10K 5K K January February March April May June www.nuspire.com 10 MALWARE DELIVERY METHODS (CONTINUED) We saw a 193% increase in PDF Phishing detections from March to May. Through our technology, we were able to identify a phishing campaign related to this spike in which fraudulent emails were sent to recipients to encourage them to view or download a document in Microsoft OneDrive. The link in the email directs the user to an authentic looking OneDrive login designed to harvest their credentials. Once the credentials have been collected, the user is redirected to the real Microsoft page. With the victim’s credentials in hand, the attacker can do many things such as, identity theft, financial loss on the user or business, prevent users from accessing their own accounts, or launch additional business email compromise attacks. 193% Increase in PDF Delivery 100K 90K 80K 70K 60K 50K 40K 30K 20K 10K K January February March April May June This phishing campaign could affect numerous industries and can target any individual within an organization. 30% of the most targeted phishing attacks were directed at generic email accounts, which are typically shared by two or more employees within an organization. Generic addresses like ‘[email protected]’ can be valuable to attackers because they reach multiple targets, they are easy to obtain and usually public facing, and they are harder to protect with multi factor
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages20 Page
-
File Size-