Security Vision
Let's start by defining threats. Some of our readers will find it redundant, but let it stay here in case it comes in handy. So, a threat is any action or event that can lead to information security breaches, which can result in damage or violation of someone's interests.
According to the results of our research (based on a huge number of TI reports that we regularly study in the context of Threat intelligence) over the previous year, the threat landscape has not changed much in general, but there have been many quite interesting changes in particular.
By the way, we recommend ENISA Threat Landscape 2022/2023 as one of the documents to read: a rather thorough study that the agency releases annually, covering most of the interesting topics in the context of modern threats and their examples. This does not exclude, of course, getting to know threats via vendor reports and bulletins (IBM, Microsoft, Elastic, Acronis, SonicWALL, etc.) and via reports directly from researchers (such as The DFIR Report and others). In general, TI (Threat intelligence) is always a huge amount of information, and it is completely diverse in terms of specialisations (from network technologies, if the attack is on a weak protocol; to crypto, if the threat is related to custom encryption; and even programming, if we want to understand how a rootkit works). That said, it is only through TI reports that we can get a handle on how attacks by specific malware work, how techniques are used, and what is relevant now. So I'm sharing with you some of my aggregators of TI reports from around the world: https://t.me/threatinteltrends and https://t.me/secvisionnews; you'll find a lot of interesting stuff there. So let's get started.
The most common threats of recent years
1. Malware
2. Ransomware
3. Social engineering threats (including phishing)
4. Vulnerability exploitation
5. Threats to availability (DDoS attacks)
6. Attacks on IoT (Internet of Things)
7. Supply chain attacks
In the first of a series of articles on threats, we will look at the most common and sometimes devastating threats that have been trending for several years: malware and encryptors (ransomware).
Malware
Malware, also called malicious code and malicious logic, is a general term used to describe any software or firmware designed to perform an unauthorised process that will adversely affect the confidentiality, integrity or availability of a system. Traditionally, examples of types of malicious code include viruses, worms, Trojans, or other code-based objects that infect a host. Spyware and some forms of adware can also be classified as malware. At this point in time, malware is one of the most common threats from an impact perspective (we'll talk about the most common threat from an initial access perspective in an article looking at social engineering threats). According to SonicWall's 2022 Cyber Threat Report, the number of malware attacks rose to 5.5 billion, up 2% from the previous year and the first increase since 2018 (https://www.sonicwall.com/medialibrary/en/white-paper/2022-sonicwall-cyber-threat-report.pdf).
Attackers often use malware as part of their campaigns. The most common objectives accomplished with malware are: gaining and maintaining control of assets, defence evasion and deception, extortion, espionage and other post-compromise activities. Viruses, worms and Trojans differ in many ways, such as infection vector, replication, delivery method, propagation and control. From a technical point of view, components are differentiated by type of impact, such as payloads, droppers, post-compromise tools, backdoors, and packers.
The malware components used in an attack depend on the attacker's goals and can range from gaining control of systems and networks (initial access, botnets) to capturing and locking down data (ransomware agents, information theft). According to data from international analytical agencies over the last two years, ransomware has been identified as the most dangerous threat. We will look at it in more detail a little later.
During the pandemic, a global decline in malware was noticed. This drop was due to employees working from home, which limited the malware infections commonly found in corporate infrastructures. Since 2022, more people have started returning to offices, so there has been a significant increase in malware (according to vendor reports). However, the data shows that the increase in malware incidents is not only due to more staff being in the corporate environment, but also to an increase in malware in general, such as the rise of malware for the Internet of Things.
However, most malware strains have been around for more than five years, confirming the thesis that malware development is a continuous endeavour and that active development of malware pays off. For example, Emotet has been on the rise again in recent years, confirming this hypothesis. Another real-life example is the leak of internal chat logs of the Conti RaaS cyber group. According to ENISA, the internal chat logs of the Conti RaaS group were leaked in February 2022, providing unique information about the group's internal organisation, including the fact that it operates as a business company with an organised structure. Like any other company, the group has middle managers, human resources managers, and various technical and production teams with roadmaps and releases. Judging by the group's correspondence, there are even all sorts of social perks and benefits for employees, like insurance, sick leave and paid holidays.
Another trend I would like to note in the context of malware is the development and widespread use of the malware-as-a-service model. For example, the Warzone Trojan can be purchased on a subscription basis for $37 per month. Cybercriminals use it to download and upload various files, execute and uninstall software, send commands, view and terminate processes, browse web pages, steal stored passwords from browsers and email clients, and even access the victim's webcam data.
Ransomware
Among malware, ransomware stands out as a special type that holds and encrypts data or a system until the victim pays a ransom.
The threat has now evolved: in some cases, attackers have begun to steal an organisation's information and demand an additional payment in exchange for not disclosing information to authorities, competitors or the public. This is interesting and we should pay attention to the changing threat landscape of ransomware: the proliferation of new extortion techniques (blocking, encryption, deletion, theft) and the emergence of new targets beyond purely financial gain (political, industrial espionage, competitive, environmental and many others).
Another important point: the trend towards 0-day and 1-day threats remains as significant as ever. The fact is that, according to global statistics, the average time to exploitation of a vulnerability is extremely short; depending on the analytical agency, we have seen figures ranging from 3-5 hours to eight days after the vulnerability was published. And the publication can be anywhere, on the vendor's site with the patch or on the Internet black markets. That is, you have not yet had time to update, or maybe there is no patch at all, but the malware prototype already exists.
Examples of vulnerabilities that were very quickly exploited by malware authors:
1. ProxyLogon (CVE-2021-26855)
2. Zerologon (CVE-2020-1472)
https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/
3. PrintNightmare (CVE-2021-34527)
This trend highlights the importance of building the right approach to prioritising vulnerability remediation through threat intelligence technology.
A trend in recent years has also been the proliferation of encryptors through supply chain attacks. The most high-profile case confirming this is the attack on the MSP provider Kaseya in 2021, when multiple companies using Kaseya's services fell victim to the REvil encryptor (https://cybernews.com/security/kaseya-ransomware-attack-heres-what-you-need-to-know/).
The other trend of 2021, delivering the encryptor by compromising remote access services (RDP, VPN, etc.), started to decline and phishing took its place. Still, this method of initial access is quite popular at the moment. The scheme works by cracking weak passwords on RDP logins, especially if two-factor authentication is not enabled. RDP is a popular method of compromise because attackers use legitimate credentials, which allows them to remain undetected. However, brute-forcing RDP credentials is noisy, and organisations with reasonably mature security will quickly detect multiple authentication attempts. A phisher, by contrast, uses the access of a compromised insider, making it difficult for the information security department to detect malicious activity in a timely manner.
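To illustrate why RDP brute force is "noisy" and easy to catch, here is a small detector (example code written for this article, not from the original post or any vendor product) that counts failed RemoteInteractive logons per source IP inside a sliding window and notes whether a successful logon followed. The sample events, their simplified one-line format, the threshold and the window are all constructed assumptions; real Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 = RDP) would be read from EVTX/XML rather than this text.

```python
# Added example: detect the RDP brute-force pattern (many 4625 failures from
# one source in a short window) and flag the worst case, a success afterwards.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, event id, logon type, account, source IP.
# 203.0.113.7 sprays five accounts in seconds and then succeeds as j.doe;
# 198.51.100.2 is a normal user who mistyped a password once.
SAMPLE_LOG = """\
2023-05-10T08:00:01 4625 10 administrator 203.0.113.7
2023-05-10T08:00:03 4625 10 admin 203.0.113.7
2023-05-10T08:00:04 4625 10 backup 203.0.113.7
2023-05-10T08:00:06 4625 10 svc_sql 203.0.113.7
2023-05-10T08:00:07 4625 10 j.doe 203.0.113.7
2023-05-10T08:00:09 4624 10 j.doe 203.0.113.7
2023-05-10T08:15:00 4625 10 m.smith 198.51.100.2
2023-05-10T08:45:00 4624 10 m.smith 198.51.100.2
"""

def parse(line):
    ts, event_id, logon_type, user, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every source that produced at least
    `threshold` failed RDP logons within `window`. The alert lists the
    accounts tried and whether a successful RDP logon followed."""
    failures = defaultdict(deque)   # src -> recent (timestamp, account) failures
    alerts = {}
    for line in log_text.splitlines():
        ts, event_id, logon_type, user, src = parse(line)
        if logon_type != 10:        # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            q = failures[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # expire failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"first": q[0][0], "last": ts,
                               "accounts": sorted({u for _, u in q}),
                               "success_after": False}
        elif event_id == 4624 and src in alerts:
            alerts[src]["success_after"] = True   # spray eventually worked
    return alerts

if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(src, alert)
```

Tune `threshold` and `window` to the environment: legitimate users rarely fail more than a handful of times in a few minutes, and a single source cycling through many distinct accounts is the password-spray signature.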
Here's what you can do to avoid malware attacks
- Antivirus protection tools as well as behavioural analysis tools (EDR, sandboxes)
- Two-factor authentication and strong passwords
- Perform pentests to identify vulnerabilities
- Timely updates
- Do not click on links from unknown sources
- Never use a USB stick that doesn't belong to you
- Use VPN on public networks
- Data backup
Hopefully, we have covered the main points of interest on malware: its trends, methods of penetration and ways to protect yourself. Next time we will discuss other threats such as social engineering techniques, phishing, DDoS attacks, attacks on the Internet of Things and AI. See you then!