Written by: Jay H.
Cybercriminals have been taking advantage of the coronavirus pandemic to target individuals and organizations. A report released by cybersecurity vendor Nuspire details the latest threats and how to protect yourself against them.
Nuspire analyzed more than 90 billion traffic logs from the first quarter of 2020 and found malware, botnets, and exploits as the most prevalent threats.
The Latest Cybersecurity Threats
During the first quarter of 2020, malware detections rose 7 percent overall. Nuspire attributes the increase to a phishing campaign that used Microsoft Word macros to deliver trojans, alongside the first wave of coronavirus-themed phishing. The lures mostly posed as IRS tax documents, financial invoices, and COVID-19 information.
Emotet was the most-detected variant of the quarter. One targeted spear-phishing campaign against the United Nations delivered it as a fake financial statement attached to an email. The attached Word document asked the user to "enable editing" or "enable content"; doing so ran a macro that downloaded and executed Emotet on the victim's device. Once installed, Emotet can steal sensitive information such as banking credentials and install additional malware.
There was also an increase in Executable and Linkable Format (ELF) variants targeting Internet of Things (IoT) devices to grow the Mirai botnet. Attackers scan for IoT devices with Secure Shell (SSH) or Telnet exposed and brute-force the login, typically working through a list of factory-default credentials. Once they have a shell, they download the ELF-based Mirai payload and enrol the device in the botnet.
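From the victim's side, the SSH/Telnet credential scanning described above shows up as a burst of failed logins from one source against several usernames, sometimes followed by a success. The following is an added example, not code from the Nuspire report: a small detector over OpenSSH log lines that flags such a source and marks it as a probable compromise if a login from it later succeeds. The log lines are constructed (the IPs are RFC 5737 documentation addresses), the year supplied to the syslog timestamps is an assumption, and Telnet daemons log in a different format that would need a second regular expression.

```python
"""Brute-force login detection over sshd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches OpenSSH's "Failed password" / "Accepted password" syslog lines.
# Telnet daemons log differently; a second pattern would be needed for them.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample: one scanner working a default-credential list, one
# legitimate user who mistyped a password once, and one key-based login.
SAMPLE_LOG = """\
Mar 03 10:00:01 cam01 sshd[412]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar 03 10:00:02 cam01 sshd[413]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
Mar 03 10:00:03 cam01 sshd[414]: Failed password for invalid user support from 203.0.113.7 port 51524 ssh2
Mar 03 10:00:04 cam01 sshd[415]: Failed password for root from 203.0.113.7 port 51525 ssh2
Mar 03 10:00:05 cam01 sshd[416]: Failed password for invalid user default from 203.0.113.7 port 51526 ssh2
Mar 03 10:00:06 cam01 sshd[417]: Failed password for invalid user 888888 from 203.0.113.7 port 51527 ssh2
Mar 03 10:00:09 cam01 sshd[418]: Accepted password for root from 203.0.113.7 port 51528 ssh2
Mar 03 10:01:00 cam01 sshd[419]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Mar 03 10:01:05 cam01 sshd[420]: Accepted password for bob from 198.51.100.20 port 40001 ssh2
Mar 03 10:02:00 cam01 sshd[421]: Accepted publickey for ops from 192.0.2.5 port 40100 ssh2
"""


def parse(lines, year=2020):
    """Yield (timestamp, result, user, src) for each matching line.

    Syslog timestamps carry no year, so one is supplied (assumption).
    """
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, max_failures=5, window=timedelta(seconds=60), min_users=2):
    """Return {src: alert} for sources with >= max_failures failed logins
    inside `window`, spread over >= min_users distinct usernames."""
    recent = defaultdict(list)  # src -> [(ts, user)] still inside the window
    alerts = {}
    for ts, result, user, src in parse(lines):
        if result == "Failed":
            recent[src] = [(t, u) for t, u in recent[src] if ts - t <= window]
            recent[src].append((ts, user))
            users = {u for _, u in recent[src]}
            if len(recent[src]) >= max_failures and len(users) >= min_users:
                alert = alerts.setdefault(src, {
                    "first_seen": recent[src][0][0], "failures": 0,
                    "users": set(), "compromised": False, "account": None,
                })
                alert["failures"] = max(alert["failures"], len(recent[src]))
                alert["users"].update(users)
        elif src in alerts:
            # A successful login from an already-flagged source: treat the
            # account as compromised, not as the user finally remembering.
            alerts[src]["compromised"] = True
            alerts[src]["account"] = user
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        state = "COMPROMISED as " + alert["account"] if alert["compromised"] else "blocked?"
        print(src, sorted(alert["users"]), state)
```

The thresholds are deliberately conservative defaults; on an Internet-facing device the source-count alone will fire constantly, which is itself the argument for not exposing SSH or Telnet on IoT devices at all. The "success after a burst of failures" rule is the one worth paging on.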
How To Fight Malware
- Endpoint protection platforms (EPP). Implement defence in depth, including a next-generation anti-virus (Next-Gen AV) product. Next-Gen AV detects malicious software not only by signature but by heuristics and behaviour; legacy AV is largely signature-based and can only catch variants that are already known.
- Network segregation. Segregate higher-risk devices, such as IoT devices, from the organization's internal network. This limits an attacker's ability to move laterally from a compromised device.
- User awareness. User awareness training is a critical part of any security program, as most infections start with an email and a user opening a malicious attachment. To keep malicious attachments from reaching end users, administrators should block attachment extensions commonly associated with malware, such as .dll and .exe. Note that an extension blocklist does not stop the macro-enabled Office documents used in the Emotet campaign described above; those need content inspection, or a policy that prevents macros in documents downloaded from the Internet from running.
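Because the Emotet lure above was a Word document and the blocklist above names only executable extensions, the attachment check that helps most is one that looks at content rather than file name. The following is an added example, not code from the Nuspire report: it blocks a PE executable whatever it is called, and blocks an Office Open XML package (.docx/.docm/.xlsm, ...) if the zip contains a VBA project stream. The sample files are constructed in memory; the extension blocklist and verdict names are assumptions for illustration.

```python
"""Attachment inspection by content, not by file name (added example)."""
import io
import zipfile

PE_MAGIC = b"MZ"                                    # DOS/PE executable header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.xlsx/.pptx container
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs"}  # name-based policy (assumed)


def ooxml_has_macros(data: bytes) -> bool:
    """True if an Office Open XML package carries a VBA project
    (word/vbaProject.bin, xl/vbaProject.bin, ppt/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(filename: str, data: bytes) -> str:
    """Return a verdict for one attachment."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block-extension"
    if data.startswith(PE_MAGIC):
        return "block-executable"          # e.g. an .exe renamed to invoice.pdf
    if data.startswith(ZIP_MAGIC) and ooxml_has_macros(data):
        return "block-macro"               # .docm, or a .docm renamed to .docx
    if data.startswith(OLE_MAGIC):
        return "review-legacy-office"      # binary .doc/.xls can hold macros too;
                                           # needs an OLE parser (not shown here)
    return "allow"


def build_ooxml(with_macros: bool) -> bytes:
    """Build a minimal constructed Word package, optionally with a VBA stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


# Constructed samples: the names are chosen to show where extension checks fail.
SAMPLES = {
    "statement.docx": build_ooxml(False),
    "statement.docm": build_ooxml(True),
    "statement_renamed.docx": build_ooxml(True),       # extension lies, content does not
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,       # PE disguised as a PDF
    "setup.exe": b"MZ\x90\x00",
    "old_report.doc": OLE_MAGIC + b"\x00" * 504,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:24} -> {classify(name, blob)}")
```

The legacy binary formats are only routed to review here because deciding whether a compound file holds a VBA project needs a proper OLE parser; in production a mail gateway would hand those to a sandbox or a dedicated document scanner rather than let a magic-number check decide.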
The decrease in botnet activity seen in the fourth quarter of 2019 carried over into the first quarter of 2020, with overall activity down 13 percent. The top three botnet threats have since been disrupted or abandoned, so the decline is expected to continue.
In March, Microsoft took control of the Necurs infrastructure, which had been responsible for more than nine million infections worldwide. Microsoft and its partners also worked to prevent attackers from registering the new domains the botnet would need to rebuild its command and control.
Protect Yourself from Botnets
- Leverage threat intelligence. Threat intelligence lets an organization identify devices that are reaching out to known malicious hosts for command and control (C2). C2 traffic can carry commands or be used to download additional malware. Correlating network logs (firewall, proxy, DNS) against threat intelligence is critical to spotting this, so that administrators can block the traffic and remediate the infected machines.
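The correlation described above, as an added example that is not part of the Nuspire report: two checks run over firewall/proxy log lines. The first matches destination IPs and domains against an indicator feed; the second looks at connection timing per (source, destination) pair for the fixed-interval pattern of a C2 beacon, which is how hosts talking to infrastructure the feed does not know yet get surfaced. The feed, the log format and the log lines are constructed (addresses are RFC 5737 documentation ranges, domains use the reserved .example TLD).

```python
"""Correlating network logs with a threat-intelligence feed (added example)."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

IOC_FEED = {                        # constructed feed; normally pulled from a TI platform
    "ip": {"203.0.113.44"},
    "domain": {"c2-update.example"},
}

# Constructed proxy/firewall export: one host on a known-bad C2 every 10 min,
# one host beaconing to an address the feed does not list, one normal host.
SAMPLE_LOG = """\
timestamp,src_ip,dst_ip,dst_port,domain
2020-03-10T09:00:00,10.0.5.12,203.0.113.44,443,c2-update.example
2020-03-10T09:10:00,10.0.5.12,203.0.113.44,443,c2-update.example
2020-03-10T09:20:00,10.0.5.12,203.0.113.44,443,c2-update.example
2020-03-10T09:30:00,10.0.5.12,203.0.113.44,443,c2-update.example
2020-03-10T09:05:00,10.0.5.30,198.51.100.9,8080,telemetry.example
2020-03-10T09:10:00,10.0.5.30,198.51.100.9,8080,telemetry.example
2020-03-10T09:15:00,10.0.5.30,198.51.100.9,8080,telemetry.example
2020-03-10T09:20:00,10.0.5.30,198.51.100.9,8080,telemetry.example
2020-03-10T09:01:12,10.0.5.40,192.0.2.10,443,news.example
2020-03-10T09:07:45,10.0.5.40,192.0.2.11,443,mail.example
2020-03-10T09:33:02,10.0.5.40,192.0.2.12,443,docs.example
"""


def load_events(text):
    """Parse the CSV export into dicts with a datetime 'ts' field."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    return rows


def match_iocs(events, feed):
    """Yield (src_ip, indicator) for every event whose destination is in the feed."""
    for e in events:
        if e["dst_ip"] in feed["ip"]:
            yield e["src_ip"], f"ioc:ip:{e['dst_ip']}"
        if e["domain"] in feed["domain"]:
            yield e["src_ip"], f"ioc:domain:{e['domain']}"


def find_beacons(events, min_events=4, max_jitter=0.1):
    """Yield (src_ip, 'beacon:<dst>') for pairs whose inter-connection gaps are
    near-constant (coefficient of variation <= max_jitter)."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src_ip"], e["dst_ip"])].append(e["ts"])
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            yield src, f"beacon:{dst}"


def triage(log_text, feed=IOC_FEED):
    """Return {src_ip: set(reasons)} for internal hosts that need attention."""
    events = load_events(log_text)
    findings = defaultdict(set)
    for src, reason in list(match_iocs(events, feed)) + list(find_beacons(events)):
        findings[src].add(reason)
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(host, sorted(reasons))
```

An indicator hit is actionable on its own; a timing hit is a triage signal, not a verdict, because update checkers, NTP and monitoring agents beacon too. Real C2 implants also add jitter to their sleep, so `max_jitter` has to be tuned against the environment rather than left at a textbook value.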
The first quarter of 2020 saw an increase in exploit activity, with 23.4 million exploit attempts across 404 unique signatures. The most prominent were DoublePulsar, the Apache Tomcat 'GhostCat' flaw, Telnet default-credential scans, and Operation Fox Kitten. The signature that detects attempts to use default credentials over Telnet was added this quarter.
'GhostCat' (CVE-2020-1938), announced in February 2020, is a flaw in Tomcat's AJP connector. An attacker who can reach the AJP port can read files from the web application, and can turn that into Remote Code Execution (RCE) where the application also lets them upload a file. Attempts remained very low after the announcement, but they could rise in the second quarter as public exploit tooling matures.
In February, a widespread campaign linked to multiple advanced persistent threat (APT) groups targeted known vulnerabilities in VPN appliances. With more of the workforce working remotely, this underlines the importance of applying vendor patches and upgrading to unaffected firmware versions.
How To Stay Safe from Exploits
- Exploitation is a race against the clock for everyone involved: attackers try to exploit a vulnerability before the vendor patches it and before customers deploy the patch. Organizations need to track vulnerabilities in their own technology stack and apply vendor patches quickly. Alongside keeping systems and applications current, a firewall with an intrusion prevention system (IPS) can monitor, alert on, and block attack signatures aimed at your environment, which buys time while patches are tested and rolled out.
How to Protect Your Organization Against Cybersecurity Threats
- User awareness is one of the most effective and cost-efficient ways to protect an organization. Train users to recognise phishing emails and to treat attachments with suspicion. Create procedures to verify sensitive business email requests, such as payment changes or wire transfers, through a second channel (for example, a phone call to a known number), so that a compromised email account alone cannot authorise them.
- A layered approach to security protects a business better than any single product. Each control backs up the others, so a gap in one defence is covered by another.
- Advanced malware detection and response technology, such as endpoint detection and response (EDR), can track unknown files, block known-malicious files, and prevent malware from executing on endpoints. Network security controls, such as Security Device Management (SDM), can detect malicious files entering the network from the Internet or moving within it.
- Organizations can further harden their defences by segregating higher-risk devices, such as Internet-facing IoT devices, from the internal network. Administrators should change the default passwords on these devices, since attackers actively scan for them as an easy way in, and should apply vendor patches as soon as possible, because those patches close the vulnerabilities attackers are exploiting.
To download the full report, click here.
To protect your organization from cybersecurity threats, consider working with network security experts to build a comprehensive plan for your business.