In-depth analysis and recommendations of the threats you need to know about
We are living in unprecedented times. Over 30,000 COVID-19 themed domains were registered in April and May 2020, and many of these sites are potentially being used to support phishing and malware campaigns.
In the midst of a global healthcare crisis, economic downturn and civil rights movements, cyber attackers continue to relish the chaos and seek to exploit the current crises to disrupt and undermine a company’s security. Because of current events, around 60% of cyberattacks are targeted at healthcare, retail and government entities.
Whether or not you are a current Fidelis user, this blog aims to inform you of advanced threats and attacks that our Threat Research Team has seen throughout the month of May 2020. The Fidelis Threat Research Team (TRT) monitors and collects information on external threats which may pose a risk to any entity. Collection and analysis efforts are driven by criticality and relevance as prescribed by TRT’s Priority Intelligence Requirements and Specific Intelligence Requirements (SIRs).
The purpose of the Fidelis Graphical Intelligence Summary is to provide you with timely information and situational awareness of ongoing relevant threats, together with an overall intelligence assessment of the potential risk they pose. The information and intelligence presented also contributes to the overall threat landscape as observed through Fidelis TRT collection and analysis efforts and telemetry data. That picture covers threat actor and adversary activity; their tools, tactics, techniques, and procedures (including malware, infrastructure, and vulnerabilities exploited); and the observed or assessed impact on the organizations and business verticals being targeted.
If you read our past blog on How Cyber Attackers are Exploiting COVID-19 to Undermine Your Security, you’ll recall that they’re doing so via phishing and ransomware attacks, nation-state sponsored attacks and disinformation campaigns. Outlined in this blog are more of the trends and observations summarized from the full report from the TRT. Stay vigilant of these attacks and follow the Fidelis TRT’s recommendations on how to secure your enterprise to gain the decisive advantage against your enemies.
Vulnerabilities in VPN products and older, popular software packages
As more employees are working from home, attractive targets may include the products and services these employees rely on, including VPN clients and software, web browsers, consumer-grade routers, networked and cloud storage, and even specific software like OWA, Microsoft SharePoint, and video conferencing/communication software (e.g. Zoom, WebEx, RingCentral). Vulnerabilities in these products will be leveraged to deliver commodity malware like remote access tools and spyware as well as ransomware. The risk from exploitation of vulnerabilities in web browsers and browser extensions will also increase. It is imperative to ensure that browsers remain up to date and are patched as soon as patches are available, and that browser extensions and plug-ins are downloaded from reputable sources and patched when updates are available.
New Topics in Phishing Attempts
Cyber-criminals and nation-state actors will continue to leverage the COVID-19 situation in phishing attempts; however, they will begin to utilize new topics and events as they arise including government stimulus programs, vaccine and treatment developments, unemployment concerns (using fake job postings or government employment and welfare schemes), and fake retail and shopping lures as major retailers face bankruptcy and businesses begin to reopen.
The recent protests/rioting following the death of George Floyd also provide ransomware operators an opportunity to exploit the ongoing events and sentiment, and local and municipal government entities may be viewed as potential targets. Protest-related phishing themes may include news and updates related to the Black Lives Matter movement, riot tracking apps, or police support/brutality. Our recommendation is to stay vigilant against such threats.
Malware Trends Observed
Ransomware, commodity malware and exploit kits remain the most popular malware leveraged by cyber-criminals and nation-state sponsored groups. Over 20% of malware attacks came from Gh0stRAT, with other attacks coming from njRAT, FareIT/Pony, Conficker, Trickbot and others. Fidelis TRT strives to keep indicators of compromise and protocol behaviors up to date to protect customers; however, proper security awareness and hygiene should still be followed to limit the chance of a successful attack.
Nation-state sponsored APT adversaries are leveraging critical vulnerabilities in the Mozilla Firefox and Internet Explorer browsers and in Linux-based email servers. Ensuring that browsers are up to date and patched will help prevent adversaries from gaining a foothold in your environment via browser-based exploits and plugins.
Even if you are not a Fidelis customer yet, we recommend you ensure that software packages and VPN products are patched and updated, that you stay vigilant against phishing or disinformation campaigns, and that you determine how to keep your company assets and remote workforce safe and secure during this time. If you would like more information, read what our CISO has to say about Maintaining Your Cybersecurity Focus as You Work from Home.
Stay safe, stay secure, and reach out to us if you’d like to know more about how Fidelis can help you detect, hunt and respond to these most advanced threats.