Positive Technologies cited APT groups for the increase as hackers focused these attacks on governments, industrial companies, the financial sector, and science and education organizations. APT hackers pretend to represent governmental institutions, military entities, and telecom companies to attack organizations in South Asia.
Cybercriminals used social engineering in 69% of attacks on organizations in the third quarter, up from 37% in the second quarter. Business email compromise (BEC) was the weapon of choice, as hackers “present themselves as belonging to a trusted company (such as a vendor) and send an invoice with their own bank account number.”
In the third quarter of 2019, TA505, an APT group, expanded its targets to include more countries and additional industries. Phishing messages are the group’s main method for penetrating target networks.
In September, the PT Expert Security Center noticed that TA505 was sending phishing messages to European and African banks. The emails included Office documents with macros that extract a DLL, save it, and run the new FlawedAmmyy loader.
The report describes the group's toolkit as including:
Cryptomix, ransomware signed with certificates issued to dummy legal entities
ServHelper, a remote desktop agent and a downloader
FlawedAmmyy, a remote administration trojan
Upxxec, a plugin that detects and disables a large range of antivirus software
Positive Technologies reports that with each new wave of attacks, “the group has made qualitative changes to its toolkit and advanced to more sophisticated techniques for maintaining stealth.”
The Q3 2019 update also found that mining software now represents only 3% of attacks on organizations because attackers are gradually switching to malware with “multifunction capabilities.”
“The Clipsa trojan is one example of this multitasking malware which includes mining cryptocurrency, stealing passwords, tampering with addresses of cryptocurrency wallets, and launching brute-force attacks against WordPress sites.”
In late August, Emotet started sending malicious spam again after several months of inactivity. The botnet’s operators offer other hackers access to Emotet-infected computers so that these “customers” can install more malware.
The botnet sends out malicious mailings disguised as invoices, financial documents, and even a free version of Edward Snowden’s book. The attachments infect the victim with the Emotet trojan. This allows the botnet operators to place more malware on compromised devices, such as the Trickbot trojan or Ryuk ransomware, which are frequently found together on infected machines.
At the end of the report, Positive Technologies reminds readers that the majority of attacks are not made public because companies don’t want to admit to losing control of their data and IT systems. Positive Technologies offers this advice to improve IT security:
Make sure that insecure resources do not appear on the network perimeter
Filter traffic to minimize the number of network service interfaces accessible to an external attacker
Use two-factor authentication where possible, especially for privileged accounts
Improve security awareness among clients