Cybercriminals often like to rely on the same tried-and-true tricks but update them with a fresh spin based on current events. Naturally, attackers have been taking advantage of COVID-19 and its many repercussions to target organizations and individuals with virus-related malware. A report released Wednesday by Nuspire describes some of the latest malware threats and offers tips on how to defend against them.
For its “Quarterly Threat Landscape Report,” Nuspire analyzed more than 90 billion traffic logs from its customers for the first quarter of 2020. Breaking down the threats into the three main areas of malware, botnets, and exploits, the report highlights the most prolific and popular ones.
For the first quarter, Nuspire detected more than 2.4 million pieces of malware with more than 1,200 unique variants. Though the overall volume of malware actually dropped from the fourth quarter of 2019, the level rose by 7% during the first quarter as the coronavirus took hold. One spike came from a phishing campaign that used Microsoft Word macros to spread trojans. Phishing attacks also exploited financial invoices, IRS tax documents, and COVID-19 information.
Emotet led the way among the most detected malware variants last quarter. Often hidden in an email masquerading as an invoice or bank statement, Emotet was used in a spear-phishing campaign against the United Nations. A new variant found in February contained a Wi-Fi spreader module that allowed it to scan for wireless networks and infect connected devices.
Over the quarter, Nuspire also found Executable and Linkable Format (ELF) variants targeting Internet of Things (IoT) devices to spread the Mirai botnet. In this campaign, attackers scan for IoT devices with open Secure Shell (SSH) or Telnet ports and then attempt to brute-force their way in.
To protect your organization against these latest malware strains, Nuspire offers the following advice:
- Endpoint Protection Platforms (EPP). Implement security-in-depth while utilizing Advanced, Next-Gen AntiVirus (NGAV) technology. Next-Gen AV will detect malicious software not only through signatures but through heuristics and behavior. Legacy AV is strictly signature based, which can only detect already known variants of malware.
- Network Segregation. Segregate higher risk devices like IoT devices from your organization’s internal network. This will minimize the ability of attackers to laterally move throughout a network.
- User Awareness. User awareness training is a critical part of any security program as most infections start through email and interaction with a malicious attachment. Also, administrators should block email attachments that are commonly associated with malware such as .dll and .exe extensions to prevent these from reaching end users.
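The attachment-blocking advice above is easy to state but has a well-known gap: a filter that looks only at the last extension misses executables renamed to look like documents. The following is an added example, not code from the article or from Nuspire, showing a mail-gateway style check in Python's standard `email` library. It applies the `.exe` and `.dll` block list the article names and, going one step beyond the text, also inspects the decoded bytes for the `MZ` header that Windows executables and DLLs begin with, so a renamed binary is still caught. The sample message, addresses and filenames are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the article recommends blocking outright; extend as policy requires.
BLOCKED_EXTENSIONS = {".exe", ".dll"}

# Windows PE files (EXE and DLL alike) start with the two-byte DOS header "MZ".
PE_MAGIC = b"MZ"


def attachment_verdicts(raw_message):
    """Return a list of (filename, reason) for every attachment that should be blocked.

    An attachment is blocked if its (case-insensitive) last extension is on the
    block list, or if its decoded content carries a PE header regardless of name.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Use only the final extension: "Invoice.PDF.exe" is still an .exe.
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            blocked.append((name, f"blocked extension {ext}"))
        elif payload.startswith(PE_MAGIC):
            blocked.append((name, "PE header found despite extension"))
    return blocked


def build_sample_message():
    """Construct a hypothetical 'invoice' message with three attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"         # constructed recipient
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    # 1. A harmless text attachment that should pass.
    msg.add_attachment("total due: 100", filename="invoice.txt")
    # 2. A double-extension executable; the block list catches it by name.
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    # 3. A renamed executable: harmless-looking .pdf name, PE bytes inside.
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in attachment_verdicts(build_sample_message()):
        print(f"BLOCK {filename}: {reason}")
```

Run stand-alone it reports the double-extension `.exe` and the renamed `statement.pdf` while letting `invoice.txt` through. In a real gateway the same two checks would sit in front of the user's mailbox, and the block list would be driven by policy rather than a constant.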
In the first quarter, Nuspire logged more than 1.2 million botnet detections spanning 46 unique botnets. The good news here is that the quarter saw a healthy decrease in botnet activity, as the top three botnet threats and their associated traffic have all been disrupted or abandoned.
In March, Microsoft took control of the infrastructure used by the Necurs botnet, which had accounted for more than nine million infections across the globe. At the same time, the company worked with its partners to stop the registration of any new domains that could be used for attacks. In 2017, the command and control servers for the Andromeda botnet were shut down, leading to a drop in traffic that continued into the first quarter.
Despite the battles won against botnets, organizations should still take certain measures to defend against them.
- Leverage Threat Intelligence. Threat intelligence will help organizations identify whether devices are reaching out to known malicious hosts with command and control (C2) communication. C2 communications can contain commands or could be used to download additional malware. The correlation of networking logs and threat intelligence is critical to identify when this activity occurs so that administrators can block malicious traffic and remediate infected machines.
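The correlation step described above is, at its simplest, a join between outbound connection logs and an indicator list. As an added example (not Nuspire's code or any product's), the Python below parses constructed firewall records in a hypothetical `key=value` format, matches destination addresses against a constructed indicator feed that mixes single hosts with CIDR ranges, and groups the hits by internal source so an administrator sees which machines need remediation. All addresses come from the RFC 5737 documentation ranges and the indicator tags are invented for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed threat-intel feed: indicator -> tag. Values are hypothetical.
THREAT_INTEL = {
    "203.0.113.7": "known C2 host",
    "198.51.100.0/24": "malware distribution range",
}

# Constructed firewall log lines in a hypothetical key=value format.
FIREWALL_LOGS = [
    "2020-03-02T10:01:00Z action=allow src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp",
    "2020-03-02T10:01:05Z action=allow src=10.0.0.5 dst=192.0.2.44 dport=443 proto=tcp",
    "2020-03-02T10:02:10Z action=allow src=10.0.0.9 dst=198.51.100.25 dport=80 proto=tcp",
    "2020-03-02T10:03:00Z action=deny src=10.0.0.9 dst=203.0.113.7 dport=8080 proto=tcp",
    "this line is not a firewall record",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def compile_intel(intel):
    """Split the feed into an exact-host dict and a list of CIDR networks."""
    hosts, nets = {}, []
    for indicator, tag in intel.items():
        net = ipaddress.ip_network(indicator, strict=False)
        if net.num_addresses == 1:
            hosts[str(net.network_address)] = tag
        else:
            nets.append((net, tag))
    return hosts, nets


def match_indicator(dst, hosts, nets):
    """Return the tag for a destination address, or None if it is not on the feed."""
    if dst in hosts:
        return hosts[dst]
    addr = ipaddress.ip_address(dst)
    for net, tag in nets:
        if addr in net:
            return tag
    return None


def correlate(log_lines, intel=THREAT_INTEL):
    """Return {internal_src: [(timestamp, dst, action, tag), ...]} for matching records only.

    Unparseable lines are skipped. Allowed connections to an indicator mean the
    source host is likely already infected and needs remediation; denied ones
    show the block is working but the host is still worth inspecting.
    """
    hosts, nets = compile_intel(intel)
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = match_indicator(m["dst"], hosts, nets)
        if tag:
            hits[m["src"]].append((m["ts"], m["dst"], m["action"], tag))
    return dict(hits)


if __name__ == "__main__":
    for src, events in correlate(FIREWALL_LOGS).items():
        print(f"{src}: {len(events)} indicator hit(s)")
        for ts, dst, action, tag in events:
            print(f"  {ts} {action:5} -> {dst} ({tag})")
```

Only two of the four well-formed records match, and the report separates the host that was allowed out to a C2 address (remediate) from the one whose later attempt was denied (verify the block and inspect). Production systems do the same join against a much larger feed, typically in a SIEM, but the logic is no more than this.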
Last quarter, Nuspire identified more than 23 million security exploits with 404 unique ones. The volume of exploits rose across the board compared with the fourth quarter. The DoublePulsar exploit was the most frequently attempted one observed; it creates a backdoor on infected devices that paves the way for additional malware. A new signature was discovered last quarter that scans for the use of default credentials over Telnet.
An exploit known as Apache Tomcat GhostCat takes advantage of a flaw in the Tomcat AJP protocol that could let an attacker execute code remotely. In February, Operation Fox Kitten emerged as an Iranian espionage campaign targeting VPN vulnerabilities. Further, Nuspire noted a new signature exploiting default Telnet credentials as a way to break into IoT devices.
To combat security exploits, organizations should heed the following tip from Nuspire:
- Mitigation and detection. Exploitation activity is a race against the clock for all parties involved. Attackers are attempting to exploit vulnerabilities before vendors have an opportunity to patch them, and to continue exploiting them before the consumer patches them. It is important for consumers to monitor vulnerabilities that relate to their tech stack and apply vendor patches as soon as feasible. In addition to keeping systems and applications updated, a firewall with an IPS can monitor, alert on, and stop attack signatures targeting your environment.
Finally, Nuspire offers additional security recommendations for organizations.
- User awareness is one of the most powerful and cost-effective ways to prepare your organization against cyberattacks. Teach your users how to identify phishing emails and to have a level of suspicion with email attachments. Create procedures to verify sensitive business email requests (especially ones involving financial transactions) with a separate form of authentication in case an email account becomes compromised or is spoofed.
- A layered approach to security will protect businesses better than a single cybersecurity product can. It ensures that every individual defense component has a backup to cover gaps in the other defenses.
- Advanced malware detection and protection technology, such as Endpoint Prevention and Response (EPR) can track unknown files, block known malicious files, and prevent the execution of malware on endpoints. Network Security such as Security Device Management (SDM) can detect malicious files attempting to enter a network from the Internet or move within a network.
- Organizations can further harden defenses by segregating higher-risk devices from their internal network (like IoT devices that are internet facing). Administrators should ensure that the default passwords for these devices are changed as attackers are actively searching for devices that provide them easy access into a network. Furthermore, administrators should ensure that vendor patches are applied as soon as feasible within their environments as these critical patches can secure vulnerabilities from attackers.