Positive Technologies reports that targeted attacks were up in Q3 as hackers continued to rely on malware and social engineering to steal data from companies and individuals.

Targeted attacks rose to 65% in Q3, up from 47% in Q1, according to the company’s Cybersecurity Threatscape Q3 2019 update. In the Q3 report, Positive Technologies noted that 81% of malware infections of corporate infrastructure started with a phishing message.

Positive Technologies cited APT groups for the increase as hackers focused these attacks on governments, industrial companies, the financial sector, and science and education organizations. APT hackers pretend to represent governmental institutions, military entities, and telecom companies to attack organizations in South Asia.

Cybercriminals used social engineering in 69% of attacks on organizations in the third quarter, up from 37% in the second quarter. Business email compromise (BEC) was the weapon of choice, as hackers “present themselves as belonging to a trusted company (such as a vendor) and send an invoice with their own bank account number.”

According to the FBI’s Internet Crime Complaint Center, worldwide losses from BEC fraud are more than $26 billion over the last three years.

In the third quarter of 2019, TA505, an APT group, expanded its targets to include more countries and additional industries. Phishing messages are the group’s main method for penetrating target networks.

SEE: Fighting social media phishing attacks: 10 tips (free PDF)

In September, the PT Expert Security Center noticed that TA505 was sending phishing messages to European and African banks. The emails included Office documents with macros that extract a DLL, save it, and run the new FlawedAmmyy loader.

Hackers are finding new ways to get around anti-phishing defenses. In Q3, hackers used a compromised SharePoint site to trick bank employees into sharing usernames and passwords. The initial SharePoint link made it through to bank inboxes because SharePoint links had been whitelisted.

The group’s arsenal includes:

  • Dridex, a banking trojan
  • Cryptomix, ransomware signed with certificates issued to dummy legal entities
  • ServHelper, a remote desktop agent and a downloader
  • FlawedAmmyy, remote administration trojans
  • Upxxec, a plugin that detects and disables a large range of antivirus software

Positive Technologies reports that with each new wave of attacks, “the group has made qualitative changes to its toolkit and advanced to more sophisticated techniques for maintaining stealth.”

The Q3 2019 update also found that that mining software now represents only 3% of attacks on organizations because attackers are gradually switching to malware with “multifunction capabilities.”

The Clipsa trojan is one example of this multitasking malware which includes mining cryptocurrency, stealing passwords, tampering with addresses of cryptocurrency wallets, and launching brute-force attacks against WordPress sites.”

In late August, Emotet started sending malicious spam again after several months of inactivity. The botnet’s operators offer other hackers access to Emotet-infected computers so that these “customers” can install more malware.

The botnet sends out malicious mailings disguised as invoices, financial documents, and even a free version of Edward Snowden’s book. The attachments infect the victim with the Emotet trojan. This allows the botnet operators to place more malware on compromised devices, such as the Trickbot trojan or Ryuk ransomware, which are frequently found together on infected machines.

At the end of the report, Positive Technologies reminds readers that the majority of attacks are not made public because companies don’t want to admit to losing control of their data and IT systems. Positive Technologies and offers this advice to improve IT security:

  • Make sure that insecure resources do not appear on the network perimeter <
  • Filter traffic to minimize the number of network service interfaces accessible to an external attacker
  • Use two-factor authentication where possible, especially for privileged accounts
  • Improve security awareness among clients

In Q3, hackers used a compromised SharePoint site to trick bank employees into sharing usernames and passwords.
Image: Positive Technologies