Emotet, Trickbot, Buer Among Malware Campaigns Infoblox Tracks

During the first quarter, the Infoblox Cyber Intelligence Unit (CIU) has published original research reports on malware campaigns naming these threats: Valyria Trojan Drops Emotet, Snake Keylogger, Italian Emotet, Buer Loader Trojan, RuRAT Trojan, BazarStrike, Warezov Worm, Dridex Banking Trojan, Hancitor Downloader, Trickbot Loader, and Burkina Trojan.

One of the leading causes of cloud breach vulnerability is errors in cloud administration, configuration, and setup, including too many points of administration and different dashboards and too many policies to propagate, synchronize, and maintain consistently, Infoblox states.

Architecture requirements for large enterprises and government remain committed to hybrid as they have on-premises and cloud resources to protect. New controls to secure container-based workloads, lockdown cloud configurations, and encrypt data in the cloud are still being deployed.

As noted last quarter, many organizations use security stacks that don’t scale easily, if at all, from on-premises to the cloud. With new points of administration and management, plus a new front-end configuration, come increased opportunities for error and a potential data breach.

There has been considerable coverage and research into the SolarWinds breach. CISA’s analysis of the attack on SolarWinds concluded the threat actors added a malicious version of the binary SolarWinds.Orion.Core.BusinessLayer.dll into the SolarWinds software lifecycle. This version was digitally signed by a legitimate SolarWinds code signing certificate. The malicious code became trusted once it was signed digitally, defeating the purpose of code signing: providing reassurance to users that the code an organization distributes can be trusted.

Crafting a strategy to breach a software provider’s most secured continuous integration/continuous delivery (CI/CD) pipeline means threat actors are aiming for the heart of cyber defenses. By breaching the CI/CD pipeline, threat actors would assume a mantle of trust and are capable, virtually unhindered, of using an organization’s reputation to distribute malware across its user base, potentially enabling serious and widespread damage.

With many organizations allowing users to use home broadband connections for work use, the corporate attack surface has grown substantially, with sensitive data being strewn and exposed everywhere. None of this changed in Q1 2021.

Data supporting the incremental risk of WFA environments is circulating from a growing variety of sources. For example, the ed-tech advocacy group the Consortium for School Networking (CoSN), creates and publishes surveys on cyber technology issues.

According to Keith Krueger, CEO of CoSN, cybercriminals are using phishing scams to target remote students and educators, which often appear to come from recognizable email addresses at first glance. “In a school environment, about 3 percent of teachers click inappropriately on phishing scams,” Krueger said. “That was jumping to 15 to 20 percent from home, so a lot of cybercriminals are getting into the network.”

Email remains the top threat vector used to attack government and businesses of all sizes. Email delivers 75 to 90 percent of malware. Despite training and widespread warnings against spam, users continue to open suspicious emails in their business and personal accounts. They click on malicious email attachments and URLs, as well as view websites not generally associated with business use.

The Infoblox CIU continues to observe widespread threat actor use of email campaigns employing social engineering tactics to propagate a variety of attacks. In some instances, these attacks are targeted to one individual or organization, a technique known as spear-phishing, but larger campaigns are more common.

The widespread use of ransomware continues unabated into Q1 2021, with ransomware tools increasing in sophistication. Ransomware-as-a-service (RaaS) platforms that can be deployed by even the least technical ransomware threat actor. As threat actors become more skilled and capable at using ransomware, they are executing increasingly more damaging attacks, often against enterprises and government organizations.

COVID-19 has continued to present threat actors with new opportunities. Over the past year, there has been an endless progression of COVID-related phishing attacks. As these attacks ramped up through 2020, Google blocked a reported average of 18 million daily malicious COVID-19 messages to Gmail users. Beyond malware and phishing email, Google also blocked more than 240 million spam messages related to COVID-19.

This new opportunity saw threat actors successfully impersonating government authorities such as the World Health Organization (WHO). You can see Infoblox report on Trickbot WHO?, which used a fraudulent coronavirus alert from the WHO to deliver Trickbot banking malware.

Other emails impersonated UNICEF and attempted to leverage psychological manipulation by posing as a children’s charity.

For these reasons and more, the cyberthreats remain alive and well. As before, threat actors will innovate, adjust and sustain proven methods as 2021 unfolds. Rogue nation-states and organized crime will continue to build on their offensive capabilities. Accurate intelligence about timely, relevant threats enables an organization to make thoughtful, targeted improvements to its defenses and lower its risk.