A recent vulnerability known as Aikido demonstrated how some EDR technologies could be used as data wipers on the hosts where they are installed. Yair, a security researcher at SafeBreach, released the proof-of-concept at the 2022 Black Hat conference, showing how an unprivileged user could manipulate an EDR sensor into wiping files on the system. Bitdefender was one of the tested solutions and was not found vulnerable to this attack. However, because EDR sensors have become widely deployed security technology, every host now carries a single technology that could be abused or evaded in an attack. Additional capabilities of EDR sensors, such as remote shell access, host isolation, or even preventive actions, would be highly sought after by attackers looking to use native tools.
Attackers are looking for ways to defeat EDR capabilities or mask their behavior enough to go undetected. In one example, the BlackByte ransomware group used CVE-2019-16098 to load a clean driver and then used this trusted driver to disable the callback routines used by EDR tools. The same group also used other EDR bypass techniques to deactivate the Microsoft-Windows-Threat-Intelligence ETW provider. BlackByte’s tactics showed the group actively interacting with EDR components to limit or stop their ability to detect and report activity on the infected host. If one group is doing this, chances are that others are using or developing similar tactics, which shows that attackers are actively taking steps to reduce EDR capabilities.
Bitdefender’s security stack was designed to be resilient, with multiple overlapping security layers. The core antimalware engines scan any new driver saved to disk and compare it against a database of known vulnerable drivers; an alert is generated if a known vulnerable driver is written in a suspicious way. Even if an EDR sensor is shut down, additional sensors and technologies can detect and report the tampering. Important protection is provided by Advanced Threat Control (ATC), a real-time detection layer that monitors the behavior of all processes. ATC tracks the active use of drivers, checks whether a loaded driver is suspicious, and reports it to our GravityZone platform. Finally, ATC also includes a protection capability called Callback Evasion Detection (CBE), which monitors the removal of kernel-mode callbacks and generates an alert when it detects a tampering attempt.
Knowing that attackers are actively looking for vulnerabilities to defeat EDR capabilities, we must look at what else EDR sensors give MDR and security analysts. An EDR’s strength is not just its detections; it is the data it collects and the capability it gains when paired with an MDR service. Trained security analysts will notice suspicious activity and use the EDR sensor’s data to investigate and understand what they see. An attacker actively using tools, or accessing file locations, in ways that would diminish the capabilities of an EDR will stand out as suspicious behavior to security analysts.
- EDR tools are necessary technology that collects information from the kernel, logs, file details, running processes, and configuration data, creating valuable signatures that are used to detect and respond to security events.
- An MDR service uses more than just detections to identify suspicious activity. EDR telemetry is critical for an MDR. That telemetry, ingested into a SIEM, compounds the capability of an EDR by creating baseline signatures or adding criteria to the detections created by the EDR sensor. The level of access to that raw telemetry may be the difference between finding and not finding malicious activity on a host.
- Attackers will continue to use, and look for, EDR vulnerabilities. These allow attackers to go undetected or to use the EDR sensor’s own capabilities for their benefit (living off the land).
- Attackers may try to stop EDR sensors from sending telemetry. MDR services should have multiple signatures in place to look for attackers that remove or reduce EDR capabilities. Raw telemetry allows for baselining environments and producing anomaly signatures that look for things like sensor counts or heartbeats, telemetry traffic flow, and regular file and folder access, to name a few.
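One way to turn raw heartbeat telemetry into the anomaly signatures described above, as an added example that is not code from the report or from GravityZone: it flags sensors that have gone silent and hosts whose event volume collapsed against their own baseline. The JSON-lines heartbeat format, its field names (host, ts, events) and the sample values are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of EDR sensor heartbeats, one JSON object per line; the field
# names are assumptions for this example, not a real sensor format.
SAMPLE_HEARTBEATS = """\
{"host": "ws-01", "ts": "2022-11-15T10:00:00Z", "events": 120}
{"host": "ws-01", "ts": "2022-11-15T10:05:00Z", "events": 118}
{"host": "ws-01", "ts": "2022-11-15T10:10:00Z", "events": 125}
{"host": "ws-01", "ts": "2022-11-15T10:15:00Z", "events": 3}
{"host": "ws-02", "ts": "2022-11-15T10:00:00Z", "events": 80}
{"host": "ws-02", "ts": "2022-11-15T10:05:00Z", "events": 82}
{"host": "ws-03", "ts": "2022-11-15T10:00:00Z", "events": 95}
{"host": "ws-03", "ts": "2022-11-15T10:05:00Z", "events": 97}
{"host": "ws-03", "ts": "2022-11-15T10:10:00Z", "events": 99}
{"host": "ws-03", "ts": "2022-11-15T10:15:00Z", "events": 101}
"""

def parse_ts(value):
    """Parse the sample's UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_heartbeats(text):
    """Group heartbeats as {host: [(timestamp, events), ...]}, sorted by time."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        rec = json.loads(line)
        per_host[rec["host"]].append((parse_ts(rec["ts"]), rec["events"]))
    for beats in per_host.values():
        beats.sort()
    return dict(per_host)

def silent_sensors(per_host, now_iso, max_gap_s):
    """Hosts whose newest heartbeat is older than max_gap_s: the sensor may have been stopped."""
    now = parse_ts(now_iso)
    return sorted(host for host, beats in per_host.items()
                  if now - beats[-1][0] > timedelta(seconds=max_gap_s))

def volume_drops(per_host, min_baseline_beats=3, drop_ratio=0.25):
    """Hosts still beating but whose latest event count fell below drop_ratio of their
    own baseline average: a sensor that reports almost nothing may have been blinded."""
    flagged = {}
    for host, beats in per_host.items():
        if len(beats) <= min_baseline_beats:
            continue  # not enough history to baseline this host yet
        baseline = sum(events for _, events in beats[:-1]) / (len(beats) - 1)
        latest = beats[-1][1]
        if latest < drop_ratio * baseline:
            flagged[host] = round(latest / baseline, 3)
    return flagged
```

Run against the sample with `silent_sensors(parse_heartbeats(SAMPLE_HEARTBEATS), "2022-11-15T10:17:00Z", 600)` to see ws-02 reported as silent, while `volume_drops` singles out ws-01.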
Spear phishing attacks are often used as an initial attack vector, and ransomware infection is often the final stage of the kill chain. For this report, we analyzed malware detections collected in November 2022 from our static anti-malware engines. Note: we only count total cases, not how monetarily significant the impact of an infection is. Opportunistic adversaries and some Ransomware-as-a-Service (RaaS) groups represent a higher percentage compared to groups that are more selective about their targets, since they prefer volume over higher value.
When looking at this data, remember these are ransomware detections, not infections.
Top 10 Ransomware Families
We analyzed malware detections from November 1 to November 30. In total, we identified 205 ransomware families. The number of detected ransomware families can vary each month, depending on the current ransomware campaigns in different countries.
Top 10 Countries
In total, we detected ransomware from 155 countries in our dataset this month. Ransomware continues to be a threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Many ransomware attacks continue to be opportunistic, and the size of a country’s population is correlated with the number of detections.
Below are the top 10 trojans targeting Android we have seen in our telemetry during November 2022.
Downloader.DN - Repacked applications taken from the Google App Store and bundled with aggressive adware. Some adware downloads other malware variants.
Banker.ACT, ACI, YI - Polymorphic applications that impersonate legitimate apps (Google, Facebook, Sagawa Express ...). Once installed, they locate banking applications on the device and try to download a trojanized version from the C&C server.
SMSSend.AYE - Malware that tries to register as the default SMS application on the first run by requesting the consent of the user. If successful, it collects the user's incoming and outgoing messages and forwards them to a Command & Control (C&C) server.
HiddenApp.AID - Aggressive adware that impersonates AdBlock applications. When running for the first time, it asks permission to display on top of other apps. With this permission, the application can hide from the launcher.
Banker.XJ - Applications that drop and install encrypted modules. This trojan grants itself device admin privileges and gains access to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive commands and upload sensitive information.
Triada.LC - Malware that gathers sensitive information about a device (device IDs, subscriber IDs, MAC addresses) and sends it to a malicious C&C server. The C&C server responds by sending back a link to a payload that the malware downloads and executes.
SpyAgent.EM - Applications that exfiltrate sensitive data like SMS messages, call logs, contacts, or GPS location.
Banker.ACX - Applications that impersonate Korean banking applications to record audio and video, collect sensitive information (SMS messages, contacts, GPS location…) and upload it to a C&C server.
Homograph Phishing Report
Homograph attacks abuse internationalized domain names (IDN). Threat actors register international domain names that spoof a target domain name. When we talk about the “target” of an IDN homograph phishing attack, we refer to the domain that threat actors are trying to impersonate. You can read more about this type of attack in one of our previous reports.
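As an added example (not code from the report or from Bitdefender), the check below decodes a punycode (xn--) domain as seen in logs or certificates into its Unicode form, maps confusable Cyrillic and Greek letters to the Latin letters they resemble, strips diacritics, and compares the result with a list of target brands. The target list, the confusables table and the sample domains are all constructed for illustration.

```python
import unicodedata

# Constructed target list for this example; the report's own top-10 list is not reproduced.
TARGETS = {"google.com", "microsoft.com", "paypal.com"}

# Small constructed confusables table (Cyrillic and Greek letters that render like Latin).
# Production tooling should use the full Unicode confusables data from UTS #39.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
}

# Constructed lookalikes, stored in the punycode (xn--) form seen in logs and certificates.
SAMPLE_DOMAINS = [
    s.encode("idna").decode("ascii")
    for s in ("g\u043e\u043egl\u0435.com", "p\u0430yp\u0430l.com", "payp\u1ea1l.com")
]

def to_unicode(domain):
    """Accept a punycode or Unicode domain and return its Unicode form."""
    return domain.encode("idna").decode("idna")

def skeleton(domain):
    """Latin string the user perceives: fold case, strip diacritics, map confusables."""
    chars = []
    for ch in unicodedata.normalize("NFKD", domain.lower()):
        if unicodedata.combining(ch):
            continue  # e.g. the dot under 'ạ' disappears, leaving a plain 'a'
        chars.append(CONFUSABLES.get(ch, ch))
    return "".join(chars)

def scripts_used(domain):
    """Unicode scripts of the letters in the domain (taken from character names);
    several scripts inside one name are themselves a strong homograph signal."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in to_unicode(domain) if ch.isalpha()}

def homograph_target(domain, targets=TARGETS):
    """Return the target this domain impersonates, or None. The genuine target is not flagged."""
    uni = to_unicode(domain)
    if uni in targets:
        return None
    skel = skeleton(uni)
    return skel if skel in targets else None
```

`homograph_target(d)` on each entry of `SAMPLE_DOMAINS` names the impersonated brand, while the genuine `google.com` and an unrelated domain return None.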
Below is the list of the top 10 most common targets for phishing sites.
About Bitdefender Threat Debrief
The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release: subscribe to the Business Insights blog and follow us on Twitter. You can find all previous debriefs here.
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 150 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements the telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discovers 400+ new threats each minute and validates 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.
We would like to thank Bitdefenders Tyler Baker, Alin Damian, Mihai Leonte, Andrei Mogage, Sean Nikkel, Nikki Salas, Rares Radu, Ioan Stan, Marius Tivadar, and Horia Zegheru (sorted alphabetically) for their help with putting this report together.