MDR Insights - Patch all the things!
Ask any security professional what their advice to organizations is, and patching is usually at the top of the list. Look, we get it, it’s not easy to do. Patching can interfere with productivity, slowing down or interrupting primary business functions. Patching costs money, requires time and planning, and is usually done at late hours or over the weekend. In a recent discussion amongst our Security Operations Center (SOC) analysts, further obstacles came up, such as the cost of new hardware and compatibility problems between updates and old hardware. Many companies delay patching, implement “temporary” workarounds, or simply ignore legacy workloads and let them linger indefinitely.
Threat actors understand these challenges well. In the last few years, we have seen a new magic formula adopted by professional cybercriminal groups:
- Identify a vulnerability (preferably with public Proof of Concept code) that affects many companies
- Launch opportunistic attacks using vulnerability scanners (spray-and-pray tactic)
- After compromising a vulnerable system, deploy a malicious payload (typically a webshell)
Even if most businesses patch quickly, threat actors are still left with tens of thousands of vulnerable servers. Attacks can be opportunistic – vulnerable servers are discovered and attacked automatically – but the scope of such attacks is limited. We can compare this to well-known attacks like WannaCry – while these attacks can reach a wide range of machines, the impact remains limited (it’s wide, but not very deep). More sophisticated threat actors, however, can use this initial compromise as an entry point to conduct a much larger operation.
We recently wrote about a 2-year-old VMware vulnerability with ESXi that continues to create problems for organizations, and there are still thousands of vulnerable servers. Microsoft Exchange is another popular target. Even after the low-hanging fruit is picked up, threat actors can target “immune” systems by tweaking an attack to bypass mitigations.
The Cybersecurity and Infrastructure Security Agency (CISA) has a great resource that catalogs the known exploited vulnerabilities. These vulnerabilities should be a top priority for every company. Besides developing a plan of action, make sure the patches actually get completed. In some incidents, we’ve seen customers hit by months-old exploits. The good news is that, according to Verizon’s Data Breach Investigations Report, organizations are patching in a more timely way than they were just four years ago. The key idea here is: don’t cripple the organization through inaction. Have a plan for patching, based on input from the necessary stakeholders, with realistic timelines.
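One way to turn the CISA catalog into a patching priority list, as an added example (not code from the report or from Bitdefender): it joins vulnerability-scanner findings against a KEV-shaped feed and ranks them by catalog membership, known ransomware use, and how far past the remediation due date they are. The feed and the findings are constructed placeholders; the field names `cveID`, `dueDate` and `knownRansomwareCampaignUse` mirror the real catalog, but the entries do not.

```python
import json
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample shaped like CISA's KEV JSON feed: the field names follow
# the real catalog, but the CVE ids and products are placeholders, not real data.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "product": "ExampleMail", "dueDate": "2022-04-10",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "product": "ExampleHypervisor", "dueDate": "2022-07-01",
   "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "product": "ExampleVPN", "dueDate": "2022-02-15",
   "knownRansomwareCampaignUse": "Known"}
]}"""

# Constructed vulnerability-scanner output: (hostname, CVE id) pairs.
FINDINGS = [
    ("mail01", "CVE-0000-0001"),
    ("esx02", "CVE-0000-0002"),
    ("esx02", "CVE-0000-0009"),  # not in KEV: still a bug, but lower urgency
    ("vpn-gw", "CVE-0000-0003"),
]

def load_kev(raw: str) -> Dict[str, dict]:
    """Index the catalog by CVE id so each finding is a single lookup."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(kev: Dict[str, dict], findings: List[Tuple[str, str]],
               today: date) -> List[dict]:
    """Rank findings: KEV entries first, ransomware-linked and most overdue on top."""
    ranked = []
    for host, cve in findings:
        entry = kev.get(cve)
        row = {"host": host, "cve": cve, "kev": entry is not None,
               "ransomware": False, "days_overdue": None}
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            row["days_overdue"] = (today - due).days  # negative = not yet due
            row["ransomware"] = entry.get("knownRansomwareCampaignUse") == "Known"
        ranked.append(row)
    # Non-KEV last; within KEV, known ransomware use first, then most overdue.
    ranked.sort(key=lambda r: (not r["kev"], not r["ransomware"],
                               -(r["days_overdue"] or 0)))
    return ranked

def overdue(ranked: List[dict]) -> List[str]:
    """Hosts that have blown past the catalog's remediation due date."""
    return sorted({r["host"] for r in ranked if r["kev"] and r["days_overdue"] > 0})

if __name__ == "__main__":
    for row in prioritize(load_kev(KEV_JSON), FINDINGS, date(2022, 6, 1)):
        print(row)
```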
Spear phishing attacks are often used as the initial attack vector, and ransomware infection is often the final stage of the kill chain. For this report, we analyzed malware detections collected in January 2022 from our static anti-malware engines. Note: we count total cases only, not the monetary impact of each infection. Opportunistic adversaries and some Ransomware-as-a-Service (RaaS) groups therefore represent a higher percentage than groups that are more selective about their targets, since they prefer volume over higher value.
When looking at this data, remember these are ransomware detections, not infections.
Top 10 Ransomware Families
We analyzed malware detections from January 1 to January 31. In total, we identified 234 ransomware families. The number of detected ransomware families can vary each month, depending on the ransomware campaigns currently running in different countries.
Top 10 Countries
In total, we detected ransomware from 153 countries in our dataset this month. Ransomware continues to be a threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Many ransomware attacks continue to be opportunistic, so a country’s population size correlates with its number of detections.
Below are the top 10 trojans targeting Android we have seen in our telemetry during January 2023.
SMSSend.AYE - Malware that tries to register as the default SMS application on first run by asking for the user's consent. If successful, it collects the user's incoming and outgoing messages and forwards them to a Command & Control (C&C) server.
Downloader.DN - Repacked applications taken from the Google App Store and bundled with aggressive adware. Some of this adware downloads other malware variants.
Triada.LC - Malware that gathers sensitive information about a device (device IDs, subscriber IDs, MAC addresses) and sends it to a malicious C&C server. The C&C server responds with a link to a payload that the malware downloads and executes.
HiddenApp.AID - Aggressive adware that impersonates AdBlock applications. When running for the first time, it asks for permission to display on top of other apps. With this permission, the application can hide from the launcher.
Banker.XJ - Applications that drop and install encrypted modules. This trojan grants itself device admin privileges and gains access to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive commands and upload sensitive information.
Banker.ACI, YI - Polymorphic applications that impersonate legitimate apps (Google, Facebook, Sagawa Express ...). Once installed, they locate banking applications on the device and try to download a trojanized version from the C&C server.
Banker.ACX - Applications that impersonate Korean banking applications to record audio and video, collect sensitive information (SMS messages, contacts, GPS location ...) and upload it to a C&C server.
SpyAgent.GC - Applications that exfiltrate sensitive data like SMS messages, call logs, contacts, or GPS location.
Banker.ZF, ZX - Applications that disguise themselves as banking apps and can imitate a conversation with customer support. When the malware runs for the first time, it asks for permission to access contacts, microphone, geolocation, and camera. Once the permissions are granted, the malware can receive commands from the C&C server to exfiltrate sensitive data from the phone.
Homograph Phishing Report
Homograph attacks abuse internationalized domain names (IDN). Threat actors register internationalized domain names that visually spoof a target domain name. When we talk about the “target” of an IDN homograph phishing attack, we refer to the domain that threat actors are trying to impersonate. You can read more about this type of attack in one of our previous reports.
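A defender-side check for the spoofing described above, as an added example (not code from the report or from Bitdefender): it decodes punycode (`xn--`) hostnames from, say, proxy or DNS logs, collapses look-alike characters to the ASCII letters they resemble, and flags any IDN whose skeleton matches a protected brand domain. The protected-domain set and the confusable table are a constructed subset (Unicode's confusables.txt is the full reference), and the registrable domain is approximated as the last two labels rather than via a public-suffix list.

```python
import unicodedata
from typing import Dict, List, Optional

# Domains we want to protect (constructed sample, not the report's top-10 list).
PROTECTED = {"paypal.com", "apple.com", "microsoft.com", "google.com"}

# Hand-built subset of Cyrillic/Greek/Latin look-alikes mapped to the ASCII
# letter they resemble; Unicode's confusables.txt is the complete reference.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u0501": "d", "\u03bf": "o", "\u03b1": "a", "\u0261": "g",
}

def skeleton(label: str) -> str:
    """Collapse a label to the ASCII string it visually resembles."""
    label = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def decode_host(host: str) -> str:
    """Turn punycode (xn--) labels back into Unicode; other labels pass through."""
    out = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except ValueError:
                pass  # malformed punycode: keep the raw label for manual review
        out.append(label)
    return ".".join(out)

def classify(host: str) -> Optional[Dict[str, str]]:
    """Return a finding if `host` is an IDN look-alike of a protected domain."""
    decoded = decode_host(host)
    labels = decoded.split(".")
    if len(labels) < 2:
        return None
    registrable = ".".join(labels[-2:])  # assumption: no public-suffix handling
    if registrable in PROTECTED or registrable.isascii():
        return None  # genuine domain, or not an IDN at all (typosquats out of scope)
    for brand in PROTECTED:
        if skeleton(registrable) == skeleton(brand):
            return {"host": host, "decoded": decoded, "impersonates": brand}
    return None

def scan(hosts: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a batch of logged hostnames and keep only the hits."""
    return [f for f in map(classify, hosts) if f]

if __name__ == "__main__":
    # Constructed sample hostnames; the second contains Cyrillic 'а' (U+0430).
    for hit in scan(["www.paypal.com", "p\u0430ypal.com", "xn--pypal-4ve.com"]):
        print(hit)
```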
Below is the list of the top 10 most common targets for phishing sites.
About Bitdefender Threat Debrief
The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. To not miss the next BDTD release, subscribe to the Business Insights blog and follow us on Twitter. You can find all previous debriefs here.
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 150 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discover 400+ new threats each minute and validate 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.
We would like to thank bitdefenders Tyler Baker, Alin Damian, Mihai Leonte, Andrei Mogage, Sean Nikkel, Nikki Salas, Rares Radu, Ioan Stan, Marius Tivadar, and Horia Zegheru (sorted alphabetically) for their help with putting this report together.