Bitdefender Threat Debrief | March 2023

MDR Insights

When reviewing ransomware data from this month, it did not come as a big surprise that the Education sector is in the top 3 industries affected. To better understand the social engineering threats (leading infection vector) to the Education industry, our threat intelligence team released a full report on Social Engineering Threats to Education. 

Typosquatting and business email compromises (BEC) are older cyber threat tactics that continuously evolve to trick unsuspecting victims. Specifically, in the Education sector containing users with different experience levels (often motivated to bypass implemented security controls), assets spread over many physical locations and a mix of various legacy technologies. 

Moreover, these types of attacks are happening more frequently. Since 2021, there has been a marked increase in typosquatting and credential leaks, indicating that phishing and social engineering are still working. Education customers make up 17% of these alerts, but in 2022, that number jumped to 45% of credential leak investigations. As far as typosquatting activity, our threat intelligence team investigated over 1,000 typosquatting alerts since the beginning of 2022, and that number is steadily growing with the addition of similar domain monitoring. 

Credentials are often stolen from outside applications and accounts when users don't follow best practices and use the same email from their business and/or school. When those accounts are hacked, credentials are leaked on the dark web, and threat actors now have specific emails or usernames—or, worse, passwords—to start doing their reconnaissance and formulating their attack plan. Using information from a variety of sources, attackers can then phish with compelling, time-sensitive action, or pose on a phone call as an internal user with enough insider information that will afford them further access. 

Threat actors will continue using these forms of attacks because they prey upon user errors and bypass normal cybersecurity detection methods. Defense-in-depth, combining tooling and best practices, can provide the security posture needed to stop attacker advances. 

The Bitdefender MDR team recommends: 

1. Patch software and hardware regularly and update to the latest versions to prevent exploitation.
   
2. Reviewing and implementing the Center for Internet Security’s Critical Security Controls (CSC) for standard best practices. 
3. Implement strong (multi-factor) authentication and apply the least privilege policies for users. 
4. Identify high-risk employees or teams who may be targeted in social engineering campaigns and provide them with additional situational training. 
5. Check credentials against public databases such as HaveIBeenPwned, or threat intelligence feeds, and enforce regular password changes that use complexity and guard against reuse. 
6. Adopt acceptable use policies on official email addresses. 
   
7. Use industry-specific information-sharing frameworks, such as information sharing and analysis centers (ISAC), or intelligence feeds to stay aware of suspicious or malicious activity reported by the security community.
   
8. Install security tooling that monitors and blocks activity on user devices and ensures all assets on the network have some level of security visibility.

Ransomware Report

Spear phishing attacks are often used as an initial attack vector and ransomware infection is often the final stage of the kill chain. For this report, we analyzed malware detections collected in February 2023 from our static anti-malware engines. Note: we only count total cases, not how monetarily significant the impact of infection is. Opportunistic adversaries and some Ransomware-as-a-Service (RaaS) groups represent a higher percentage compared to groups that are more selective about their targets, since they prefer volume over higher value. 

When looking at this data, remember these are ransomware detections, not infections. 

Top 10 Ransomware Families

We analyzed malware detections from February 1 to February 28. In total, we identified 231 ransomware families. Number of detected ransomware families can vary each month, depending on the current ransomware campaigns in different countries. 

Top 10 Countries

In total, we detected ransomware from 127 countries in our dataset this month. Ransomware continues to be a threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Many ransomware attacks continue to be opportunistic, and the size of population is correlated to the number of detections. 

Android trojans

Below are the top 10 trojans targeting Android we have seen in our telemetry during February 2023.  

SMSSend.AYE - Malware that tries to register as the default SMS application on the first run by requesting the consent of the user. If successful, it collects the user's incoming and outgoing messages and forwards them to a Command & Control (C&C) server.  

Downloader.DN – Repacked applications taken from Google App Store and bundled with aggressive adware. Some adware downloads other malware variants. 

HiddenApp.AID - Aggressive adware that impersonates AdBlock applications. When running for the first time, it asks permission to display on top of other apps. With this permission, the application can hide from the launcher. 

Triada.LC – Malware that gathers sensitive information about a device (Device IDs, Subscriber IDs, MAC addresses) and sends them to a malicious C&C server. The C&C server responds by sending back a link to a payload that the malware downloads and executes. 

Banker.XJ,YM - Applications that drop and install encrypted modules. This trojan grants device admin privileges, and gains access to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive command and upload sensitive information. 

Banker.ACX - Applications that impersonate Korean banking applications to record audio and video, collect sensitive information (SMS messages, contacts, GPS location…) and upload it to a C&C server. 

InfoStealer.YY - Remote Administration Tool for mobile devices that allows an attacker to take control of a victim's device without needing root access. Once the malware is installed on the phone, the attacker can carry out various attacks that compromise the confidentiality and privacy of the victim's data. The tool has ability to capture the screen content, stream live video from the phone's cameras, upload and download files from the device, track the user's location and even capture authentication credentials from Facebook and Google platforms. 

Banker.ZF - Applications that disguise themselves as banking apps and can imitate conversation with customer support. When the malware runs for the first time, it asks for permissions to access contacts, microphone, geolocation, and camera. Once the permissions are granted, the malware can receive commands from the C&C server to exfiltrate sensitive data from the phone. 

Banker.ACI - Polymorphic applications that impersonate legit apps (Google, Facebook, Sagawa Express ...). Once installed, it locates banking applications on the device and tries downloading a trojanized version from the C&C server. 

Homograph Phishing Report

Homograph attacks work to abuse international domain names (IDN). Threat actors create international domain names that spoof a target domain name. When we talk about “target” of IDN homograph phishing attacks, we refer to the domain that threat actors are trying to impersonate. You can read more about this type of attack in one of our previous reports. 

Below is the list of the top 10 most common targets for phishing sites. 

About Bitdefender Threat Debrief

The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release, subscribe to the Business Insights blog, and follow us on Twitter. You can find all previous debriefs here.  

Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 150 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discover 400+ new threats each minute and validate 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape. 

 

We would like to thank bitdefenders Tyler Baker, Alin Damian, Mihai Leonte, Andrei Mogage, Sean Nikkel, Nikki Salas, Rares Radu, Ioan Stan, Marius Tivadar, and Horia Zegheru (sorted alphabetically) for their help with putting this report together.