September 2020: Threat Landscape Overview
“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.BlueVoyant’s s research of attack vectors employed in the general threat landscape throughout the month of September shows consistent trends with previous months in the quarter. There were some notable standouts throughout Q3 2020, but based on collection and reporting analysis, the numbers played out pretty-much as expected. Phishing and DDoS are by far the most employed attack methods among cyber criminals, but that doesn’t mean some other less-popular attack vectors should be overlooked. Web application attacks saw a large spike within the quarter with little to no information as to why. While the spike was largely the result of attacks on known honeypots, it is possible attackers are gearing up for larger web application attack campaigns in the near future. Additionally, a new attack vector made its way on the scene in September. The new method, dubbed Raccoon Attack, was discovered by university researchers in Germany and Israel. The Raccoon Attack exploits a timing vulnerability in the Transport Layer Security (TLS) protocol and essentially allows a man in the middle to snoop encrypted traffic. Although the researchers explained this attack vector is difficult to execute, it is not uncommon for advanced actors to employ complex attacks and could be a real threat going forward. While there were no changes in the top 10 malware trends this calendar year, some movers and shakers did mix things up a bit in September. Emotet firmly took the top spot in all three collection categories, but a lower ranking malware family is perhaps more notable. Ryuk ransomware, previously thought to be on the way out to make room for its successor Conti, was the suspected malware that took systems offline of a major US healthcare provider. Additionally, a newcomer to the top 10 list made its first appearance in September. KryptoCibule is a previously undocumented trojan that spreads via malicious torrents and uses multiple tricks to exfiltrate cryptocurrency. KrytpoCibule also employs some tricks under the hood to avoid detection and analysis. Yet another newcomer in September, CDRThief, targets Linux code and can steal phone call metadata - which analysts believe could be used for cyber espionage and VoIP fraud. Some notable breaches in September include a hospital victimized by the infamous DoppelPaymer ransomware. The devastating attack ultimately led to a patient death. Because the Dusseldorf University Clinic was not able to treat new patients due to the system outage, a patient who was unable to be treated lost her life on her way to another facility. In a bit of a head scratcher, Microsoft XP source code was leaked en masse in September. While the 20-year old source code might not seem like a big deal, researchers believe there could be underlying code still in use in modern operating systems which attackers could leverage to advance their attacks. Microsoft also suspended eighteen Azure Active Directory applications determined to be part of a malicious command and control infrastructure. Microsoft concluded APT40 was behind the malicious infrastructure involved. Around 46,000 U.S. veterans had the misfortune of their personal information divulged in a breach at the U.S. Department of Veterans Affairs. According to reporting, the Financial Service Center (FSC) determined one of its online applications was accessed by unauthorized users, who diverted payments to community healthcare providers. Furthermore, a new APT is breaking old rules. Dubbed OldGremlin, this threat actor group is confirmed to be Russian speaking, yet their attacks thus far have been directly targeted at Russia-based entities. This is quite unusual, and researchers are unclear as to why this is happening. One theory is the actors are testing things out in their own backyard before broadening their perimeter of attack. Finally, TeamTNT could be the first threat group caught using legitimate third-party software to target cloud infrastructure. The group is infiltrating Weave Scope, a trusted tool which gives users full control over their cloud infrastructure, and essentially using it as a backdoor to wreak havoc. BlueVoyant is an analytics-driven cyber security company whose mission is to protect businesses of all sizes against agile and well-financed cyber attackers by providing unparalleled visibility, insight, and responsiveness. BlueVoyant provides advanced Threat Intelligence capabilities, Managed Security Service, and effective Incident Response.