Threat Landscape Overview for October 2020

November 23, 2020 | 3 min read

BlueVoyant

BlueVoyant researchers continued close monitoring of the general threat landscape throughout October. In attack vectors for the month, there were no major movements among top attack vectors. A slight uptick in disinformation-styled attacks was likely linked to the culmination of U.S. election season. Additionally, new vulnerabilities in mobile browsers were linked to JavaScript shenanigans, of which there are plenty that generally improves the effectiveness of phishing/web-based attacks.

Malware family monitoring in October reflected the month-long back-and-forth between public and private sector cybersecurity entities attempting to strike blows at Wizard Spider’s Trickbot infrastructure as U.S. elections drew near. However, the concerted effort may have instigated a wave of Ryuk ransomware attacks executed with frightening speed as a counterpunch of sorts. Additional noteworthy trending malware includes a unique rootkit, some mobile malware, and an update on a botnet discovered last year.

BlueVoyant analysts also gathered and constructed the monthly snapshot of breach and incident news from around the globe. Drilling down deeper, breaches at a Finnish psychotherapy practice may represent the next phase of escalating extortion tactics wherein threat actors target an organization after a breach as well as threaten individual clients whose sensitive information was compromised. A potential breach at Nitro Software highlights communication challenges organizations must face when dealing with the aftermath of unsavory news.

Finally, there was wide reporting of Advanced Persistent Threat (APT) activity in October and BlueVoyant spotlights two actors. In-depth reporting of the Bahamut hack-for-hire group by BlackBerry and Bellingcat researchers show a highly capable threat actor active throughout the Middle East and South Asia. Attention was focused on the Velvet Chollima APT as well after U.S. agencies warned of their activity in late October.

Attack vector trend analysis in October 2020 showed the main culprits treading water for the most part compared to previous months. Phishing and DDoS continued their reign with phishing being far and away the main attack vector of choice. Cross-site scripting saw a slight dip and disinformation attacks ticked upward.

The relative spike in disinformation is likely due to the U.S. election season building to its 3 November crescendo. In fact, a disinformation campaign involving Iranian threat actors pushed threatening emails to U.S. voters (in Florida, Pennsylvania, Arizona, and Alaska) between 20 and 21 October claiming to be from the far-right group Proud Boys. The emails threatened the recipient had better vote for Trump or they would face consequences. A media storm ensued following initial reporting and the FBI Director and Director of National Intelligence conducted a joint press conference to report the emails were the work of Iranian information operations.

JavaScript Shenanigans for Phishing

In mid-October, Rapid7 researchers teamed with independent researcher Rafay Baloch to publish the details on several vulnerabilities affecting mobile device browsers. Among the 7 browsers impacted was Apple’s Safari and the popular Opera Touch browser (other browsers are UCWeb, Yandex Browser, Bolt Browser, and RITS Browser). The vulnerabilities have all been categorized as user interface misrepresentation of critical information and have historically been employed in phishing attacks to dupe victims.

In his blog on the browser bugs, Rapid7’s Tod Beardsley outlines that “[b]y messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website.”

Beardsley sums it up succinctly, noting the “[e]xploitation all comes down to, ‘JavaScript shenanigans.’” Along that same line of thought, Akamai researchers in October published the results of a 10-month study of JavaScript obfuscation techniques employed in phishing attacks and other web scams. Through their analysis of more than 10K URLs, they discovered a 70% increase in usage between November 2019 and Aug 2020.

The surge, according to their stats, really began to take shape in May 2020 and Akamai researchers believe the COVID-19 pandemic began to really influence threat actor behavior at that time. Akamai observed the main technique used by threat actors to be content escaping; it is also the most basic. Among the other popular techniques noted from the study were eval execution obfuscation, Hex encoding variables name obfuscation, Base64 encoding, and AES encryption.

Further examining the category of industries affected by such web scam JavaScript-based shenanigans, Akamai determined high-tech, financial, and social media sectors as the most impacted. The use of JavaScript obfuscation techniques increases the odds of success for threat actors and is likely to continue being used.

BlueVoyant is an analytics-driven cybersecurity company whose mission is to protect businesses of all sizes against agile and well-financed cyber attackers by providing unparalleled visibility, insight, and responsiveness. BlueVoyant provides advanced Threat Intelligence capabilities, Managed Security Services, and effective Incident Response.