Malware family monitoring in October reflected the month-long back-and-forth between public and private sector cybersecurity entities attempting to strike blows at Wizard Spider’s Trickbot infrastructure as US elections drew near. However, the concerted effort may have instigated a wave of Ryuk ransomware attacks executed with frightening speed as a counterpunch of sorts. Additional noteworthy trending malware includes a unique rootkit, some mobile malware, and an update on a botnet discovered last year.
BlueVoyant analysts also compiled the monthly snapshot of breach and incident news from around the globe. Drilling down, the breaches at a Finnish psychotherapy practice may represent the next phase of escalating extortion tactics, in which threat actors extort the breached organization and also threaten the individual clients whose sensitive information was compromised. A potential breach at Nitro Software highlights the communication challenges organizations face when dealing with the aftermath of unsavory news.
Finally, there was wide reporting of Advanced Persistent Threat (APT) activity in October, and BlueVoyant spotlights two actors. In-depth reporting on the Bahamut hack-for-hire group by BlackBerry and Bellingcat researchers shows a highly capable threat actor active throughout the Middle East and South Asia. Attention was also focused on the Velvet Chollima APT after US agencies warned of its activity in late October.
Attack vector trend analysis in October 2020 showed the main culprits treading water for the most part compared to previous months. Phishing and DDoS continued their reign with phishing being far and away the main attack vector of choice. Cross-site scripting saw a slight dip and disinformation attacks ticked upward.
The relative spike in disinformation is likely due to the US election season building to its 3 November crescendo. In fact, a disinformation campaign involving Iranian threat actors pushed threatening emails to US voters (in Florida, Pennsylvania, Arizona, and Alaska) between 20 and 21 October, claiming to be from the far-right group Proud Boys. The emails warned recipients that they had better vote for Trump or face consequences. A media storm ensued following initial reporting, and the FBI Director and the Director of National Intelligence held a joint press conference to report that the emails were the work of Iranian information operations.
In mid-October, Rapid7 researchers teamed with independent researcher Rafay Baloch to publish the details of several vulnerabilities affecting mobile device browsers. Among the 7 browsers impacted were Apple’s Safari and the popular Opera Touch browser (the others are UCWeb, Yandex Browser, Bolt Browser, and RITS Browser). The vulnerabilities have all been categorized as user interface misrepresentation of critical information, a weakness class that has historically been employed in phishing attacks to dupe victims.
In his blog on the browser bugs, Rapid7’s Tod Beardsley outlines that “[b]y messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website.”
The surge, according to Akamai’s statistics, began to take shape in May 2020, and Akamai researchers believe the COVID-19 pandemic began to influence threat actor behavior at that time. Akamai observed that the main technique used by threat actors was content escaping, which is also the most basic. Other popular techniques noted in the study were eval-execution obfuscation, hex-encoded variable-name obfuscation, Base64 encoding, and AES encryption.
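To make those five technique names concrete for triage, the following added example (not BlueVoyant’s or Akamai’s code) is a small static heuristic that scans JavaScript source for indicators of each technique and reports the first line of evidence; the sample phishing-kit snippet and the benign snippet are constructed for illustration.

```javascript
// Indicator patterns for the obfuscation techniques named in the Akamai study.
// Each regex is a heuristic, not a proof: analysts should read the flagged lines.
const INDICATORS = [
  // content escaping: unescape()/decodeURIComponent() or long runs of %xx escapes
  { technique: 'content escaping',
    re: /\b(?:unescape|decodeURIComponent)\s*\(|(?:%[0-9a-f]{2}){6,}/i },
  // eval execution: eval(), new Function(), or String.fromCharCode() builders
  { technique: 'eval execution',
    re: /\beval\s*\(|new\s+Function\s*\(|\bString\.fromCharCode\s*\(/ },
  // hex-encoded variable names such as _0x3a1f, or \xNN-escaped identifiers
  { technique: 'hex-encoded names',
    re: /\b_0x[0-9a-f]{4,}\b|\\x[0-9a-f]{2}\\x[0-9a-f]{2}/i },
  // Base64 encoding: atob() or a long Base64-looking string literal
  { technique: 'Base64 encoding',
    re: /\batob\s*\(|["'][A-Za-z0-9+\/]{40,}={0,2}["']/ },
  // AES encryption: CryptoJS-style decrypt calls or explicit AES mode names
  { technique: 'AES encryption',
    re: /\bCryptoJS\.AES\.decrypt\s*\(|\bAES[-_ ]?(?:CBC|ECB|GCM)\b/i },
];

// Scan a script line by line and return one evidence record per technique hit.
function scanScript(source) {
  const lines = source.split('\n');
  const evidence = [];
  for (const ind of INDICATORS) {
    const idx = lines.findIndex(line => ind.re.test(line));
    if (idx !== -1) {
      evidence.push({ technique: ind.technique, line: idx + 1,
                      snippet: lines[idx].trim().slice(0, 60) });
    }
  }
  // Two or more distinct techniques in one file is a reasonable triage threshold.
  return { evidence, score: evidence.length, suspicious: evidence.length >= 2 };
}

// Constructed sample resembling a phishing-kit loader (harmless: decodes to document.write(p);).
const SAMPLE_KIT = [
  'var _0x3a1f = ["login", "passwd"];',
  'var p = unescape("%3c%66%6f%72%6d%20%61%63%74%69%6f%6e%3d");',
  'eval(atob("ZG9jdW1lbnQud3JpdGUocCk7"));',
].join('\n');

// Constructed benign control script.
const BENIGN = 'function greet(name) { return "Hello, " + name; }';

console.log(scanScript(SAMPLE_KIT)); // score 4, suspicious true
console.log(scanScript(BENIGN));     // score 0, suspicious false
```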
BlueVoyant is an analytics-driven cybersecurity company whose mission is to protect businesses of all sizes against agile and well-financed cyber attackers by providing unparalleled visibility, insight, and responsiveness. BlueVoyant provides advanced Threat Intelligence capabilities, Managed Security Services, and effective Incident Response.