
Nuspire Sees Dramatic Uptick in Q2 2022 Threat Activity

Nuspire recently released its latest Threat Landscape Report, and it’s safe to say Q2 2022 was one of the more active quarters we’ve seen in quite some time. The report, which outlines new cybercriminal activity and tactics, techniques and procedures (TTPs), was reviewed by Nuspire’s Josh Smith, Cyber Threat Analyst, and Justin Heard, Manager of Threat Intel and Rapid Response, in our quarterly threat webinar.

Nuspire’s data reveals a significant increase in overall threat activity across malware, botnets and exploits. Malware events increased over 25%, botnet activity doubled over the first quarter and exploit activity grew by nearly 150%, buoyed by the Log4j vulnerability. Let’s dive into the data.

Malware

Malware events jumped 28.1% over Q1 2022, driven by top malware variants including CoinMiner, Injectors, Microsoft Excel Trojans and password-protected Office trojans. Notably absent from the list of popular variants were VBA agents.

“We predicted in Q1 that we’d see a significant decrease in VBA agents, and that’s exactly what we saw in Q2,” said Josh. “When Microsoft realized how popular this attack vector was, they took proactive measures to make it much harder to enable macros.”

As threat actors adapted, CoinMiner took over as Nuspire’s top witnessed malware. CoinMiner installs itself on a victim machine to leech its resources and mine cryptocurrency. Its goal is to run as quietly as possible to avoid detection, so it rarely announces itself with the visible damage other malware causes.

One way you might notice this malware is via performance issues, as CoinMiner uses the CPU and GPU for mining, which can slow down the computer. Practically, that means looking for processes that hold the CPU pinned for hours rather than spiking briefly, and for outbound connections from those processes to mining pools.
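The triage logic below is an added example, not code from the Nuspire report or webinar. It scores constructed process telemetry against the indicators the passage describes: sustained (not momentary) CPU load, a mining-pool URL or miner-style flags in the command line, and connections to ports commonly used by Stratum mining pools. The port list, thresholds and CLI flag tokens are assumptions to be tuned for your environment; the sample records are constructed.

```python
"""Flag processes that look like CoinMiner-style cryptominers.

Added example (not from the Nuspire report). All telemetry below is
constructed; thresholds, the port list and the CLI flag tokens are
assumptions, not values the report gives.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Ports frequently used by Stratum mining pools (assumption: tune per environment).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8333, 14444, 45700}
# A process is "sustained hot" when this fraction of samples exceed the threshold (assumptions).
CPU_THRESHOLD = 80.0
SUSTAINED_FRACTION = 0.9
# Command-line fragments typical of open-source miner binaries (assumption).
MINER_CLI_TOKENS = ("--donate-level", "-o pool.", "--algo", "--coin")


@dataclass
class ProcessRecord:
    pid: int
    name: str
    cmdline: str
    cpu_samples: List[float]                      # percent CPU per polling interval
    remote_ports: List[int] = field(default_factory=list)
    gpu_busy: bool = False


def sustained_cpu(samples: List[float], threshold: float = CPU_THRESHOLD,
                  fraction: float = SUSTAINED_FRACTION) -> bool:
    """True when at least `fraction` of the samples are at or above `threshold`.

    A compile or backup spikes and then drops; a miner keeps the CPU pinned,
    so nearly every sample is high.
    """
    if not samples:
        return False
    hot = sum(1 for s in samples if s >= threshold)
    return hot / len(samples) >= fraction


def miner_indicators(proc: ProcessRecord) -> List[str]:
    """Return the indicators a record triggers (empty list means nothing suspicious)."""
    hits: List[str] = []
    if sustained_cpu(proc.cpu_samples):
        hits.append("sustained_high_cpu")
    if proc.gpu_busy and sustained_cpu(proc.cpu_samples, threshold=50.0):
        hits.append("cpu_and_gpu_busy")
    cmd = proc.cmdline.lower()
    if "stratum+tcp://" in cmd or "stratum+ssl://" in cmd:
        hits.append("stratum_url_in_cmdline")
    if any(tok in cmd for tok in MINER_CLI_TOKENS):
        hits.append("miner_cli_flags")
    if set(proc.remote_ports) & STRATUM_PORTS:
        hits.append("stratum_port_connection")
    return hits


def triage(records: List[ProcessRecord]) -> Dict[int, List[str]]:
    """Map pid -> indicators for records with at least two independent indicators.

    Requiring two indicators keeps legitimately CPU-heavy jobs (renders,
    compiles) from being flagged on load alone.
    """
    flagged: Dict[int, List[str]] = {}
    for rec in records:
        hits = miner_indicators(rec)
        if len(hits) >= 2:
            flagged[rec.pid] = hits
    return flagged


# Constructed telemetry: a renamed miner, a long compile, and an idle browser.
SAMPLE_TELEMETRY = [
    ProcessRecord(4211, "svchost.exe",
                  "svchost.exe -o stratum+tcp://pool.example:3333 -u wallet --donate-level 1",
                  [97.0, 98.5, 99.0, 96.0, 98.0, 99.0], remote_ports=[3333]),
    ProcessRecord(5120, "cl.exe", "cl.exe /O2 big_module.cpp",
                  [95.0, 90.0, 88.0, 92.0, 10.0, 5.0]),
    ProcessRecord(6001, "chrome.exe", "chrome.exe --type=renderer",
                  [5.0, 12.0, 8.0, 3.0, 7.0, 4.0], remote_ports=[443, 443, 80]),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_TELEMETRY).items():
        print(pid, hits)
```

The compile job in the sample is hot for four of six intervals and is correctly left alone, while the renamed miner trips four independent indicators. In a real deployment the records would come from EDR process and network telemetry; the structure of the check stays the same.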

Botnets

Botnets saw a stunning rise in Q2, more than doubling in activity over Q1. The biggest offenders were largely the same ones we saw in Q1, with Torpig Mebroot rising to the top. A banking trojan, Torpig Mebroot is designed to scrape and collect credit card and payment information from infected devices. It is particularly difficult to detect and remove because it infects the victim machine’s master boot record (MBR), so its code runs before the operating system and the security tools that load with it.
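Because a bootkit of this kind changes the bootstrap code in the MBR while leaving the partition table intact (the disk still has to boot), one practical check is to hash that region against a baseline taken from a known-good image. The parser below is an added example, not code from the Nuspire report: it parses a 512-byte MBR, validates the 0x55AA signature, decodes the partition entries and compares the bootstrap bytes to a baseline hash. The sample sectors are constructed. Reading the real sector needs raw device access, and a kernel-resident bootkit can intercept disk reads and hand back the original sector, so take the read from a trusted environment (offline, or booted from known-good media).

```python
"""Parse a 512-byte MBR and check its bootstrap code against a known-good hash.

Added example, not from the Nuspire report. Bootstrap code lives in bytes
0..439 (followed by the 4-byte disk signature and 2 reserved bytes), the
four 16-byte partition entries start at 446, and 0x55AA closes the sector.
The sample sectors are constructed.
"""
import hashlib
import struct
from typing import Dict, Tuple

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440          # bytes 0..439
DISK_SIG_OFF = 440           # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446         # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> Dict:
    """Return the bootstrap hash, disk signature and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, off)
        if ptype == 0:  # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> Tuple[bool, Dict]:
    """Compare the bootstrap region to a baseline hash. Returns (matches, parsed info)."""
    info = parse_mbr(sector)
    return info["bootstrap_sha256"] == baseline_bootstrap_sha256, info


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed MBR: given bootstrap code, one bootable NTFS (0x07) partition, 0x55AA."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48  # three empty entries
    sector = code + disk_sig + table + MBR_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


# Constructed "known good" sector, and a copy whose bootstrap was replaced
# but whose partition table is untouched, as a bootkit would leave it.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
INFECTED_MBR = build_sample_mbr(b"\xeb\x4c\x90" + b"\x90" * 40 + b"\xcd\x13")
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        ok, info = check_mbr(sector, BASELINE)
        print(label, "bootstrap matches baseline:", ok, "partitions:", info["partitions"])
```

Note that the partition tables of the two sample sectors decode identically; only the bootstrap hash differs, which is exactly why a partition-table sanity check alone would miss this class of infection.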

We also saw STRRAT maintain its tempo throughout Q2. Typically deployed by phishing, STRRAT seeks to steal information, log keystrokes, and harvest credentials from browsers and email clients.

“In May, Microsoft tweeted it detected a massive email campaign conducted by STRRAT,” said Josh. “The campaign included an image that looked like a PDF attachment – once the victim opened it, a malicious domain in the image would download STRRAT.”

Exploits

Exploits also put up big numbers, increasing activity by a whopping 144.87% over Q1. DoublePulsar saw a resurgence, most likely related to the rise in CoinMiner: variants of CoinMiner have been witnessed using DoublePulsar to worm their way through a network and spread the infection. DoublePulsar is the kernel-mode backdoor implanted by the EternalBlue SMBv1 exploit (MS17-010), so seeing it in 2022 points to hosts still exposing unpatched SMBv1.

The Apache Log4j vulnerability (Log4Shell, CVE-2021-44228) also continued to strike in Q2. A vulnerability that, according to Josh, “shook the cybersecurity community to its core,” Log4Shell has been added to a number of threat actors’ arsenals, including Karakurt’s. Once the group has accessed an organization’s network, it steals data and threatens to auction it unless the victim pays a ransom.

Industry Spotlight: Manufacturing

“Manufacturing became the world’s most attacked vertical, overtaking insurance and finance,” said Josh. “We can surmise it’s because when shutdowns happen in manufacturing, those costs are extremely detrimental to the business and they’re more likely to pay a ransom.”

Two of the biggest threat groups targeting manufacturing are the LockBit ransomware gang and Dynamite Panda.

LockBit Ransomware Gang

LockBit is the most active ransomware group right now, having developed the LockBit, LockBit 2.0 and LockBit 3.0 ransomware as well as the StealBit information-stealing tool. Through its ransomware-as-a-service (RaaS) model, the group takes a cut of any ransom paid by victims of its affiliates. Its typical methods of attack include phishing, purchasing stolen credentials, purchasing access to compromised organizations from other threat actors and exploiting exposed vulnerabilities.

Dynamite Panda (APT18)

Dynamite Panda is a Chinese state-sponsored advanced persistent threat group that has been active since 2009. It conducts espionage operations to steal intellectual property as well as financially driven attacks. Its favored tactics include phishing, exploiting exposed vulnerabilities, using stolen credentials to log into remote services, and harvesting and exfiltrating sensitive information and intellectual property.

Conclusion/Recommendations

According to Justin, phishing and exploiting exposed vulnerabilities continue to be incredibly popular methods of attack because they’re easy to do.

“Threat actors are looking to expend the least amount of effort, so they’ll continue to use phishing and exploits because all they have to do is send out the attack and wait for someone to fall for it,” said Justin. “While threat actors are always evolving, there are a number of things we can do to make sure we’re not part of the low-hanging fruit.”

According to Justin, the things to focus on include:

  1. Educate all users, often. User awareness is one of the most powerful and cost-effective ways to defend your organization from a cyberattack. Educate end users on how to identify suspicious attachments, social engineering and scams in circulation. Create procedures to verify sensitive business email requests (especially ones involving financial transactions) with a separate form of authentication in case an email account becomes compromised or is spoofed.
  2. Take a layered approach to security. A comprehensive ‘defense in depth’ approach with an integrated zero trust cybersecurity program protects businesses by ensuring that every single cybersecurity product has a backup.
  3. Up your malware protection. Advanced malware detection and protection technology (such as endpoint protection and response solutions) can track unknown files, block known malicious files and prevent the execution of malware on endpoints.
  4. Segregate higher-risk devices from your internal network. Devices that are internet-facing are high-value targets. Make sure to change the default passwords on these devices, inventory IoT devices, and practice network segregation to help limit where an attacker can laterally move within an environment.
  5. Patch everything. Make sure that vendor patches are applied as soon as possible within your environment. Once a vulnerability is discovered, attackers won’t hesitate to start exploiting it. Monitor security bulletins from your technology stack vendors to make sure you’re aware of any vulnerabilities so you can patch before the attackers get to you.
