Nuspire recently released its latest Threat Landscape Report, and it’s safe to say Q2 2022 was one of the more active quarters we’ve seen in quite some time. The report, which outlines new cybercriminal activity and tactics, techniques and procedures (TTPs), was reviewed by Nuspire’s Josh Smith, Cyber Threat Analyst, and Justin Heard, Manager of Threat Intel and Rapid Response, in our quarterly threat webinar.
Nuspire’s data reveals a significant increase in overall threat activity across malware, botnet and exploits. Malware events increased over 25%, botnets doubled over the first quarter and exploit activity grew by nearly 150%, buoyed by the Log4j vulnerability. Let’s dive into the data.
Malware events jumped 28.1% over Q1 2022, driven by top malware variants including CoinMiner, Injectors, Microsoft Excel Trojans and password-protected Office trojans. Notably absent from the list of popular variants was VBA agents.
“We predicted in Q1 that we’d see a significant decrease in VBA agents, and that’s exactly what we saw in Q2,” said Josh. “When Microsoft realized how popular this attack vector was, they took proactive measures to make it much harder to enable macros.”
Because threat actors always evolve, they moved to CoinMiner, which took over as Nuspire’s top witnessed malware. CoinMiner installs itself on a victim machine to leech its resources and mine cryptocurrency. Its goal is to stay as quiet as possible to avoid detection.
One way you might notice this malware is via performance issues, as CoinMiner uses the CPU and GPU for mining processes, which could slow down your computer.
Botnets saw a stunning rise in Q2, more than doubling in activity over Q1. The biggest offenders were largely the same ones we saw in Q1, with Torpig Mebroot rising to the top. A banking trojan, Torpig Mebroot is designed to scrape and collect credit card and payment information from infected devices. It is particularly difficult to detect and remove, as it infects the victim machine’s master boot record.
We also saw STRRAT maintain its tempo throughout Q2. Typically deployed by phishing, STRRAT seeks to steal information, log keystrokes, and harvest credentials from browsers and email clients.
“In May, Microsoft tweeted it detected a massive email campaign conducted by STRRAT,” said Josh. “The campaign included an image that looked like a PDF attachment – once the victim opened it, a malicious domain in the image would download STRRAT.”
Exploits also put up big numbers, increasing activity by a whopping 144.87% over Q1. DoublePulsar saw a resurgence, most likely related to the rise in CoinMiner. Variants of CoinMiner have been witnessed using DoublePulsar to worm their way into a network and spread the infection.
Apache Log4j also continued to strike in Q2. A powerful vulnerability that, according to Josh, “shook the cybersecurity community to its core,” Log4j has been added to a number of threat actors’ arsenals, including Karakurt’s. Once the group has accessed an organization’s network, it will steal data and threaten to auction it unless the victim pays a ransom.
“Manufacturing became the world’s most attacked vertical, overtaking insurance and finance,” said Josh. “We can surmise it’s because when shutdowns happen in manufacturing, those costs are extremely detrimental to the business and they’re more likely to pay a ransom.”
Two of the biggest threat groups within manufacturing are LockBit Ransomware Gang and Dynamite Panda.
LockBit Ransomware Gang
LockBit is the most active ransomware right now, having developed LockBit, LockBit 2.0 and LockBit 3.0 ransomware, as well as StealBit information-stealing malware. By leveraging ransomware-as-a-service (RaaS), they’re able to get a cut of any ransom paid using their ransomware. Their typical methods of attack include phishing, purchasing stolen credentials, purchasing access to compromised organizations from other threat actors and exploiting exposed vulnerabilities.
Dynamite Panda (APT18)
Dynamite Panda is a Chinese nation state-sponsored advanced persistent threat group that has been around since 2009. They perform espionage operations to steal intellectual property, as well as deploy financially driven attacks. Their favorite tactics include phishing, exploiting exposed vulnerabilities, using stolen credentials to log into remote services, and harvesting and stealing sensitive information and intellectual property.
According to Justin, phishing and exploiting exposed vulnerabilities continue to be incredibly popular methods of attack because they’re easy to do.
“Threat actors are looking to expend the least amount of effort, so they’ll continue to use phishing and exploits because all they have to do is send out the attack and wait for someone to fall for it,” said Justin. “While threat actors are always evolving, there are a number of things we can do to make sure we’re not part of the low-hanging fruit.”
According to Justin, the things to focus on include: