Threat activity in Q3 continued to surge following Q2, one of the most active quarters in recent history. According to Nuspire’s Q3 Threat Landscape Report, the company’s researchers noted that threat actors remain opportunistic, preying on organizations that are slow to patch against new vulnerabilities. They also continue to launch widespread phishing campaigns, hoping to lure a victim into interacting with their malicious payloads.
These researchers – Josh Smith, Cyber Threat Analyst, and Justin Heard, Threat Intelligence Manager – spent time reviewing their findings during a recent webinar. Read on for a recap of the key data points, attack vectors and mitigation strategies Josh and Justin shared.
Malware saw an overall decrease of 15.73% in Q3; however, Nuspire witnessed surges in info-stealer malware variants such as Kryptik.
“Kryptik is a type of trojan malware that seeks to steal credentials from browsers and applications, as well as cryptocurrency wallets, files and SSH keys,” said Josh. “We saw a 236% increase over Q2, which is indicative of a rising usage of information-stealing malware.”
CoinMiner was a top malware in Q2, and while its usage decreased in Q3, it still remained a top variant.
“CoinMiner activity decreased almost 40% in Q3, which could have to do with the struggles we’re seeing in the cryptocurrency arena,” said Josh. “Perhaps this malware isn’t as attractive as it used to be, however I don’t see it going away, because this is a passive income strategy, meaning threat actors don’t have to do a lot of work to reap their rewards.”
There are several ways to combat malware and protect your environment from a breach.
“Next generation antivirus is great because it’s not only looking for a specific signature, but also, it can detect certain behaviors that are indicative of a threat,” said Justin. “Another strategy is network segmentation, where you segregate devices in a way that prevents a threat actor from getting into other areas of your network.”
Botnet activity shot up more than 100% in Q2 and kept climbing in Q3, increasing a further 35.39%.
A repeat offender on the Nuspire Threat Report’s top botnet list, Torpig Mebroot resurfaced again in Q3. But Nuspire also saw spikes in some lesser-known botnets.
“ZeroAccess is a remote access trojan that configures command-and-control infrastructure on infected devices,” said Josh. “Being a kernel-mode rootkit, ZeroAccess can be especially difficult to remove or detect.”
A kernel-mode rootkit runs inside the kernel, the core of the operating system that controls everything else on the system. Because it executes with the same privileges as the operating system itself, it can alter what the OS reports to user-mode security tools, hiding its own files, processes and network connections, which is why such rootkits are hard to detect and hard to remove cleanly.
“We also saw activity from Xtreme RAT, which is an older remote access trojan first witnessed in 2010,” said Josh. “It has multiple capabilities such as stealing data, manipulating processes and services, worming capabilities, keylogging and more.”
Threat intelligence is an important tool in mitigating botnet activity in your environment.
“Threat intelligence provides insight on botnet command-and-control infrastructure, alerting you when your organization is communicating with things it shouldn’t be,” said Justin. “We recommend you combine it with threat hunting, which, while a more manual process, can help identify command and control infrastructures that may not be part of your current threat intelligence list.”
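The two-pass approach Justin describes, a threat-intelligence match followed by a manual hunt for command-and-control traffic the feed does not yet know about, is illustrated below. This is an added example, not Nuspire’s tooling: the proxy log lines, the indicator list and the log format are all constructed for illustration, and the beaconing heuristic (near-constant connection intervals to one destination) is one common hunting technique, not the only one.

```python
"""Match proxy log lines against a C2 indicator list, then hunt for beaconing
to destinations the list does not cover.  All data here is constructed."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed threat-intelligence feed: hosts/IPs tied to known C2 (hypothetical values).
C2_INDICATORS = {"update-checker.example", "198.51.100.23"}

# Constructed proxy log: "<epoch_seconds> <src_ip> <dst_host_or_ip> <bytes>"
SAMPLE_LOG = """\
1696118400 10.0.0.5 update-checker.example 512
1696118410 10.0.0.7 cdn.legit.example 40213
1696118460 10.0.0.5 update-checker.example 512
1696118470 10.0.0.9 192.0.2.44 300
1696118530 10.0.0.9 192.0.2.44 300
1696118590 10.0.0.9 192.0.2.44 301
1696118650 10.0.0.9 192.0.2.44 300
1696118710 10.0.0.9 192.0.2.44 300
1696118700 10.0.0.7 cdn.legit.example 50000
1696119000 10.0.0.7 mail.example 2000
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Return a list of (timestamp, src, dst, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, nbytes = m.groups()
            events.append((int(ts), src, dst, int(nbytes)))
    return events


def match_indicators(events, indicators):
    """Threat-intel pass: every (src, dst) pair talking to a known C2 host is an alert."""
    return sorted({(src, dst) for _, src, dst, _ in events if dst in indicators})


def hunt_beacons(events, indicators, min_hits=5, max_jitter=0.1):
    """Threat-hunting pass: flag (src, dst) pairs that connect at near-regular
    intervals and are NOT already on the indicator list.  Regularity is measured
    as the coefficient of variation of the inter-connection gaps; a real beacon
    with randomised sleep will need a looser max_jitter (assumption: 10%)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        if dst not in indicators:
            by_pair[(src, dst)].append(ts)
    suspects = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue                      # too few connections to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects.append((src, dst, round(avg, 1)))
    return suspects


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("indicator hits:", match_indicators(evs, C2_INDICATORS))
    print("beacon suspects (src, dst, period_s):", hunt_beacons(evs, C2_INDICATORS))
```

On the constructed log, the indicator pass catches 10.0.0.5 talking to the listed C2 domain, while the hunt pass surfaces 10.0.0.9 connecting to 192.0.2.44 every 60 seconds, a destination the feed never mentioned. The bursty, large transfers from 10.0.0.7 are neither listed nor periodic and are left alone; that is the trade-off Justin mentions, since a hunt is driven by analyst-chosen heuristics rather than a curated list.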
Brute forcing remained the top exploit tactic for threat actors, pushing exploit activity up 0.84% in Q3. While that figure may not seem significant, it’s important to remember that exploits jumped nearly 150% in Q2, which means exploits are continuing to operate at elevated levels.
Other exploits raising concern in Q3 targeted VMware Workspace ONE Access and Identity Manager, and Zimbra Collaboration Suite.
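Because brute forcing is the tactic Nuspire saw most, the check a defender wants is a detection that turns raw authentication logs into two signals: a source exceeding a failure threshold inside a short window, and, more urgently, such a source then succeeding. The following is an added example, not Nuspire’s detection logic; the sshd log lines are constructed, and the threshold of five failures in 60 seconds is an assumption to be tuned per environment.

```python
"""Sliding-window brute-force detection over sshd auth log lines (constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines: one source hammers then logs in, one user
# mistypes once, one source probes slowly (two failures 15 minutes apart).
SAMPLE_AUTH_LOG = """\
Oct 2 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.8 port 51000 ssh2
Oct 2 10:00:03 bastion sshd[2203]: Failed password for invalid user oracle from 203.0.113.8 port 51001 ssh2
Oct 2 10:00:05 bastion sshd[2205]: Failed password for root from 203.0.113.8 port 51002 ssh2
Oct 2 10:00:08 bastion sshd[2207]: Failed password for invalid user test from 203.0.113.8 port 51003 ssh2
Oct 2 10:00:11 bastion sshd[2209]: Failed password for bob from 203.0.113.8 port 51004 ssh2
Oct 2 10:00:15 bastion sshd[2211]: Accepted password for bob from 203.0.113.8 port 51005 ssh2
Oct 2 10:02:30 bastion sshd[2220]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Oct 2 10:02:41 bastion sshd[2222]: Accepted password for alice from 198.51.100.5 port 40001 ssh2
Oct 2 10:05:00 bastion sshd[2230]: Failed password for invalid user pi from 192.0.2.10 port 33000 ssh2
Oct 2 10:20:00 bastion sshd[2232]: Failed password for invalid user pi from 192.0.2.10 port 33001 ssh2
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
OK_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")


def parse_ts(stamp, year=2023):
    # syslog timestamps carry no year; the year is an assumption for the sample
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(text, threshold=5, window_s=60):
    """Return {source_ip: verdict}.  A source gets 'brute_force' when any
    window_s span holds >= threshold failures, upgraded to
    'brute_force_then_success:<user>' if it later authenticates successfully."""
    fails = defaultdict(list)   # src -> [datetime of each failure]
    successes = []              # (datetime, user, src)
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            fails[m.group(3)].append(parse_ts(m.group(1)))
            continue
        m = OK_RE.match(line)
        if m:
            successes.append((parse_ts(m.group(1)), m.group(2), m.group(3)))

    alerts = {}
    for src, times in fails.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # two-pointer sliding window
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts[src] = "brute_force"
                break

    # A success from a source already flagged, after at least one of its
    # failures, is the higher-severity case: the guess may have landed.
    for ts, user, src in successes:
        if src in alerts and any(t <= ts for t in fails[src]):
            alerts[src] = f"brute_force_then_success:{user}"
    return alerts


if __name__ == "__main__":
    for src, verdict in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, verdict)
```

The single mistyped password from 198.51.100.5 and the slow probe from 192.0.2.10 stay below the threshold; the slow probe is exactly the case that a fixed 60-second window misses, which is why this rule belongs alongside a longer-horizon count and the IPS Justin recommends further down, not in place of them.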
“The VMware vulnerability is a critical one because it contains remote code execution,” said Josh. “We’ve seen this vulnerability associated with multiple malware and ransomware families such as Conti, Sodinokibi (REvil), Chaos and more.”
Zimbra Collaboration Suite (ZCS) is a software suite that includes an email server, web client, and productivity and collaboration tools.
“Near the beginning of September, Nuspire saw an increase of attempts against the ZCS vulnerabilities, which lasted until the end of Q3,” said Josh. “These vulnerabilities allow authentication bypass and directory traversal when paired, and have been associated with remote access trojan families and ransomware groups.”
“Both VMS and ZCS are clear examples of why administrators must understand their technology stacks and monitor for vulnerabilities,” said Justin. “Threat actors are always preying on unpatched systems, so patch as soon as you can.”
Justin also advised using a firewall with an intrusion prevention system (IPS), monitoring security news for new vulnerabilities, and disabling unused services, which needlessly expand your attack surface.