Nuspire’s Q1 2022 Threat Data Show Resurgence in Older Attack Methods

Nuspire’s latest threat report data showed an increase in all three of the threat classifications it studies – malware, botnets and exploits – with many threat actors leveraging older tactics. In Nuspire’s webinar reviewing its findings, Josh Smith, Cyber Threat Analyst for Nuspire, and Justin Heard, Threat Intel & Rapid Response for Nuspire, reviewed the key data and trends they uncovered and offered actionable tips to combat current cybersecurity threats.

Download the latest report

Malware Activity Increased 4.76%

Nuspire saw nearly 3.5 million malware events in Q1 2022, an increase of 4.76% over the previous quarter. While the company was able to isolate 1,342 unique variants, two rose to the top in terms of prominence: VBA agent and JavaScript activity.

Top Malware Detections: VBA & JavaScript

VBA agents imitate legitimate Microsoft Word or Excel files with a lure attempting to trick the end-user into enabling macros. Once enabled, the macros activate a malicious script that contacts the command-and-control server to download an additional payload on the victim’s machine.

“VBA agents are one of the top issues we’ve seen for a while, accounting for nearly 30% of all malware variants we witnessed,” said Josh. “However, Microsoft recently announced plans to block macros by default on Office products files from the internet, and coincidentally, we saw VBA agent activity decrease at the same time.”

Josh added that in the same time period, the Nuspire team saw an increase in the use of JavaScript agents.

“This could potentially be a result of the decrease in VBA agent usage, and that cyber attackers are shifting tactics” he said.

JavaScript agents are a type of malware loader that typically deploy via drive-by download. When a user visits either a legitimate website that has been compromised or a malicious site, a payload is silently downloaded and installed on the victim’s machine, giving the threat actors access. These loaders can additionally be packaged up with the appearance of a legitimate email attachment and deployed during malicious spam campaigns.

“While malware being on the rise is concerning, it’s important to remember that we can do something about it,” said Justin. “By leveraging endpoint protection platforms and network segregation practices, you can significantly limit your exposure. Plus, it’s always important to conduct regular cybersecurity awareness trainings to ensure your employees are up-to-date on the latest tricks that cyber attackers are using.”

Botnets Saw a 12.21 Increase in Activity

Botnets are also on the rise, increasing 12.21% over Q4 2021, comprising 812,941 events in total. Forty-five unique botnets were detected, including STRRAT and the notorious Mirai.

STRRAT malware focuses on information stealing, keystroke logging and credential harvesting from browsers and email clients. Nuspire witnessed a significant increase in STRRAT activity following identification of a new STRRAT phishing campaign, and ultimately, STRRAT comprised 24% of activity among the five top botnets.

Mirai, known for co-opting IoT devices to launch DDoS attacks, showed a spike in activity in February 2022. This corresponded with the discovery of Spring4Shell, a zero-day attack on popular Java web application framework, Spring Core. The attack allows for unauthenticated remote code execution, and data show Mirai exploited this vulnerability.

To mitigate these threats, Justin recommended employing threat intelligence to provide insight on botnets’ command-and-control infrastructures and alert you when your organization is communicating with things it shouldn’t be. He also added the importance of using next-generation antivirus to prevent botnet communication from happening, as well as the need for threat hunting for abnormal activity within your environment.

Exploits Grew by 3.87%

In Q1 2022, Nuspire clocked nearly 20,000,000 total exploits, an increase of 3.87% over the prior quarter. Out of the 639 unique exploits it found, the two most aggressive included bruteforcing and Apache Log4j.

Bruteforcing continues to be a prevalent attack vector if provided to threat actors. In fact, bruteforcing comprised 61% of the top five exploit attempts. Cyber attackers are always scanning for exposed services such as SMB and SSH, and if found, will immediately attempt to gain access.

Apache Log4j was also at the top of the list. As an open-source product provided by Apache Software Foundation, it is used in numerous programs and technologies.

“Log4j is one of the biggest exploits in terms of activity,” said Josh. “Discovered by a security researcher who was playing around with a Minecraft server, it revealed a wide-sweeping vulnerability that bad actors started exploiting immediately.”

Nuspire saw activity spike in December 2021 and then again in March 2022.

“We anticipate Apache Log4j will remain a highly-attempted exploit,” added Josh. “What we can learn from this is the importance of staying on top of tech stacks, understanding what’s being utilized and get patches applied immediately.”

Industry Spotlight: Automotive Threats

The automotive industry is always a favorite target of threat actors because it yields multiple vectors of attack. Popular attacks include ransomware and cyber espionage.

When it comes to ransomware, Conti is one of the most prevalent. Once Conti gains access to an organization, by leveraging spearphishing, bruteforcing, fake software updates and/or exploits, they exfiltrate data, encrypt a network and publish the data on their extortion site if the ransom isn’t paid.

“Conti is very organized,” said Josh. “They have tiered structure and robust support system and operate like a business – which is a big factor in why they’ve been so successful. They’re also very mobile, meaning that once a location is found and shut down, another one pops up.”

Mofang (Superman) is another big threat to the automotive industry. A nation state backed by the Chinese government, it seeks to steal intellectual property from potential competitors. Mofang typically uses social engineering to gain entrance to the network, including spearphishing emails that contain a Microsoft Office file or malicious PDF.

Get the Threat Report

To access all the data and recommendations from Q1 2022 Threat Report, you can download it here.

You can also view the webinar to hear Josh and Justin break down the data.

Have you registered for our next event?