After enterprises beefed up work-from-home security in the midst of a pandemic, threat actors saw diminishing returns and looked elsewhere for opportunities. In Q3, they zeroed in on the education sector and the U.S. elections. At the same time, attackers continued to assault companies in all industries – and especially healthcare and manufacturing – often through internet-connected devices. Nuspire’s Q3 Threat Landscape Report summarizes the quarter’s most active malware, botnets and exploits and provides recommendations to protect your organization.
When conditions change, threat actors regroup and refine their techniques. In Q3, assailants turned to public entities already burdened by pandemic concerns. Schools, colleges and universities were forced into online or hybrid learning models, a move that created new vulnerabilities. Attackers leapt into action using malware and ransomware. An Education Week article describes massive disruptions in several states.
A top elections target was the U.S. Election Assistance Commission (EAC). The Nuspire team observed phishing attempts to guide victims to fake voter registration pages to harvest information. The EAC confirmed that phishing emails used EAC graphics in an attempt to trick recipients into providing their name, date of birth and other personal information into a malicious web form….
According to Nuspire analysts, total malware activity increased 128% compared to Q2, which decreased 12% compared to Q1. Q3 activity trended upward throughout the quarter and peaked at a 670% increase from the beginning of the quarter. While Emotet remained a top offender, the largest contributor was Visual Basic for Applications (VBA) agents. This trojan utilizes Microsoft Office applications to deploy malspam campaigns that encourage users to open attachments in which malicious macros are embedded.
Botnet total activity decreased by 6% in Q3 compared to Q2, with phishing the most common spreader. The most active botnet observed by the Nuspire team was the H-Worm, which can execute files, reboot machines, conduct keylogging and steal information from web browsers. And it can customize communication ports for the C2 server to establish contact and provide visibility of operating systems, system users and attached USB devices.
Total exploit activity increased less than 2% from Q2, and the most active exploit was DoublePulsar. This exploit enables attackers to search for and gather exposed remote desktop protocol (RDP) connections that are sold in bulk on the dark web. In Q3, the Nuspire team noted more than 2,000 sales. Additionally, an HTTP Server Authorization Buffer Overflow attack successfully exploited a GitStack vulnerability, for which there is now a patch.
Threat actors aren’t going to let up, so keep your eye on two things: preparation and incident response. Both should be customized for your organization and industry. Having the right security controls minimizes the risk of breach, and the right incident response shortens dwell time and limits damage.
In every industry, cybersecurity awareness training should be a priority because most infections start through email when users interact with malicious attachments. Strengthen security further by following these best practices:
Simple actions make a big difference in protecting what’s valuable in your environment. Not sure about the security status of your network and every endpoint? Do a remote breach assessment.
For more information on the current threat landscape, including a list of indicators of compromise, download the Nuspire Q3 Threat Landscape Report. Education Week, Cyberattacks Disrupt Learning Even More During COVID-19, September 14, 2020.  U.S. Election Assistance Commission News Alert – False Voter Registration Phishing Email.