What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Aug 17, 2022
Increase in Observations of Socgholish Malware
THE THREAT Starting in early August 2022 and continuing through the month, eSentire identified a significant increase in Socgholish (aka. FakeUpdates) malware incidents. Socgholish is a loader type…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Sep 20, 2022
eSentire Recognized as Top Global MDR Provider by MSSP Alert, CrowdStrike and G2
Waterloo, ON - September 21, 2022 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), celebrated multiple industry recognitions as the leading global MDR provider, over the last week: Named #9, and the top pure play MDR provider on MSSP Alert’s Top 250 MSSPs global rankingRecognized as the CrowdStrike 2022 Global MSSP Partner of the Year Earned G2’s industry-renowned status…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Company
News releases — Jun 27, 2018

91% of critical endpoint security events leverage PowerShell to cloak detection

eSentire Notes MSPS, Trusted Cloud Platforms, and Consumer-Grade Routers Also Pose Problems
4 minutes read

CAMBRIDGE, ONTARIO – June 27, 2018 – Opportunistic threat actors are leveraging trusted tools, like PowerShell, to retrieve and execute malicious code from remote sources. According to a new cyber threat report from eSentire, Inc., the largest pure-play Managed Detection and Response (MDR) provider, 91% of endpoint incidents detected in Q1 2018 involved known, legitimate binaries, such as PowerShell or mshta.exe. These processes are used by opportunistic and targeted threats alike, allowing them to circumvent basic controls to deliver and install malware.

“eSentire Threat Intelligence data shows heavy use of legitimate Microsoft binaries, such as PowerShell and mshta.exe, popular tools for downloading and executing malicious code in the initial stages of a malware infection,” said Eldon Sprickerhoff, Founder and Chief Innovation Officer, eSentire. “PowerShell can also be leveraged by adversaries to reduce their on-disk footprint and evade detective controls by operating in memory and obfuscating command-line parameters.”

In late January 2018, an eSentire advanced threat analytics operation (powered by machine learning and coined “Blue Steel”), detected an adversary leveraging an unknown exploit in Kaseya’s Virtual System Administrator (VSA) product to deploy crypto miners across the infrastructure of a small number of eSentire customers. The attack broadly targeted the trusted system of MSPs and cloud platforms through Kaseya VSA endpoint agents for initial access to deliver malicious scripts. eSentire discovered the threat and notified Kaseya of the intrusions, resulting in multiple security fixes.

539% Increase in Consumer-Grade Router Attacks

The report also indicates a dramatic increase in attacks targeting popular consumer-grade routers, like Netgear and Linksys (both of whom own a significant share of the consumer network device market, at 51% and 26% respectively*), – eSentire saw a 539% increase from Q4 2017 to Q1 2018.

Trending in router exploitations was first observed in late 2017 when the Reaper Botnet gained media attention. Additionally, intrusion attempts across industries grew 36%, mostly due to DNS manipulation in consumer-grade routers. These manipulations allow attackers to redirect victims to malicious infrastructure to achieve a variety of results, including malware and phishing landing pages. Other exploits focused on consumer-grade routers.

“The increase in attacks against consumer network devices can be attributed to the perceived value in recruiting devices for attacks against businesses, as opposed to leveraging them as potential network entry-points,” said Sprickerhoff.

Additional Report Findings:

“While industry sentiment is focused on the ever-changing threat landscape, the data suggests that it’s the cybercriminal landscape that’s shifting. As we continue to see successful efforts in disrupting malicious infrastructure and comprehensive threat blocking, cybercriminals are forced to diversify their hacking methods. They’re pivoting to use new methods for sustaining infrastructure,” said Sprickerhoff. “Technology is changing rapidly, and as it does, attackers are shifting their techniques to match. The increase in router-based attacks is a prime example.”

Methodology

The eSentire Threat Intelligence team used data gathered from 1,500+ proprietary network and host-based detection sensors distributed globally across multiple industries. Raw data were normalized and aggregated using automated machine-based processing methods. Processed data was reviewed by a visual data analyst applying quantitative analysis methods. Quantitative intelligence analysis results were further processed by a qualitative intelligence analyst resulting in a written analytical product.

eSentire’s 2018 Q1 Threat Report provides a quarterly snapshot, analyzing all cyber threat events investigated by the eSentire Security Operations Center (SOC) while addressing three key areas: threat types, threat volume, and attack types. Each topic is divided into multiple sections, including visual data analysis, written analytical analysis, practical recommendations, and key assumptions. The report concludes with takeaways and recommended actions that organizations can take to protect their business networks from compromise, including protecting against vulnerability exploit and router compromise, revisiting organizational awareness training programs to protect against phishing and protecting against an opportunistic threat like PowerShell-based attacks.

To access a complete copy of the Q1 2018 Quarterly Threat report, visit: esentire.com/resource-library/q1-2018-quarterly-threat-report/

About eSentire:

eSentire® is the largest pure-play Managed Detection and Response (MDR) service provider, keeping organizations safe from constantly evolving cyber attacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC), staffed by elite security analysts, hunts, investigates and responds in real-time to known and unknown threats before they become business disrupting events. Protecting more than $5.7 trillion AUM in the financial sector alone, eSentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory requirements. For more information, visit www.esentire.com and follow @eSentire.

*Source: The NPD Group U.S. Monthly Retail Tracking Service, Routers, Multiband Transmission Speed: 1800 Mbps- 5400 Mbps, Wireless Technology: 802.11ac, 4Q16, based on dollar share.

Products, service names, and company logos mentioned herein may be the registered trademarks of their respective owners. All rights reserved.