Monthly Threat Report February 2024: A Month for Breaches and Ransomware

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data gathered from the month of January.

Executive Summary

  • Low-effort, high-volume email attacks continue to abate, while more targeted, complex email attacks are on the rise.
  • There has been a near universal increase in the use of malicious file attachments, likely driven by the noted increase in more complex attacks.
  • HTML, PDF, and Archive files were the top 3 most used file types for malicious payloads over the data period.
  • Most targeted industries for the month of January were Mining, Media, and Manufacturing, with the Research industry coming in at a VERY close 4th place.
  • FedEx was the single most impersonated brand during this month’s report, while we also saw notable increases in brand impersonation for both Amazon and Facebook.
  • The threat actor group dubbed “Midnight Blizzard” by Microsoft was able to access and exfiltrate Microsoft executive team emails. The industry has been reacting, with some questioning Microsoft’s response to the breach.
  • Remote Access Provider AnyDesk has reported a breach that led to the theft of code signing keys. Customers need to apply the latest patches ASAP to ensure the continued safe operation of the application.
  • Johnson Controls fell victim to a significant ransomware attack with costs to recover totaling $27 Million USD.
  • The Midnight Blizzard breach of Microsoft highlights the dangers of malicious OAuth applications and it’s recommended that system admins review their currently used OAuth apps in M365 as well as the settings associated with who is able to approve OAuth apps within the environment.
  • M365 users looking to enable Co-Pilot for the first time are urged to review permissions within their M365 tenant (including for SharePoint Online, Teams, and OneDrive for Business) before enabling the feature. The ease with which Co-Pilot can surface information could lead to potential data leaks within the company in the presence of permission misconfiguration.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for December 2023 compared to January 2024.

Unwanted Emails by Category

Our data from this data period continues the expected trend of the overall number of email attacks decreasing after the holiday season. That said, the number of targeted email attacks (those classified as “Threats” and “AdvThreats”) saw a slight increase for the month. This is indicative of the fact that with the holidays over, threat-actors are relying less on low-effort, high-volume email attacks (typically classified as “Rejected” in our data) and have moved to more targeted campaigns.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category    Description
Spam        These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat      These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat   Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected    Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
Clean       These emails were free of threats and delivered.

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

File Types Used in Attacks

Along with the increase in targeted attacks, we’ve also seen an increase in the use of HTML, PDF, and Archive files for the delivery of malicious payloads. Targeted attacks are often more complex, with the attacker turning to more involved methods, including malicious attachments. With that in mind, it’s not surprising to see an increase in the use of malicious attachments alongside an increase in more advanced threats during the same data period.

Industry Email Threat Index

The following table shows our Industry Email Threat Index, calculated from the number of threat emails compared to each industry’s clean emails (as a median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percentage values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

Our data for this month has shown that some industries have seen an increase in the amount of malicious/unwanted email vs. clean email. The Mining, Media, and Manufacturing industries topped the list this month, with the Research industry in a very close 4th place. The core story the data tells this month is that despite a decrease in overall email threat volume, the email security landscape remains dangerous.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

In terms of top impersonated brands, we have some interesting changes this month when compared with last month’s report. The shipping company DHL was long the topmost impersonated brand, but a recent impersonation campaign involving FedEx has seen the number of FedEx brand impersonation emails skyrocket. In other changes, Facebook and Amazon saw notable impersonation increases, while Mastercard saw a decrease during this data period, likely due to the end of the holiday season. Also worth noting is the slight increase in DocuSign brand impersonations. As tax season nears in the US, threat actors know that more eyes will be on DocuSign emails in the coming months and threat actors are pivoting predictably.

Major Incidents and Industry Events

Midnight Blizzard

According to this MSRC blog post, Microsoft detected a nation-state attack on its corporate systems on January 12th, 2024. The threat actor was identified as the Russian State-Sponsored actor Nobelium and given the code name “Midnight Blizzard”. In a notice providing a bit more detail on the attack, Microsoft states:

Midnight Blizzard utilized password spray attacks that successfully compromised a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled.

This statement has brought up a number of questions for security professionals over the past couple of days.

  1. Why was this “Legacy, Non-Production Test Tenant” still being used?
  2. Why was MFA not enforced on this tenant leading it to be compromised by a password spray attack?
  3. Why did this test tenant have any rights to the Microsoft corporate tenant?
  4. How did internal red teaming processes NOT discover the linkage between the two tenants?
  5. How did Midnight Blizzard accomplish infiltration from the “Test Tenant” to the corporate network?

We at least got an answer to one of these questions later in the same article:

Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.

This attack method highlights the risk of OAuth applications that we’ve talked about here at Hornetsecurity, including in the podcast episode embedded below. Microsoft themselves have even cited the risk posed by malicious and uncontrolled OAuth apps but seem to have fallen victim to it in this case.

Ultimately this incident has led to the exfiltration of Microsoft Executive team emails, and there are those in the security community who are speculating that the blast radius will become larger in the coming days. A proper cultural shift in security at Microsoft seems to be woefully needed.

The Security Swarm Podcast – The Dangers of Malicious OAuth Applications

AnyDesk Breach

Popular Remote Access solution creator AnyDesk has also experienced a major breach. According to an article from Bleeping Computer, this breach led to the theft of source code and private code signing keys. In their official statement AnyDesk stated that the situation is under control and that the application is safe to use with the latest update, which provides an updated code signing certificate. AnyDesk claims that no passwords were stolen as part of the attack but is recommending that AnyDesk users change passwords if they have not done so already.

This incident highlights the fact that any and all IT toolkits are under attack by threat actors attempting to pull off another impactful supply chain attack like the SolarWinds supply chain attack years ago. It’s also worth highlighting the fact that source code was stolen in this incident. With this in mind, it’s feasible we could see other AnyDesk-targeted attacks in the coming days once threat actors have had a chance to look over the code.

Johnson Controls Ransomware Attack Cost the Company $27 Million

The costs associated with ransomware attacks continue to rise, so it’s sadly becoming more common to see successful ransomware attacks associated with an eye-watering dollar amount. The good news (if there is any to be had in this story) is that the $27 Million USD was not used to pay a ransom. According to reports on the web, the $27 Million was spent restoring affected systems, with cyber insurance payouts and external cybersecurity professional services also taken into account.

This story was worth including in this month’s report for one simple reason: the monetary damage associated with a ransomware incident is so often attributed to a ransom payout, when in reality the astronomical cost is frequently driven by the mere act of having to address the damage of the attack. This is one of the reasons that cyber insurance has become so expensive in the past couple of years. It is EXPENSIVE to deal with an extensive and targeted ransomware attack, a fact that far too many organizations realize only once it’s too late.

Predictions for the Coming Months

  • With the holiday season well behind us now, we’re likely to see a return to “business as usual” for threat actors. That said, with tax season coming up in the US, we’ll likely see attackers make a more targeted effort to inject themselves into the tax season to capitalize on the exchange of money and sensitive info.
  • We expect the fallout of this most recent Microsoft breach to become clearer in the coming days. As that process plays out, more details will emerge about threat-actor activities leading to the breach, as well as how other entities have been impacted as a part of this incident.
  • Co-Pilot for Microsoft 365 has been released and provides tremendous capabilities in surfacing stored M365 data to end users in prompts. We’re likely to see emerging cases where misconfigured permissions in SharePoint Online, Teams, and OneDrive for Business lead to the accidental exposure of data within organizations using Co-Pilot for the first time, raising the concern of insider threats.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Andy Syrewicze, Security Evangelist, on Microsoft’s Security Culture:

I want to start by saying that I’m often the first to give the benefit of the doubt in these situations – especially so with Microsoft due to my involvement with the Microsoft MVP program over the years. However, the recent breach of Microsoft executive emails by Midnight Blizzard paired with other recent security lapses such as that caused by Storm-0558, really brings the security culture at Microsoft into question. There have been repeated security issues at Microsoft over the past several years now and the community has been waiting for clear acknowledgement that there is a systemic problem to be solved. While the SFI (Secure Future Initiative) is a step in the right direction, it still lacks the impact of the trustworthy computing memo that came directly from then CEO Bill Gates some 20+ years ago. Time will tell if the SFI has the same level of impact within the organization.

From Yvonne Bernard, CTO Hornetsecurity on Copilot:

Walled-off generative AI like Copilot is the often searched-for possibility to enhance productivity with a well-defined training data scope. Nearly every business I am talking to nowadays is currently testing it. I believe this is just the beginning and future applications are endless to help employees and companies work more efficiently. However, the risk of misconfiguration, hacked accounts etc. is probably not in everyone’s mind yet, so I strongly advise investing in employee training on AI and data protection and the definition of proper AI policies prior to rollout.

Monthly Recommendations from the Hornetsecurity Security Lab

  • The Midnight Blizzard breach shows us that now is a good time to re-evaluate your current list of OAuth applications within your M365 environment. Remove any apps that your organization no longer uses and verify that the users allowed to approve OAuth applications are tightly controlled and configured for least possible access, given business needs.
  • If you use AnyDesk within your organization, make a plan to apply the latest patches ASAP if you have not already done so.
  • If you plan on enabling Co-Pilot for M365 within your M365 environment, discuss and make a plan around the potential governance and data safety issues that this new product may surface. If you’re looking for an easy solution to this problem, a trusted permissions management tool like 365 Permission Manager can help.
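One way to carry out the OAuth review recommended above, and to look for the specific grant described in the Midnight Blizzard section, as an added example rather than Hornetsecurity’s or Microsoft’s own tooling: it uses the Microsoft Graph PowerShell SDK with read-only scopes and assumes the module is installed and the signed-in account may read applications and policies.

```powershell
# Added example (not Hornetsecurity's or Microsoft's code): a read-only review of
# OAuth application posture in an M365 tenant with the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph). All scopes requested are read-only.
Connect-MgGraph -Scopes 'Application.Read.All', 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

# 1. Who may consent to OAuth apps? With the legacy default every user can consent to
#    any app requesting any delegated permission, which is what an attacker-created
#    user account relies on. No assigned policy means an admin must approve every app.
$authz = Get-MgPolicyAuthorizationPolicy
$userConsent = $authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if ($userConsent -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') {
    Write-Warning 'User consent policy: users may consent to ANY app (legacy default).'
} elseif (-not $userConsent) {
    Write-Host 'User consent policy: disabled, admins must approve every app.'
} else {
    Write-Host "User consent policy: $($userConsent -join ', ')"
}

# Cache every service principal once so names can be resolved without extra calls.
$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }

# 2. Application permissions granted on Exchange Online. full_access_as_app is the role
#    named in the Midnight Blizzard write-up: it grants access to every mailbox.
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'   # well-known Office 365 Exchange Online appId
$exo = $spById.Values | Where-Object AppId -eq $exoAppId
$roleName = @{}
foreach ($role in $exo.AppRoles) { $roleName[$role.Id] = $role.Value }

$exoGrants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $exo.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            App        = $_.PrincipalDisplayName
            Permission = $roleName[$_.AppRoleId]
            GrantedOn  = $_.CreatedDateTime
        }
    }
Write-Host "`nApplication permissions on Exchange Online:"
$exoGrants | Sort-Object GrantedOn -Descending | Format-Table -AutoSize
$exoGrants | Where-Object Permission -eq 'full_access_as_app' |
    ForEach-Object { Write-Warning "full_access_as_app held by '$($_.App)' (granted $($_.GrantedOn))" }

# 3. Delegated grants consented by individual users rather than an admin (ConsentType
#    'Principal'). Compare these against the apps the business actually uses and
#    remove grants for anything unknown or no longer needed.
Write-Host "`nUser-consented delegated permission grants:"
Get-MgOauth2PermissionGrant -All |
    Where-Object ConsentType -eq 'Principal' |
    ForEach-Object {
        [pscustomobject]@{
            App       = $spById[$_.ClientId].DisplayName
            Resource  = $spById[$_.ResourceId].DisplayName
            Scope     = $_.Scope
            ConsentBy = $_.PrincipalId
        }
    } | Format-Table -AutoSize
```

Recently granted entries in the Exchange Online list and user-consented grants for apps nobody recognizes are the ones to investigate first; removal is done separately with the corresponding Remove-Mg* cmdlets once the findings have been confirmed.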

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organizations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.

Monthly Threat Report January 2024: Holiday-Focused Attacks on the Decrease, but Danger Remains

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of December 2023.

Executive Summary

  • More advanced email threats are down during this data period, while we’re seeing slightly more low-effort email attacks that are ultimately rejected due to external indicators.
  • We saw a reduction in the use of most file types for the delivery of malicious payloads. Despite the noted decreases, HTML, PDFs, and Archive files remain the top three offenders.
  • The Mining, research, and entertainment industries were the most targeted industries during the data period.
  • Brand impersonations are down, with DHL remaining the number one most impersonated brand.
  • The MOVEit supply chain attack continues to rack up victims, and now that a considerable amount of time has passed, the industry is starting to get a clearer picture of the true scope of the damage.
  • The Albanian government and One Albania Telecom are currently under active attack by the Iranian hacking group “Homeland Justice.”
  • We’re seeing new phishing campaigns targeting both Instagram and Twitter (X) users with the goal of account takeover or access to crypto wallets and other account assets.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for December 2023 compared to November 2023.

Unwanted Emails By Category

The past several months saw a recurring increase in malicious mail traffic, which we see every year around this time. We can attribute this increase to the holiday shopping season. With the holidays now over, it’s no surprise that we’ve seen the trend nearly plateau. Those emails categorized as “threats” and “AdvThreats” saw a decrease. The slight increase in those emails categorized as “rejected” drove a slight decline of 0.4% in “clean” emails. During the lead-up to the holidays, we see an increase in low-effort email attacks in the hope of capitalizing on holiday traffic. These types of attacks are frequently rejected outright due to external indicators. With the holidays now over, we expect this downward trend to continue for the time being.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category    Description
Spam        These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat      These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat   Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected    Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
Clean       These emails were free of threats and delivered.

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

File Types Used in Attacks

During this data period, we saw a net reduction in nearly every category. We attribute this to the observed reduction in the number of more sophisticated email attacks during the data period. Even so, HTML, PDFs, and Archive files remain the top three most used attachment types for delivering malicious payloads.

The noted increase in Excel files may look like a new campaign, but it is not. In absolute numbers, we saw fewer attacks involving Excel documents during the data period. However, Excel files saw a much smaller reduction than the other file types, so with the massive decreases elsewhere, emails with malicious Excel files simply make up a larger share of this month’s data set, which shows up as a percentage-point increase.

Industry Email Threat Index

The following table shows our Industry Email Threat Index, calculated from the number of threat emails compared to each industry’s clean emails (as a median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

As expected, we saw a decrease in the threat index across all industries during the month of December. This lines up with our other data regarding the decrease in the amount of threats. In terms of the top targeted industries, the mining, research, and entertainment industries remained at the top.
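The Industry Email Threat Index calculation described above (and in the identical section of the February report earlier on this page), as an added example that is not Hornetsecurity’s code; the organizations, industries and mail counts are constructed sample data.

```powershell
# Added example (not Hornetsecurity's code): reproduces the Industry Email Threat Index
# method on constructed sample data. Each record is one organization's monthly counts.
$sampleOrgs = @(
    [pscustomobject]@{ Org = 'MineCo A';  Industry = 'Mining'; Threat = 120; Clean = 2880 },
    [pscustomobject]@{ Org = 'MineCo B';  Industry = 'Mining'; Threat =  40; Clean =  960 },
    [pscustomobject]@{ Org = 'MineCo C';  Industry = 'Mining'; Threat = 900; Clean = 2100 },  # heavily attacked outlier
    [pscustomobject]@{ Org = 'Media A';   Industry = 'Media';  Threat =  60; Clean = 1940 },
    [pscustomobject]@{ Org = 'Media B';   Industry = 'Media';  Threat =  15; Clean =  485 },
    [pscustomobject]@{ Org = 'Empty Org'; Industry = 'Media';  Threat =   0; Clean =    0 }   # no mail: no defined share
)

# Step 1: per-organization percent share of threat mail among threat + clean mail.
# Using a share rather than raw counts makes small and large organizations comparable.
function Get-ThreatShare {
    param([Parameter(Mandatory)][int]$Threat, [Parameter(Mandatory)][int]$Clean)
    $total = $Threat + $Clean
    if ($total -eq 0) { return $null }   # an organization with no mail has no share
    return 100.0 * $Threat / $total
}

# Plain median: middle value, or mean of the two middle values for an even count.
function Get-Median {
    param([double[]]$Values)
    $sorted = @($Values | Sort-Object)
    $n = $sorted.Count
    if ($n -eq 0) { return $null }
    if ($n % 2 -eq 1) { return $sorted[[int](($n - 1) / 2)] }
    return ($sorted[$n / 2 - 1] + $sorted[$n / 2]) / 2
}

# Step 2: median of the per-organization shares within each industry.
function Get-IndustryThreatIndex {
    param([object[]]$Orgs)
    $Orgs |
        ForEach-Object {
            $share = Get-ThreatShare -Threat $_.Threat -Clean $_.Clean
            if ($null -ne $share) { [pscustomobject]@{ Industry = $_.Industry; Share = $share } }
        } |
        Group-Object Industry |
        ForEach-Object {
            [pscustomobject]@{
                Industry    = $_.Name
                Orgs        = $_.Count
                ThreatIndex = [math]::Round((Get-Median -Values ([double[]]$_.Group.Share)), 2)
            }
        } |
        Sort-Object ThreatIndex -Descending
}

# Mining: shares 4, 4 and 30 percent -> index 4.0. Media: 3 and 3 percent -> index 3.0.
Get-IndustryThreatIndex -Orgs $sampleOrgs | Format-Table -AutoSize
```

Mining’s index is 4.0 even though one organization sits at 30%, whereas pooling the raw counts (1060 of 7000) would report 15.1% and a mean of the shares 12.7%; the median keeps a single heavily attacked organization from defining its whole industry.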

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Company Brands and Organizations

Like our other data sets listed above, we see evidence here of a decrease in the number of threats. Nearly every brand in our top ten most impersonated brands saw a decline, with a few exceptions, notably PayPal and Sparkasse. According to our data, DHL remains at the top of the list as the brand most impersonated by threat actors.

Major Incidents and Industry Events

MOVEit – The Damage So Far

We’ve discussed the MOVEit zero-day attack in several of these monthly reports. The damage is apparent, and the real-world harm is VERY real. That said, it takes time to get an accurate scope of large supply-chain attacks of this nature. Thankfully, enough time has passed for some gathered data regarding the event to start showing an interesting picture. Kon Briefing has compiled a data collection regarding the MOVEit supply chain attack. The report includes several useful data points, including:
  • Victims
  • Impacted Individuals
  • Most targeted countries
  • Affected organizations
  • Links to official disclosures
  • And more
US-based organizations top the list of victims of this vulnerability’s exploitation, with 2290 impacted US organizations; the next most targeted country is Canada with 152 affected organizations. Perhaps the most jaw-dropping statistic is that upwards of 90 MILLION individuals have been directly impacted as a result of exploitation. Yes, a fix exists, but it’s clear that many impacted organizations have been slow to roll out the needed patches. Whether this is due to negligence or overburdened IT departments remains to be seen. Time will tell; in the meantime, we expect the MOVEit supply-chain attack to remain an issue in the industry for some time.

Albanian Government and Telecom Hit By Cyberattacks

We always take note of major cyber attacks, especially when the target is a nation-state government. It’s been reported that both the Albanian government and One Albania Telecom have been under active attack in a cyber attack of unknown size and scope. This is notable due to the size of the impact (1.5 million affected at One Albania Telecom alone), but it also serves as further confirmation of the trend we’re seeing where nation-states’ digital infrastructure is under attack at a level we haven’t seen before. As of the time of this writing, the attack is ongoing, with the Iranian hacker group Homeland Justice taking responsibility for it.

Attacks like these will continue to draw the attention of world governments as it becomes increasingly apparent that government regulation may ultimately be required to help stave off the wave of rising cybercrime. We’ve discussed the topic of government technology intervention in previous editions of this report and will continue to report on it in future instances as needed.

New Emerging Instagram Phishing Campaign

The industry saw a new Instagram Phishing campaign emerge just in time for Christmas. Target recipients are shown several convincing UIs that walk them through entering one of their 2FA backup authentication codes which the threat-actor then uses to take over the account. Marketing and social media departments will especially want to be on the lookout for this over the coming days.

The phishing email will claim that the account in question is “infringing on copyright.” The sender’s email address, instagram@contact-helpchannelcopyrights.com, even directly supports that claim. As the article states, the convincing UIs and the sense of urgency can make this a tough spot for some novice users.

Twitter’s (X) Status ID handling is Being Used to Forge Phishing Links

A new round of phishing attacks is making its way around the net, this time via Twitter (now known as X). Due to how X handles status IDs, the username portion of an X URL can be replaced with any string, and the post that the status ID pertains to will still be opened regardless of the username change in the URL.

For example, if you went to the URL https://twitter.com/hornetsecurity/status/1733207135247303132#, you would think you’d be navigating to the official Hornetsecurity X page, right? However, you’ll quickly find that it takes you to a post from our security evangelist Andy Syrewicze’s X profile. This is apparently a “feature” of how X works, but it can be leveraged for phishing attacks by bad actors.

Many phishing attempts are making the rounds that use this technique to make the target think they’re being directed to a legit X post from large brands like Binance, the Ethereum Foundation, Chainlink, and other cryptocurrency-related entities. The goal for threat actors here is to gain access to the target user’s crypto wallet and drain it of assets. This is just another area where your average Joe user needs to be trained to make sure the page (or X profile) they’ve ended up at is indeed the legit profile they expect it to be.

Thankfully, most users active in crypto tend to be tech-savvy, but even the most experienced user can be caught off guard. This type of phishing attempt via X could be used for other things as well, such as phishing credentials from other (non-crypto) services to be used later as part of credential stuffing attacks, not to mention the potential use for misinformation. Time will tell how threat actors make use of this method.

Predictions for the Coming Months

  • While we expect the danger of the email threat landscape to remain high, the number of email-based attacks is likely to decrease somewhat as we move away from the holiday season.
  • With the number of potential targets looking for holiday shopping and shipping emails decreasing, it’s feasible that the number of sophisticated email-based attacks will increase over the coming months as threat actors return to their “regularly scheduled programming.”
  • The targeting of nation-state governments will continue, driving the international conversation about the government’s role in the security community.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Yvonne Bernard, CTO Hornetsecurity, on Instagram and Twitter(X) attacks:

It is interesting to see that attackers do not take vacation but rather tailor their attacks to the Christmas season: fake Instagram and Twitter(X) emails catch users when they are more active on social media, DHL and other transport industry phishing attempts use the greediness of the holiday shopping season – no surprise as everyone is waiting for their presents to arrive! It is good to know that our Security Lab is alert and protecting our customers 24/7 – if evil does not take a vacation neither do we!

From Umut Alemdar, Head of Security Lab, on Phishing and Fake Online Stores:

Looking back at December 2023, we witnessed a significant increase in phishing threats, capitalizing on the holiday shopping season. Scammers cleverly created fake online stores, targeting last-minute holiday shoppers. As we move into January, it is crucial to maintain vigilance. The risk of encountering these scams does not vanish with the holidays; leftover fake deals and cleverly disguised emails may still circulate. Therefore, it is advisable to remain skeptical of overly attractive offers and always verify the legitimacy of online stores before making purchases or sharing personal information. The start of a new year is a good time to reinforce safe online practices to protect against phishing threats.

 

Monthly Recommendations

  • It’s a good time to revisit security awareness training with end-users. After the holidays and extended vacations, a friendly reminder of the dangers that lurk in mailboxes can help get workers on the defensive again as we move into the new year.
  • Train your social media and marketing teams about the newly emerging phishing threats on both Instagram and X.
  • If your organization uses the MOVEit file transfer software and you still need to apply the patches to fix last year’s major supply chain attack, plan to do so now.


Monthly Threat Report December 2023: Holidays Bring Malicious Email and Lots of Patches to Apply

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of November.

Executive Summary

  • While those email threats categorized as “Threats” and “AdvThreats” are down, the amount of low-effort, easily-detected email threats is up. That said, the overall email threat landscape remains dangerous with a high volume of malicious traffic, which is common for this time of year.
  • The usage of HTML and PDF files to deliver malicious payloads in email attacks is up for this reporting period.
  • Every industry, except for the transport industry, has seen an increase in email-based threats over this data period.
  • DHL remains the most impersonated global brand in email attacks.
  • We’ve seen a noted increase in M365 brand impersonations, likely driven by the increased popularity of reverse-proxy phishing kits like EvilProxy.
  • Hacktivists breached the US Department of Defense-run Idaho National Laboratory and many employee records were leaked on the dark web. This continues to add weight to international conversations about regulating cybersecurity practices.
  • Microsoft fixed 63 security vulnerabilities in its monthly Patch Tuesday release. This includes five zero-day vulnerabilities. Organizations are urged to apply the fixes as soon as possible.
  • Major vulnerabilities in Intel and AMD CPUs put multi-tenant deployments at risk. Patches are available.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for October 2023 compared to November 2023.

Unwanted Emails by Category

This month’s report shows that the email threat landscape is quite similar to the previous data period. The number of email threats remains high, but we’re seeing a slight increase in “low-effort” email attacks that quickly get categorized as “Rejected.” This is likely because we’re currently in the middle of the holiday season, and threat actors are looking to sustain high amounts of simple attacks to catch people unaware. This is a common trend we see every year around this time.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

The other categories in the image are described below:

  • Spam: These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
  • Threat: These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
  • AdvThreat: Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
  • Rejected: Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

File Types Used in Attacks

Despite the subtle change in the categorization of email traffic over this data period, the file types in email attacks have notably changed compared to the previous month. The usage of HTML and Archive files has risen, with HTML files accounting for nearly 40% of all malicious file types during the reporting period.

HTML and archive files are both file types usable on several different platforms. Regardless of the target’s operating system or platform, the victim can most likely interact with the malicious payload somehow, making these file types popular amongst threat actors.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

Except for the transport industry, our data shows more threats were levied against EVERY industry vertical during November than in the previous month. Again, this trend reflects the holiday season, during which we see the number of email-based threats increase.

That said, we have observed that the amount of threats has increased for some industries more than others. For example, mining, manufacturing, and media organizations saw the most significant increases. Manufacturing and mining can both be seen as focused targets because it is the end of the year, and many organizations are attempting to meet quotas, driving the need for orders and raw materials. On the other hand, the media industry is often a prominent target of nation-state actors looking to influence global discussion and standing through misinformation.

Regardless of these differences, however, our data shows that it DOES NOT matter what industry vertical you’re in. If you can pay a ransom, your organization is a potential target.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

The data regarding impersonated brands in email attacks has also shown some stark differences this month. We’ve observed a significant increase in malicious emails impersonating German banks and the German telecom company 1&1. More interestingly, though, we’ve seen a noted uptick in M365 brand impersonations.

Reverse-proxy phishing kits, like EvilProxy, have become a popular tool amongst threat-actor groups as of late. These types of tools make it simple for threat actors to capture M365 session tokens. The victim believes they are signing into a legitimate M365 portal, and once they’ve entered their credentials, they’re directed to the real M365 portal, thinking nothing is amiss. The real nefarious thing about this attack style is that once the threat actor holds a valid Microsoft Entra session token for the victim, they can log in as that user while bypassing MFA protections.

This increase can be attributed to the rise in popularity of such tools.

Major Incidents and Industry Events

Hacktivists Breach INL (Idaho National Laboratory)

At first glance, some may think SiegedSec’s breach of INL was just another everyday cyber attack. That is, until you realize that INL is a nuclear research center under the purview of the US Department of Energy. Even though no research material is thought to have been pulled from INL’s network by the attackers (as of this report), staff and HR-related records were, in fact, exfiltrated and leaked online.

The breach of a government-sponsored entity isn’t a new occurrence. However, looking at this incident alongside other government-related breaches adds weight to the argument for government oversight of cybersecurity practices. We’ve discussed in this monthly report that the governments of the world are increasingly losing patience, and early signs of government intervention and regulation are starting to look possible. This was most recently clear in the aftermath of the Storm-0558 breach that led to information being stolen from the US State Department. Other governments across the world, from the EU to Australia, have also started introducing additional cybersecurity regulations. Time will tell what impact such regulation will have on the industry.

A Doozy of a Patch Tuesday

Many Patch Tuesdays from Microsoft come and go without much fanfare, but the November Patch Tuesday was significant. The November collection of patches from Microsoft addressed 63 vulnerabilities, INCLUDING 5 zero-days with a CVSS score of 6.5 or higher.

A summarized list is shown below:

  • CVE-2023-36025 (CVSS 8.8): SmartScreen security bypass vulnerability, allowing attackers to bypass Windows Defender SmartScreen checks.
  • CVE-2023-36033 (CVSS 7.8): Windows DWM Core Library privilege escalation vulnerability allowing attackers to achieve SYSTEM level privileges.
  • CVE-2023-36036 (CVSS 7.8): A Cloud Files Mini Filter Driver elevation of privilege vulnerability. This CVE can also escalate the attacker to SYSTEM-level access.
  • CVE-2023-36038 (CVSS 8.2): ASP.NET Denial of Service Vulnerability.
  • CVE-2023-36413 (CVSS 6.5): A Microsoft Office Security Feature Bypass. It could potentially allow unauthorized access to Office applications.

Reptar and CacheWarp: New CPU Vulnerabilities in the Wild

A pair of new CPU vulnerabilities from this past month are going to require the attention of security teams. Both Intel and AMD have issues that need to be addressed, and both have provided patches for the vulnerabilities. What’s so interesting about these particular flaws is that they can both impact dense multi-tenant deployments, like large cloud hosting services. That said, while the large cloud hosting platforms are applying patches, so should you if you’re running on-premises data centers.

More details below:

AMD CacheWarp

CacheWarp is an exploit that allows a threat actor to infiltrate virtual machines protected by AMD’s Secure Encrypted Virtualization (SEV) technology and is being tracked under CVE-2023-20592. AMD has released a patch.

Intel Reptar

Reptar is an exploit that not only allows an attacker to bypass CPU security boundaries but can potentially cause denial of service and privilege escalation as well. This vulnerability is being tracked as CVE-2023-23583, and a fix is available.

Predictions for the Coming Months

Holiday-driven spam and malware campaigns will continue throughout the next month or two, with shipping and financial brands continuing to be impersonated in such attacks.

More information is likely to come out regarding the INL breach. It is expected to spur additional discussion within the US federal government regarding cybersecurity best practices within government agencies and related entities.

Recently disclosed Zero-Days are likely to see exploitation in the wild. Yes, patches are available, but they take time to apply, and the race is on between threat actors and defenders.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Umut Alemdar, Head of Security Lab, on the importance of proactive cybersecurity measures during the holiday season:

The holiday season often marks an escalation in cyber threats, a trend that becomes more challenging due to the reduced availability of security teams who might be on vacation. A prime example was the zero-day vulnerability CVE-2021-44228 (log4j), which emerged shortly before Christmas and caught many organizations and IT teams off guard. This incident highlights the need for organizations to remain on high alert during the holidays and promptly apply security patches, especially for critical vulnerabilities like zero-day exploits. It also helps to raise awareness against seasonal phishing attacks.

From Andy Syrewicze, Security Evangelist, on CPU Microcode Updates:

I come from a background of infrastructure management, so infrastructure security is always top of mind for me. When I see vulnerabilities like CacheWarp and Reptar show up in the industry I often think back to organizations I’ve advised in the past that haven’t put much emphasis on NON-OS patches (like a microcode update). I would urge admins to NOT delay on rolling out the fixes for CacheWarp and Reptar. These vulnerabilities are just as real and dangerous as an OS-level vulnerability. This is especially true, in this case, for multi-tenant environments. If you work with a hosting provider for IaaS services, make sure you check with them and ask about their plans for deploying the applicable fixes from AMD/Intel. Today’s threat-actors will use any and every vulnerability at their disposal to launch attacks, and CacheWarp and Reptar are no exception.

Monthly Recommendations

  • Continue to communicate with end-users regarding the holiday uptick in malicious email traffic and adopt a next-generation email security solution if you don’t have one in your environment today.
  • If your organization has not yet applied Microsoft’s security fixes from November, it is HIGHLY recommended that you do so.
  • Urgently take steps to apply the CPU microcode updates from Intel and AMD – especially if you are a hosting organization.
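The recommendation above, and Andy’s commentary on NON-OS patches, both come down to one operational question: which microcode revision is each host actually running? On Linux the kernel exposes the active revision in the “microcode” field of /proc/cpuinfo. The following is an added example (not Hornetsecurity’s, Intel’s or AMD’s code) that parses that file’s format and compares every distinct CPU type against a minimum-revision baseline. The cpuinfo text is constructed, and the baseline revisions are placeholders; the real minimums come from the vendor advisories for CacheWarp and Reptar.

```python
"""Added example (not Hornetsecurity's, Intel's or AMD's code): reads the
microcode revision the kernel reports per CPU (the 'microcode' field of
/proc/cpuinfo on Linux) and compares it with a minimum-revision baseline.
Baseline values are PLACEHOLDERS; the cpuinfo text below is constructed.
"""

# Constructed /proc/cpuinfo excerpt: two Intel logical CPUs and one AMD CPU.
# Field layout matches the real file; model numbers and revisions are invented.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: Constructed Intel Xeon sample
stepping\t: 7
microcode\t: 0x00000a00

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: Constructed Intel Xeon sample
stepping\t: 7
microcode\t: 0x00000a00

processor\t: 2
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 1
model name\t: Constructed AMD EPYC sample
stepping\t: 1
microcode\t: 0x00000c00
"""

# PLACEHOLDER baseline: (vendor, family, model, stepping) -> minimum microcode
# revision. Replace these with the revisions listed in the vendor advisories.
PLACEHOLDER_BASELINE = {
    ("GenuineIntel", 6, 85, 7): 0x00000b00,
    ("AuthenticAMD", 25, 1, 1): 0x00000c00,
}


def parse_cpuinfo(text: str) -> list:
    """Split /proc/cpuinfo into one dict per logical processor (blank-line separated)."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def check_microcode(text: str, baseline: dict) -> list:
    """One finding per distinct CPU type with status 'ok', 'outdated' or 'no_baseline'."""
    findings = {}
    for cpu in parse_cpuinfo(text):
        key = (cpu["vendor_id"], int(cpu["cpu family"]),
               int(cpu["model"]), int(cpu["stepping"]))
        if key in findings:
            continue  # same CPU type already reported
        loaded = int(cpu["microcode"], 16)
        required = baseline.get(key)
        if required is None:
            status = "no_baseline"
        elif loaded >= required:
            status = "ok"
        else:
            status = "outdated"
        findings[key] = {"vendor": key[0], "family": key[1], "model": key[2],
                         "stepping": key[3], "loaded": loaded,
                         "required": required, "status": status}
    return list(findings.values())


if __name__ == "__main__":
    # On a real host, replace SAMPLE_CPUINFO with open("/proc/cpuinfo").read().
    for f in check_microcode(SAMPLE_CPUINFO, PLACEHOLDER_BASELINE):
        req = "n/a" if f["required"] is None else f"0x{f['required']:08x}"
        print(f"{f['vendor']} family {f['family']} model {f['model']} stepping "
              f"{f['stepping']}: loaded 0x{f['loaded']:08x}, required {req} -> {f['status']}")
```

The reported revision is whatever is active, whether the firmware loaded it or the OS early-loaded it, so the same check tells you if a BIOS update or an OS microcode package did its job. For a hosting fleet, collect the file from every node and feed each one through the same baseline.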

Monthly Threat Report November 2023: Holiday Email Threat Increases and More Zero-Days

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from October.

Executive Summary

  • Spam messages are slightly up over the data period, while those emails classified as “Threats” and “AdvThreats” are slightly down. That said, the state of email security risks in the industry remains high.
  • The use of PDF files to deliver malicious payloads via email has risen over the last month. This is likely driven by post-QakBot botnets such as DarkGate.
  • The research industry has seen the most significant increase in attack targeting over the data period and is number one on our list of most targeted industries. The mining and entertainment verticals were second and third place, respectively.
  • Shipping and Finance brands have seen increases in brand impersonation attempts over the last month. This trend will continue due to the upcoming holiday shopping months.
  • Microsoft has started to roll out the promised logging changes in response to the cloud services attack by Storm-0558.
  • A significant vulnerability in Citrix NetScalers dubbed CitrixBleed has the industry scrambling to apply patches. The vulnerability has been exploited in the wild since at least August, according to Mandiant.
  • The Securities and Exchange Commission has brought charges against SolarWinds and its CISO for fraud and security lapses regarding the late 2020 SunBurst incident.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for October 2023 compared to September 2023.

Unwanted Emails by Category

October saw a slight increase in the number of emails classified as “spam,” while “threats” and “AdvThreats” were down slightly. As we stated in last month’s report, the overall email threat landscape remains dangerous, with a high volume of current threats that will likely persist for some time, especially as we move into the holiday months.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

The other categories in the image are described below:

  • Spam: These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
  • Threat: These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
  • AdvThreat: Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
  • Rejected: Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

File Types Used in Attacks

The usage of HTML and Archive files is down over the data period, while the use of PDF and disk images is up. One reason for the suspected increase in PDF files is the fact that they are the preferred delivery mechanism for some of the newer (post-Qakbot) botnets such as DarkGate. While the vector of attack for DarkGate has pivoted somewhat towards instant messaging, the attacks can also be seen via email.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

During this data period, we have observed a net decrease in threat indices across all industries except for the research vertical. The research industry remains at (or near) the top of the list for this month’s report. According to our data, this industry has seen a consistent threat landscape for some time and is frequently in the top 3 targeted industry sectors. This is mainly because research organizations often work with sensitive intellectual property and supporting data, making them ripe targets for threat actors who can not only attempt to deploy ransomware against the organization but also threaten to release said data to the public via double-extortion attacks.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

Shipping and finance brands continue to top our list of most impersonated brands for this month’s report. Even though the number of DHL brand impersonations is down, the global shipping vendor remains at the top of the list. Amazon, Mastercard, and PayPal also saw noted increases. Another trend we have observed this month is a significant increase in brand impersonation attempts for several German banks. Increases for shipping and finance organizations are not uncommon at this time of year, as many threat actors try to capitalize on the holiday shopping season and attempt to sneak into end users’ inboxes posing as one of these organizations.

Major Incidents and Industry Events

Update on Storm-0558

Thankfully, there has been no further negative news surrounding the Storm-0558 breach that occurred earlier this year. For those who are unaware, Storm-0558 is the designation that Microsoft gave to a group of nation-state threat actors that managed to procure a Microsoft consumer signing key. The group then used that signing key to forge authentication tokens to gain access to Microsoft cloud services. We have covered this breach extensively through these monthly reports since the news broke.

That all said, Microsoft has made a new announcement regarding this case, confirming that it has begun to roll out some of the logging changes promised during its post-mortem analysis of the breach. Notably, Microsoft itself did not detect the Storm-0558 breach. The US State Department is the entity that brought the breach to Microsoft’s attention, and this was ONLY because the State Dept. had the premium logging capabilities licensed and enabled for the applicable cloud services.

This was a HUGE point of criticism against Microsoft, as many security experts in the industry pointed out that adequate logging should not be placed behind a paywall of any kind. Thankfully, Microsoft has taken this criticism seriously and has started rolling out these logging capabilities as promised. Said changes included extended default retention policies, additional capabilities, and more. While this change is welcome and does help, the question of over-reliance on Microsoft for security continues to be asked in the security community. We’ll continue to provide updates on this case as new developments occur.

CitrixBleed

October 10th saw the industry add another major zero-day flaw to the list for 2023, this time from Citrix. CVE-2023-4966 (known as CitrixBleed) is a flaw in Citrix NetScaler devices and has seen exploitation in the wild since August, as reported by Mandiant. This vulnerability allows attackers to force the system to return system memory via a specially crafted HTTP GET message. The memory dump contains post-authentication session tokens that the attacker can use to log in to the device while bypassing MFA. Once an attacker gains access to the system, the goal is often lateral movement, privilege escalation, persistence, and data exfiltration. Thankfully, Citrix has released a patch, urges customers to install it ASAP, and also recommends taking the extra step to kill all existing sessions as outlined in their official notice.

This vulnerability is a stark reminder to the industry that comprehensive security involves more than just endpoints, servers, and cloud services. Network devices, IoT devices, and other components that are often afterthoughts can be easy stepping stones for threat actors to use to access critical data. If you still need to make a plan for patching these types of devices in your environment, make sure you get them on your schedule ASAP.
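The reverse-proxy phishing kits described in the December 2023 report above and the CitrixBleed memory leak described here end the same way: a valid post-MFA session token is presented by someone other than the client that earned it. Neither the MFA prompt nor the password can catch that, but the access layer can, because the token now arrives from a different network and usually a different browser. The following is an added example (not Hornetsecurity’s, Citrix’s or Microsoft’s code) of that detection over constructed log lines; the log format, field names, users and addresses are all invented for the example. It records the client that completed MFA for each session and flags later requests on the same session from elsewhere, plus sessions that were never seen authenticating at all.

```python
"""Added example (not Hornetsecurity's, Citrix's or Microsoft's code): flag a
session token being replayed from a client other than the one that completed
MFA. Log format, users, session ids and addresses are constructed.
"""
import re
from ipaddress import ip_address

# Constructed sample log. s-1 is replayed from a new network and browser after
# its owner logged in; s-2 moves within its own /24 (e.g. a NAT pool); s-3 is
# presented without any login having been seen by this front end.
SAMPLE_LOG = """\
2023-11-02T08:00:01Z event=login_mfa user=alice sid=s-1 ip=203.0.113.5 ua=Edge/119
2023-11-02T08:00:09Z event=request   user=alice sid=s-1 ip=203.0.113.5 ua=Edge/119
2023-11-02T08:03:44Z event=request   user=alice sid=s-1 ip=198.51.100.77 ua=Chrome/118
2023-11-02T08:05:00Z event=login_mfa user=bob   sid=s-2 ip=192.0.2.10 ua=Chrome/118
2023-11-02T08:06:12Z event=request   user=bob   sid=s-2 ip=192.0.2.11 ua=Chrome/118
2023-11-02T08:07:30Z event=request   user=carol sid=s-3 ip=198.51.100.78 ua=Firefox/119
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """'<timestamp> k=v k=v ...' -> dict of fields, timestamp stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def same_slash24(a: str, b: str) -> bool:
    """True when two IPv4 addresses share their first three octets."""
    return ip_address(a).packed[:3] == ip_address(b).packed[:3]


def detect_session_anomalies(log_text: str) -> list:
    """Compare every request against the client that authenticated its session."""
    baseline = {}  # sid -> (ip, user agent) recorded at the MFA login
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        sid = rec["sid"]
        if rec["event"] == "login_mfa":
            baseline[sid] = (rec["ip"], rec["ua"])
            continue
        if sid not in baseline:
            # A token used here that no login on this front end produced: it was
            # obtained elsewhere, or logs are incomplete. Either way, investigate.
            findings.append({"sid": sid, "user": rec["user"], "ts": rec["ts"],
                             "reason": "orphan_session", "severity": "medium"})
            continue
        auth_ip, auth_ua = baseline[sid]
        if rec["ip"] == auth_ip:
            continue
        new_network = not same_slash24(rec["ip"], auth_ip)
        if new_network and rec["ua"] != auth_ua:
            severity, reason = "high", "ip_and_user_agent_changed"
        elif new_network:
            severity, reason = "medium", "ip_changed_new_network"
        else:
            severity, reason = "low", "ip_changed_same_slash24"
        findings.append({"sid": sid, "user": rec["user"], "ts": rec["ts"],
                         "reason": reason, "severity": severity,
                         "auth_ip": auth_ip, "seen_ip": rec["ip"]})
    return findings


if __name__ == "__main__":
    for f in detect_session_anomalies(SAMPLE_LOG):
        print(f"[{f['severity']:6s}] {f['ts']} user={f['user']} sid={f['sid']} {f['reason']}")
```

On a high-severity hit, the response is the one Citrix gives for CitrixBleed: terminate the session server-side (and every other session on the device once it is patched), since the attacker holds the token, not the IP address. Blocking the source address alone leaves the token valid.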

SEC Repercussions for SolarWinds

Even though not directly technical, the next item on this month’s list has some serious implications for the security industry. It’s been clear for some time now that various governments and business regulatory bodies have begun losing patience with the increase in security lapses in recent years. This can be seen, for example, in Australia, where steep fines are now levied against organizations that do not take relevant steps to provide proper cybersecurity. Or, another example is the Department of Homeland Security’s Cyber Safety Review Board investigation of the recent Microsoft Cloud issues.

The latest example of this comes from the US Securities and Exchange Commission (SEC), and it targets SolarWinds, specifically over its SunBurst vulnerabilities from late 2020. While SunBurst is old news in the security space, the SEC has taken the unprecedented step of charging SolarWinds and its CISO with “Fraud and Cybersecurity Failures”. This can be seen as a clear escalation by governing bodies and agencies and would mark one of the first times that actual charges are being filed regarding alleged security negligence against an organization AND (more shockingly) a specific officer within said organization. Whether or not the charges are valid, many see this as a step too far, and some fear that this will keep talented and competent security professionals from stepping into the CISO role for fear of legal risk. It’s still early days regarding this case. Still, the security community is watching, and we’ll continue to monitor this in future reports as the impact on the security community could be significant.

Vulnerability in Curl

Thankfully, it has been found that exploiting a recently discovered curl vulnerability is quite difficult. That said, we felt it was worth mentioning the disclosed curl vulnerabilities here due to the vastness of those impacted. For those who are unaware, curl is a commonly used system utility for transferring data using a variety of protocols. It’s present in most operating systems, including Windows, macOS, and Linux. Due to that fact, this vulnerability has a large potential blast radius.

The vulnerability is being tracked under two CVEs – CVE-2023-38545 and CVE-2023-38546. Impacted organizations should apply the patches applicable to their operating systems.

Predictions for the Coming Months

The Holidays Will Drive an Increase in Malicious Emails

The holidays bring an increase in shipping, family communication, and financial transactions during November and December every year. Threat actors know this and will seek to hide malicious emails amongst that holiday communication. This will take the form of brand impersonation emails (particularly that of shipping companies), financial scams, charity fraud, and others.

We’ll Start to See the Industry Fallout from the CitrixBleed Vulnerability

Like other large-scale attacks impacting a large number of enterprise customers, we won’t know the extent of the damage for some time. The fact that this vulnerability was actively being exploited for a month or more before disclosure means that many organizations may have been impacted and not yet know it. With the vulnerability publicly known now, the race is on for IT teams to get mitigations into place before threat actors can target them. The extent of the damage is likely to start making some small ripples in the news in the coming days.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Umut Alemdar, Head of Security Lab, on the SEC’s actions against cybersecurity failures and the holiday season:

The SEC’s actions against cybersecurity failures mark a significant shift in regulatory oversight. This development should prompt organizations to reassess their compliance and cybersecurity frameworks, ensuring they align with evolving legal and ethical standards. I am excited to see how company boards will adapt and enhance their governance structures in response to these regulatory changes. As we approach the holiday season, a predicted spike in malicious emails necessitates a heightened state of alertness. This is an excellent time for CISOs and security teams to reinforce security training, update phishing response protocols, and ensure that all systems are adequately protected against the latest threat vectors. Stay safe!

From Andy Syrewicze, Security Evangelist, on the security of network appliances:

The recent Citrix NetScaler vulnerabilities are a good reminder for all organizations to re-evaluate their security posture and patching strategies. I’ve sadly seen it happen too many times where an organization will make great efforts to secure their servers, endpoints, and cloud services while switches, routers, and network appliances go years without firmware updates or patching. This goes for IoT devices as well. Any connected system is a potential foothold for an adversary, and businesses will only have a holistic security posture once ALL connected devices are taken into consideration.

Monthly Recommendations

  • Be aware of holiday spam and email scams and communicate the likely increase in malicious traffic to your end users. Also, consider investing in a trusted security awareness service to help educate your end users on these dangers.
  • Take advantage of new logging offered by Microsoft. As we discussed earlier in the report, Microsoft is offering some additional logging capabilities for cloud services. The extra visibility can help organizations keep an eye on their environments and is crucial to spotting anything out of the ordinary.
  • Apply Citrix NetScaler Patches and apply the proper mitigations if applicable to your organization.

Monthly Threat Report October 2023

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of September 2023.

Executive Summary

  • Email threats remained nearly the same as the previous month throughout the data period at an alarming level.
  • HTML file usage for delivery of malicious payloads is down, while PDF and archive usage is up. All common operating systems support these file types. Hence, attackers continue to arm them with malicious intent.
  • The Entertainment and Mining industries remain the two most targeted industries over the last 30 days.
  • There has been a notable increase in brand impersonation phishing emails over the data period, with marked increases for the Netflix, FedEx, DocuSign, and T-Mobile brands.
  • Microsoft continues to experience security incidents, which raises questions about its security culture.
  • A critical vulnerability in the libwebp library that encodes and decodes WebP images has prompted many affected applications to rush out patches. We predict that threat actors will rush to capitalize on this.
  • We predict we will continue to see a trickle of information regarding the Storm-0558 breach due to US Government investigations. Recent reports highlight that threat actors managed to exfiltrate around 60,000 emails from 10 State Department accounts.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for September 2023 compared to August 2023.

Unwanted Emails by Category

The change in the amount of unwanted emails by category was nearly negligible for the data period. We saw a SLIGHT increase in the amount of threats and advanced threats but nothing noteworthy.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

The other categories in the image are described below:

  • Spam: These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
  • Threat: These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
  • AdvThreat: Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
  • Rejected: Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File Types Used in Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

File Types Used in Attacks

Top File Types in Email Attacks

  • Archive and PDF usage is up
  • HTML file usage is down

This month saw an increase in the use of PDF files to deliver malicious payloads. One common payload delivered this way during the data period is the DarkGate malware. We suspect that several threat actors who were previously shipping Qakbot via malicious PDFs have shifted to DarkGate instead, which is why we now see more malicious PDF files.

If you would like to read more of our commentary on the results of last month’s disruption of the Qakbot botnet, please see the report from the previous month.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

Overall, we observed a slight net increase in threats across most industries during the defined data period for this report. This correlates with the slight increase in threats, as discussed earlier in the report.

The top targeted industries continue to be the entertainment and mining sectors – the same as last month. That said, there was a noticeable increase in email threats levied at the research and manufacturing verticals. This is a trend we will continue to watch in the coming days.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

We observed major increases in brand impersonation attempts throughout the data period of this report. While DHL remains the most impersonated brand by a large margin, Netflix, DocuSign, LinkedIn, FedEx, and T-Mobile all saw significant increases over the previous month.

Continued Impersonation of Shipping Organizations

As we have reported during the previous two months, it is common to see shipping organizations near the top of the impersonated list simply because package shipment is quite common in our post-COVID world. If attackers can land a phishing message about your “pending package delivery” in your inbox at the right moment, you have a greater chance of interacting with it.

Significant Increase in T-Mobile Brand Impersonation Attempts

One possible reason for the T-Mobile increase is yet another potential data leak from the US telecom organization: an application “glitch” allowed users to see the account details of other customers, not just their own. It is common to see threat actors use information from such situations.

Variations of DocuSign Impersonation Phishing Emails

Also worth noting when it comes to recent DocuSign phishing messages is that some threat actors have fallen back to simply embedding a link behind images in their brand impersonation emails, as shown below:

DocuSign Brand Impersonation Phishing URL Image

That said, we continue to see the traditional method of DocuSign brand impersonation, where the attacker uses HTML to reproduce the legitimate DocuSign email more accurately:

DocuSign Brand Impersonation Phishing HTML

Also of note is a current DocuSign impersonation campaign specifically targeting the US Department of Veterans Affairs (VA). We have included a screenshot of this particular phishing message in the image below:

DocuSign Brand Impersonation with VA Branding

Major Incidents and Industry Events

Microsoft Storm-0558 Breach Update

As discussed in our two previous iterations of this monthly report, we have some additional commentary on the Storm-0558 Breach. If you are unaware of the background of this particular attack, please see the section in last month’s threat review where we provided several key details behind the breach. The short version is that Chinese Nation-State threat actors procured a Microsoft consumer signing key and used it to forge authentication tokens to gain access to Microsoft cloud services.

What is new this month is that we now have some confirmed reports as to the extent of the damage. Previously, we only had communications from Microsoft that “approximately 25 organizations” had been impacted. We now have confirmation that 60 thousand emails from the US State Department had been exposed as a result of this breach. In addition, the attackers took a complete list of the department’s email addresses. This makes the targeting of future attacks much more effective for threat actors.

We likely have not seen the end of news about this breach, so we will continue to watch for updates in the coming weeks.

Another Microsoft Data Breach Involving 38 TBs of Data

It has been a bad couple of years for Microsoft on the security front, and it is not improving. Even after the Storm-0558 fiasco mentioned above, there is already a net new cybersecurity incident at Microsoft, this time involving 38 TB of private data. To quote Microsoft:

Microsoft investigated and remediated an incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly permissive Shared Access Signature (SAS) token for an internal storage account.

The notice from Microsoft would have you believe that the breach was quickly remediated and no damage was done. While they claim that no customers were impacted, it is worth noting that Microsoft’s notice says nothing about what the 38 TB data trove contained. Researchers from Wiz, who disclosed the breach to Microsoft, stated that the trove included the personal backups of two Microsoft employees and that those backups included:

The backup includes secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.

While, yes, customer data was likely not impacted, this is not a breach to be simply swept under the rug. The items exposed in this breach (secrets, private keys, passwords, and internal Teams messages) will undoubtedly be used in other attacks, and the data also provides insight into Microsoft’s internal workings and technology stack.
At the very least, it is another line item on a growing list of Microsoft security lapses over the past three years, a list that continues to bring Microsoft’s commitment to ecosystem security into question.

Critical libwebp Vulnerability

One critical CVE that came to light during the data period, and that system admins and security professionals should be aware of, is a vulnerability in the libwebp image encoding/decoding library. A specially crafted WebP image, delivered for example through an HTML page, triggers a heap buffer overflow in the decoder, allowing arbitrary code execution or denial of service.

This CVE was originally tracked by Google as a Chrome-specific vulnerability, but it quickly became apparent that it was NOT a Chrome-only issue. The vulnerability is now tracked as CVE-2023-4863 with a CVSS score of 8.8, and the set of impacted applications is quite large. The list below contains just some of the applications that have been reported as vulnerable:

  • Chrome
  • Firefox
  • Microsoft Edge
  • Skype
  • Electron-Based Apps (Like Microsoft Teams)
  • Signal
  • 1Password
  • Brave
  • Opera

It is also worth noting that some in the security space see a potential link between this vulnerability and an iOS vulnerability reported to Apple by the security researchers at Citizen Lab and tracked as CVE-2023-41064. It is believed that the NSO Group used that vulnerability in an exploit chain called “BLASTPASS” to deliver its Pegasus spyware.
The recommendation is to patch all affected software quickly.

Predictions for the Coming Months

It remains to be seen which malicious application will ultimately fill the void left by last month’s disruption of the Qakbot botnet. We expect to see several different malware variants in the coming days; still, as of now, DarkGate looks like a likely option for threat actors. We will continue to monitor this in future reports.

We predict that the fallout from the Storm-0558 breach will continue for some time. While we heard numbers from the US State Department this month, more details will likely come to light in the coming days. This will be primarily driven by the ongoing DHS Cyber Safety Review Board investigation into the incident and US government consumption of cloud services in general. The result may be more information and new government policies on the usage of cloud services.

Finally, we also predict that threat actors will seek to capitalize on the libwebp vulnerability disclosed over the last month. Given how far this vulnerability reaches, it will take the industry time to roll out patches, and there will likely be successful in-the-wild exploitation before we see the end of it.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Andy Syrewicze, Security Evangelist, on further Microsoft Security Incidents:

There was a time where I couldn’t see Microsoft being the source of so many data incidents but the last 3 years are proof that it was an unrealistic expectation. It’s no secret that when you’re a major cloud vendor, you become a target. However, the whole business model of the Microsoft Cloud is built around trust, and that trust is failing at this moment for many in the industry. With as crucial as Microsoft Cloud Services are to the general public, I don’t think there has ever been a time where the expertise of independent, third-party security vendors has been needed more. In light of all the recent breaches, Microsoft needs to win trust back, and they’re going to have to be open, transparent, and work with the vendor community in order to do so.

From Umut Alemdar, Head of Security Lab, on zero-day vulnerabilities in 2023:

The cybersecurity state in September 2023 is alarming, with the number of reported zero-day vulnerabilities increasing significantly from around 52 in 2022 to approx. 77 so far in 2023. One of the most critical zero-day vulnerabilities discovered in 2023 is CVE-2023-5129, a heap buffer overflow in the libwebp image library. This vulnerability is being actively exploited in the wild and allows attackers to execute arbitrary code on victim systems. Businesses should invest in cybersecurity measures to protect themselves from the increasing threat of zero-day vulnerabilities. By implementing a comprehensive cybersecurity strategy and regularly training employees on cybersecurity best practices, businesses can help mitigate the risk of being attacked. But remember, even with preventive measures, some zero-day vulnerabilities can still be exploited. Event logging and business recovery measures, such as backups for critical systems, are critical for detecting, investigating, and recovering from zero-day attacks.

Monthly Recommendations

  • Urgently get patches installed for applications in your environment that are affected by the libwebp vulnerability. The best place to start is to ensure web browser updates are handled first.
  • With the increase in brand impersonation attempts and cleverly disguised phishing messages, it is an excellent time to review your email security posture as well as your internal practices for security awareness training. These services will go a long way towards preventing end-users from falling prey to this noted increase.
  • Specifically, if you use DocuSign internally, ensure you communicate the best methods for spotting DocuSign phishing emails to those in your organization who are most likely to encounter them.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organizations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.

Monthly Threat Report September 2023: The Demise of Qakbot?

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of August.

Executive Summary

  • Our data shows that there was a slight decrease in threats for this report’s data period.
  • HTML files continue to be the most common file type used to deliver malicious payloads. This was correlated with a continued decrease in the use of malicious PDF and archive files, likely due to the disruption of Qakbot.
  • The entertainment and mining verticals were the most targeted industries over the past month.
  • DHL continues to be the most impersonated brand in phishing attacks, with noted increases in Netflix, Mastercard, and others.
  • The FBI’s disruption of the Qakbot botnet will cause associated threat actors to use other botnets on the dark web.
  • Microsoft has yet to release more details regarding the Storm-0558 breach, and the US Government has taken steps to investigate the situation.
  • A French government agency and a software vendor in the gaming space both had breaches that accounted for the PII of roughly 14 million individuals being stolen by threat actors.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for August 2023 compared to July 2023. 

Unwanted Emails By Category

This month saw a negligible decrease in messages in the “Threat” and “AdvThreat” categories compared with July’s data. As a result, there was a slight increase in the “Rejected” emails for this data period. 

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity. 

Other categories in the image are described in the table below: 

Category    Description
Spam        These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat      These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat   Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected    Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File Types Used in Attacks

The following table shows the distribution of file types used in email attacks throughout the data period. 

Top File Types in Email Attacks

HTML file usage continued the increasing trend seen in previous months, while there has been a significant reduction in malicious PDF and archive files. This can likely be attributed to the FBI’s disruption of the Qakbot botnet, because Qakbot frequently used PDFs as a means to infect new machines.

We continue to see a decrease in the use of Excel and Word documents to deliver payloads. We continue to attribute this change to Microsoft’s decision to disable macros in Office applications by default, which is a positive change for the industry.

Other notable changes over the last month include a noticeable increase in malicious archive files and slight increases in the use of Excel files, Word docs, and executable files. With this in mind, we continue to attribute the current low usage of Office documents for payload delivery as a direct result of Microsoft’s decision to disable macros in Office applications by default.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.
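As an added example (not Hornetsecurity's code or data), the index calculation described above, which is the same definition used in the previous report on this page, run over constructed sample organisations; it also contrasts the median with a plain mean to show why the median is used.

```python
# Added example (not Hornetsecurity's code): the Industry Email Threat Index
# computation described above, run over constructed sample organisations.
from collections import defaultdict
from statistics import median

# Constructed sample data: (organisation, industry, threat emails, clean emails).
# Note the very different absolute volumes, and one tiny org receiving only threats.
SAMPLE_ORGS = [
    ("org-a", "Mining", 120, 4880),
    ("org-b", "Mining", 3, 97),
    ("org-c", "Mining", 40, 960),
    ("org-g", "Mining", 10, 0),          # outlier: 100% threat share
    ("org-d", "Entertainment", 60, 940),
    ("org-e", "Entertainment", 200, 9800),
    ("org-f", "Research", 2, 398),
]


def threat_share(threats, clean):
    """Percent share of threat emails in one organisation's threat + clean mail.

    Using a share instead of absolute counts is what makes organisations with
    very different email volumes comparable. An org with no mail scores 0.
    """
    total = threats + clean
    return 100.0 * threats / total if total else 0.0


def industry_threat_index(orgs, aggregate=median):
    """Aggregate (by default the median) of per-organisation threat shares,
    grouped by industry. The median is used so that a single extreme
    organisation does not drag the whole industry score up or down."""
    shares = defaultdict(list)
    for _, industry, threats, clean in orgs:
        shares[industry].append(threat_share(threats, clean))
    return {industry: aggregate(values) for industry, values in shares.items()}


def rank_industries(index):
    """Industries ordered from most to least targeted."""
    return sorted(index.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    idx = industry_threat_index(SAMPLE_ORGS)
    for industry, score in rank_industries(idx):
        print(f"{industry:<14} median threat share {score:5.2f}%")
    # Contrast with the mean: the 100% outlier would push Mining to about 27%.
    plain_mean = lambda values: sum(values) / len(values)
    print("Mining (mean):", round(industry_threat_index(SAMPLE_ORGS, plain_mean)["Mining"], 2))
```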

Industry Email Threat Index

In a “reverse course” from the findings in our last report at the beginning of August, we saw a net decrease in the email threat index across all industry verticals during the month of August. This means fewer threats were targeted at businesses via email than the previous month. While we don’t see a specific reason behind this trend, it’s likely just a result of the usual ebb-and-flow of email-based threats throughout the summer months.

Regarding the top targeted industry, the entertainment sector remains in the number one spot from last month, with the Mining industry taking the second place. In a vast reduction compared to the previous report, we now see the research industry’s threat index coming in third place during the data period.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

While there have been some changes this month compared with the previous data set, the top category areas for brand impersonation attacks remain roughly the same. Shipping companies, social media, and finance all continue to be popular brands for impersonation. This makes sense, given the value we place on these services as a society. Shipping is still increasing, social media continues to see heavy use, and finance will ALWAYS be a target area for threat actors. 

That said, despite seeing a considerable reduction in DHL impersonation attempts during August, it remains the most impersonated brand BY FAR. Mastercard, Netflix, 1&1, Strato, and Santander all saw increases in brand impersonation attempts over the last month. Of particular note is a specific phishing attempt involving Netflix brand impersonation. The target is warned that their account has expired and that they should take action to extend their service “for free” for 90 days. Risk indicators for this attack are commonly the sender’s address (a Gmail address in the example below), and the associated link sends the user to a TinyURL address. 

Netflix Brand Impersonation
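The risk indicators named above (a brand mail sent from a free-mail address and a link hidden behind a URL shortener), turned into a small triage check as an added example; this is not Hornetsecurity's code, and the brand domain lists, shortener list and sample messages are all constructed placeholders.

```python
# Added example (not Hornetsecurity's code): scoring the risk indicators the
# report names for the Netflix impersonation mail, a free-mail sender address and
# a URL-shortener link, plus a sender-domain check, over constructed messages.
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative mappings only (constructed, not complete lists).
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "dhl": {"dhl.com", "dhl.de"},
    "mastercard": {"mastercard.com"},
}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
SHORTENER_DOMAINS = {"tinyurl.com", "bit.ly", "t.co"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample messages (all addresses and links are placeholders).
SAMPLE_MESSAGES = [
    {"id": "netflix-phish",
     "from": '"Netflix Support" <netflix.billing.2023@gmail.com>',
     "subject": "Your account has expired",
     "body": "Extend your service for free for 90 days: https://tinyurl.com/constructed-link"},
    {"id": "netflix-legit",
     "from": '"Netflix" <info@account.netflix.com>',
     "subject": "Your monthly statement",
     "body": "See your billing details at https://www.netflix.com/account"},
    {"id": "personal",
     "from": "Alex <alex@gmail.com>",
     "subject": "Lunch tomorrow?",
     "body": "Menu here: https://example.com/menu"},
    {"id": "dhl-lookalike",
     "from": '"DHL Express" <tracking@dhl-parcel-update.example>',
     "subject": "Pending package delivery",
     "body": "Confirm your address: https://dhl-parcel-update.example/track"},
]


def sender_domain(from_header):
    """Domain part of the address in a From: header, lower-cased ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def claimed_brands(msg):
    """Brands named anywhere in the display name, subject or body."""
    text = " ".join((msg["from"], msg["subject"], msg["body"])).lower()
    return [brand for brand in BRAND_DOMAINS if brand in text]


def domain_belongs_to(domain, brand):
    """True if the sender domain is a brand domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def risk_indicators(msg):
    """Names of the indicators that fire for one message.

    A mail that invokes a brand but is sent from a free-mail provider, or from a
    domain the brand does not own, is suspicious; so is a link hidden behind a
    URL shortener, which keeps the real destination out of sight.
    """
    indicators = []
    domain = sender_domain(msg["from"])
    brands = claimed_brands(msg)
    if brands and domain in FREEMAIL_DOMAINS:
        indicators.append("freemail_sender")
    else:
        for brand in brands:
            if domain and not domain_belongs_to(domain, brand):
                indicators.append(f"sender_domain_mismatch:{brand}")
    for url in URL_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_DOMAINS:
            indicators.append("shortened_link")
            break
    return indicators


def triage(messages):
    """Map each message id to its list of indicators."""
    return {m["id"]: risk_indicators(m) for m in messages}


if __name__ == "__main__":
    for msg_id, hits in triage(SAMPLE_MESSAGES).items():
        print(f"{msg_id:<16} {'SUSPICIOUS' if hits else 'clean':<10} {hits}")
```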

Major Incidents and Industry Events

As usual, there are several cybersecurity-related news items to discuss in this month’s report. 

The Disruption of Qakbot 

The most notable item to discuss is the FBI’s disruption of the Qakbot botnet. To quote the article:

The action represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.

For those who have followed Qakbot throughout its history, this really comes as no surprise. The FBI identified as many as 700,000 machines as having been infected by the Qakbot malware. The FBI was also able to turn Qakbot’s own software against it by sending uninstall signals to infected machines as part of the operation. Additionally, 9 million USD of cryptocurrency was seized as part of the operation.

To say this sounds like a resounding success would be an understatement. Qakbot is a botnet that threat actors have been using for years to launch attacks on various industry verticals and critical infrastructure, and it’s a botnet that we’ve kept a close eye on here at Hornetsecurity for some time as well. That said, there are two things to keep in mind:

  1. What new or existing botnet will threat actors turn to fill the gap left by Qakbot?
  2. Have all the command and control servers been taken down or been rendered ineffective by the FBI?

There are other botnets for threat actors to choose from, but only some have the reach and the capabilities that Qakbot did. Emotet malspam hasn’t been seen since April 2023, but knowing that botnet’s history and capabilities, it’s possible we may see it emerge once again. It’s also entirely possible that a lesser-known or completely new botnet will seek to fill the void. In either case, we will continue to keep an eye on this space here at Hornetsecurity. If you’re interested in learning more about Emotet, we featured an episode on the Security Swarm Podcast. We’ve embedded the episode below if you’re interested:

The Security Swarm Podcast Episode 3 - Emotet Malware Returns

Finally, have we seen the last of Qakbot? Botnets with the reach of Qakbot are challenging to eradicate. It looks like the FBI has dealt with the needed command and control servers, but time will tell whether other dormant command and control servers are out there. At the very least, Qakbot’s capabilities have been severely diminished.

More Data Breaches

It wouldn’t be a month in cybersecurity without (at least) a data breach or two. Two worth noting due to their size: PlayCyber Games and the French government agency responsible for unemployment and financial aid both reported breaches that, combined, accounted for nearly 14 million records containing PII.

Yes, breaches happen frequently, but governments worldwide are growing increasingly impatient with the private sector’s history of leaked data. The excuse of “an attack of unprecedented scale and sophistication” will only work for so long, and as more individuals and agencies are impacted, the push to impose penalties and fines on negligent businesses will continue to grow. For example, it was reported near the end of 2022 that the Australian government would impose harsher penalties on organizations that fail to take sufficient measures to protect customer data. More recently, it has been reported that the US government’s Cyber Safety Review Board (CSRB) will look into Microsoft’s handling of the Storm-0558 fiasco that led to the breach of multiple US government entities.

No organization likes the extra scrutiny from world governments, but the additional oversight can only be good in today’s cybersecurity ecosystem. 

Microsoft Cloud – Storm-0558 Incident Update

September 8 Update

On September 6th, Microsoft released additional details regarding this attack. While the update does answer the question of how the consumer signing key was compromised, the remaining points and criticisms below stand. The short of it is that a crash dump from the consumer signing system had been moved to a debugging environment, and an internal user account with access to that environment was subsequently compromised. One other item to note from this most recent announcement is this statement:

“Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”

Amazingly, the logs that would have been needed had not been retained due to retention policies, so the exfiltration could not be fully verified.

That all said, what other news is there in the Storm-0558 saga since our commentary last month? In terms of official disclosures from Microsoft, there has been nothing since their statement back on July 11th, except for a July 14 technical analysis of the attack and its actors. While the article does provide some helpful info on the attack, it’s also clear (from what the article DOESN’T say) that Microsoft wants to move on from this issue.

Two of the remaining core issues left unanswered are focused on the compromised consumer signing key and the fact that higher tier logging licenses were needed to identify the attack within Microsoft cloud services.

Regarding the signing key, Microsoft states, “The method by which the actor acquired the key is a matter of ongoing investigation.” When it comes to logging, Microsoft stated on July 19th that, “Today we are expanding Microsoft’s cloud logging accessibility and flexibility even further. Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost.”

This raises the question: why wasn’t this level of logging included to begin with? Should the logs customers need to monitor their own environments be kept behind licensing paywalls? Regardless, when it comes to cloud-based systems used by millions of users worldwide, trust is important. Microsoft’s handling of this situation clearly brings trust to the fore, and this breach will continue to be a topic of debate in the security space for some time.

We’ll continue checking on this issue in future Monthly Threat Reports.

Predictions for the Coming Months

All eyes remain on Microsoft concerning the Storm-0558 breach and what changes, if any, will result from the US Government investigation. While investigations of this type drag on for some time, we anticipate some actionable items as a result. We may see additional news from Microsoft on this case as well, but more likely, any additional communication will be in reaction to government findings.

We also see it likely for other botnets to see an uptick in traffic in the coming weeks and months. The dark web doesn’t stop, and former “customers” of Qakbot will need to get those services elsewhere. Emotet seems a possible candidate, but time will tell.

Even though there was little to report on in terms of AI-related security news from the past few weeks, investments and grant programs aimed at bringing AI to defensive cybersecurity tools are likely to produce results in the near future. We’ve heard so much recently about how threat actors can use AI, and it will be nice to see what the security vendors in the industry do with AI capabilities as well!

Note: If you’d like an example of how security vendors can make use of AI in their toolkits, we also recorded an episode of The Security Swarm Podcast that focused on the use of AI in defensive tools as well as the Emotet episode mentioned earlier in this report.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below! 

From Yvonne Bernard, CTO, on the FBI’s Disruption of Qakbot: 

The FBI’s disruption of the Qakbot botnet is a remarkable and impressive milestone in authorities’ countermeasures against Cyber Threats. However, history (e.g. with Emotet) has shown that this does not necessarily last forever. So, we must closely monitor Qakbot’s potential return while also keeping an eye out for the emergence of new botnets or any existing botnet with increasing popularity in the next weeks, months and years.

From Jan Bartkowski, Team Lead Security Architecture & Engineering, on Recent Data Breaches: 

The recent amount of data breaches shows that the arms race between attackers and defenders is in full play as always. And more often than we all would like to see, the attackers succeed by being a step ahead or – maybe more often – some companies being a step behind. This highlights the constant necessity for companies to continuously invest in their information security posture. A defense in depth is mandatory to (hopefully) prevent the worst-case scenario from happening in case a single security measure fails. This includes not only IT systems but also the human workforce, as even the most technically skilled engineers aren’t immune to making mistakes, as e.g. LastPass and Microsoft had to realize.

Monthly Recommendations

  • Now is an excellent time to read up on common botnet threats like Emotet. With one of the major players (Qakbot) being removed from the space, we will likely see varied and potentially unknown botnet activity in the coming months. Following security best practices and partnering with a Trusted Security Vendor with a proven track record of identifying botnet threats can help mitigate the potential risks.
  • If you’re a Microsoft Cloud customer, stay up to date on the latest logging mechanisms and changes as announced by Microsoft. Microsoft has claimed the needed mitigations are in place. Still, identity logging will be critical to ensure no lingering damage from the Storm-0558 breach.
  • Impersonated brands continue to change monthly, making it difficult to defend against these types of phishing attempts. Keeping end-users updated with next-gen phishing simulation training can help keep your organization safe.
