Monthly Threat Report March 2024: A Busy Cybersecurity News Cycle with High-Impact Events
Introduction
The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of February.
Executive Summary
- There was a very slight decrease in the number of email threats this month. That said, the email security landscape remains dangerous.
- PDF, HTML, and Archive files were the top three most used file types in email for the delivery of malicious payloads during the data period.
- Mining, Manufacturing, and Media organizations were the most targeted industry verticals during the last month, according to our data.
- Top impersonated brands in email attacks during this data period were FedEx, DHL, and Facebook.
- The well-known Lockbit ransomware group was heavily impacted by international law enforcement and seemingly made a return days later. It remains to be seen whether the group is still as impactful as it was before the law enforcement crackdown.
- A critical CVSS 10 vulnerability in the popular MSP tool ScreenConnect from ConnectWise is already being exploited in the wild. An URGENTLY needed patch is available for organizations running ScreenConnect On-Prem.
- A ransomware attack on Optum/Change Healthcare has brought patient healthcare services within the US to a grinding halt.
Threat Overview
Unwanted Emails By Category
| Category | Description |
|---|---|
| Spam | These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients. |
| Threat | These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing. |
| AdvThreat | Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures. |
| Rejected | Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender's identity, and the emails are not analyzed further. |
| Clean | These emails were free of threats and were delivered. |
File Types Used in Email Attacks
Industry Email Threat Index
The following table shows our Industry Email Threat Index, calculated from the number of threat emails relative to each industry's clean emails (as a median). Different organizations receive very different absolute numbers of emails, so comparing raw threat counts would be misleading. Instead, for each organization we calculate the percent share of threat emails out of that organization's threat and clean emails combined. We then take the median of these percent values across all organizations within the same industry to form the industry's final threat score.
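To make the calculation concrete, here is a worked example of the per-organization share and per-industry median described above. This is added illustration code, not Hornetsecurity's own implementation, and the organization counts below are constructed sample data, not figures from the report. The industry names match the verticals mentioned in the summary; everything else is assumed.

```python
from collections import defaultdict
from statistics import median, mean

# Constructed sample data: (organization, industry, threat_emails, clean_emails).
# Counts are invented for illustration and are not taken from the report.
SAMPLE_ORGS = [
    ("mine-a",  "Mining",        4,  96),   # small org, 4% of mail is threat
    ("mine-b",  "Mining",        50, 950),  # large org: many threats, but only 5%
    ("mine-c",  "Mining",        40, 60),   # outlier: 40% of mail is threat
    ("mfg-a",   "Manufacturing", 3,  97),
    ("mfg-b",   "Manufacturing", 6,  194),
    ("media-a", "Media",         0,  0),    # no mail at all: must not divide by zero
    ("media-b", "Media",         2,  98),
]


def org_threat_share(threat: int, clean: int):
    """Percent of an organization's (threat + clean) mail that was a threat.

    Returns None when the organization received no mail, so it can be skipped
    rather than producing a division-by-zero error or a misleading 0%.
    """
    total = threat + clean
    if total == 0:
        return None
    return 100.0 * threat / total


def industry_threat_index(rows):
    """Median per-organization threat share for each industry.

    Using the median (rather than the mean) keeps a single heavily targeted
    organization from dragging the whole industry's score upward.
    """
    shares = defaultdict(list)
    for _org, industry, threat, clean in rows:
        share = org_threat_share(threat, clean)
        if share is not None:
            shares[industry].append(share)
    return {industry: median(vals) for industry, vals in shares.items()}


def industry_mean_share(rows):
    """Same aggregation with the mean, to show how an outlier skews it."""
    shares = defaultdict(list)
    for _org, industry, threat, clean in rows:
        share = org_threat_share(threat, clean)
        if share is not None:
            shares[industry].append(share)
    return {industry: mean(vals) for industry, vals in shares.items()}


def rank_industries(rows):
    """Industries ordered from most to least targeted by the median index."""
    index = industry_threat_index(rows)
    return sorted(index, key=index.get, reverse=True)


if __name__ == "__main__":
    for industry in rank_industries(SAMPLE_ORGS):
        print(f"{industry:14s} median {industry_threat_index(SAMPLE_ORGS)[industry]:5.1f}%"
              f"  mean {industry_mean_share(SAMPLE_ORGS)[industry]:5.1f}%")
```

Note that `mine-b` receives more threat emails in absolute terms than every other sample organization combined, yet its share is only 5%; normalizing per organization is what makes the cross-industry comparison meaningful. The median for Mining stays at 5.0% even though the mean is pulled above 16% by the single outlier organization.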
Impersonated Company Brands and Organizations
Major Incidents and Industry Events
The Takedown and Reemergence of Lockbit
CVSS 10 ConnectWise ScreenConnect Vulnerability
Change Healthcare / Optum Cyberattack
Predictions for the Coming Months
- Brand impersonations of services like DocuSign are likely to increase moving into the tax season in the US.
- The ConnectWise ScreenConnect vulnerability will have a domino effect throughout the industry. In the coming weeks and months we're going to see a number of breached organizations impacted by this vulnerability.
- Further information will come out regarding the Optum/Change Healthcare breach, hopefully leading to some positive change in the healthcare system with regard to security posture and single points of failure.
Expert Commentary from Hornetsecurity
Monthly Recommendations from the Hornetsecurity Security Lab
- If your organization uses the On-Prem version of ScreenConnect from ConnectWise, you're URGENTLY advised to apply the latest update ASAP. Info can be found HERE.
- The high-profile ransomware attack by BlackCat this month is a good reminder to reassess your disaster recovery plan if you haven't in some time. Make sure to run through a full recovery test and ensure that you're protecting your backups from ransomware using a feature such as immutable storage.