Monthly Threat Report March 2024: A Busy Cybersecurity News Cycle with High-Impact Events

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of February.

Executive Summary

  • There was a very slight decrease in the amount of email threats this month. That said, the email security landscape remains dangerous.
  • PDF, HTML, and Archive files were the top three most used file types in email for the delivery of malicious payloads during the data period.
  • Mining, Manufacturing, and Media organizations were the most targeted industry verticals during the last month, according to our data.
  • Top impersonated brands in email attacks during this data period were FedEx, DHL, and Facebook.
  • The well-known LockBit ransomware group was heavily impacted by international law enforcement, and has seemingly made a return days later. It remains to be seen if the group is still as impactful as before the law enforcement crackdown.
  • A critical CVSS 10 vulnerability in the popular MSP tool ScreenConnect from ConnectWise is already being exploited in the wild. An URGENTLY needed patch is available for those organizations running ScreenConnect on-prem.
  • A ransomware attack on Optum/Change Healthcare has brought patient healthcare services within the US to a grinding halt.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for February 2024 compared to January 2024.

Unwanted Emails By Category

There was little change in the threat landscape during this data period when compared with last month. Overall threats are slightly down, but the danger level of the email security ecosystem remains high.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Spam: These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat: These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat: Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected: Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
Clean: These emails were free of threats and delivered.

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.
Top File Types in Email Attacks

Threat actors notably use email attachments as one method to get their malicious payload onto an end user’s machine, so this is an important metric that we track from month to month for insight into threat trends. During this data period we observed a significant increase in the number of malicious PDF files and archive files. These are two file types that are adaptable and can be opened on just about every platform on the planet, which drives their popularity among attackers. We also observed an increase in the number of executable files. That all said, PDF, HTML, and Archive files remain in the top three slots during this data period.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index
The Mining, Manufacturing, and Media verticals remain in the top three slots this month as the most targeted industries. We see the media industry as being heavily targeted in the coming year as threat actors will look to spread disinformation with large elections coming up within the next 10 months. Manufacturing and Mining continue to be a frequent target due to the fact that many organizations in these verticals have enough capital that they’re an enticing target. Additionally, there is a large subset of these organizations that don’t operate in heavily regulated sectors, and as a result are unlikely to have increased budgets for stronger security measures.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.
Impersonated Brands

FedEx, DHL, and Facebook were the top three most impersonated brands in email attacks during the data period for this report. It’s quite common to see shipping brands such as DHL and FedEx high on the list of brand impersonation attempts simply because there is a high volume of email associated with both of these brands: shipping notices, delivery notifications, and so on. That said, we did see a noted decrease in these occurrences during the last month. Facebook, along with Amazon, saw noted increases in brand impersonation attempts. Also of note are the small increases in brand impersonation attempts for Mastercard, PayPal, and DocuSign. This is common as we approach tax season in some countries, including the US.

Major Incidents and Industry Events

The Takedown and Reemergence of Lockbit

The well-known ransomware group LockBit was heavily disrupted by international law enforcement agencies during the month of February. Multiple known LockBit associates are in custody, and as a part of this effort, law enforcement came into possession of more than 1000 decryption keys. These keys will potentially help victims of the group recover impacted data. While this was good news, days afterwards things took a turn. It appears that LockBit has already re-emerged with new servers and new encryptors. It remains to be seen whether this group has been severely impacted or whether it has simply shifted operations elsewhere in light of recent law enforcement actions.

CVSS 10 ConnectWise ScreenConnect Vulnerability

The industry is prepping for a potentially large supply chain attack as security and IT teams race to patch a critical CVSS 10 bug in ConnectWise ScreenConnect, a popular remote access product used primarily by managed service providers. CVE-2024-1709 is an easily exploited remote authentication bypass bug that showed signs of use in the wild shortly after the news became public. Thankfully, a fix has been released for organizations running ScreenConnect on-prem, while those using the cloud-hosted version are already remediated. This issue raises the question of whether it is good security practice to include remote access software on every managed endpoint. While the MSP model leans heavily on remote support capabilities, we’ve seen time and again how supply chain attacks can have a domino effect on the entire industry when applications such as ScreenConnect are impacted. It’s likely we haven’t heard the last of the news regarding this incident.

Change Healthcare / Optum Cyberattack

One of the biggest news stories to hit in the last month was the ransomware attack on Optum / Change Healthcare, a subsidiary of UnitedHealth, by the BlackCat ransomware gang. The attack has left one of the largest US healthcare payment and processing organizations frozen for more than a week now, impacting healthcare in the US and preventing patients from filling much-needed prescriptions. The attack includes the theft of 6 TB of sensitive healthcare data, and it even appears that UnitedHealth may have paid a $22 Million USD ransom to get things back up and running. While this seems to be a standard ransomware attack, with initial reports stating the breach stemmed from the above-mentioned ScreenConnect vulnerability (claims now debunked), it was far from standard in its impact. In fact, this attack could be seen as an escalation on the scale of the Colonial Pipeline ransomware attack some years ago. It is an escalation in that instead of just a monetary or reputational impact, this attack has a clear and present impact on the health and wellbeing of people. It’s not a stretch to say that if it hasn’t happened yet, we’re likely to see patient deaths in relation to this attack due to some patients losing access to medication. This attack has also highlighted some key failure points within the US healthcare system. If the temporary absence of one organization has a ripple effect throughout the entirety of the US health system, then that is what we would call in the tech world “a single point of failure”. This has led to a joint #StopRansomware advisory from CISA, the FBI, and the US Department of Health and Human Services (HHS). Whether this will be enough to shock the US healthcare industry into action remains to be seen.

Finally, the story gets weirder in that the alleged group behind the attack (BlackCat) appears to have short-changed one of the affiliate “partner” groups that helped launch the attack, and now appears to be pretending that it has been shut down by “the feds”. It appears BlackCat has taken its payday and run for now. We will include further updates on this situation in next month’s report.

Predictions for the Coming Months

  • Brand Impersonations for services like DocuSign are likely to increase moving into the Tax Season in the US.
  • The ConnectWise ScreenConnect vulnerability will have a domino effect throughout the industry. In the coming weeks and months we’re going to see a number of breached organizations impacted by this vulnerability.
  • Further info will come out regarding the Optum/Change Healthcare breach, hopefully leading to some positive change in the healthcare system with regards to security posture and single points of failure.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Andy Syrewicze, Security Evangelist, on the Optum / Change Healthcare Breach:

The situation with Change Healthcare is one of those cases where it becomes really clear that issues with our digital estates can have a very real and severe impact on human life. Yes, there’s no denying that the financial and reputation losses we see in your average ransomware attack are bad, but when I look at this attack, and the direct impact it has had on human wellbeing, it’s an entirely different scale. When the impact from an attack is the potential loss of life (due to loss of access to medication and health services in this case), the burden of defensive security starts to feel quite heavy. We can only hope that our lawmakers, executive leadership teams, and society will provide the resources necessary to fight this escalation in the future.

From Matt Frye, Head of Presales and Education, on the Seeming Ease of Recent Attacks:

The ease of attacks is what has hit me in recent months: not only the availability of tools on the public internet, but also the SaaS availability of attack methods (which is not new). These are a growing concern. The sheer amount of monthly data breaches shows that the arms race is escalating, and only by implementing a comprehensive cybersecurity strategy, alongside a comprehensive BCP, can businesses help to mitigate the risks.

Monthly Recommendations from the Hornetsecurity Security Lab

  • If your organization uses the on-prem version of ScreenConnect from ConnectWise, you’re URGENTLY advised to apply the latest update ASAP. Info can be found HERE.
  • The high-profile ransomware attack by BlackCat this month is a good reminder to reassess your disaster recovery plan if you haven’t in some time. Make sure to run through a full recovery test and ensure that you’re protecting your backups from ransomware using a feature such as immutable storage.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organizations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 75,000 customers.

Monthly Threat Report February 2024: A Month for Breaches and Ransomware

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data gathered from the month of January.

Executive Summary

  • Low-effort, high-volume email attacks continue to abate, while more targeted, complex email attacks are on the rise.
  • There has been a near universal increase in the use of malicious file attachments, likely driven by the noted increase in more complex attacks.
  • HTML, PDF, and Archive files were the top 3 most used file types for malicious payloads over the data period.
  • Most targeted industries for the month of January were Mining, Media, and Manufacturing, with the Research industry coming in at a VERY close 4th place.
  • FedEx was the single most impersonated brand during this month’s report, while we also saw notable increases in brand impersonation for both Amazon and Facebook.
  • The threat actor group dubbed “Midnight Blizzard” by Microsoft was able to access and exfiltrate Microsoft executive team emails. The industry has been reacting, with some questioning Microsoft’s response to the breach.
  • Remote Access Provider AnyDesk has reported a breach that led to the theft of code signing keys. Customers need to apply the latest patches ASAP to ensure the continued safe operation of the application.
  • Johnson Controls fell victim to a significant ransomware attack with costs to recover totaling $27 Million USD.
  • The Midnight Blizzard breach of Microsoft highlights the dangers of malicious OAuth applications. It is recommended that system admins review the OAuth apps currently in use in M365, as well as the settings governing who is able to approve OAuth apps within the environment.
  • M365 users looking to enable Co-Pilot for the first time are urged to review permissions within their M365 tenant (including for SharePoint Online, Teams, and OneDrive for Business) before enabling the feature. The ease with which Co-Pilot can surface information could lead to potential data leaks within the company in the presence of permission misconfiguration.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for December 2023 compared to January 2024.

Unwanted Emails by Category

Our data from this data period continues the expected trend of the overall number of email attacks decreasing after the holiday season. That said, the number of targeted email attacks (those classified as “Threats” and “AdvThreats”) saw a slight increase for the month. This is indicative of the fact that with the holidays over, threat-actors are relying less on low-effort, high-volume email attacks (typically classified as “Rejected” in our data) and have moved to more targeted campaigns.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Spam: These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat: These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat: Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected: Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
Clean: These emails were free of threats and delivered.

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

File Types Used in Attacks

Along with the increase in targeted attacks, we’ve also seen an increase in the use of HTML, PDF, and Archive files for the delivery of malicious payloads. Targeted attacks are often more complex, with the attacker turning to more elaborate methods, including malicious attachments. With that in mind, it’s not surprising to see an increase in the use of malicious attachments when we see an increase in more advanced threats during the same data period.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percentage values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

Our data for this month has shown that some industries have seen an increase in the amount of malicious/unwanted email vs clean emails. The Mining, Media, and Manufacturing industries topped the list this month, with the Research industry in a very close 4th place. The core story that the data shows this month is that despite a decrease in overall email threat volume, the email security landscape remains dangerous.
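The index described above (the percent share of threat mail per organization, then the median of those shares per industry) as a worked example. This is added code, not Hornetsecurity’s, and it runs over constructed per-organization counts rather than real data; for contrast it also computes the naive pooled ratio that the per-organization normalization avoids, so you can see a large or unusual organization pull that figure around while the index stays put.

```python
from statistics import median

# Constructed sample data (not Hornetsecurity's data): per-organization counts
# of threat emails and clean emails, with each organization's industry.
SAMPLE_ORGS = [
    {"org": "mine-a", "industry": "Mining", "threat": 100, "clean": 900},
    {"org": "mine-b", "industry": "Mining", "threat": 30, "clean": 970},
    {"org": "mine-c", "industry": "Mining", "threat": 5000, "clean": 95000},
    {"org": "manu-a", "industry": "Manufacturing", "threat": 40, "clean": 960},
    {"org": "manu-b", "industry": "Manufacturing", "threat": 0, "clean": 500},
    {"org": "manu-c", "industry": "Manufacturing", "threat": 200, "clean": 800},
    {"org": "manu-d", "industry": "Manufacturing", "threat": 70, "clean": 930},
    {"org": "media-a", "industry": "Media", "threat": 70, "clean": 930},
    {"org": "media-b", "industry": "Media", "threat": 90, "clean": 910},
    {"org": "media-c", "industry": "Media", "threat": 80, "clean": 920},
    {"org": "res-a", "industry": "Research", "threat": 0, "clean": 0},
    {"org": "res-b", "industry": "Research", "threat": 15, "clean": 285},
    {"org": "res-c", "industry": "Research", "threat": 10, "clean": 240},
]


def threat_share(threat, clean):
    """Percent share of threat emails in one organization's threat + clean mail.

    Returns None for an organization with no mail at all, so it cannot skew
    the industry median with a meaningless 0%."""
    total = threat + clean
    if total == 0:
        return None
    return 100.0 * threat / total


def industry_threat_index(orgs):
    """Per industry: the median of its organizations' percent threat shares.

    The per-organization share normalizes away mail volume; the median keeps
    one unusually clean or unusually attacked organization from dominating."""
    shares = {}
    for o in orgs:
        share = threat_share(o["threat"], o["clean"])
        if share is None:
            continue
        shares.setdefault(o["industry"], []).append(share)
    return {ind: round(median(vals), 2) for ind, vals in shares.items()}


def pooled_threat_ratio(orgs):
    """Naive alternative for comparison: all threat mail in the industry divided
    by all of its mail. The largest organizations dominate this figure."""
    totals = {}
    for o in orgs:
        t, tot = totals.get(o["industry"], (0, 0))
        totals[o["industry"]] = (t + o["threat"], tot + o["threat"] + o["clean"])
    return {ind: round(100.0 * t / tot, 2) for ind, (t, tot) in totals.items() if tot}


def rank_industries(index):
    """Industries ordered from most to least targeted by the index (ties by name)."""
    return sorted(index, key=lambda ind: (-index[ind], ind))


if __name__ == "__main__":
    idx = industry_threat_index(SAMPLE_ORGS)
    pooled = pooled_threat_ratio(SAMPLE_ORGS)
    for ind in rank_industries(idx):
        print(f"{ind:14s} index={idx[ind]:5.2f}%  pooled ratio={pooled[ind]:5.2f}%")
```

With this sample, Manufacturing’s pooled ratio (8.86%) overtakes Media’s (8.00%) purely because one constructed organization receives 20% threat mail, while the median-based index ranks Media first.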

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

In terms of top impersonated brands, we have some interesting changes this month when compared with last month’s report. The shipping company DHL had long been the most impersonated brand, but a recent impersonation campaign involving FedEx has seen the number of FedEx brand impersonation emails skyrocket. In other changes, Facebook and Amazon saw notable impersonation increases, while Mastercard saw a decrease during this data period, likely due to the end of the holiday season. Also worth noting is the slight increase in DocuSign brand impersonations. As tax season nears in the US, threat actors know that more eyes will be on DocuSign emails in the coming months, and they are pivoting predictably.

Major Incidents and Industry Events

Midnight Blizzard

According to this MSRC blog post, Microsoft detected a nation-state attack on its corporate systems on January 12th, 2024. The threat actor was identified as the Russian State-Sponsored actor Nobelium and given the code name “Midnight Blizzard”. In a notice providing a bit more detail on the attack, Microsoft states:

Midnight Blizzard utilized password spray attacks that successfully compromised a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled.

This statement has brought up a number of questions for security professionals over the past couple of days.

  1. Why was this “Legacy, Non-Production Test Tenant” still being used?
  2. Why was MFA not enforced on this tenant leading it to be compromised by a password spray attack?
  3. Why did this test tenant have any rights to the Microsoft corporate tenant?
  4. How did internal red teaming processes NOT discover the linkage between the two tenants?
  5. How did Midnight Blizzard accomplish infiltration from the “Test Tenant” to the corporate network?

We at least got an answer to one of these four questions later in the same article:

Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.

This attack method highlights the risk of OAuth applications that we’ve talked about here at Hornetsecurity, including in the podcast episode embedded below. Microsoft themselves have cited the risk posed by malicious and uncontrolled OAuth apps, but seem to have fallen victim to it themselves in this case.

Ultimately this incident has led to the exfiltration of Microsoft executive team emails, and some in the security community are speculating that the blast radius will grow in the coming days. A proper cultural shift in security at Microsoft seems woefully needed.

The Security Swarm Podcast – The Dangers of Malicious OAuth Applications

AnyDesk Breach

Popular remote access solution creator AnyDesk has also experienced a major breach. According to an article from BleepingComputer, this breach led to the theft of source code and private code signing keys. In its official statement, AnyDesk said the situation is under control and that the application is safe to use with the latest update, which provides an updated code signing certificate. AnyDesk claims that no passwords were stolen as part of the attack but recommends that AnyDesk users change their passwords if they have not done so already.

This incident highlights the fact that any and all IT toolkits are under attack by threat actors attempting to pull off another impactful supply chain attack like the SolarWinds incident years ago. It’s also worth highlighting that source code was stolen in this incident. With this in mind, it’s feasible we could see other attacks targeting AnyDesk in the coming days once threat actors have had a chance to look over the code.

Johnson Controls Ransomware Attack Cost the Company $27 Million

The costs associated with ransomware attacks continue to rise, so it’s sadly becoming more common to see successful ransomware attacks associated with an eye-watering dollar amount. The good news (if there is any to be had in this story) is that the $27 Million USD was not used to pay a ransom. According to reports on the web, the $27 Million was used to restore affected systems, while also taking cyber insurance payouts and external cybersecurity professional services into account.

This story was worth including in this month’s report for one simple reason. So often the monetary damage associated with a ransomware incident is attributed to a ransom payout, when in reality the astronomical cost of a ransomware incident is caused by the mere act of having to address the damage of the attack. This is one of the reasons that cyber insurance has become so expensive in the past couple of years. It is EXPENSIVE to deal with an extensive and targeted ransomware attack, a fact that far too many organizations realize only once it’s too late.

Predictions for the Coming Months

  • With the holiday season well behind us now, we’re likely to see a return to “business as usual” for threat actors. That said, with tax season coming up in the US, we’ll likely see attackers make a more targeted effort to inject themselves into the tax season to capitalize on the exchange of money and sensitive info.
  • We expect the fallout of this most recent Microsoft breach to become clearer in the coming days. As that process plays out, more details will emerge about threat-actor activities leading to the breach, as well as how other entities have been impacted as a part of this incident.
  • Co-Pilot for Microsoft 365 has been released and provides tremendous capabilities in surfacing stored M365 data to end users in prompts. We’re likely to see emerging cases where misconfigured permissions in SharePoint Online, Teams, and OneDrive for Business lead to the accidental exposure of data within organizations using Co-Pilot for the first time, raising the concern of insider threats.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Andy Syrewicze, Security Evangelist, on Microsoft’s Security Culture:

I want to start by saying that I’m often the first to give the benefit of the doubt in these situations – especially so with Microsoft due to my involvement with the Microsoft MVP program over the years. However, the recent breach of Microsoft executive emails by Midnight Blizzard paired with other recent security lapses such as that caused by Storm-0558, really brings the security culture at Microsoft into question. There have been repeated security issues at Microsoft over the past several years now and the community has been waiting for clear acknowledgement that there is a systemic problem to be solved. While the SFI (Secure Future Initiative) is a step in the right direction, it still lacks the impact of the trustworthy computing memo that came directly from then CEO Bill Gates some 20+ years ago. Time will tell if the SFI has the same level of impact within the organization.

From Yvonne Bernard, CTO Hornetsecurity on Copilot:

Walled-off generative AI like Copilot is the often searched-for possibility to enhance productivity with a well-defined training data scope. Nearly every business I am talking to nowadays is currently testing it. I believe this is just the beginning, and future applications are endless to help employees and companies work more efficiently. However, the risk of misconfiguration, hacked accounts, etc. is probably not in everyone’s mind yet, so I strongly advise investing in employee training on AI and data protection and the definition of proper AI policies prior to rollout.

Monthly Recommendations from the Hornetsecurity Security Lab

  • The Midnight Blizzard breach shows us that now is a good time to re-evaluate your current list of OAuth applications within your M365 environment. Remove any apps that your organization no longer uses and verify that the users allowed to approve OAuth applications are tightly controlled and configured for least possible access, given business needs.
  • If you use AnyDesk within your organization, make a plan to apply the latest patches ASAP if you have not already done so.
  • If you plan on enabling Co-Pilot for M365 within your M365 environment discuss and make a plan around the potential governance and data safety issues that this new product may surface. If you’re looking for an easy solution to this problem, a trusted permissions management tool like 365 Permission Manager can help.
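The chain Microsoft describes above (a legacy OAuth app holding the Exchange Online full_access_as_app role, plus newly consented apps) and the recommendation to review the OAuth apps in your M365 tenant suggest a simple audit over exported data. This is an added example, not Hornetsecurity’s or Microsoft’s code: it uses the real Microsoft Graph property names for a service principal’s appRoles and for appRoleAssignments, but the ids, app names and dates are constructed placeholders, and it assumes you have already exported those two objects for the Exchange Online resource.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Microsoft Graph objects (placeholder ids and
# invented app names, not a real tenant): the Exchange Online resource service
# principal with its appRoles, and the appRoleAssignments tenant apps hold on it.
EXCHANGE_ONLINE_SP = {
    "id": "resource-exo",
    "displayName": "Office 365 Exchange Online",
    "appRoles": [
        {"id": "role-0001", "value": "full_access_as_app"},
        {"id": "role-0002", "value": "Mail.Read"},
        {"id": "role-0003", "value": "Mail.Send"},
    ],
}

APP_ROLE_ASSIGNMENTS = [
    {"principalDisplayName": "Legacy Test App", "resourceId": "resource-exo",
     "appRoleId": "role-0001", "createdDateTime": "2019-03-01T09:00:00Z"},
    {"principalDisplayName": "Mail Archiver", "resourceId": "resource-exo",
     "appRoleId": "role-0002", "createdDateTime": "2022-05-10T14:30:00Z"},
    {"principalDisplayName": "Quarterly Sync", "resourceId": "resource-exo",
     "appRoleId": "role-0001", "createdDateTime": "2024-01-10T03:12:00Z"},
    {"principalDisplayName": "HR Connector", "resourceId": "resource-exo",
     "appRoleId": "role-0003", "createdDateTime": "2023-11-20T10:00:00Z"},
    {"principalDisplayName": "Mystery App", "resourceId": "resource-exo",
     "appRoleId": "role-unknown", "createdDateTime": "2024-01-25T22:45:00Z"},
]

# Application permissions that reach every mailbox in the tenant with no signed-in user.
HIGH_RISK_ROLES = {"full_access_as_app"}

# Constructed "today" for the sample, so the recency check is reproducible.
REFERENCE_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)


def _parse_graph_time(value):
    """Graph returns ISO 8601 with a trailing Z; make it a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_app_role_assignments(resource_sp, assignments, now, recent_days=30):
    """Resolve each assignment's appRoleId to a permission name on the resource and
    flag high-risk roles, unresolvable role ids, and grants made within recent_days."""
    role_names = {r["id"]: r["value"] for r in resource_sp["appRoles"]}
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for a in assignments:
        if a["resourceId"] != resource_sp["id"]:
            continue  # assignment on some other resource; out of scope here
        role = role_names.get(a["appRoleId"])
        granted = _parse_graph_time(a["createdDateTime"])
        findings.append({
            "app": a["principalDisplayName"],
            "role": role or "unknown role id",
            # an unresolvable role id is treated as high risk until explained
            "high_risk": role is None or role in HIGH_RISK_ROLES,
            "recent": granted >= cutoff,
            "granted": granted.date().isoformat(),
        })
    return findings


def high_risk_apps(findings):
    """Apps that belong on the review list regardless of when consent was given."""
    return sorted({f["app"] for f in findings if f["high_risk"]})


def recently_granted_high_risk(findings):
    """High-risk grants created recently: the consent events to check first."""
    return sorted(f["app"] for f in findings if f["high_risk"] and f["recent"])


def run_audit():
    return audit_app_role_assignments(EXCHANGE_ONLINE_SP, APP_ROLE_ASSIGNMENTS, REFERENCE_NOW)


if __name__ == "__main__":
    for f in run_audit():
        flag = "HIGH" if f["high_risk"] else "ok"
        suffix = "  (recent)" if f["recent"] else ""
        print(f'{flag:4s} {f["app"]:16s} {f["role"]:20s} granted {f["granted"]}{suffix}')
```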

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organizations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.

Monthly Threat Report January 2024: Holiday-Focused Attacks on the Decrease, but Danger Remains

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of December 2023.

Executive Summary

  • More advanced email threats are down during this data period, while we’re seeing slightly more low-effort email attacks that are ultimately rejected due to external indicators.
  • We saw a reduction in the use of most file types for the delivery of malicious payloads. Despite the noted decreases, HTML, PDFs, and Archive files remain the top three offenders.
  • The Mining, Research, and Entertainment industries were the most targeted industries during the data period.
  • Brand impersonations are down, with DHL remaining the number one most impersonated brand.
  • The MOVEit supply chain attack continues to rack up victims, and now that a considerable amount of time has passed, the industry is starting to get a clearer picture of the true scope of the damage.
  • The Albanian government and One Albania Telecom are currently under active attack by the Iranian hacking group “Homeland Justice.”
  • We’re seeing new phishing campaigns targeting both Instagram and Twitter (X) users with the goal of account takeover or access to crypto wallets and other account assets.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for December 2023 compared to November 2023.

Unwanted Emails By Category

The past several months saw a recurring increase in malicious mail traffic, which we see every year around this time. We can attribute this increase to the holiday shopping season. With the holidays now over, it’s no surprise that we’ve seen the trend nearly plateau. Those emails categorized as “threats” and “AdvThreats” saw a decrease. The slight increase in those emails categorized as “rejected” drove a slight decline of 0.4% in “clean” emails. During the lead-up to the holidays, we see an increase in low-effort email attacks in the hope of capitalizing on holiday traffic. These types of attacks are frequently rejected outright due to external indicators. With the holidays now over, we expect this downward trend to continue for the time being.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category: Description
Spam: These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat: These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat: Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected: Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
Clean: These emails were free of threats and delivered.

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

File Types Used in Attacks

During this data period, we saw a net reduction in nearly every category. We attribute this to the observed reduction in the number of more sophisticated email attacks during the data period. Even so, HTML, PDFs, and Archive files remain the top three most used attachment types for delivering malicious payloads.

The apparent increase in Excel files may look like a new campaign, but it isn’t. In absolute numbers, we saw fewer attacks involving Excel documents during the data period. However, the reduction for Excel files was much smaller than the steep reductions in the other file-type categories, so emails with malicious Excel files make up a larger share of this month’s data set, which shows up as a percentage-point increase.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

 Industry Email Threat Index

As expected, we saw a decrease in the threat index across all industries during the month of December. This lines up with our other data regarding the decrease in the amount of threats. In terms of the top targeted industries, the mining, research, and entertainment industries remained at the top.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Company Brands and Organizations

Like our other data sets listed above, we see evidence here of a decrease in the number of threats. Nearly every brand in our top ten most impersonated brands saw a decline, with a few exceptions – notably PayPal and Sparkasse. According to our data, DHL remains at the top of the list as the most impersonated brand used by threat actors.

Major Incidents and Industry Events

MOVEit – The Damage So Far

We’ve discussed the MOVEit zero-day attack in several of these monthly reports. The damage is apparent, and the real-world harm is VERY real. That said, it takes time to get an accurate scope of large supply-chain attacks of this nature. Thankfully, enough time has now passed for the data gathered about the event to start showing an interesting picture. Kon Briefing has compiled a data collection regarding the MOVEit supply chain attack. The report includes several useful data points, including:
  • Victims
  • Impacted Individuals
  • Most targeted countries
  • Affected organizations
  • Links to official disclosures
  • And more
US-based organizations top the list of victims of this vulnerability: 2290 US organizations were impacted, followed by Canada with 152 affected organizations. Perhaps the most jaw-dropping statistic is that upwards of 90 MILLION individuals have been directly impacted as a result of exploitation. Yes, a fix exists, but it’s clear that many impacted organizations have been slow to roll out the needed patches. Whether this is due to negligence or overburdened IT departments remains to be seen. Time will tell; in the meantime, we expect the MOVEit supply-chain attack to remain an issue in the industry for some time.

Albanian Government and Telecom Hit By Cyberattacks

We always take note of major cyber attacks, especially when the target is a nation-state government. It’s been reported that both the Albanian government and One Albania Telecom have been under active attack in a cyber attack of unknown size and scope. This is notable due to the size of the impact (1.5 million at One Albania Telecom alone). It also serves as further confirmation of the trend we’re seeing where nation-states’ digital infrastructure is under attack at a level we haven’t seen before. As of the time of this writing, the attack is ongoing, with the Iranian hacker group Homeland Justice taking responsibility for it.

Attacks like these will draw the attention of world governments as it becomes increasingly apparent that government regulation may ultimately be required to help stave off the rising wave of cybercrime. We’ve discussed the topic of government technology intervention in previous editions of this report and will continue to report on it in future editions as needed.

New Emerging Instagram Phishing Campaign

The industry saw a new Instagram Phishing campaign emerge just in time for Christmas. Target recipients are shown several convincing UIs that walk them through entering one of their 2FA backup authentication codes which the threat-actor then uses to take over the account. Marketing and social media departments will especially want to be on the lookout for this over the coming days.

The phishing email will claim that the account in question is “infringing on copyright.” The sender’s email address, instagram@contact-helpchannelcopyrights.com, even directly supports that claim. As the article states, the convincing UIs and the sense of urgency can make this a tough spot for some novice users.

Twitter’s (X) Status ID handling is Being Used to Forge Phishing Links

A new round of phishing attacks is making its way around the net, this time via Twitter (now known as X). Due to how X handles status IDs, the username portion of an X URL can be replaced with any string, and the post that the status ID pertains to will still open regardless of the username in the URL.

For example, if you go to the URL https://twitter.com/hornetsecurity/status/1733207135247303132#, you would think you’d be navigating to the official Hornetsecurity X page, right? However, you’ll quickly find that it takes you to a post from the X profile of our security evangelist Andy Syrewicze. This is apparently a “feature” of how X works, but it can be abused for phishing by bad actors.

Many phishing attempts are making the rounds that use this technique to make the target think they’re being directed to a legit X post from large brands like Binance, the Ethereum Foundation, Chainlink, and other cryptocurrency-related entities. The goal for threat actors here is to gain access to the target user’s crypto wallet and drain it of assets. This is just another area where your average Joe user needs to be trained to make sure the page (or X profile) they’ve ended up at is indeed the legit profile they expect it to be.

Thankfully, most users active in crypto tend to be tech-savvy, but even the most experienced user can be caught off guard. This type of phishing attempt via X could be used for other things as well, such as phishing credentials for other (non-crypto) services that are then used as part of credential stuffing attacks, not to mention its potential use for misinformation. Time will tell how threat actors make use of this method.

Predictions for the Coming Months

  • While we expect the danger of the email threat landscape to remain high, the number of email-based attacks is likely to decrease somewhat as we move away from the holiday season.
  • With the number of potential targets looking for holiday shopping and shipping emails decreasing, it’s feasible that the number of sophisticated email-based attacks will increase over the coming months as threat actors return to their “regularly scheduled programming.”
  • The targeting of nation-state governments will continue, driving the international conversation about governments’ role in the security community.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Yvonne Bernard, CTO Hornetsecurity, on Instagram and Twitter(X) attacks:

It is interesting to see that attackers do not take vacation but rather tailor their attacks to the Christmas season: fake Instagram and Twitter(X) emails catch users when they are more active on social media, DHL and other transport industry phishing attempts use the greediness of the holiday shopping season – no surprise as everyone is waiting for their presents to arrive! It is good to know that our Security Lab is alert and protecting our customers 24/7 – if evil does not take a vacation neither do we!

From Umut Alemdar, Head of Security Lab, on Phishing and Fake Online Stores:

Looking back at December 2023, we witnessed a significant increase in phishing threats, capitalizing on the holiday shopping season. Scammers cleverly created fake online stores, targeting last-minute holiday shoppers. As we move into January, it is crucial to maintain vigilance. The risk of encountering these scams does not vanish with the holidays; leftover fake deals and cleverly disguised emails may still circulate. Therefore, it is advisable to remain skeptical of overly attractive offers and always verify the legitimacy of online stores before making purchases or sharing personal information. The start of a new year is a good time to reinforce safe online practices to protect against phishing threats.


Monthly Recommendations

  • It’s a good time to revisit security awareness training with end-users. After the holidays and extended vacations, a friendly reminder of the dangers that lurk in mailboxes can help get workers on the defensive again as we move into the new year.
  • Train your social media and marketing teams about the newly emerging phishing threats on both Instagram and X.
  • If your organization uses the MOVEit file transfer software and you still need to apply the patches to fix last year’s major supply chain attack, plan to do so now.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organizations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.

Monthly Threat Report December 2023: Holidays Bring Malicious Email and Lots of Patches to Apply


Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of November.

Executive Summary

  • While those email threats categorized as “Threats” and “AdvThreats” are down, the amount of low-effort, easily-detected email threats is up. That said, the overall email threat landscape remains dangerous with a high volume of malicious traffic, which is common for this time of year.
  • The usage of HTML and PDF files to deliver malicious payloads in email attacks is up for this reporting period.
  • Every industry, except for the transport industry, has seen an increase in email-based threats over this data period.
  • DHL remains the most impersonated global brand in email attacks.
  • We’ve seen a noted increase in M365 brand impersonations, likely driven by the increased popularity of reverse-proxy phishing kits like EvilProxy.
  • Hacktivists breached the US Department of Defense-run Idaho National Laboratory and many employee records were leaked on the dark web. This continues to add weight to international conversations about regulating cybersecurity practices.
  • Microsoft fixed 63 security vulnerabilities during its monthly Patch Tuesday release. This includes five zero-day vulnerabilities. Organizations are urged to apply fixes as soon as possible.
  • Major vulnerabilities in Intel and AMD CPUs put multi-tenant deployments at risk. Patches are available.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for October 2023 compared to November 2023.

Unwanted Emails by Category

This month’s report shows that the email threat landscape is quite similar to the previous data period. The number of email threats remains high, but we’re seeing a slight increase in “low-effort” email attacks that quickly get categorized as “Rejected.” This is likely because we’re currently in the middle of the holiday season, and threat actors are looking to sustain high amounts of simple attacks to catch people unaware. This is a common trend we see every year around this time.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category: Description
Spam: These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat: These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat: Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected: Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

File Types Used in Attacks

Despite the subtle change in the categorization of email traffic over this data period, the file types in email attacks have notably changed compared to the previous month. The usage of HTML and Archive files has risen, with HTML files accounting for nearly 40% of all malicious file types during the reporting period.

HTML and archive files are both file types usable on several different platforms. Regardless of the target’s operating system or platform, the victim can most likely interact with the malicious payload somehow, making these file types popular amongst threat actors.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

Except for the transport industry, our data shows more threats were levied against EVERY industry vertical during November than the previous month. Again, this trend indicates the holiday season in which we see the number of email-based threats increase.

That said, we have observed that the amount of threats has increased for some industries more than others. For example, Mining, Manufacturing, and media organizations saw the most significant increases. Manufacturing and mining can both be seen as focused targets because it is the end of the year, and many organizations are attempting to make quotas, driving the need for orders and raw materials. On the other hand, the media industry is often a prominent target of nation-state actors looking to influence global discussion and standing through misinformation.

Regardless of the specifics above, our data shows that it DOES NOT matter what industry vertical you’re in: if you can pay a ransom, your organization is a potential target.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

The data regarding impersonated brands in email attacks has also shown some stark differences this month. We’ve observed a significant increase in malicious emails impersonating German banks and the German telecom company 1&1. More interestingly, though, we’ve seen a noted uptick in M365 brand impersonations.

Reverse Proxy phishing kits, like EvilProxy, have become a popular tool amongst threat-actor groups as of late. These types of tools make it simple for threat actors to gain access to M365 session tokens. The victim believes they are signing into a legit M365 portal, and once they’ve entered their credentials, they’re directed to the real M365 portal, thinking nothing is amiss. The real nefarious thing about this attack style is that once the threat actor has a valid session token from Microsoft Entra from the victim, they can log in as that user while bypassing MFA protections.

This increase can be attributed to the rise in popularity of such tools.

Major Incidents and Industry Events

Hacktivists Breach INL (Idaho National Laboratory)

Upon first glance, some may think SiegedSec’s breach of INL was just another everyday cyber attack, until you realize that INL is a nuclear research center under the purview of the US Department of Energy. Even though no research material is thought to have been pulled from INL’s network by the attackers (as of current reporting), staff and HR-related records were, in fact, exfiltrated and leaked online.

The breach of a government-sponsored entity isn’t a new occurrence. However, looking at this incident through the scope of other government-related breaches brings weight to the argument for government oversight in cybersecurity practices. We’ve discussed in this monthly report that the governments of the world are increasingly beginning to lose patience, and some early signs of government intervention and regulation are starting to look possible. This was most recently clear in the aftermath of the Storm-0558 breach that led to information being stolen from the US State Department. Other governments across the world from the EU to Australia have also started invoking additional cybersecurity regulations as well. Time will tell what impacts said regulation will have on the industry.

A Doozy of a Patch Tuesday

Many patch-Tuesdays from Microsoft come and go without much fanfare, but the November patch-Tuesday was significant. The November collection of patches from Microsoft addressed 63 vulnerabilities INCLUDING 5 Zero-Days with a CVSS score of 6.5 or higher.

A summarized list is shown below:

  • CVE-2023-36025 (CVSS 8.8): SmartScreen security bypass vulnerability, allowing attackers to bypass Windows Defender SmartScreen checks.
  • CVE-2023-36033 (CVSS 7.8): Windows DWM Core Library privilege escalation vulnerability allowing attackers to achieve SYSTEM level privileges.
  • CVE-2023-36036 (CVSS 7.8): A Cloud Files Mini Filter Driver elevation of privilege vulnerability. This CVE can also escalate the attacker to SYSTEM-level access.
  • CVE-2023-36038 (CVSS 8.2): ASP.NET Denial of Service Vulnerability.
  • CVE-2023-36413 (CVSS 6.5): A Microsoft Office Security Feature Bypass. It could potentially allow unauthorized access to Office applications.

Reptar and CacheWarp: New CPU Vulnerabilities in the Wild

There are a pair of new CPU vulnerabilities from this past month that are going to require the attention of security teams. Both Intel and AMD have issues that need to be addressed and have provided patches for the vulnerabilities. What’s so interesting about these particular flaws is that they both can impact dense multi-tenant deployments, like large cloud hosting services. That said, while the large cloud hosting platforms are applying patches, so should you if you’re running on-premises data centers.

More details below:

AMD CacheWarp

CacheWarp is an exploit that allows a threat actor to infiltrate virtual machines protected by AMD’s Secured Encrypted Virtualization technology and is being tracked under CVE-2023-20592. AMD has released a patch HERE.

Intel Reptar

Reptar is an exploit that not only allows an attacker to bypass CPU security boundaries but potentially causes denial of service along with privilege escalation as well. This vulnerability is being tracked as CVE-2023-23583 and a fix is available HERE.

Predictions for the Coming Months

Holiday-driven spam and malware campaigns will continue throughout the next month or two, with shipping and financial brands continuing to be impersonated in such attacks.

More information is likely to come out regarding the INL breach. It is expected to spur additional discussion within the US federal government regarding cybersecurity best practices within government agencies and related entities.

Recently disclosed Zero-Days are likely to see exploitation in the wild. Yes, patches are available, but they take time to apply, and the race is on between threat actors and defenders.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Umut Alemdar, Head of Security Lab, on the importance of proactive cybersecurity measures during the holiday season:

The holiday season often marks an escalation in cyber threats, a trend that becomes more challenging due to the reduced availability of security teams who might be on vacation. A prime example was the zero-day vulnerability CVE-2021-44228 (log4j), which emerged shortly before Christmas and caught many organizations and IT teams off guard. This incident highlights the need for organizations to remain on high alert during the holidays and promptly apply security patches, especially for critical vulnerabilities like zero-day exploits. It also helps to raise awareness against seasonal phishing attacks.

From Andy Syrewicze, Security Evangelist, on CPU Microcode Updates:

I come from a background of infrastructure management, so infrastructure security is always top of mind for me. When I see vulnerabilities like CacheWarp and Reptar show up in the industry I often think back to organizations I’ve advised in the past that haven’t put much emphasis on NON-OS patches (like a microcode update). I would urge admins to NOT delay on rolling out the fixes for CacheWarp and Reptar. These vulnerabilities are just as real and dangerous as an OS-level vulnerability. This is especially true, in this case, for multi-tenant environments. If you work with a hosting provider for IaaS services, make sure you check with them and ask about their plans for deploying the applicable fixes from AMD/Intel. Today’s threat-actors will use any and every vulnerability at their disposal to launch attacks, and CacheWarp and Reptar are no exception.

Monthly Recommendations

  • Continue to communicate with end-users regarding the holiday uptick in malicious email traffic and adopt a next-generation email security solution if you don’t have one in your environment today.
  • If your organization has not yet applied Microsoft’s security fixes from November, it is HIGHLY recommended that you do so.
  • Urgently take steps to apply the CPU microcode updates from Intel and AMD – especially if you are a hosting organization.


Monthly Threat Report November 2023: Holiday Email Threat Increases and More Zero-Days


Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from October.

Executive Summary

  • Spam messages are slightly up over the data period, while those emails classified as “Threats” and “AdvThreats” are slightly down. That said, the state of email security risks in the industry remains high.
  • The use of PDF files to deliver malicious payloads via email has risen over the last month. This is likely driven by post-QakBot botnets such as DarkGate.
  • The research industry has seen the most significant increase in attack targeting over the data period and is number one on our list of most targeted industries. The mining and entertainment verticals were second and third place, respectively.
  • Shipping and Finance brands have seen increases in brand impersonation attempts over the last month. This trend will continue due to the upcoming holiday shopping months.
  • Microsoft has started to roll out the promised logging changes in response to the cloud services attack by Storm-0558.
  • A significant vulnerability in Citrix NetScalers dubbed CitrixBleed has the industry scrambling to apply patches. The vulnerability has been exploited in the wild since at least August, according to Mandiant.
  • The Securities and Exchange Commission has brought charges against SolarWinds and its CISO for fraud and security lapses regarding the late 2020 SunBurst incident.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for October 2023 compared to September 2023.

Unwanted Emails by Category

October saw a slight increase in the number of emails classified as “spam,” while “threats” and “AdvThreats” were down slightly. As we stated in last month’s report, the overall email threat landscape remains dangerous, with a high volume of current threats that will likely persist for some time, especially as we move into the holiday months.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.
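As an added example (not Hornetsecurity’s code), the following Python simulates the dialog the note above, and the identical notes in the two earlier Threat Overview sections, describe: a receiving MX that refuses mail on external characteristics (connecting IP reputation, sender identity) before any content is analyzed, versus mail that is accepted and handed to content analysis. The reputation data, hostnames and client dialogs are constructed.

```python
"""Simulation of the "Rejected" category: mail refused at the start of the SMTP
dialog on external characteristics alone, never reaching content analysis.
Added example, not Hornetsecurity's code; all data below is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed reputation data (documentation-range IPs); a real MX would query live feeds.
BLOCKLISTED_IPS = {"198.51.100.23"}
COMPROMISED_SENDERS = {"billing@example.com"}


@dataclass
class SmtpReceiver:
    """Minimal receiving-side state machine covering only the checks discussed in the note."""
    analysis_queue: List[str] = field(default_factory=list)        # bodies handed to content analysis
    rejected: List[Tuple[str, str]] = field(default_factory=list)  # (check, value) for refused mail
    closed: bool = False
    sender_ok: bool = False
    in_data: bool = False
    body: List[str] = field(default_factory=list)

    def connect(self, client_ip: str) -> str:
        """Banner stage: a negative IP reputation ends the dialog before any command is read."""
        if client_ip in BLOCKLISTED_IPS:
            self.rejected.append(("ip-reputation", client_ip))
            self.closed = True
            return "554 5.7.1 Service unavailable; client IP has a negative reputation"
        return "220 mx.example.net ESMTP ready"

    def command(self, line: str) -> str:
        """Handle one client line; returns the server reply ("" for message body lines)."""
        if self.closed:
            raise RuntimeError("connection already closed")
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.analysis_queue.append("\n".join(self.body))  # content analysis happens later
                return "250 2.0.0 Queued for content analysis"
            self.body.append(line)
            return ""
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            return "250 mx.example.net"
        if verb == "MAIL":
            match = re.match(r"MAIL FROM:\s*<([^>]*)>", line, re.IGNORECASE)
            sender = match.group(1).lower() if match else ""
            if sender in COMPROMISED_SENDERS:  # sender identity check, still before any content
                self.rejected.append(("sender-identity", sender))
                return "550 5.7.1 Sender rejected: identity known to be compromised"
            self.sender_ok = True
            return "250 2.1.0 OK"
        if verb in ("RCPT", "DATA"):
            if not self.sender_ok:
                return "503 5.5.1 Need an accepted MAIL FROM first"
            if verb == "DATA":
                self.in_data = True
                return "354 End data with <CR><LF>.<CR><LF>"
            return "250 2.1.5 OK"
        if verb == "QUIT":
            self.closed = True
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def classify_session(client_ip: str, client_lines: List[str]):
    """Drive one dialog. Returns (category, transcript, receiver): category is
    "Rejected" when an external check refused the mail, "Analyzed" when the body
    reached content analysis, "Incomplete" otherwise."""
    receiver = SmtpReceiver()
    transcript = [("S", receiver.connect(client_ip))]
    for line in client_lines:
        if receiver.closed:  # server already dropped the connection
            break
        reply = receiver.command(line)
        transcript.append(("C", line))
        if reply:
            transcript.append(("S", reply))
    if receiver.rejected:
        category = "Rejected"
    elif receiver.analysis_queue:
        category = "Analyzed"
    else:
        category = "Incomplete"
    return category, transcript, receiver


# Constructed client dialogs.
NORMAL_DIALOG = [
    "EHLO client.example.org", "MAIL FROM:<alice@example.org>", "RCPT TO:<bob@example.net>",
    "DATA", "Subject: Invoice", "", "Please see attached.", ".", "QUIT",
]
COMPROMISED_SENDER_DIALOG = [
    "EHLO client.example.org", "MAIL FROM:<billing@example.com>", "RCPT TO:<bob@example.net>", "QUIT",
]

if __name__ == "__main__":
    for ip, dialog in [("203.0.113.5", NORMAL_DIALOG), ("198.51.100.23", NORMAL_DIALOG),
                       ("203.0.113.5", COMPROMISED_SENDER_DIALOG)]:
        category, transcript, _ = classify_session(ip, dialog)
        print(f"{ip}: {category}")
        for side, text in transcript:
            print(f"  {side}: {text}")
```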

Other categories in the image are described in the table below:

Category: Description
Spam: These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat: These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat: Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected: Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

File Types Used in Attacks

The usage of HTML and Archive files is down over the data period, while the use of PDF and disk images is up. One reason for the suspected increase in PDF files is the fact that they are the preferred delivery mechanism for some of the newer (post-Qakbot) botnets such as DarkGate. While the vector of attack for DarkGate has pivoted somewhat towards instant messaging, the attacks can also be seen via email.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

During this data period, we have observed a net decrease in threat indices across all industries except for the research vertical. The research industry remains at (or near) the top of the list for this month’s report. According to our data, this industry has seen a consistent threat landscape for some time and is frequently in the top 3 targeted industry sectors. This is mainly due to the fact that research organizations are often working with sensitive intellectual property and supporting data, making them ripe targets for threat actors who can not only attempt to ransomware the organization but also threaten to release said data to the public via double extortion attacks.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

Shipping and finance brands continue to top our list of most impersonated brands for this month’s report. Even though the number of DHL brand impersonations is down, the global shipping vendor remains at the top of the list. Amazon, Mastercard, and PayPal also saw notable increases. Another trend we have observed this month is a significant increase in brand impersonation attempts for several German banks. Increases for shipping and finance organizations are not uncommon at this time of year, as many threat actors try to capitalize on the holiday shopping season and attempt to sneak into end-users’ inboxes posing as one of these organizations.

Major Incidents and Industry Events

Update on Storm-0558

Thankfully, there has been no further negative news surrounding the Storm-0558 breach that occurred earlier this year. For those who are unaware, Storm-0558 is the designation that Microsoft gave to a group of nation-state threat actors that managed to procure a Microsoft consumer signing key. The group then used that signing key to forge authentication tokens to gain access to Microsoft cloud services. We have covered this breach extensively through these monthly reports since the news broke.

That all said, Microsoft has made a new announcement regarding this case: they confirmed they’ve begun to roll out some of the logging changes they had promised during their postmortem analysis of the breach. Microsoft did not even detect the Storm-0558 breach. The US State Department is the entity that brought the breach to Microsoft’s attention, and this is ONLY because the State Dept. had the premium logging capabilities licensed and enabled for the applicable cloud services.

This was a HUGE point of criticism against Microsoft, as many security experts in the industry pointed out that adequate logging should not be placed behind a paywall of any kind. Thankfully, Microsoft has taken this criticism seriously and has started rolling out these logging capabilities as promised. Said changes included extended default retention policies, additional capabilities, and more. While this change is welcome and does help, the question of over-reliance on Microsoft for security continues to be asked in the security community. We’ll continue to provide updates on this case as new developments occur.

CitrixBleed

October 10th saw the industry add another major zero-day flaw to the list for 2023, this time from Citrix. CVE-2023-4966 (known as CitrixBleed) is a flaw in Citrix NetScaler devices and has seen exploitation in the wild since August, as reported by Mandiant. This vulnerability allows attackers to force the system to return system memory via a specially crafted HTTP GET message. The memory dump contains post-authentication session tokens that the attacker can use to log in to the device while bypassing MFA. Once an attacker gains access to the system, the goal is often lateral movement, privilege escalation, persistence, and data exfiltration. Thankfully, Citrix has released a patch, urges customers to install it ASAP, and also recommends taking the extra step to kill all existing sessions as outlined in their official notice.

This vulnerability is a stark reminder to the industry that comprehensive security involves more than just endpoints, servers, and cloud services. Network devices, IoT devices, and other components that are often afterthoughts can be easy stepping stones for threat actors to use to access critical data. If you still need to make a plan for patching these types of devices in your environment, make sure you get them on your schedule ASAP.

SEC Repercussions for SolarWinds

While not directly technical, the next item on this month’s list has some serious implications for the security industry. It’s been clear for some time now that various governments and business regulatory bodies have begun losing patience with the increase in security lapses in recent years. This can be seen, for example, in Australia, where steep fines are now levied against organizations that do not take relevant steps to provide proper cybersecurity. Another example is the Department of Homeland Security’s Cyber Safety Review Board investigation of the recent Microsoft Cloud issues.

The latest example of this comes from the US Securities and Exchange Commission (SEC), and it targets SolarWinds, specifically its Sunburst vulnerabilities from late 2020. While Sunburst is old news in the security space, the SEC has taken the unprecedented step of charging SolarWinds and their CISO with “Fraud and Cybersecurity Failures”. This can be seen as a clear escalation by governing bodies and agencies and would mark one of the first times that actual charges are being filed regarding alleged security negligence against an organization AND (more shockingly) a specific officer within said organization. Regardless of whether the charges are valid, many see this as a step too far, and some fear that this will keep talented and competent security professionals from stepping into the CISO role for fear of legal risk. It’s still early days regarding this case. Still, the security community is watching, and we’ll continue to monitor this in future reports as the impact on the security community could be significant.

Vulnerability in Curl

Thankfully, it has been found that exploiting a recently discovered curl vulnerability is quite difficult. That said, we felt it was worth mentioning the disclosed curl vulnerabilities here due to the vast number of systems impacted. For those who are unaware, curl is a commonly used system utility for transferring data using a variety of protocols. It’s present in most operating systems, including Windows, MacOS, and Linux. Due to that fact, this vulnerability has a large potential blast radius.

The vulnerability is being tracked under two CVEs – CVE-2023-38545 and CVE-2023-38546. Impacted organizations should apply the patches applicable to their operating system.

Predictions for the Coming Months

The Holidays Will Drive an Increase in Malicious Emails

The holidays bring an increase in shipping, family communication, and financial transactions during November and December every year. Threat actors know this and will seek to hide malicious emails amongst that holiday communication. This will take the form of brand impersonation emails (particularly that of shipping companies), financial scams, charity fraud, and others.

We’ll Start to See the Industry Fallout from the CitrixBleed Vulnerability

Like other large-scale attacks impacting a large number of enterprise customers, we won’t know the extent of the damage for some time. The fact that this vulnerability was actively being exploited for a month or more before disclosure means that many organizations may have been impacted and not yet know it. With the vulnerability publicly known now, the race is on for IT teams to get mitigations into place before threat actors can target them. The extent of the damage is likely to start making some small ripples in the news in the coming days.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Umut Alemdar, Head of Security Lab, on the SEC’s actions against cybersecurity failures and the holiday season:

The SEC’s actions against cybersecurity failures mark a significant shift in regulatory oversight. This development should prompt organizations to reassess their compliance and cybersecurity frameworks, ensuring they align with evolving legal and ethical standards. I am excited to see how company boards will adapt and enhance their governance structures in response to these regulatory changes. As we approach the holiday season, a predicted spike in malicious emails necessitates a heightened state of alertness. This is an excellent time for CISOs and security teams to reinforce security training, update phishing response protocols, and ensure that all systems are adequately protected against the latest threat vectors. Stay safe!

From Andy Syrewicze, Security Evangelist, on the security of network appliances:

The recent Citrix NetScaler vulnerabilities are a good reminder for all organizations to re-evaluate their security posture and patching strategies. I’ve sadly seen it happen too many times where an organization will make great efforts to secure their servers, endpoints, and cloud services while switches, routers, and network appliances go years without firmware updates or patching. This goes for IoT devices as well. Any connected system is a potential foothold for an adversary, and businesses will only have a holistic security posture once ALL connected devices are taken into consideration.

Monthly Recommendations

  • Be aware of holiday spam and email scams and communicate the likely increase in malicious traffic to your end users. Also, consider investing in a trusted security awareness service to help educate your end users on these dangers.
  • Take advantage of new logging offered by Microsoft. As we discussed earlier in the report, Microsoft is offering some additional logging capabilities for cloud services. The extra visibility can help organizations keep an eye on their environments and is crucial to spotting anything out of the ordinary.
  • Apply Citrix NetScaler Patches and apply the proper mitigations if applicable to your organization.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organizations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.

Monthly Threat Report October 2023

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of September 2023.

Executive Summary

  • Email threats remained at an alarmingly high level throughout the data period, nearly unchanged from the previous month.
  • HTML file usage for delivery of malicious payloads is down, while PDF and archive usage is up. All common operating systems support these file types. Hence, attackers continue to arm them with malicious intent.
  • The Entertainment and Mining industries remain the two most targeted industries over the last 30 days.
  • There has been a notable increase in brand impersonation phishing emails over the data period, with marked increases for the Netflix, FedEx, DocuSign, and T-Mobile brands.
  • Microsoft continues to experience security incidents, which calls its security culture into question.
  • A critical vulnerability in the libwebp library that encodes and decodes WebP images has prompted many affected applications to rush out patches. We predict that threat actors will rush to capitalize on this.
  • We predict we will continue to see a trickle of information regarding the Storm-0558 breach due to US Government investigations. Recent reports highlight that threat actors managed to exfiltrate around 60,000 emails from 10 State Department accounts.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for September 2023 compared to August 2023.

Unwanted Emails by Category

The change in the amount of unwanted emails by category was nearly negligible for the data period. We saw a SLIGHT increase in the amount of threats and advanced threats but nothing noteworthy.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category: Description
Spam: These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat: These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat: Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected: Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File Types Used in Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

File Types Used in Attacks

Top File Types in Email Attacks

  • Archive and PDF usage is up
  • HTML file usage is down

This month saw an increase in the usage of PDF files to deliver malicious payloads. One common malicious payload we have seen via this method during the data period is the DarkGate Malware. We suspect several threat actors that were previously shipping Qakbot via malicious PDFs have shifted to the DarkGate Malware instead, and we now see more malicious PDF files.

If you would like to read more of our commentary on the results of last month’s disruption of the Qakbot botnet, please see the report from the previous month.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.
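The index calculation described above (and in the same section of the preceding report), as an added worked example that is not Hornetsecurity's code: each organization's threat share is computed as a percentage of its own mail volume, and the industry score is the median of those shares. The organization and industry figures below are constructed sample data, not the report's real numbers.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed sample data (not Hornetsecurity's real numbers): per-organization
# counts of threat emails and clean emails over one data period.
ORG_MAIL_COUNTS = [
    {"org": "org-a", "industry": "Research",      "threat": 10,  "clean": 990},
    {"org": "org-b", "industry": "Research",      "threat": 15,  "clean": 985},
    {"org": "org-c", "industry": "Research",      "threat": 200, "clean": 800},
    {"org": "org-d", "industry": "Mining",        "threat": 10,  "clean": 90},
    {"org": "org-e", "industry": "Mining",        "threat": 2,   "clean": 98},
    {"org": "org-f", "industry": "Mining",        "threat": 500, "clean": 49500},
    {"org": "org-g", "industry": "Entertainment", "threat": 0,   "clean": 0},
    {"org": "org-h", "industry": "Entertainment", "threat": 3,   "clean": 97},
    {"org": "org-i", "industry": "Manufacturing", "threat": 6,   "clean": 94},
    {"org": "org-j", "industry": "Manufacturing", "threat": 8,   "clean": 92},
]


def threat_share_percent(threat: int, clean: int):
    """Percent of an organization's mail that was classified as a threat.

    Using the share rather than the raw count removes the effect of
    organization size: org-f above receives by far the most threat emails
    in absolute terms but has the lowest share. Returns None when the
    organization had no mail at all, because it cannot be scored.
    """
    total = threat + clean
    if total == 0:
        return None
    return 100.0 * threat / total


def industry_threat_index(records):
    """Median per-organization threat share for each industry."""
    shares = defaultdict(list)
    for rec in records:
        share = threat_share_percent(rec["threat"], rec["clean"])
        if share is None:
            continue  # an org with no mail contributes nothing to its industry
        shares[rec["industry"]].append(share)
    return {industry: median(values) for industry, values in shares.items()}


def industry_mean_share(records):
    """Same aggregation with the mean instead of the median, for comparison.

    A single heavily targeted organization (org-c) drags the Research mean
    far above what the typical Research organization experiences; the
    median used by the index is not moved by that outlier.
    """
    shares = defaultdict(list)
    for rec in records:
        share = threat_share_percent(rec["threat"], rec["clean"])
        if share is not None:
            shares[rec["industry"]].append(share)
    return {industry: mean(values) for industry, values in shares.items()}


def ranked_industries(index):
    """Industries ordered from most to least targeted."""
    return sorted(index.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    index = industry_threat_index(ORG_MAIL_COUNTS)
    means = industry_mean_share(ORG_MAIL_COUNTS)
    for industry, score in ranked_industries(index):
        print(f"{industry:<14} median {score:5.2f}%   mean {means[industry]:5.2f}%")
```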

Industry Email Threat Index

Overall, we observed a slight net increase in threats across most industries during the defined data period for this report. This correlates with the slight increase in threats, as discussed earlier in the report.

The top targeted industries continue to be the entertainment and mining sectors – the same as last month. That said, there was a noticeable increase in email threats levied at the research and manufacturing verticals. This is a trend we will continue to watch in the coming days.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

We observed major increases in brand impersonation attempts throughout the data period of this report. While DHL remains the most impersonated brand by a large margin, Netflix, DocuSign, LinkedIn, FedEx, and T-Mobile all saw significant increases over the previous month.

Continued Impersonation of Shipping Organizations

As we have reported during the previous two months, it is common to see shipping organizations near the top of the impersonated list simply because package shipment is quite common in our post-COVID world. If attackers can land a phishing message about your “pending package delivery” in your inbox at the right moment, you have a greater chance of interacting with it.

Significant Increase in T-Mobile Brand Impersonation Attempts

One possible reason for the T-Mobile increase could be yet another potential data leak from the US telecom, in which an application “glitch” allowed users to see the account details of multiple accounts, not just their own. It is common to see threat actors use information from such situations.

Variations of DocuSign Impersonation Phishing Emails

Also worth noting when it comes to recent DocuSign phishing messages is that some threat actors have fallen back to simply embedding a link behind images in their brand impersonation emails, as shown below:

DocuSign Brand Impersonation Phishing URL Image

That said, we continue to see the traditional method of DocuSign brand impersonation, where the attacker uses HTML to piece together the phishing email more accurately:

DocuSign Brand Impersonation Phishing HTML

Also of note is a current DocuSign impersonation campaign specifically targeting the US Department of Veterans Affairs (VA). We have included a screenshot of this particular campaign in the image below:

DocuSign Brand Impersonation with VA Branding

Major Incidents and Industry Events

Microsoft Storm-0558 Breach Update

As discussed in our two previous iterations of this monthly report, we have some additional commentary on the Storm-0558 Breach. If you are unaware of the background of this particular attack, please see the section in last month’s threat review where we provided several key details behind the breach. The short version is that Chinese Nation-State threat actors procured a Microsoft consumer signing key and used it to forge authentication tokens to gain access to Microsoft cloud services.

What is new this month is that we now have some confirmed reports as to the extent of the damage. Previously, we only had communications from Microsoft that “approximately 25 organizations” had been impacted. We now have confirmation that 60 thousand emails from the US State Department had been exposed as a result of this breach. In addition, the attackers took a complete list of the department’s email addresses. This makes the targeting of future attacks much more effective for threat actors.

We likely have not seen the end of news about this breach, so we will continue to watch for updates in the coming weeks.

Another Microsoft Data Breach Involving 38 TBs of Data

It has been a bad couple of years for Microsoft on the security front, and it is not improving. Even after the Storm-0558 fiasco mentioned above, there is already a net new cybersecurity incident with Microsoft, this time involving 38 TBs of private data. To quote Microsoft:

Microsoft investigated and remediated an incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly permissive Shared Access Signature (SAS) token for an internal storage account.

The notice from Microsoft would have you believe said breach was quickly remediated and no damage done. While they claim this breach impacted no customers, it is worth noting that information regarding what was contained in the 38TB data trove is absent from Microsoft’s notice. Researchers from Wiz, who disclosed the breach to Microsoft, stated that the trove included the personal backups of two Microsoft employees and that said backup included:

The backup includes secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.

While, yes, customer data was likely not impacted, this is not a breach to be simply swept under the rug. All of the items contained within this breach will undoubtedly be used in other attacks, and it also provides some insight into the internal workings of Microsoft and its technology stack.
At the very least, it is another line item on a growing list of Microsoft security lapses in the past three years that continues to bring Microsoft’s commitment to ecosystem security into question.

Critical libwebp Vulnerability

One critical CVE that came to light during the data period that system admins and security professionals should be aware of is a vulnerability in the libwebp image encoding/decoding library. The vulnerability can be triggered via a specially crafted HTML page to cause a heap buffer overflow, allowing for arbitrary code execution or denial of service.

This CVE was originally tracked by Google as a Chrome-specific vulnerability, but it quickly became apparent that it was NOT a Chrome-only issue. The vulnerability is now being tracked as CVE-2023-4863 with a CVSS score of 8.8, and the range of impacted applications is quite large. The list below includes just some of the applications that have been listed as vulnerable:

  • Chrome
  • Firefox
  • Microsoft Edge
  • Skype
  • Electron-Based Apps (Like Microsoft Teams)
  • Signal
  • 1Password
  • Brave
  • Opera

It is also worth noting that some in the security space see a potential link between this vulnerability and an iOS vulnerability reported to Apple by security researchers at Citizen Lab and tracked as CVE-2023-41064. It is believed that the NSO Group used this vulnerability in its Pegasus spyware as part of an exploit chain called “BLASTPASS”.
The recommendation is to patch all affected software quickly.

Predictions for the Coming Months

It remains to be seen what malicious application will ultimately fill the void left by last month’s disruption of the Qakbot botnet. We expect to see several different malware variants in the coming days. Still, as of now, DarkGate is looking like a potential option for threat actors. We will continue to monitor this in future reports.

We predict that the fallout from the Storm-0558 breach will continue for some time. While we heard numbers from the US State Department this month, more details will likely come to light in the coming days. This will be primarily driven by the ongoing DHS Cyber Safety Review Board investigation into the incident and US government consumption of cloud services in general. The result may be more information and new government policies on the usage of cloud services.

Finally, we also predict that threat actors will seek to capitalize on the libwebp vulnerability that was disclosed over the last month. Given how far-reaching this vulnerability is, it will take the industry time to roll out patches. There will likely be successful exploitation of this vulnerability in the wild before we see the end of it.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Andy Syrewicze, Security Evangelist, on further Microsoft Security Incidents:

There was a time when I couldn’t see Microsoft being the source of so many data incidents, but the last 3 years are proof that it was an unrealistic expectation. It’s no secret that when you’re a major cloud vendor, you become a target. However, the whole business model of the Microsoft Cloud is built around trust, and that trust is failing at this moment for many in the industry. With as crucial as Microsoft Cloud Services are to the general public, I don’t think there has ever been a time where the expertise of independent, third-party security vendors has been needed more. In light of all the recent breaches, Microsoft needs to win trust back, and they’re going to have to be open, transparent, and work with the vendor community in order to do so.

From Umut Alemdar, Head of Security Lab, on zero-day vulnerabilities in 2023:

The cybersecurity state in September 2023 is alarming, with the number of reported zero-day vulnerabilities increasing significantly from around 52 in 2022 to approx. 77 so far in 2023. One of the most critical zero-day vulnerabilities discovered in 2023 is CVE-2023-5129, a heap buffer overflow in the libwebp image library. This vulnerability is being actively exploited in the wild and allows attackers to execute arbitrary code on victim systems. Businesses should invest in cybersecurity measures to protect themselves from the increasing threat of zero-day vulnerabilities. By implementing a comprehensive cybersecurity strategy and regularly training employees on cybersecurity best practices, businesses can help mitigate the risk of being attacked. But remember, even with preventive measures, some zero-day vulnerabilities can still be exploited. Event logging and business recovery measures, such as backups for critical systems, are critical for detecting, investigating, and recovering from zero-day attacks.

Monthly Recommendations

  • Urgently get patches installed for applications in your environment that are affected by the libwebp vulnerability. The best place to start is to ensure web browser updates are handled first.
  • With the increase in brand impersonation attempts and cleverly disguised phishing messages, it is an excellent time to review your email security posture as well as your internal practices for security awareness training. These services will go a long way towards preventing end-users from falling prey to this noted increase.
  • Specifically, if you use DocuSign internally, ensure you communicate the best methods for spotting DocuSign phishing emails to those in your organization who are most likely to encounter them.