Monthly Threat Report October 2023

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of September 2023.

Executive Summary

  • Email threats remained nearly the same as the previous month throughout the data period at an alarming level.
  • HTML file usage for delivery of malicious payloads is down, while PDF and archive usage is up. Because every common operating system can open these file types, attackers continue to weaponize them.
  • The Entertainment and Mining industries remain the two most targeted industries over the last 30 days.
  • There has been a notable increase in brand impersonation phishing emails over the data period, with marked increases for the Netflix, FedEx, DocuSign, and T-Mobile brands.
  • Microsoft continues to experience security incidents, which calls its security culture into question.
  • A critical vulnerability in the libwebp library that encodes and decodes WebP images has prompted many affected applications to rush out patches. We predict that threat actors will rush to capitalize on this.
  • We predict we will continue to see a trickle of information regarding the Storm-0558 breach due to US Government investigations. Recent reports highlight that threat actors managed to exfiltrate around 60,000 emails from 10 State Department accounts.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for September 2023 compared to August 2023.

Unwanted Emails by Category

The change in the amount of unwanted emails by category was nearly negligible for the data period. We saw a SLIGHT increase in the amount of threats and advanced threats but nothing noteworthy.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Spam: These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat: These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat: Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected: Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File Types Used in Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

File Types Used in Attacks

Top File Types in Email Attacks

  • Archive and PDF usage is up
  • HTML file usage is down

This month saw an increase in the use of PDF files to deliver malicious payloads. One common payload delivered this way during the data period is the DarkGate malware. We suspect that several threat actors who previously shipped Qakbot via malicious PDFs have switched to DarkGate, which would account for the rise in malicious PDF files.

If you would like to read more of our commentary on the results of last month’s disruption of the Qakbot botnet, please see the report from the previous month.

Industry Email Threat Index

The following table shows our Industry Email Threat Index, which is calculated from the share of threat emails relative to clean emails for each industry, taken as a median. Different organizations receive very different absolute numbers of emails, so for each organization we first calculate the percentage of threat emails among its threat and clean emails combined. We then take the median of these percentages across all organizations in the same industry to form that industry’s threat score.

Industry Email Threat Index

Overall, we observed a slight net increase in threats across most industries during the defined data period for this report. This correlates with the slight increase in threats, as discussed earlier in the report.

The top targeted industries continue to be the entertainment and mining sectors – the same as last month. That said, there was a noticeable increase in email threats levied at the research and manufacturing verticals. This is a trend we will continue to watch in the coming days.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

We observed major increases in brand impersonation attempts throughout the data period of this report. While DHL remains the most impersonated brand by a large margin, Netflix, DocuSign, LinkedIn, FedEx, and T-Mobile all saw significant increases over the previous month.

Continued Impersonation of Shipping Organizations

As we have reported during the previous two months, it is common to see shipping organizations near the top of the impersonated list simply because package shipment is quite common in our post-COVID world. If attackers can land a phishing message about your “pending package delivery” in your inbox at the right moment, you have a greater chance of interacting with it.

Significant Increase in T-Mobile Brand Impersonation Attempts

One possible explanation for the T-Mobile increase is yet another potential data leak at the US telecom, in which an application “glitch” let users see the account details of other customers rather than only their own. Threat actors commonly exploit the publicity around incidents like this to lend their lures credibility.

Variations of DocuSign Impersonation Phishing Emails

Also worth noting when it comes to recent DocuSign phishing messages is that some threat actors have fallen back to simply embedding a link behind images in their brand impersonation emails, as shown below:

DocuSign Brand Impersonation Phishing URL Image

That said, we continue to see the traditional form of DocuSign brand impersonation, in which the attacker uses HTML to reproduce the legitimate email more accurately:

DocuSign Brand Impersonation Phishing HTML

Also of note is a current DocuSign impersonation campaign specifically targeting the US Department of Veterans Affairs (VA). A screenshot of this particular phishing email is shown below:

DocuSign Brand Impersonation with VA Branding

Major Incidents and Industry Events

Microsoft Storm-0558 Breach Update

As discussed in our two previous iterations of this monthly report, we have some additional commentary on the Storm-0558 breach. If you are unaware of the background of this particular attack, please see the section in last month’s threat review where we provided several key details behind the breach. The short version is that Chinese nation-state threat actors obtained a Microsoft consumer signing key and used it to forge authentication tokens, gaining access to Microsoft cloud services.

What is new this month is that we now have some confirmed reports as to the extent of the damage. Previously, we only had communications from Microsoft that “approximately 25 organizations” had been impacted. We now have confirmation that 60,000 emails from the US State Department were exposed as a result of this breach. In addition, the attackers took a complete list of the department’s email addresses, which makes targeting future attacks much more effective for threat actors.

We likely have not seen the end of news about this breach, so we will continue to watch for updates in the coming weeks.
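The forgery at the heart of Storm-0558 is easier to reason about with a concrete validator. The following is an added example, not Microsoft’s code, using HS256 for brevity where real identity providers use asymmetric keys; the issuer URLs, audiences, key IDs and key material are invented. It shows the flaw Microsoft’s July 14 analysis described (a validator that accepts a consumer signing key for enterprise tokens) next to a validator that binds each key to the issuer it serves.

```python
"""Why a signing key must be bound to the issuer it serves.

Added example, not Microsoft's code. HS256 is used so the block runs with the
standard library only; real identity providers use asymmetric keys. Keys,
issuers, audiences and key IDs below are invented.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, kid: str, key: bytes) -> str:
    """Mint a compact JWS with the given key ID in the header."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


# Hypothetical key material: one key for the consumer identity service and one
# for the enterprise service. In the real incident it was the consumer key that leaked.
CONSUMER_KEY = b"consumer-signing-key-leaked-via-crash-dump"
ENTERPRISE_KEY = b"enterprise-signing-key-still-secret"
CONSUMER_ISS = "https://login.live.example"
ENTERPRISE_ISS = "https://login.corp.example"

# Naive key store: kid -> key, with no record of which issuer each key belongs to.
KEYS_BY_KID = {"consumer-2021": CONSUMER_KEY, "enterprise-2023": ENTERPRISE_KEY}
# Scoped key store: (issuer, kid) -> key.
KEYS_BY_ISSUER = {
    (CONSUMER_ISS, "consumer-2021"): CONSUMER_KEY,
    (ENTERPRISE_ISS, "enterprise-2023"): ENTERPRISE_KEY,
}


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s), f"{h}.{p}"


def _sig_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_naive(token: str, expected_aud: str):
    """Flawed: any known kid is trusted, regardless of the issuer the key serves."""
    header, claims, sig, signing_input = _split(token)
    key = KEYS_BY_KID.get(header.get("kid"))
    if key is None or not _sig_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != expected_aud or claims.get("exp", 0) < time.time():
        return None
    return claims


def verify_scoped(token: str, expected_iss: str, expected_aud: str):
    """Correct: the key is looked up by (issuer, kid), so a consumer key can
    never validate a token that claims to come from the enterprise issuer."""
    header, claims, sig, signing_input = _split(token)
    if header.get("alg") != "HS256" or claims.get("iss") != expected_iss:
        return None
    key = KEYS_BY_ISSUER.get((expected_iss, header.get("kid")))
    if key is None or not _sig_ok(key, signing_input, sig):
        return None
    if claims.get("aud") != expected_aud or claims.get("exp", 0) < time.time():
        return None
    return claims


def forge_enterprise_token() -> str:
    """What an attacker holding the leaked consumer key can do: mint a token
    that claims the enterprise issuer and an enterprise audience."""
    claims = {"iss": ENTERPRISE_ISS, "aud": "exchange-online",
              "sub": "victim@corp.example", "exp": int(time.time()) + 3600}
    return sign_jwt(claims, "consumer-2021", CONSUMER_KEY)


def mint_enterprise_token(sub: str = "alice@corp.example") -> str:
    """A legitimately issued enterprise token, for comparison."""
    claims = {"iss": ENTERPRISE_ISS, "aud": "exchange-online",
              "sub": sub, "exp": int(time.time()) + 3600}
    return sign_jwt(claims, "enterprise-2023", ENTERPRISE_KEY)


if __name__ == "__main__":
    forged = forge_enterprise_token()
    print("naive validator accepts forgery:", verify_naive(forged, "exchange-online") is not None)
    print("scoped validator accepts forgery:", verify_scoped(forged, ENTERPRISE_ISS, "exchange-online") is not None)
```

The difference between the two validators is one dictionary key: once the verification key is selected by (issuer, kid) rather than kid alone, a key that only ever signed consumer tokens cannot vouch for an enterprise claim, whatever the header says.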

Another Microsoft Data Breach Involving 38 TBs of Data

It has been a bad couple of years for Microsoft on the security front, and it is not improving. Even after the Storm-0558 fiasco discussed above, there is already a new cybersecurity incident at Microsoft, this time involving 38 TB of private data. To quote Microsoft:

Microsoft investigated and remediated an incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly permissive Shared Access Signature (SAS) token for an internal storage account.

The notice from Microsoft would have you believe the breach was quickly remediated and no damage done. While Microsoft claims no customer data was impacted, it is worth noting that its notice says nothing about what the 38 TB actually contained. Researchers from Wiz, who disclosed the exposure to Microsoft, stated that the data included the personal backups of two Microsoft employees, and that those backups contained:

The backup includes secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.

While, yes, customer data was likely not impacted, this is not a breach to be simply swept under the rug. All of the items contained within this breach will undoubtedly be used in other attacks, and it also provides some insight into the internal workings of Microsoft and its technology stack.
At the very least, it is another line item on a growing list of Microsoft security lapses in the past three years that continues to bring Microsoft’s commitment to ecosystem security into question.
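The failure Microsoft describes above, an overly permissive SAS token committed to a public repository, is the kind of thing a pre-commit hook or repository scan can catch before it ships. The following is an added example, not Microsoft’s or Hornetsecurity’s code: it parses the documented SAS query parameters (sp, sr, ss, se, sip, sig) and flags grants that a read-only sharing link should not carry. The storage account name, container, URLs and signature values are constructed; the permissive sample follows the pattern Wiz reported (full permissions, broad scope, expiry decades out) but is not the actual token.

```python
"""Audit Azure Storage Shared Access Signature (SAS) URLs for over-permissive grants.

Added example, not Microsoft's or Hornetsecurity's code. The URLs below are
constructed for illustration; the 'sig' values are dummies, not valid signatures.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Documented SAS query parameters (Azure Storage REST API):
#   sv = service version, sr = signed resource (b = blob, c = container),
#   ss = signed services (account SAS), sp = permissions, st / se = start / expiry,
#   sip = allowed source IP range, sig = HMAC signature.
PERMISSION_NAMES = {
    "r": "read", "a": "add", "c": "create", "w": "write", "d": "delete",
    "l": "list", "x": "delete version", "t": "tag", "m": "move", "e": "execute",
    "o": "ownership", "p": "permissions", "i": "set immutability policy",
}
# Anything that can modify or destroy data; 'l' (list) is treated separately.
WRITE_CLASS = set("acwdxmopi")

# Fixed reference time so the audit is reproducible (constructed).
REFERENCE_NOW = datetime(2023, 9, 18, tzinfo=timezone.utc)

# Constructed sample URLs (hypothetical account 'example').
OVERLY_PERMISSIVE_URL = (
    "https://example.blob.core.windows.net/research"
    "?sv=2021-06-08&sr=c&sp=racwdl&se=2051-10-06T00:00:00Z&sig=DUMMYSIGNATURE"
)
TIGHT_URL = (
    "https://example.blob.core.windows.net/research/report.pdf"
    "?sv=2021-06-08&sr=b&sp=r&se=2023-09-20T00:00:00Z&sip=203.0.113.10&sig=DUMMYSIGNATURE"
)


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_time(value: str) -> datetime:
    """SAS times are ISO 8601 UTC; seconds and time-of-day are optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%dZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value}")


def audit_sas(url: str, now: datetime = None, max_lifetime_days: int = 7) -> list:
    """Return a list of findings; an empty list means the token looks acceptable
    for a read-only share (single blob, read only, short lived, IP restricted)."""
    now = now or datetime.now(timezone.utc)
    params = parse_sas(url)
    findings = []
    if "sig" not in params:
        return ["no signature: not a SAS URL"]

    perms = set(params.get("sp", ""))
    if perms & WRITE_CLASS:
        names = ", ".join(PERMISSION_NAMES.get(p, p) for p in sorted(perms & WRITE_CLASS))
        findings.append(f"grants non-read permissions ({names})")
    if "l" in perms:
        findings.append("grants list: anyone with the URL can enumerate every blob in scope")

    if "ss" in params:
        findings.append(f"account-level SAS covering services '{params['ss']}'")
    elif params.get("sr") == "c":
        findings.append("scoped to a whole container rather than a single blob")

    if "se" in params:
        expiry = parse_time(params["se"])
        if expiry < now:
            findings.append("expired")
        elif expiry - now > timedelta(days=max_lifetime_days):
            findings.append(f"expiry {expiry.date()} is more than {max_lifetime_days} days out")
    else:
        findings.append("no expiry")

    if "sip" not in params:
        findings.append("no source IP restriction (sip)")
    return findings


if __name__ == "__main__":
    for url in (OVERLY_PERMISSIVE_URL, TIGHT_URL):
        print(url.split("?")[0])
        for finding in audit_sas(url, now=REFERENCE_NOW) or ["ok"]:
            print("  -", finding)
```

Run over a repository’s history (for example, every line matching `sig=` in `git log -p` output), this catches the class of mistake in Microsoft’s notice regardless of what the signature itself is, because the damage is entirely in the plaintext parameters that precede it.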

Critical libwebp Vulnerability

One critical CVE that came to light during the data period, and that system admins and security professionals should be aware of, is a vulnerability in the libwebp image encoding/decoding library. A specially crafted WebP image (in the browser case, served from a malicious web page) triggers a heap buffer overflow in the decoder, which can lead to arbitrary code execution or denial of service.

This CVE was originally tracked by Google as a Chrome-specific vulnerability, but it quickly became apparent that it was NOT a Chrome-only issue. It is now tracked as CVE-2023-4863 with a CVSS score of 8.8, and the list of affected applications is long. The fix landed in libwebp 1.3.2, which hardens the Huffman table construction in the lossless (VP8L) decoder. An important caveat for patching: most applications bundle their own statically linked copy of libwebp, so updating the operating system’s libwebp package does not fix them; each vendor has to ship a rebuilt binary. The list below includes just some of the applications reported as vulnerable:

  • Chrome
  • Firefox
  • Microsoft Edge
  • Skype
  • Electron-Based Apps (Like Microsoft Teams)
  • Signal
  • 1Password
  • Brave
  • Opera

It is also worth noting that some in the security community see a potential link between this vulnerability and an iOS vulnerability reported to Apple by Citizen Lab and tracked as CVE-2023-41064. NSO Group is believed to have used that vulnerability to deliver its Pegasus spyware as part of the exploit chain Citizen Lab named “BLASTPASS”.
The recommendation is to patch all affected software quickly.
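For a mail-security pipeline, the practical question while vendor patches roll out is which attachments even reach a WebP decoder. The following added example (not Hornetsecurity’s filter code) sniffs the RIFF/WEBP container regardless of file extension and reports whether the image uses the lossless (VP8L) bitstream, including lossless frames inside animations and lossless-compressed alpha planes, because the CVE-2023-4863 fix in libwebp 1.3.2 is in the lossless decoder’s Huffman table construction. It is a triage heuristic, not an exploit detector: a flagged file is one that exercises the patched code path, nothing more. The sample byte strings are constructed by hand.

```python
"""Triage helper: identify WebP attachments and whether they use the lossless
(VP8L) bitstream, the decoder path patched in libwebp 1.3.2 for CVE-2023-4863.

Added example, not Hornetsecurity's filter logic. It classifies files only; it
does not detect exploitation. The sample byte strings are constructed by hand
from the WebP container layout (RIFF header, then FourCC-tagged chunks).
"""
import struct


def _chunks(data: bytes, offset: int):
    """Yield (fourcc, payload) for RIFF chunks starting at offset.
    Chunk payloads are padded to an even length; a short final chunk is yielded
    truncated rather than raising, so damaged files still get classified."""
    while offset + 8 <= len(data):
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        yield fourcc, data[offset + 8:offset + 8 + size]
        offset += 8 + size + (size & 1)


def classify_webp(data: bytes):
    """Return None if the bytes are not a WebP file, else a dict describing
    the container: format, whether any lossless data is present, animation,
    truncation, and the chunk names seen (nested as 'ANMF/VP8L')."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_size = struct.unpack_from("<I", data, 4)[0]
    info = {"format": None, "lossless": False, "animated": False,
            "truncated": riff_size + 8 > len(data), "chunks": []}
    for fourcc, payload in _chunks(data, 12):
        name = fourcc.decode("ascii", "replace")
        info["chunks"].append(name)
        if fourcc == b"VP8 ":
            info["format"] = info["format"] or "lossy"
        elif fourcc == b"VP8L":
            info["format"] = info["format"] or "lossless"
            info["lossless"] = True
        elif fourcc == b"VP8X":
            # Extended format. Flags byte: bit 1 = Animation.
            info["format"] = "extended"
            if payload and payload[0] & 0x02:
                info["animated"] = True
        elif fourcc == b"ALPH":
            # Alpha plane header byte: low two bits = compression method,
            # 1 means the alpha plane is VP8L (lossless) compressed.
            if payload and (payload[0] & 0x03) == 1:
                info["lossless"] = True
                info["chunks"].append("ALPH/lossless")
        elif fourcc == b"ANMF":
            # Animation frame: 16-byte frame header, then the frame's own chunks.
            for sub, sub_payload in _chunks(payload, 16):
                info["chunks"].append(name + "/" + sub.decode("ascii", "replace"))
                if sub == b"VP8L":
                    info["lossless"] = True
                elif sub == b"ALPH" and sub_payload and (sub_payload[0] & 0x03) == 1:
                    info["lossless"] = True
    return info


def triage(data: bytes) -> str:
    """One-word verdict suitable for a quarantine rule."""
    info = classify_webp(data)
    if info is None:
        return "not-webp"
    if info["truncated"]:
        return "webp-truncated"
    return "webp-lossless" if info["lossless"] else "webp-" + (info["format"] or "unknown")


def _webp(chunks) -> bytes:
    """Build a syntactically valid WebP container from (fourcc, payload) pairs (constructed)."""
    body = b"".join(
        fourcc + struct.pack("<I", len(p)) + p + (b"\0" if len(p) & 1 else b"")
        for fourcc, p in chunks
    )
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body


# Constructed samples: headers only, no real image data.
SAMPLE_LOSSY = _webp([(b"VP8 ", bytes(10))])
SAMPLE_LOSSLESS = _webp([(b"VP8L", b"\x2f" + bytes(9))])          # 0x2f = VP8L signature byte
SAMPLE_ANIMATED = _webp([
    (b"VP8X", b"\x02" + bytes(9)),                                  # Animation flag set
    (b"ANMF", bytes(16) + b"VP8L" + struct.pack("<I", 4) + b"\x2f\0\0\0"),
])
SAMPLE_LOSSY_WITH_LOSSLESS_ALPHA = _webp([
    (b"VP8X", b"\x10" + bytes(9)),                                  # Alpha flag set
    (b"ALPH", b"\x01" + bytes(3)),                                  # compression method 1
    (b"VP8 ", bytes(10)),
])
NOT_WEBP = b"\x89PNG\r\n\x1a\n" + bytes(8)

if __name__ == "__main__":
    for label, sample in [("lossy", SAMPLE_LOSSY), ("lossless", SAMPLE_LOSSLESS),
                          ("animated", SAMPLE_ANIMATED), ("png", NOT_WEBP)]:
        print(f"{label:10s} -> {triage(sample)}")
```

The point of sniffing the container rather than trusting the extension is that an attachment named `invoice.pdf.jpg` or embedded in an HTML body still reaches whatever image decoder the client uses; the classifier looks only at bytes. Animated and alpha cases matter because a “lossy” WebP can still carry lossless sub-streams that go through the same patched code.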

Predictions for the Coming Months

It remains to be seen what malicious application will ultimately fill the void left by last month’s disruption of the Qakbot botnet. We expect to see several different malware variants in the coming days. Still, as of now, DarkGate is looking like a potential option for threat-actors. We will continue to monitor this in future reports.

We predict that the fallout from the Storm-0558 breach will continue for some time. While we heard numbers from the US State Department this month, more details will likely come to light in the coming days. This will be primarily driven by the ongoing DHS Cyber Safety Review Board investigation into the incident and US government consumption of cloud services in general. The result may be more information and new government policies on the usage of cloud services.

Finally, we also predict that threat actors will seek to capitalize on the libwebp vulnerability disclosed over the last month. Given how far this vulnerability reaches, it will take the industry time to roll out patches, and successful in-the-wild exploitation is likely before this is over.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Andy Syrewicze, Security Evangelist, on further Microsoft Security Incidents:

There was a time when I couldn’t see Microsoft being the source of so many data incidents, but the last 3 years are proof that it was an unrealistic expectation. It’s no secret that when you’re a major cloud vendor, you become a target. However, the whole business model of the Microsoft Cloud is built around trust, and that trust is failing at this moment for many in the industry. With as crucial as Microsoft Cloud Services are to the general public, I don’t think there has ever been a time where the expertise of independent, third-party security vendors has been needed more. In light of all the recent breaches, Microsoft needs to win trust back, and they’re going to have to be open, transparent, and work with the vendor community in order to do so.

From Umut Alemdar, Head of Security Lab, on zero-day vulnerabilities in 2023:

The cybersecurity state in September 2023 is alarming, with the number of reported zero-day vulnerabilities increasing significantly from around 52 in 2022 to approx. 77 so far in 2023. One of the most critical zero-day vulnerabilities discovered in 2023 is CVE-2023-5129, a heap buffer overflow in the libwebp image library. This vulnerability is being actively exploited in the wild and allows attackers to execute arbitrary code on victim systems. Businesses should invest in cybersecurity measures to protect themselves from the increasing threat of zero-day vulnerabilities. By implementing a comprehensive cybersecurity strategy and regularly training employees on cybersecurity best practices, businesses can help mitigate the risk of being attacked. But remember, even with preventive measures, some zero-day vulnerabilities can still be exploited. Event logging and business recovery measures, such as backups for critical systems, are critical for detecting, investigating, and recovering from zero-day attacks.

Monthly Recommendations

  • Urgently install patches for applications in your environment that are affected by the libwebp vulnerability. Start with web browsers, then work through the other applications that bundle libwebp (Electron-based apps, chat clients, password managers), checking each vendor’s release notes for a libwebp 1.3.2 or CVE-2023-4863 fix rather than assuming an operating system package update covers them.
  • With the increase in brand impersonation attempts and cleverly disguised phishing messages, it is an excellent time to review your email security posture as well as your internal practices for security awareness training. These services will go a long way towards preventing end-users from falling prey to this noted increase.
  • Specifically, if you use DocuSign internally, ensure you communicate the best methods for spotting DocuSign phishing emails to those in your organization who are most likely to encounter them.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organizations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.

Monthly Threat Report September 2023: The Demise of Qakbot?

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of August.

Executive Summary

  • Our data shows that there was a slight decrease in threats for this report’s data period.
  • HTML files continue to be the most common file type used to deliver malicious payloads. This was correlated with a continued decrease in the use of malicious PDF and archive files, likely due to the disruption of Qakbot.
  • The entertainment and mining verticals were the most targeted industries over the past month.
  • DHL continues to be the most impersonated brand in phishing attacks, with noted increases in Netflix, Mastercard, and others.
  • The FBI’s disruption of the Qakbot botnet will cause associated threat actors to use other botnets on the dark web.
  • Microsoft has yet to release more details regarding the Storm-0558 breach, and the US Government has taken steps to investigate the situation.
  • A French government agency and a software vendor in the gaming space both had breaches that accounted for the PII of roughly 14 million individuals being stolen by threat actors.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for August 2023 compared to July 2023. 

Unwanted Emails By Category

This month saw a negligible decrease in messages in the “Threat” and “AdvThreat” categories compared with July’s data, with a correspondingly slight increase in the share of “Rejected” emails for this data period.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity. 

Other categories in the image are described in the table below: 

Spam: These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat: These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat: Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected: Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
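The “Rejected” category described in this table, and in the identical note in the October report above, is a decision taken inside the SMTP dialog itself rather than after content inspection. The following added example (not Hornetsecurity’s gateway code) models that: a minimal server-side policy that answers with a 554 greeting when the connecting IP has a bad reputation, refuses with a 550 at MAIL FROM when the sender identity is known to be compromised, and only lets mail that passes both checks reach the DATA stage where spam and threat analysis would run. The IP ranges, domains and addresses are constructed.

```python
"""Model of the 'Rejected' category: a mail gateway that refuses delivery during
the SMTP dialog on reputation alone, before any message content is inspected.

Added example, not Hornetsecurity's gateway. The reputation data, client IPs
and addresses are constructed; a real gateway would consult DNS blocklists and
its own telemetry, but the decision points in the dialog are the same.
"""
import ipaddress

# Constructed reputation data.
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
COMPROMISED_SENDERS = {"billing@example.org"}
BLOCKED_DOMAINS = {"spammy.example"}


def run_dialog(client_ip: str, commands):
    """Play the server side of an SMTP session against a list of client lines.
    Returns (outcome, transcript); outcome is one of
    'rejected-at-connect', 'rejected-at-mail-from', 'accepted-for-analysis',
    'closed' or 'incomplete'."""
    ip = ipaddress.ip_address(client_ip)
    transcript = []

    def reply(line: str):
        transcript.append("S: " + line)

    # Decision 1: IP reputation, before the client can say anything.
    # RFC 5321 allows a 554 greeting; the client never gets to send a message.
    if any(ip in net for net in BLOCKED_NETWORKS):
        reply("554 5.7.1 Service unavailable; client host blocked by IP reputation")
        return "rejected-at-connect", transcript

    reply("220 mx.example.net ESMTP")
    sender, recipients, in_data = None, [], False
    for cmd in commands:
        transcript.append("C: " + cmd)
        if in_data:
            if cmd == ".":
                # Only here would spam / Threat / AdvThreat content analysis run.
                reply("250 2.0.0 Accepted for content analysis")
                return "accepted-for-analysis", transcript
            continue
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            reply("250 mx.example.net")
        elif verb == "MAIL":
            # Decision 2: sender identity reputation at MAIL FROM.
            sender = arg.split(":", 1)[1].strip("<> ").lower()
            domain = sender.rsplit("@", 1)[-1]
            if sender in COMPROMISED_SENDERS or domain in BLOCKED_DOMAINS:
                reply("550 5.7.1 Sender rejected by reputation")
                return "rejected-at-mail-from", transcript
            reply("250 2.1.0 Sender ok")
        elif verb == "RCPT":
            recipients.append(arg.split(":", 1)[1].strip("<> "))
            reply("250 2.1.5 Recipient ok")
        elif verb == "DATA":
            if not sender or not recipients:
                reply("503 5.5.1 Bad sequence of commands")
                continue
            in_data = True
            reply("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            reply("221 2.0.0 Bye")
            return "closed", transcript
        else:
            reply("502 5.5.2 Command not implemented")
    return "incomplete", transcript


# Constructed client sessions.
SESSION_BLOCKED_IP = ("198.51.100.7", ["EHLO mail.bad.example"])
SESSION_BLOCKED_SENDER = ("203.0.113.5", [
    "EHLO mail.spammy.example", "MAIL FROM:<news@spammy.example>", "RCPT TO:<user@example.net>",
])
SESSION_CLEAN = ("203.0.113.5", [
    "EHLO mail.partner.example", "MAIL FROM:<alice@partner.example>",
    "RCPT TO:<bob@example.net>", "DATA", "Subject: hello", "", "body text", ".",
])

if __name__ == "__main__":
    for ip, cmds in (SESSION_BLOCKED_IP, SESSION_BLOCKED_SENDER, SESSION_CLEAN):
        outcome, lines = run_dialog(ip, cmds)
        print(outcome)
        print("\n".join("  " + l for l in lines))
```

The two rejection points cost the gateway almost nothing (no message body is ever transferred), which is why reputation-based rejection dominates the category totals in the tables above; it also means a rejected message leaves no content for later forensics, only the connection metadata.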

File Types Used in Attacks

The following table shows the distribution of file types used in email attacks throughout the data period. 

Top File Types in Email Attacks

HTML file usage continued to trend upward from previous months, while there was a significant reduction in malicious PDF and archive files. This can likely be attributed to the disruption of the Qakbot botnet by the FBI, because Qakbot frequently used PDFs as a means to infect new machines.

We continue to see a decrease in the use of Excel and Word documents to deliver payloads, alongside a slight increase in executable files. We continue to attribute the low usage of Office documents for payload delivery to Microsoft’s decision to disable macros in Office applications by default, which is a positive change for the industry.

Industry Email Threat Index

The following table shows our Industry Email Threat Index, which is calculated from the share of threat emails relative to clean emails for each industry, taken as a median. Different organizations receive very different absolute numbers of emails, so for each organization we first calculate the percentage of threat emails among its threat and clean emails combined. We then take the median of these percentages across all organizations in the same industry to form that industry’s threat score.

Industry Email Threat Index

In a “reverse course” from the findings in our last report at the beginning of August, we saw a net decrease in the email threat index across all industry verticals during the month of August. This means fewer threats were targeted at businesses via email than the previous month. While we don’t see a specific reason behind this trend, it’s likely just a result of the usual ebb-and-flow of email-based threats throughout the summer months.

Regarding the top targeted industry, the entertainment sector remains in the number one spot from last month, with the mining industry taking second place. The research industry, whose threat index dropped substantially compared with the previous report, now sits in third place for the data period.
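The index calculation described in this section (the October report above uses the same method) as an added example with constructed figures, not Hornetsecurity’s data or code: each organization’s threat share is computed first, and the industry score is the median of those shares. A pooled variant is included to show why the median is used rather than simply adding up each industry’s mail: pooling lets the organization with the most mail dominate its industry’s score.

```python
"""Industry Email Threat Index, computed the way the report describes:
per organisation, threats / (threats + clean) as a percentage; per industry,
the median of those percentages.

Added example with constructed figures. The organisations and counts are
invented, not Hornetsecurity data.
"""
from collections import defaultdict
from statistics import median

# (industry, organisation, threat_emails, clean_emails), constructed sample.
# org-c receives far more mail than its peers; its share is deliberately high
# so the difference between median and pooled scoring is visible.
SAMPLE_ORGS = [
    ("Mining", "org-a", 120, 2_880),
    ("Mining", "org-b", 9, 291),
    ("Mining", "org-c", 4_000, 36_000),
    ("Research", "org-d", 30, 1_970),
    ("Research", "org-e", 0, 500),
    ("Entertainment", "org-f", 55, 945),
]


def threat_share(threat: int, clean: int) -> float:
    """Percentage of an organisation's mail that was a threat."""
    total = threat + clean
    return 0.0 if total == 0 else 100.0 * threat / total


def industry_threat_index(rows) -> dict:
    """The report's method: median of per-organisation shares within each industry."""
    shares = defaultdict(list)
    for industry, _, threat, clean in rows:
        shares[industry].append(threat_share(threat, clean))
    return {industry: round(median(values), 2) for industry, values in shares.items()}


def pooled_threat_index(rows) -> dict:
    """What the index would be if each industry's mail were simply pooled.
    The largest organisation dominates, which is the bias the median avoids."""
    threats, totals = defaultdict(int), defaultdict(int)
    for industry, _, threat, clean in rows:
        threats[industry] += threat
        totals[industry] += threat + clean
    return {industry: round(100.0 * threats[industry] / totals[industry], 2) for industry in totals}


def ranked(index: dict) -> list:
    """Industries ordered from most to least targeted."""
    return sorted(index.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("median-based:", ranked(industry_threat_index(SAMPLE_ORGS)))
    print("pooled      :", ranked(pooled_threat_index(SAMPLE_ORGS)))
```

With these figures the median-based index puts Mining at 4.0 (the typical Mining organisation), whereas pooling puts it above 9.5 because one large organisation supplies almost all of the industry’s mail. An organisation with zero threats still contributes a share of 0, which pulls its industry’s median down; that is intended, since it is a real observation about that industry.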

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

While there have been some changes this month compared with the previous data set, the top category areas for brand impersonation attacks remain roughly the same. Shipping companies, social media, and finance all continue to be popular brands for impersonation. This makes sense, given the value we place on these services as a society. Shipping is still increasing, social media continues to see heavy use, and finance will ALWAYS be a target area for threat actors. 

That said, despite seeing a considerable reduction in DHL impersonation attempts during August, it remains the most impersonated brand BY FAR. Mastercard, Netflix, 1&1, Strato, and Santander all saw increases in brand impersonation attempts over the last month. Of particular note is a specific phishing attempt involving Netflix brand impersonation. The target is warned that their account has expired and that they should take action to extend their service “for free” for 90 days. Risk indicators for this attack are commonly the sender’s address (a Gmail address in the example below), and the associated link sends the user to a TinyURL address. 

Netflix Brand Impersonation

Major Incidents and Industry Events

As usual, there are several cybersecurity-related news items to discuss in this month’s report. 

The Disruption of Qakbot 

The most notable event to discuss is the FBI’s disruption of the Qakbot botnet. To quote the US Department of Justice announcement:

The action represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.

For those who have followed Qakbot throughout its history, this really comes as no surprise. The FBI identified as many as 700,000 machines as having been infected by the Qakbot malware. The FBI was then able to turn Qakbot’s own infrastructure against it: by redirecting the botnet’s traffic to servers under its control, it pushed an uninstall command to infected machines as part of the operation. Additionally, roughly 9 million USD in cryptocurrency was seized.

To say this sounds like a resounding success would be an understatement. Qakbot is a botnet that threat actors have been using for years to launch attacks on various industry verticals and critical infrastructure, and it’s a botnet that we’ve kept a close eye on here at Hornetsecurity for some time as well. That said, there are two things to keep in mind:

  1. What new or existing botnet will threat actors turn to fill the gap left by Qakbot?
  2. Have all the command and control servers been taken down or been rendered ineffective by the FBI?

There are other botnets for threat actors to choose from, but only some have the reach and capabilities that Qakbot had. Emotet malspam hasn’t been seen since April 2023, but given that botnet’s history and capabilities, it’s possible we may see it emerge once again. It’s also entirely possible that a lesser-known or completely new botnet will seek to fill the void. In either case, we will continue to keep an eye on this space here at Hornetsecurity. If you’re interested in learning more about Emotet, we featured an episode on the Security Swarm Podcast, embedded below:

The Security Swarm Podcast Episode 3 - Emotet Malware Returns

Finally, have we seen the last of Qakbot? Botnets with the reach of Qakbot are challenging to eradicate. It looks like the FBI has dealt with the known command and control servers, but time will tell whether other dormant command and control servers are out there. At the very least, Qakbot’s capabilities have been severely diminished.

More Data Breaches

It wouldn’t be a month in cybersecurity without (at least) a data breach or two. Two worth noting, due to their size, are PlayCyber Games and the French government agency responsible for unemployment and financial aid, which both reported breaches that, combined, accounted for nearly 14 million records containing PII.

Yes, breaches happen frequently, but governments worldwide are getting increasingly impatient with the private sector’s history of leaked data. The excuse of “an attack of unprecedented scale and sophistication” will only work for so long. As more individuals and agencies are impacted, the push to impose penalties and fines on negligent businesses will continue to grow; for example, it was reported near the end of 2022 that the Australian government would impose harsher penalties on organizations that fail to take sufficient measures to protect customer data. More recently, it has been reported that the US government’s Cyber Safety Review Board (CSRB) will be looking into Microsoft’s handling of the Storm-0558 fiasco that led to the breach of multiple US government entities.

No organization likes the extra scrutiny from world governments, but the additional oversight can only be good in today’s cybersecurity ecosystem. 

Microsoft Cloud – Storm-0558 Incident Update

September 8 Update

On September 6th, Microsoft released additional details regarding this attack. While the update does answer the question of how the consumer signing key was compromised, the remaining points and criticisms below stand. The short of it is that the key had been captured in a crash dump of the consumer signing system, that crash dump was moved from the isolated production network into a debugging environment on the corporate network, and the actor later compromised a Microsoft engineer’s corporate account that had access to that debugging environment. One other item to note from this most recent announcement is this statement:

“Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.”

Amazingly, the needed logs had not been retained due to retention policies, so full verification of said exfiltration could not occur.

That all said, what other news is there in the Storm-0558 saga since our commentary last month? In terms of official disclosures from Microsoft, there has been nothing since their statement back on July 11th, except for a July 14 technical analysis of the attack and its actors. While that article does provide some helpful information on the attack, it’s also clear (from what the article DOESN’T say) that Microsoft wants to move on from this issue.

Two of the remaining core issues left unanswered are focused on the compromised consumer signing key and the fact that higher tier logging licenses were needed to identify the attack within Microsoft cloud services.

Regarding the signing key, Microsoft states, “The method by which the actor acquired the key is a matter of ongoing investigation.” When it comes to logging, Microsoft has stated on July 19th that, “Today we are expanding Microsoft’s cloud logging accessibility and flexibility even further. Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost.” 

This raises the question: why wasn’t this level of logging included to begin with? Should the logs customers need to monitor their own environments be kept behind licensing paywalls? Regardless, when it comes to cloud-based systems used by millions of users worldwide, trust is important. Microsoft’s handling of this situation clearly brings trust to the fore, and this breach will continue to be a topic of debate in the security space for some time.

We’ll continue checking on this issue in future Monthly Threat Reports.

Predictions for the Coming Months

All eyes remain on Microsoft concerning the Storm-0558 breach and what changes, if any, will result as an effect of the US Government investigation. While investigations of this type drag on for some time, we anticipate some actionable items as a result. We may see some additional news from Microsoft on this case as well, but more likely, any additional communication will be in reaction to government findings.

We also see it likely for other botnets to see an uptick in traffic in the coming weeks and months. The dark web doesn’t stop, and former “customers” of Qakbot will need to get those services elsewhere. Emotet seems a possible candidate, but time will tell.

Even though there was little to report on in terms of AI-related security news from the past few weeks, investments and grant programs aimed at bringing AI to defensive cybersecurity tools are likely to produce results in the near future. We’ve heard so much recently about how threat actors can use AI, and it will be nice to see what the security vendors in the industry do with AI capabilities as well!

Note: If you’d like an example of how security vendors can make use of AI in their toolkits, we also recorded an episode of The Security Swarm Podcast that focused on the use of AI in defensive tools as well as the Emotet episode mentioned earlier in this report.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below! 

From Yvonne Bernard, CTO, on the FBI’s Disruption of Qakbot: 

The FBI’s disruption of the Qakbot botnet is a remarkable and impressive milestone in authorities’ countermeasures against Cyber Threats. However, history (E.g. with Emotet) has shown that this does not necessarily last forever. So, we must closely monitor Qakbot’s potential return while also keeping an eye out for the emergence of new botnets or any existing botnet with increasing popularity in the next weeks, months and years. 

From Jan Bartkowski, Team Lead Security Architecture & Engineering, on Recent Data Breaches: 

The recent amount of data breaches shows that the arms race between attackers and defenders is in full play as always. And more often than we all would like to see, the attackers succeed by being a step ahead or – maybe more often – some companies being a step behind. This highlights the constant necessity for companies to continuously invest in their information security posture. Defense in depth is mandatory to (hopefully) prevent the worst case scenario from happening in case a single security measure fails. This includes not only IT systems but also the human workforce, as even the most technically skilled engineers aren’t immune to making mistakes, as e.g. LastPass and Microsoft had to realize.

Monthly Recommendations

  • Now is an excellent time to read up on common botnet threats like Emotet. With one of the major players (Qakbot) being removed from the space, we will likely see varied and potentially unknown botnet activity in the coming months. Following security best practices and partnering with a trusted security vendor with a proven track record of identifying botnet threats can help mitigate the potential risks.
  • If you’re a Microsoft Cloud customer, stay up to date on the latest logging mechanisms and changes as announced by Microsoft. Microsoft has claimed the needed mitigations are in place. Still, identity logging will be critical to ensure no lingering damage from the Storm-0558 breach.
  • Impersonated brands continue to change monthly, making it difficult to defend against these types of phishing attempts. Keeping end-users updated with next-gen phishing simulation training can help keep your organization safe.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organizations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.

Monthly Threat Report August 2023: WormGPT and an Increase in Email Security Threats

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data for the month of July.

Executive Summary

  • Our tracked threat categories saw a net increase across the board for the month of July vs. June.
  • HTML files were the top file type for email attacks last month. This is largely because there was a significant decrease in malicious PDF usage by Qakbot.
  • The entertainment and research verticals were the most targeted businesses in the past month.
  • DHL continues to be the most impersonated brand, with impersonation attempts increasing for Sparkasse, LinkedIn, Mastercard, and Netflix.
  • New dark-web generative AI tools like WormGPT will likely increase Business Email Compromise attacks over the coming weeks and months.
  • There continue to be privacy failures, double-extortion attacks, and other fallout associated with the MOVEit file transfer software vulnerabilities from earlier this summer. If you haven’t patched yet, do so. TODAY.
  • A recent breach of Microsoft Cloud services by a Chinese threat actor is leading some experts in the industry to call Microsoft’s response to the breach into question. It is also likely to renew the conversation about cloud providers’ role in Security.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for July 2023 compared to June 2023.

Unwanted Emails by Category

This month saw a slight increase in the number of threatening emails. The amount of mail classified as “Spam” is up 2.9%, while the amount of mail classified as “Threat” and “AdvThreat” increased by 0.9% and 0.2%, respectively. This led to the amount of “Rejected” mail seeing a 3.9% reduction.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category    Description
Spam        These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat      These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat   Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected    Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File Types Used in Attacks

The following table shows the distribution of file types used in attacks.

File Types Used In Attacks

HTML files have taken the top place as the most used file type in email attacks over the month of July. This was primarily because of a reduction in the use of malicious PDF files, which were predominantly used to distribute the Qakbot malware. While the Qakbot malware is still active, it was not distributed via email-based attacks during this month.

NOTE: If you would like to learn more about Qakbot and botnets, check out the Security Swarm Podcast episode below.

Other notable changes over the last month include a noticeable increase in malicious archive files and slight increases in the use of Excel files, Word docs, and executable files. With this in mind, we continue to attribute the current low usage of Office documents for payload delivery directly to Microsoft’s decision to disable macros in Office applications by default.

Industry Email Threat Index

The following table shows our Industry Email Threat Index, which is calculated from the number of threat emails relative to each industry’s clean emails (as a median). Different organizations receive different absolute numbers of emails, so to compare them we calculate each organization’s percent share of threat emails out of its threat and clean emails combined. We then take the median of these percentages across all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

Most industry verticals saw a net increase in their given threat index for the month of July. To put it simply, the data shows that more threats were levied at (most) businesses than the previous month. Attacks always have an ebb and flow, and even though last month saw a universal decrease in the number of threats, the data is swinging back in the other direction for this data period.

Regarding the top targeted industry, the entertainment sector remains near the top, with research firms seeing a significant increase in the number of attacks in the last 30 days as well. Threat actors know that intellectual property is valuable, so it’s common for research firms to be a heavy target for ransomware and IP theft. Nonetheless, the increased amount of attacks was noticeable.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

This month’s data also shows some changes in brand impersonation attacks. For example, even though impersonation attempts for DHL saw a net decrease from last month, it remains BY FAR the most impersonated company in this style of attack. Amazon impersonation attempts saw a noted increase as well. Shipping companies remain high on the list, and the reason is apparent: many of us are waiting for a package delivery at any given time. If a threat actor happens to deliver one of these malicious “shipping emails” to a user’s inbox at just the right time, it’s probable the user may fall victim to the payload. Threat actors see a significant degree of success in this style of attack.

Other notable monthly increases include Sparkasse (German Banking), LinkedIn, Mastercard, and Netflix. Among those increases, nothing has been out of the norm for the last 30 days except a minor spike in Netflix impersonation attacks. Even though there isn’t a high chance of pulling sensitive information, like payment details, out of a target’s Netflix account, threat actors can still leverage the knowledge gained for use in other attacks, such as credential stuffing, or sell access to the Netflix accounts in Darknet forums for lower prices.

Other Interesting Findings in Our Data This Month

Every month we keep a lookout for anything else that’s interesting in our data. This often surfaces new attacks, attack types, and threat-vector variations. During the last month, we’ve identified several cases where a malicious QR code is embedded within an email. While that isn’t out of the ordinary, and we’ve identified increased use of malicious QR codes industry-wide in the past years, there is a stark difference in what we’ve observed in this case.

A typical defense against malicious QR codes (if you don’t have a security vendor that scans them, like Hornetsecurity) is to closely scrutinize the URL the QR code resolves to. We’ve seen a trend in the last month where threat actors obfuscate the use of IP addresses within their URLs by writing them without separated octets. For example, the URL http://194.6.209.34, pointing to the www.hornetsecurity.com web server, can also be written as http://3255226658. End users have been somewhat trained to be suspicious of IP addresses, and with this formatting a potentially malicious link may slip past that trained habit for some users.
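As an added illustration of the obfuscation described above (example code written for this page, not Hornetsecurity’s scanner): a normalizer that turns any numeric host form accepted by inet_aton() and by the WHATWG URL parser used in browsers (a single decimal integer, hexadecimal, octal labels, or fewer than four labels) back into a canonical dotted quad. A URL filter or QR-code scanner can then compare the real destination address and flag non-canonical spellings for review. The sample URLs are constructed; http://3255226658 is the form quoted in the report.

```python
# Added example (not from the Hornetsecurity report): normalize numeric URL
# hosts so that http://3255226658 is recognized as http://194.6.209.34.
import re
from ipaddress import IPv4Address
from typing import Optional
from urllib.parse import urlsplit


def _parse_part(part: str) -> int:
    """Parse one dot-separated label the way inet_aton() does."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part[2:], 16)          # hexadecimal label, e.g. 0xC206D122
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)               # a leading zero means octal
    if re.fullmatch(r"0|[1-9][0-9]*", part):
        return int(part, 10)              # plain decimal
    raise ValueError(f"not a numeric label: {part!r}")


def canonical_ipv4(host: str) -> Optional[str]:
    """Return the dotted-quad form if `host` is any inet_aton()-style numeric
    address (decimal, hex, octal, or fewer than four labels), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or "" in parts:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    head, last = values[:-1], values[-1]
    if any(v > 255 for v in head):
        return None
    # The final label fills all remaining bytes (all four for a single label).
    remaining = 4 - len(head)
    if last >= 1 << (8 * remaining):
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << (8 * remaining)) | last
    return str(IPv4Address(addr))


def classify_url(url: str) -> dict:
    """Flag URLs whose host is an IP literal written in a non-canonical form."""
    host = (urlsplit(url).hostname or "").strip()
    ip = canonical_ipv4(host)
    return {
        "host": host,
        "ip": ip,
        "ip_literal": ip is not None,
        "obfuscated": ip is not None and ip != host,
    }


# Constructed sample links; all numeric forms resolve to 194.6.209.34.
SAMPLE_URLS = [
    "http://194.6.209.34",             # plain dotted quad
    "http://3255226658",               # same address as one decimal integer
    "http://0xC206D122/login",         # hexadecimal
    "http://0302.0006.0321.0042",      # octal labels
    "http://194.6.53538",              # three labels, the last fills two bytes
    "https://www.hornetsecurity.com/",  # ordinary host name, not an IP literal
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, classify_url(u))
```

The check is deliberately stricter than a plain "is this a dotted quad" test: any host whose canonical form differs from how it was written (including leading zeros, which inet_aton reads as octal) is reported as obfuscated, so it also catches variants the report does not list.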

Major Incidents and Industry Events

There are several exciting developments in the cybersecurity news space for the month of July.

Notably, the MOVEit file-transfer software vulnerabilities continue to plague the industry. These attacks stem from a collection of SQL injection vulnerabilities that enable privilege escalation and unauthorized access to target environments. The most recent vulnerability is being tracked as CVE-2023-36934 if you want to read more about it.

The Clop ransomware gang continues to exploit these vulnerabilities, and has even started double-extortion attacks on targets by threatening to leak stolen data if the ransom isn’t paid. Meanwhile, the number of breaches attributed to these vulnerabilities continues to stack up. The affected organizations now include Deloitte, the Hallmark channel, and various government entities.

The use of generative AI in cyber-attacks has continued to evolve over the past month. The Independent has reported that as many as 200k compromised OpenAI accounts are now for sale on the dark web. This is up from the 100k number that we commented on in last month’s report. On top of that, the hacking community has now developed its threat-actor variant of ChatGPT, dubbed WormGPT, which lacks any of the controls or ethical barriers that are present in ChatGPT itself. This highlights that generative AI will continue to change the threat landscape and make launching attacks more accessible to less skilled threat actors.

Our final news item for the week focuses on Microsoft directly. In a July 11th announcement, Microsoft indicated that a Chinese threat actor designated Storm-0558 had somehow gained access to a Microsoft account consumer signing key. The threat actor then used the stolen signing key to forge authentication tokens that allowed them unauthorized access to data in Exchange Online and Outlook.com accounts across “approximately 25 organizations”. Experts were quick to point out that the list of impacted services was likely more than just Exchange Online and Outlook.com; some commented that it potentially includes services like SharePoint, OneDrive, and Teams. According to Microsoft, the vulnerability that led to this breach has now been patched.

It’s still early days for this breach, and more information will be forthcoming, but this highlights the growing industry problem of “vendor overdependence”. For those unfamiliar with this concept, it’s the act of utilizing one vendor for an increasing percentage of critical business functions with a potential lack of independent oversight. In this case, you have the same vendor (Microsoft) not only holding onto and providing access to customer production data through services like Microsoft 365 but also the party involved in providing Security for those services. There is a potential conflict of interest.

Arguably, third-party involvement in this recent case wouldn’t have helped, as the breach was due to a vulnerability in Microsoft’s authentication process. Still, the point is that a third party can help keep an objective eye on potential threats. It is generally healthy for the IT security community and businesses to consume services from a major cloud provider.

Predictions for the Coming Months

We predict that malicious use of generative AI will continue to increase and will likely be part of this section of our monthly report for some time. It’s clear that generative AI is the next stage of the ever-present “arms race” between blue teams and threat actors. Knowing that new dark-web-specific generative AI tools are being developed (like WormGPT), it’s reasonable to assume that attacks like Business Email Compromise (BEC) will likely increase. These tools give threat actors who lack the necessary skills the means to carry out lucrative attacks like BEC.

The fallout from the Storm-0558 Microsoft breach will be a recurring theme as more information comes to light in the coming weeks. The conversation around vendor overdependence and the role of 1st party providers in the cloud will likely come under heavy scrutiny by the community and government entities.

Finally, we suspect persistent threats like Qakbot will continue to evolve. While there are signs that the threat actor behind Qakbot has pivoted to other styles of attacks with lower volume, the threat remains. We will continue to provide updates on persistent email threat actors like Qakbot and Emotet on a month-to-month basis as needed.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Andy Syrewicze, Security Evangelist, on vendor overdependence:

There’s something to be said about a tightly integrated service like M365. I get it, but some service areas should only be provided by the same vendor with heavy oversight. For example, productivity solutions (like M365) and Security. There is an inherent conflict of interest in a vendor selling a solution like M365, which then is also the party responsible for transparent Security. As discussed in a recent episode of the Security Swarm Podcast, there is very little transparency on the state of Security internally within many major cloud platforms, and third-party security providers play a key role in keeping everything transparent and keeping everyone honest. Microsoft seems to have done an OK job in terms of communication with the recent Microsoft Cloud breach, but it’s sure to bring the whole conversation around vendor overdependence back to the fore in the coming weeks, and frankly, it should.

From Jan Bartkowski, Team Lead Security Architecture & Engineering, on the challenges blue teams face with cloud applications:

Security teams face the difficult challenge of monitoring all IT resources their company uses. Monitoring the activity on cloud applications is crucial but often impossible or heavily restricted: many cloud applications simply do not provide audit logs or similar options to help identify suspicious behavior. Microsoft’s recent announcement of expanding their logging in the non-E5 plans was overdue. Locking security features, sometimes even basic ones, behind additional required licenses is a far too common practice that vendors and customers should question in order to enable security teams.

Monthly Recommendations

Given the current state of the landscape, what are our recommendations for this month?

  • If your organization uses the MOVEit file transfer software and still needs to apply the patches for the recent string of vulnerabilities, please do so ASAP.
  • With email threats increasing across categories this month, now is an excellent time to evaluate your email security posture. Look at the solutions you have in place and ensure the proper rules and mitigations are present. If you’re in need of a solution in this space, we offer a robust and feature-rich solution for email security in our 365 Total Protection suite.
  • With the rise in Business Email Compromise attacks, end users must learn to detect fraudulent emails well. If you still need to invest in security training for your end users, do so now. Like the point above, if you need a solution, we have an effective and time-friendly solution in the Hornetsecurity Security Awareness Service.
  • Even though Microsoft claims the damage from the Storm-0558 breach is contained, check your security and M365 audit logs for suspicious behavior. Ideally, you have a security logging solution, e.g., SIEM, that highlights suspicious user logins and interactions for you. Ensure you have internal processes defined on how to handle security incidents.
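The last recommendation above asks you to look through M365 audit logs for suspicious sign-ins. The following added example (written for this page, not a Hornetsecurity or Microsoft tool) shows what a first-pass triage of Unified Audit Log records can look like: it keeps only successful UserLoggedIn records and raises a finding when a sign-in comes from outside the organization’s known egress ranges, or when one user signs in from two different addresses within a short window. The records are constructed and only mimic the shape of a real export (the CreationTime, Operation, UserId, ClientIP, ResultStatus and Workload fields of the Office 365 Management Activity common schema); the egress range and the 60-minute window are assumptions you would replace with your own values, and the exact ResultStatus strings should be checked against your own export.

```python
# Added example (not from the report): triage M365 Unified Audit Log sign-in
# records for two simple anomalies. Sample records are constructed.
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

KNOWN_EGRESS = [ip_network("203.0.113.0/24")]   # assumption: the org's own egress range
RAPID_WINDOW = timedelta(minutes=60)             # assumption: two IPs inside this window is odd

# Constructed sample, one JSON record per line (shape only; not real log data).
# Failed sign-ins are a separate operation (UserLoginFailed) and are ignored here.
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2023-07-12T08:01:10", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2023-07-12T08:20:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "198.51.100.77:443", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2023-07-12T08:25:00", "Operation": "MailItemsAccessed", "UserId": "alice@example.com", "ClientIP": "198.51.100.77", "ResultStatus": "Succeeded", "Workload": "Exchange"}
{"CreationTime": "2023-07-12T10:00:00", "Operation": "UserLoginFailed", "UserId": "bob@example.com", "ClientIP": "198.51.100.5", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2023-07-13T10:00:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "203.0.113.20", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"}
"""

SUCCESS_VALUES = ("Success", "Succeeded")   # both spellings occur across record types


def parse_records(text: str) -> list:
    """Parse newline-delimited JSON records such as an exported UAL search."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def client_ip(raw: str):
    """ClientIP may carry a port ("198.51.100.77:443") or a bracketed IPv6 address."""
    if raw.startswith("["):
        return ip_address(raw[1:raw.index("]")])
    host, sep, _port = raw.rpartition(":")
    if sep and ":" not in host:          # exactly one colon: IPv4 plus port
        return ip_address(host)
    return ip_address(raw)


def triage_logins(records, known=KNOWN_EGRESS, window=RAPID_WINDOW) -> list:
    """Return (user, rule, detail) findings for successful interactive sign-ins."""
    logins = [r for r in records
              if r["Operation"] == "UserLoggedIn" and r["ResultStatus"] in SUCCESS_VALUES]
    logins.sort(key=lambda r: datetime.fromisoformat(r["CreationTime"]))
    findings, last_seen = [], {}          # last_seen: user -> (timestamp, ip)
    for r in logins:
        user = r["UserId"]
        ip = client_ip(r["ClientIP"])
        ts = datetime.fromisoformat(r["CreationTime"])
        if not any(ip in net for net in known):
            findings.append((user, "login_outside_known_ranges", str(ip)))
        prev = last_seen.get(user)
        if prev and prev[1] != ip and ts - prev[0] <= window:
            findings.append((user, "rapid_ip_change", f"{prev[1]} -> {ip}"))
        last_seen[user] = (ts, ip)
    return findings


if __name__ == "__main__":
    for finding in triage_logins(parse_records(SAMPLE_AUDIT_LOG)):
        print(*finding)
```

Both rules are intentionally crude; they are the kind of filter you run over an export to decide which accounts deserve a closer look in the full sign-in logs, not a replacement for a SIEM rule set. A real run would feed the export of a whole tenant rather than the five embedded lines.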

Monthly Threat Review June 2023

QakBot remains a threat, DHL and Crypto Service MetaMask Brand Impersonation on the Rise

Introduction

The Monthly Threat Review by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Review focuses on data for the month of June.

Executive Summary

  • The overall trend for June vs. May is a decrease in threats. That said, the number of more sophisticated malware campaigns increased.
  • PDF usage as a payload delivery mechanism is up 1.4% over the previous month. Continued use by the Qakbot malware largely drives this.
  • Despite Microsoft’s crackdown on Macros in Office products, using Word and Excel documents for payload delivery has increased. While the attack chain is more difficult now due to Microsoft’s changes, threat actors are successfully using cleverly crafted documents to trick users into copying suspicious files to the Office templates folder, where execution is then allowed.
  • Mining and Entertainment continue to be the current most-targeted industry verticals.
  • We have observed large increases in brand impersonation attacks for DHL, MetaMask, American Express, Strato, and LinkedIn.
  • Multiple SQL injection vulnerabilities in the MOVEit file-transfer application from Progress Software have led to data breaches across countries and industry sectors. Rapid patching and mitigation are STRONGLY recommended.
  • AI continues to be a sore spot for security and privacy across the industry. Compromised OpenAI accounts with logged prompt history could be a potential issue for organizations using privileged information within chat prompts.
  • AI-enabled attacks are predicted to increase and eventually become the norm.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for June 2023 compared to May 2023.

Unwanted Emails by Category

Overall amounts of traffic in the “Threat”, “AdvThreat”, and “Spam” categories were down for June, while the amount of traffic “Rejected” saw a 5.3% increase for the month.

As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the connection right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category    Description
Spam        These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat      These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat   Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected    Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File Types Used in Attacks

The following table shows the distribution of file types used in attacks.

File Types Used in Attacks

The re-emergence of Qakbot is seen as the primary driver behind the increase in PDF attachments over the last few months. As some other delivery mechanisms, such as DOCX (Word), have become more challenging, PDF remains a popular option for threat actors.

NOTE: If you would like to learn more about Qakbot and botnets, check out the Security Swarm Podcast episode below.

That said, attackers continue to find ways around Microsoft’s decision to disable macros in Office applications by default. This is usually done by a cleverly crafted header within the malicious document that is made to look like a legitimate Office notification. The “notification” instructs the user to move the offending document to the Office templates folder and re-open it. This will typically allow the malicious code to run on the target system.

The difficulties in leveraging Office documents for malicious purposes continue to drive the use of other file types for attacks, such as HTML, whose use remains relatively high, and disk image files.

Industry Email Threat Index

The following table shows our Industry Email Threat Index, which is calculated from the number of threat emails relative to each industry’s clean emails (as a median). Different organizations receive different absolute numbers of emails, so to compare them we calculate each organization’s percent share of threat emails out of its threat and clean emails combined. We then take the median of these percentages across all organizations within the same industry to form the industry’s final threat score.
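The index is described the same way in the August report above and here; the following added example (written for this page, not Hornetsecurity’s own code) implements that description on a constructed set of organizations. It computes each organization’s percent share of threat mail, takes the median per industry, and, for contrast, also computes a pooled share per industry so the effect of using the median is visible: one large organization cannot drag the whole industry’s score.

```python
# Added example (not Hornetsecurity's code): the Industry Email Threat Index
# as the report describes it. Organizations and counts are constructed.
from collections import defaultdict
from statistics import median
from typing import Optional

# Constructed sample: per-organization counts of threat and clean emails.
SAMPLE_ORGS = [
    {"org": "org-a", "industry": "Mining",        "threat": 50,  "clean": 950},
    {"org": "org-b", "industry": "Mining",        "threat": 300, "clean": 9700},
    {"org": "org-c", "industry": "Mining",        "threat": 8,   "clean": 92},
    {"org": "org-d", "industry": "Entertainment", "threat": 20,  "clean": 980},
    {"org": "org-e", "industry": "Entertainment", "threat": 0,   "clean": 500},
    {"org": "org-f", "industry": "Research",      "threat": 0,   "clean": 0},   # received no mail
]


def threat_share(threat: int, clean: int) -> Optional[float]:
    """Percent of an organization's (threat + clean) mail that was a threat."""
    total = threat + clean
    if total == 0:
        return None                      # no mail at all: the org cannot be scored
    return 100.0 * threat / total


def industry_threat_index(orgs) -> dict:
    """Median of the per-organization threat shares, grouped by industry."""
    shares = defaultdict(list)
    for o in orgs:
        s = threat_share(o["threat"], o["clean"])
        if s is not None:
            shares[o["industry"]].append(s)
    return {industry: median(vals) for industry, vals in shares.items()}


def pooled_threat_index(orgs) -> dict:
    """For contrast only: one share over the industry's pooled mail, which the
    largest organization dominates (this is NOT how the report scores)."""
    threat, clean = defaultdict(int), defaultdict(int)
    for o in orgs:
        threat[o["industry"]] += o["threat"]
        clean[o["industry"]] += o["clean"]
    return {i: 100.0 * threat[i] / (threat[i] + clean[i])
            for i in threat if threat[i] + clean[i] > 0}


if __name__ == "__main__":
    print("median per industry:", industry_threat_index(SAMPLE_ORGS))
    print("pooled per industry:", pooled_threat_index(SAMPLE_ORGS))
```

In the sample, Mining scores 5.0 by the report’s method (shares of 5%, 3% and 8%), while the pooled share is about 3.2% because the large org-b with 10,000 messages outweighs the other two. Organizations with no mail in the period contribute nothing rather than a spurious 0%.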

Industry Email Threat Index

Overall, the threat is down across the board for June compared to May. This coincides with fewer malicious emails, as shown in the “Unwanted Emails by Category” section above. One potential reason could be that this is the start of the summer holiday season, and threat actors may assume that fewer people are in the office. In addition, fewer compromised devices abused for sending spam and threat emails are online. However, it is important to highlight that the number of more sophisticated malware campaigns, such as QakBot, increased.

Regarding the top targeted industry, the Mining and Entertainment verticals remain the most targeted sectors for June, just as in May.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

The biggest mover on this list for June is MetaMask, one of the largest crypto wallet providers. An extensive threat-actor campaign (June 27-29) targeted users of the MetaMask Cryptocurrency Wallet service. The goal was to impersonate the brand to access the victim’s crypto wallets and the funds within.

Brand impersonation for DHL, American Express, Strato, LinkedIn, and 1&1 also saw a marked increase over the month compared to May. These all remain popular options for threat actors — especially shipping services such as DHL. With the increase in at-home deliveries in the last couple of years, threat actors know they have a high probability of landing a compelling “shipping email” into users’ mailboxes when they may be expecting a delivery.

Major Incidents and Industry Events

The current major concern in the industry continues to be the fallout from vulnerabilities in the popular file-transfer software MOVEit from Progress Software. While multiple vulnerabilities are at play, the most severe is an SQL injection flaw that enables privilege escalation and unauthorized access to environments. The most recent CVE for the MOVEit Transfer application is being tracked as CVE-2023-35708. If you use MOVEit and still need to apply the June 15th patch, it is STRONGLY recommended you block traffic to MOVEit via ports 80 and 443.

Despite the danger, many businesses are being caught off guard. There are several organizations that have been impacted by these vulnerabilities, including the New York City Department of Education, Schneider Electric, Siemens Electric, and 122 organizations in total, according to Ars Technica.

Other concerns in the industry continue to center around the use of AI, either via direct use by threat actors to launch AI-enabled attacks or in terms of privacy concerns. The Hacker News recently reported over 100k OpenAI accounts had been stolen and sold on the dark web. Remember that ChatGPT saves a log of all previous prompts and responses. Pair this with the news that there have been several instances of business employees inputting sensitive company data into AI services, and you have a recipe for disaster. Samsung recently fell victim to this problem.

Predictions for the Coming Months

While the industry hopes there will be no further fallout from the MOVEit zero-day vulnerability, we expect to hear from more casualties in the following days and weeks. Security researchers and threat actors may test attack patterns against the MOVEit zero-day vulnerability on other popular services to see if it can be applied. Consequently, we may see similar findings affecting other services in the near future as the vulnerability gains attention in the news.

We are also likely to see AI-enabled attacks continue to ramp up. With ChatGPT accounts readily available for purchase on the dark web, we will likely see threat actors continue to utilize it for assistance with attacks. On top of that, we are likely to see cases where sensitive data has been compromised due to stolen ChatGPT accounts and logged prompt data. Stolen sensitive data can be used not only for extortion but also for spearphishing attacks.

On top of all this, the usual threats persist. Qakbot will continue operations. It is uncertain what the current operational status of Emotet is, but it is possible that we could see it reemerge utilizing advanced delivery methods similar to those used by the QakBot malware.  While not as heavily featured in the news as some of the other items mentioned above, the threat of these botnets remains nonetheless.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Andy Syrewicze, Security Evangelist, on AI-Enabled Attacks:

We continue to see cases where threat actors leverage AI for attacks, either for OSINT purposes or for automating a portion of the attack chain. While the doom and gloom of our new AI-fueled world have SOME genuine cause for concern, it’s important to remember that the blue team can also use AI. This includes training, log analysis, machine learning and natural language processing for defensive tools, and LOTS of other possibilities. The arms race between threat actors and blue teams will continue, and blue teams can use AI-powered defensive tools to keep up with threat-actor capabilities.

From Umut Alemdar, Head of Security Lab, on the QakBot malware:

The dynamic and rapidly evolving nature of the QakBot malware poses significant risks to businesses and organizations worldwide. The threat actors behind QakBot changed the delivery techniques multiple times this year to manage to bypass security solutions, and we expect to see more creative approaches in the second half of the year. Hence, investing in advanced protection systems augmented by AI and incident response tools is crucial for businesses today. Additionally, conducting regular cybersecurity awareness training for employees is paramount, as it significantly mitigates the risk of successful filter bypasses and safeguards your organization from costly breaches. A proactive, well-rounded approach to cybersecurity is the key to staying secure.

Monthly Recommendations

Given the current state of the landscape, what are our monthly recommendations?

  • For starters, you can continue to use this monthly report to stay current on the latest email threats and communicate those most relevant to your user base. For example, if your organization uses DHL for regular shipments, communicate the risk of fraudulent DHL emails to the relevant team members.
  • Train your users HEAVILY to scrutinize PDF, Word, and Excel files. We continue to see these files being used for the delivery of payloads. If a user sees one of these file types from an external source, they should be trained to be extra careful with such emails. That said, if you need help training your users along these lines and you are not already a Hornetsecurity customer, be sure to check out our Security Awareness Service for more information.
  • If your organization uses MOVEit by Progress Software, we urge you to install the latest patches. If you still need to install the patches, block traffic to the service on ports 80 and 443 AT A MINIMUM until you can apply the patches. This vulnerability is being actively exploited in the wild, so do not wait.
  • If your organization still needs to discuss how workers should or should not be using AI tools, you should do so ASAP and develop internal policies. Many organizations have lost the governance of sensitive company data when employees use said data inside of an AI prompt. This potential exposure point needs to be addressed with internal policies at a minimum.

Email Threat Review November 2022

Executive Summary

  • Emotet started to use social engineering tricks to bypass Microsoft’s recent macro restrictions for documents downloaded from the Internet.

Summary

In this monthly email threat review installment, we present an overview of the email-based threats observed in November 2022 and compare them to the previous month’s threats.

The report provides insights into the following:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category   %
Rejected         86.29
Spam             10.28
Threat            2.45
AdvThreat         0.98

The following histogram shows the email volume per category per day.

Many of the rejected emails between 2022-11-14 and 2022-11-16 belonged to an extensive, periodically recurring sextortion scam campaign targeting German-speaking victims.

Methodology

The listed email categories correspond to those shown in the Email Live Tracking of Hornetsecurity’s Control Panel, so our users are already familiar with them. For others, the categories are:

Category    Description
Spam        These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat      These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat   Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected    Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails)   %
HTML                                   31.3
PDF                                    25.8
Archive                                20.3
Excel                                   6.7
Executable                              5.2
Word                                    4.1
Disk image files                        3.5
Script file                             0.5
Other                                   2.6

Despite Microsoft’s efforts to make Excel documents less attractive to attackers by disabling macros by default in documents downloaded from the Internet, malicious Excel documents made a comeback. The previous month, the use of malicious Excel documents in attacks was in decline. However, Emotet resumed using Excel macro documents, combining them with a social engineering component that bypasses Microsoft’s mitigation. We outline this social engineering component in the highlighted threat email campaigns section.

Industry Email Threat Index

The following table shows our Industry Email Threat Index, calculated from the share of threat emails among each industry’s threat and clean emails (median per industry).

Industries                         Share of threat in threat and clean emails
Research industry                  3.9
Manufacturing industry             3.6
Mining and metal industry          3.5
Transport industry                 3.4
Utilities                          3.3
Automotive industry                3.1
Entertainment industry             3.0
Healthcare industry                3.0
Agriculture industry               2.9
Information technology industry    2.7

The following bar chart visualizes the email-based threat posed to each industry.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique                    %
Phishing                            26.2
URL                                 14.2
Extortion                            6.3
Advance-fee scam                     4.8
HTML                                 3.0
Executable in archive/disk-image     2.7
Impersonation                        2.5
Maldoc                               1.7
PDF                                  0.6
Other                               38.0

The following histogram shows the email volume per attack technique used per hour.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization   %
DHL                                  12.8
Postbank                              9.4
Amazon                                9.4
Sparkasse                             7.1
LinkedIn                              3.9
Microsoft                             3.2
DocuSign                              3.0
Strato                                2.8
FedEx                                 2.6
Other                                45.8

The following histogram shows the email volume for brands and organizations detected in impersonation attacks per hour.

Highlighted threat email campaigns

Previously, many attackers, including the threat actors behind Emotet, stopped using macro documents. This is likely because Microsoft started disabling macros by default in documents downloaded from the Internet in its Office products. Attackers used other malicious files, such as shortcut files (.lnk) or HTML files, instead. Despite this, Emotet started to use malicious macros in Excel documents again this month. They used email conversation thread hijacking attacks as well as generic emails. However, the attached malicious Excel documents contain social engineering to bypass the macro restrictions imposed on documents downloaded from the Internet. To this end, the malicious document tells the victim to copy the document to the Microsoft Office Templates folder. This Templates folder is a trusted location from which Microsoft Office will allow macros in the document again.

Like older Emotet macro documents, the macros will download the Emotet malware and execute it on the victim’s system.

Methodology

Hornetsecurity observes thousands of threat email campaigns of varying threat actors ranging from unsophisticated low-effort attacks to highly complex obfuscated attack schemes. Our highlighting includes only a subset of those threat email campaigns.

Email Threat Review October 2022

Summary

In this monthly email threat review installment, we present an overview of the email-based threats observed in October 2022 and compare them to the previous month’s threats.

The report provides insights into the following:

Unwanted emails by category

The following table shows the distribution of unwanted emails per category.

Email category   %
Rejected         78.73
Spam             15.41
Threat            4.17
AdvThreat         1.64
Content           0.05

The following histogram shows the email volume per category per day.

Methodology

The listed email categories correspond to those shown in the Email Live Tracking of Hornetsecurity’s Control Panel, so our users are already familiar with them. For others, the categories are:

Category    Description
Spam        These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Content     These emails have an invalid attachment. The administrators define in the Content Control module which attachments are invalid.
Threat      These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat   Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected    Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.

File types used in attacks

The following table shows the distribution of file types used in attacks.

File type (used in malicious emails)   %
HTML                                   27.8
Archive                                24.9
PDF                                    16.6
Disk image files                        7.9
Excel                                   6.5
Executable                              5.0
Word                                    4.4
Script file                             0.9
Other                                   5.9

The following histogram shows the email volume per file type used in attacks per 7 days.

Industry Email Threat Index

The following table shows our Industry Email Threat Index, calculated from the share of threat emails among each industry’s threat and clean emails (median per industry).

Industries                         Share of threat in threat and clean emails
Mining and metal industry          4.5
Manufacturing industry             4.0
Healthcare industry                3.9
Automotive industry                3.8
Research industry                  3.7
Transport industry                 3.6
Media industry                     3.6
Utilities                          3.5
Entertainment industry             3.4
Information technology industry    3.4

The following bar chart visualizes the email-based threat posed to each industry.

Methodology

Different (sized) organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.
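As an added illustration of this methodology, used in both the November and October 2022 reports above (example code, not Hornetsecurity’s own, with constructed organization counts rather than report data), this computes each organization’s threat share and the per-industry median, and contrasts it with a pooled ratio to show why normalizing per organization first matters:

```python
from collections import defaultdict
from statistics import median

# Constructed sample (not report data): organization, industry, threat emails,
# clean emails. org-b is a large organization with a low threat share.
SAMPLE_ORGS = [
    ("org-a", "Research industry", 40, 960),      # 4.0 %
    ("org-b", "Research industry", 1000, 99000),  # 1.0 %
    ("org-c", "Research industry", 12, 388),      # 3.0 %
    ("org-d", "Utilities", 20, 980),              # 2.0 %
    ("org-e", "Utilities", 500, 9500),            # 5.0 %
]


def threat_share(threat: int, clean: int) -> float:
    """Percent share of threat emails in one organization's threat + clean mail.
    Rejected and spam mail are not part of the denominator, matching the report."""
    total = threat + clean
    return 100.0 * threat / total if total else 0.0


def industry_threat_index(orgs) -> dict:
    """Median of the per-organization threat shares for each industry,
    rounded to one decimal as in the report's tables."""
    shares = defaultdict(list)
    for _, industry, threat, clean in orgs:
        shares[industry].append(threat_share(threat, clean))
    return {industry: round(median(v), 1) for industry, v in shares.items()}


def pooled_threat_share(orgs, industry: str) -> float:
    """Naive alternative: pool every organization's mail before dividing.
    Shown only to illustrate why the report normalizes per organization:
    one large, low-share organization (org-b) drags the pooled figure down."""
    threat = sum(t for _, ind, t, _ in orgs if ind == industry)
    clean = sum(c for _, ind, _, c in orgs if ind == industry)
    return round(threat_share(threat, clean), 1)


if __name__ == "__main__":
    print(industry_threat_index(SAMPLE_ORGS))            # Research 3.0, Utilities 3.5
    print(pooled_threat_share(SAMPLE_ORGS, "Research industry"))  # 1.0
```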

Attack techniques

The following table shows the attack techniques used in attacks.

Attack technique                    %
Phishing                            27.8
URL                                 10.8
Advance-fee scam                     7.1
Executable in archive/disk-image     3.8
Extortion                            3.5
HTML                                 2.3
Impersonation                        1.0
Maldoc                               0.8
PDF                                  0.1
Other                               42.7

The following histogram shows the email volume per attack technique used per hour.

Impersonated company brands and organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated brand or organization   %
Sparkasse                            29.8
DHL                                  14.3
Amazon                               12.7
MetaMask                              2.5
Santander                             2.4
LinkedIn                              2.1
Microsoft                             2.1
Intuit                                1.7
1&1                                   1.7
PayPal                                1.3
Strato                                1.2
Mastercard                            1.2
FedEx                                 1.2
American Express                      1.1
UPS                                   1.1
Barclays Bank                         1.0
Royal Bank of Canada                  1.0
HSBC                                  1.0
Other                                20.6

The following histogram shows the email volume for brands and organizations detected in impersonation attacks per hour.

This month we detected several phishing emails impersonating MetaMask (a software cryptocurrency wallet used to interact with the Ethereum blockchain). The most extensive detected campaign impersonating MetaMask ran on 2022-10-31. MetaMask thus enters this month’s top impersonated brands ranking in 4th place.

Highlighted threat email campaign

This month the threat actors distributing the QakBot malware via email conversation thread hijacking attacks started to alter the subjects of the stolen emails they send replies to. We believe this is done to impede analysis.

In an email conversation thread hijacking attack, the threat actors steal emails from victims and then reply to them, quoting the original conversation and subject in the fake reply. These emails are often hard to spot in legitimate email traffic because they use legitimate email subjects and stolen content. However, if the attackers use the same stolen email multiple times for such reply attacks, an administrator in an attacked company could find the other attack emails by searching for the same subject. To prevent this, the threat actors behind the QakBot malware campaign with bot ID BBxx started to insert repeated characters into the stolen email subjects.

In the following examples, we see emails whose original subject was Erinnerung (the German word for Reminder). The actors used this stolen email to form multiple attack emails by changing the subject to Erinnerrunng, Erinnneerrungg, and Erinnnerruung by randomly doubling characters in the subject. The lower part in each email is quoted from the original stolen email and is not altered like the subject.
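The subject search the administrator loses here can be recovered by normalizing subjects before comparing them. The following is an added example (not Hornetsecurity’s code) that collapses runs of repeated characters so that the four Erinnerung spellings above map to one form; the sample subjects and the reply-prefix list are constructed for the example:

```python
import re
from collections import defaultdict

# Constructed sample of subjects as they might appear in a mailbox export.
# The four Erinnerung spellings are the ones described in the report.
SAMPLE_SUBJECTS = [
    "Erinnerung",            # the legitimate, original thread
    "RE: Erinnerrunng",      # hijacked replies with randomly doubled characters
    "AW: Erinnneerrungg",
    "Erinnnerruung",
    "Rechnung 2022-10",      # unrelated legitimate mail
    "Erinnerungen",          # near miss: a different word, must not match
]

# Reply/forward prefixes in English and German (hypothetical, extend as needed).
_PREFIX_RE = re.compile(r"^(?:(?:re|aw|fw|fwd|wg)\s*:\s*)+", re.IGNORECASE)


def strip_prefix(subject: str) -> str:
    """Lowercase the subject and drop leading reply/forward prefixes."""
    return _PREFIX_RE.sub("", subject.strip().lower())


def normalize_subject(subject: str) -> str:
    """Collapse every run of a repeated character to a single one. Doubling
    characters, as the QakBot actors did, leaves this form unchanged, so
    'Erinnerung' and 'Erinnneerrungg' both become 'erinerung'."""
    return re.sub(r"(.)\1+", r"\1", strip_prefix(subject))


def find_variants(subjects, stolen_subject: str) -> list:
    """Subjects that match a known stolen subject up to doubled characters."""
    target = normalize_subject(stolen_subject)
    return [s for s in subjects if normalize_subject(s) == target]


def suspicious_clusters(subjects) -> dict:
    """Hunting without a known stolen subject: group by normalized form and
    report groups holding more than one distinct spelling. A plain reply
    ('RE: Erinnerung') shares its spelling with the original and is not flagged."""
    groups = defaultdict(set)
    for s in subjects:
        groups[normalize_subject(s)].add(strip_prefix(s))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    print(find_variants(SAMPLE_SUBJECTS, "Erinnerung"))
    print(suspicious_clusters(SAMPLE_SUBJECTS))
```

Collapsing runs also merges legitimately doubled letters, so a cluster is a triage lead for the administrator rather than an automatic quarantine decision.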