QUARTERLY THREAT REPORT

Produced by eSentire Threat Intelligence

Q1 2018


CONTENTS

PREFACE  3

EXECUTIVE SUMMARY  4

MOST VULNERABLE INDUSTRIES  5

THREAT TYPES OBSERVED  6

THREATS AT THE PERIMETER  7

THREATS BEYOND THE PERIMETER  9

TAKEAWAYS AND RECOMMENDATIONS  12

METHODOLOGY  14

ATTACHMENTS  15


PREFACE

eSentire invented a highly integrated technology stack that enables unparalleled visibility into our mid-market customer networks and agile, real-time threat response capabilities. This report provides a quarterly snapshot, analyzing all events investigated by the eSentire SOC, while addressing three topics: threat types, threat volume and attack types. Each topic is divided into multiple sections, including visual data analysis, written analysis, practical recommendations and key assumptions.

EXECUTIVE SUMMARY

This quarter saw a dramatic increase in attacks targeting consumer-grade routers, up 539% from Q4 2017. The majority of hostile detections on the eSentire threat detection surface pertain to perimeter threats: Information Gathering, Intrusion Attempts, and Reputation Blocks. eSentire Threat Intelligence assesses with medium confidence that these detections originate largely from automated scanning and exploitation attempts. Threats beyond the perimeter, such as Malicious Code (+35%) and Phishing (+39%), both saw increases in the first quarter of 2018.

Education, Construction, and Biotechnology were among the verticals that experienced the highest amount of traffic, due to a high degree of consumer-grade router exploit attempts, brute forcing, and web server exploit attempts. This high threat volume likely indicates an over-exposed threat surface in these industries.

Data from esENDPOINT customers showed heavy use of legitimate Microsoft binaries such as PowerShell and MSHTA. These are popular tools for downloading and executing malicious code in the initial stages of a malware infection. PowerShell can also be leveraged by adversaries to reduce their on-disk footprint and evade detective controls by operating in memory and obfuscating command-line parameters. In January 2018, an unknown adversary was observed leveraging managed service providers and legitimate cloud services to access and deploy CryptoMining software in a campaign impacting multiple eSentire customers. The use of trusted service providers and cloud services allowed the attacker to evade detection at the network layer; however, the malicious activity was identified via anomaly detection at the endpoint layer.


MOST VULNERABLE INDUSTRIES

In the period from January 1 to March 31 this year, eSentire observed 830,000 potentially hostile events that resulted in 38,000 alerts sent to clients. After normalization by sensor count (see Methodology section) the top five affected industries included Education, Retail, Biotechnology, Construction, and Nonprofit Organizations (Figure 1).


Educational organizations on eSentire’s threat detection surface experienced a flurry of exploitation attempts in the first quarter. The majority of these detections were attributed to exploit attempts targeting consumer-grade routers. This does not indicate, with certainty, that vulnerable routers are present on the organization’s network. Rather, it suggests a higher exposure to automated opportunistic attacks among educational organizations on eSentire’s detection surface. The trend in router exploitation was first observed in late 2017, when the Reaper Botnet was gaining media attention. Router exploitation attempts continued to be observed through Q1 of 2018, with a 539% increase in observations from Q4 2017 to Q1 2018.

Biotechnology experienced a wave of SSH brute force attempts as well as a variety of exploit attempts. Most of the vulnerabilities targeted by these exploits were dated between 2013 and 2016. For example, Heartbleed – a four-year-old vulnerability – is still being observed in the wild. Nonprofit organizations experienced several waves of traffic attempting to exploit the Heartbleed OpenSSL vulnerability.

Retail organizations experienced a large degree of exploit attempts across different technologies, with a focus on web servers. Many attacks targeted PHP or web server vulnerabilities. Construction organizations experienced similar exploit attempts against publicly facing web servers, as well as a variety of scanning activity and SSH brute force attempts.

The prevalence of brute force attacks and outdated exploit attempts implies that a high degree of automated, low-capability threats populate hostile internet traffic. These opportunistic threats are numerous, but rarely successful. Their low success rate is likely justified by their low operational cost.

Malicious Code incidents continue to favor email as a delivery vector, and PowerShell continues to be a popular tool for both opportunistic and targeted attacks. Data from esENDPOINT customers showed PowerShell usage was prevalent in confirmed Malicious Code incidents during the first quarter of 2018 (see Threats Beyond the Perimeter).

Figure 1: Top 5 Industries experiencing verified hostile traffic (Education, Retail, Biotechnology, Nonprofit, Construction).


THREAT TYPES OBSERVED

The majority of traffic observed on eSentire’s threat detection surface (Figure 2) consists of Information Gathering (scans) and Intrusion Attempts (including both brute force and exploit attempts).


This traffic, along with the majority of Reputation Blocks, is often the result of automated and opportunistic attacks that constantly scan public IP ranges for vulnerable software, including OpenSSL, Apache Struts, and Drupal. Reputation Blocks are the result of eSentire blocking traffic from known hostile IP addresses. Information about known hostile IPs is acquired both from internal observations of attacks and from intelligence provided by external partners. Often, these threats are related to Information Gathering or Intrusion Attempts, but they can also include malware distribution and command and control infrastructure (Malicious Code).

Any software executed on an endpoint that is used for malicious purposes can be classified as Malicious Code. This can often include banking trojans, RATs, CryptoMiners, and ransomware. Phishing attacks represent a lower volume of potentially hostile traffic compared to all other threat types. However, phishing attacks have a fairly consistent success rate (Figure 8) and can often lead to complete compromise of a network, if not addressed immediately.

Over the New Year, Intrusion Attempts grew 36% (Figure 3), due largely to exploitation of a DNS manipulation vulnerability in consumer-grade routers. These manipulations can allow attackers to redirect victims to malicious infrastructure to achieve a variety of results, including malware and phishing landing pages. Other exploits focused on consumer-grade routers.

Successful phishing attacks rose from 102 in Q4 2017 to 130 in Q1 2018 (Figure 8). A spike in Malicious Code events for the quarter resulted from activity generated by malicious documents, Kovter and the Android Batmob.b AdWare. Information Gathering dropped over the New Year due to a dramatic decline in SSH scans.

Figure 2: Distribution of threat types seen in potentially hostile traffic: Intrusion Attempt 44.17%, Reputation Block 25.41%, Information Gathering 23.10%, Malicious Code 5.46%, Phishing 1.85%.

Figure 3: Quarter over quarter change in threat type volume.

Threat Type             2017 Q4    2018 Q1    % Change
Phishing                10.0K      14.0K      39%
Intrusion Attempt       242.4K     328.9K     36%
Malicious Code          30.0K      40.6K      35%
Reputation Block        162.1K     166.7K     3%
Unclassified            3.4K       3.4K       1%
Information Gathering   169.4K     128.8K     -24%


THREATS AT THE PERIMETER

The majority of perimeter threats on eSentire’s detection surface originated from Intrusion Attempts (Figure 4), which were made up largely of exploit attempts and brute force attacks. The majority of exploit attempts targeted common web application software, while the majority of brute force attempts targeted remote access protocols, with SSH being the most popular target.

Exploit Attempts: Maintaining a consistent trend, Apache Struts continues to top the list with tens of thousands of exploit attempts detected for the quarter (Figure 5). At only thousands of attempts, targets like Oracle WebLogic, Bash and Ruby were also common. Shellshock, a Bash vulnerability, is another example of an outdated vulnerability that continued to see exploit attempts through Q1. Outdated, opportunistic attacks are rampant in the wild, waiting to be unleashed when security updates are delayed or out-of-date systems are exposed to the internet.

Figure 4: Attacks on the perimeter for the first quarter of 2018 (time series of perimeter threat detections from Jan 7, 2018 to Mar 18, 2018, y-axis 0K to 80K detections; series: Intrusion Attempt, Information Gathering, Reputation Block).

Figure 5: Most targeted software in Q1 of 2018 (Note: axis is logarithmic; detections per software for Drupal, IIS, SIP, Apache Tomcat, Nginx, Apache Struts, Ruby, WebLogic Server and Bash).


Scanning Tools: The most popular tools in the first quarter were the MuieBlackCat and ZmEu scanners (Table 1), both of which attempt to find vulnerabilities in PHP-based web servers. OpenVAS and NMAP scanners were also popular tools, typically favored during the reconnaissance phase of an incident or campaign.

Brute Force Targets: When it comes to brute force attacks, SSH and Remote Desktop Protocol (RDP) are favored with some attempts on HTTP. FTP servers also saw a modest degree of attempts in Q1 (Table 2).

Top 10 SSH Brute Force Attempts: eSentire’s ThreatLab logs thousands of SSH brute force attacks per day, collecting information about login attempts, including username, password, and country of origin (Figure 6). Default usernames like ‘root’, ‘admin’, and ‘support’ and similarly basic passwords (including a blank or Null password) were popular. The majority of brute force attacks originated from infrastructure based in China, followed by the United States, Germany, and Russia.

Table 1: Most popular tools for Information Gathering (number of records per scanning tool): NMAP Scripting Engine, Masscan, SIPVicious Scanner (VoIP), Muhstik, Nessus Scanner, Jorgee Scanner, ZmEu Scanner, NMAP Scanner, OpenVAS Scanner, Muieblackcat Scanner.

Table 2: Most popular protocols for Brute Force attacks (number of records per protocol): SSH, RDP, HTTP, Telnet, FTP.

Figure 6: Attempted credentials and source country of attacks on the eSentire honeypot.
Top 10 Usernames: Null, guest, user, Administrator, support, supervisor, root, shell\x00, enable\x00, admin.
Top 10 Passwords: admin, password, 123456, 12345, user, 7ujMko0admin, Null, 1234, sh\x00, system\x00.
Top 10 Countries: BR, IN, GR, MO, TW, VN, CN, RU, DE, US.


THREATS BEYOND THE PERIMETER

A fraction of investigations into events inside the perimeter result in alerts on endpoint threats (Figure 7).

Threats that make it beyond the perimeter of an organization’s network can be costly, exposing data and critical business infrastructure. Malicious Code can arise from downloading and opening malicious documents, either from email or a web browser, but they can also be injected without user awareness following a successful exploit or intrusion. Organizations can also become compromised if the credentials of employees are accidentally shared with an attacker’s deceptive login page. Depending on the privileges allowed for the compromised user, a successful phishing attack could give an attacker considerable power over an organization’s infrastructure and data.

Figure 7: Attacks that have made it past the perimeter in the first quarter of 2018 (time series of endpoint threats from Jan 7, 2018 to Mar 18, 2018, y-axis 0 to 800; series: Phishing, Malicious Code).

Perimeter attacks observed on eSentire’s threat detection surface suggest a high degree of low-effort, automated attacks targeting misconfigured software exposed to the public internet. While these attacks are rarely successful, the volume of attacks ensures that exposed, vulnerable systems will be quickly scanned and exploited. There is still a significant volume of attackers using more recent vulnerabilities, such as Apache Struts CVE-2017-5638 or the numerous PHP vulnerabilities, but they represent a smaller volume of overall attacks. Similarly, the majority of brute force attacks appear to be targeting default credentials left on devices that have been connected to the internet.

Opportunistic attacks at the perimeter seek out, and attempt to exploit, known vulnerabilities and weak configurations in externally facing services. Beyond the perimeter, the volume of threats originating from client endpoints is far smaller and includes Malicious Code and Phishing.


Phishing Lures: The most popular phishing lures used in Q1 of 2018 were DocuSign, Office 365, and OneDrive. Despite DocuSign being the most popular lure used overall (Figure 8, left), Office 365 had the best success rate, jumping to nearly five times that of the previous quarter (Figure 8, right).

Endpoint Threats: Across esENDPOINT customers, the most commonly detected threat in Q1 2018 was the execution of Malicious Code at 93% (Figure 9), followed by Active Intrusions (5%). Active Intrusions often involve an attacker interacting with the victim’s system through a shell initiated via a myriad of techniques, many of which overlap with Malicious Code. 91% of critical incidents detected via esENDPOINT involved known, legitimate binaries such as PowerShell or MSHTA. These processes are used by opportunistic and targeted threats alike, allowing them to circumvent basic controls to deliver and install malware.

Figure 9: Endpoint threats observed on eSentire’s detection surface: Malicious Code 93.21%, Active Intrusion 5.41%, Exploit Kit 1.35%.

Figure 8: left: most popular phishing lures (count of phishing attempts by lure, split by status Fail/Success, x-axis 0 to 60; lures: Adobe, Apple, Google, Facebook, PayPal, TechSupport, DocuSign, Dropbox, OneDrive, Office 365); right: change in successful phishing attacks from quarter to quarter (successful attempts per lure in 2017 Q4 and 2018 Q1 with the 2018 Q1 change, 0% to 200%; lures: Google, Verizon, Adobe, Yahoo, Office 365, LinkedIn, Facebook, Chase, DocuSign, Dropbox, Apple, OneDrive).


Malicious Code: Incidents observed across esENDPOINT customers involved CryptoMiners (45%), Banking Trojans (32%) and, to a lesser extent, Credential Stealers (13%) and Ransomware (3%). At least 21% of Malicious Code incidents originated from Malicious Word documents.

Opportunistic actors continue to leverage PowerShell to retrieve and execute malicious code from remote sources. PowerShell was a popular execution technique among Malicious Code incidents in Q1. Mainstream endpoint detection and response solutions enjoy widespread coverage of these execution techniques, meaning adversaries may become motivated to modify their tactics in the future. Several Malicious Code incidents were observed in Q1 employing obfuscated PowerShell commands to impede analysis. These techniques are not new, but make up a significant portion of endpoint detections, with 13% of observed incidents involving obfuscated command-line parameters. Analysts are often able to make inferences by examining PowerShell actions following execution of obfuscated commands.

In addition to command-line obfuscation techniques, use of Managed Service Providers (MSP) for initial access and trusted cloud services for malware staging were also observed. In late January, an unknown adversary leveraged a flaw in Kaseya’s Virtual System Administrator (VSA) product to deploy CryptoMiners across a handful of eSentire clients. This attack leveraged trusted systems throughout its lifecycle, relying on Kaseya VSA endpoint agents for initial access via MSPs and trusted cloud platforms for delivery of malicious scripts. The result was a CryptoMiner which operated in memory with multiple persistence mechanisms. Leveraging trusted IT and Cloud systems ensured this attack went largely unnoticed by traditional detective controls. The threat was identified by esENDPOINT via process behavior monitoring. Kaseya was notified of the intrusions, resulting in multiple security fixes.

Figure 10: Types of Malicious Code events detected on endpoints: CryptoMiner 45.16%, Banking Trojan 32.26%, Credential Stealer 12.90%, HTA JavaScript Downloader 6.45%, Ransomware 3.23%.

TAKEAWAYS AND RECOMMENDATIONS

There are several actions that, when taken, can protect business networks from compromise.

Protect against vulnerability exploit

While successful exploitation of older vulnerabilities is uncommon, the prevalence of opportunistic intrusion attempts in the wild means that administrators should be mindful when exposing systems to untrusted networks. Devices should be checked often to ensure they’re hardened with secure hardware and software configurations.

Protect against router compromise

• Confirm that network infrastructure devices are properly configured and up to date with security patches

• Ensure all default passwords for network infrastructure devices have been changed

• Limit access to management interfaces

Revisit organizational awareness training programs to protect against phishing

Employees become the last line of defense when email filtering or malware detection systems fail to block phishing attacks. User education and security encouragement are primary factors in the prevention of successful phishing attacks. It is advised that user education programs be tested regularly to validate their effectiveness.


Protect against opportunistic threats like PowerShell-based attacks

Follow these 6 key steps to guard against covert attacks such as those leveraging PowerShell:

1 | Log PowerShell activity across the network

• Enable the logging function via Group Policy

• Centralize and compare logs against known attack method signatures. Gaining visibility into network connections established by PowerShell processes is a simple, yet highly effective method for detecting modern malware.

2 | Block Word document macros

Average users do not need to execute Word document macros received in their email inbox. Blocking macros reduces the overall attack surface.

3 | Enforce user education

Malware attacks often require user interaction in the initial phases of infection. As such, educating staff about ongoing threats is an important step in preventing successful attacks.

4 | Restrict privileges

Some scripts require administrative privileges to run; therefore, restricting user privileges based on user requirements reduces the potential impact of compromise.

5 | Implement application whitelisting

Application whitelisting is an effective control for preventing unapproved software from being executed. It involves maintaining an active list of approved software, which can generate additional overhead, meaning it may not be a cost-effective solution for some organizations.

6 | Maintain up-to-date antivirus defenses

Maintaining up-to-date antivirus programs that contain the latest heuristics and signature-based rules can assist in detecting the latest threats. Other endpoint solutions can be employed and include EDR, HIDS, and NextGen antivirus.
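As an added example (not code from the report or from eSentire), the script below applies the first step on a Windows host: it sets the registry values that the PowerShell Group Policy templates write for script block and module logging, scans the resulting Event ID 4104 records for the encoded, hidden-window and download-and-execute command patterns the report describes, and lists network connections owned by PowerShell processes. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the pattern list and the sample command line are constructed for illustration.

```powershell
# Added example, not part of the eSentire report. Run elevated on Windows PowerShell 5.1+.
# In production, set these values through Group Policy rather than on each host by hand;
# the keys below are the ones the PowerShell ADMX templates write.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script block logging records the de-obfuscated content of every script block
    # (Event ID 4104), so encoded or concatenated commands are logged in readable form.
    New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging records pipeline execution details for every module (Event ID 4103).
    New-Item -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String
}

# Constructed patterns matching the behaviours the report calls out: obfuscated or hidden
# command lines, retrieval of code from remote sources, and in-memory execution.
$SuspiciousPatterns = [ordered]@{
    EncodedCommand = '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}'
    HiddenWindow   = '-w(indowstyle)?\s+hidden'
    RemoteDownload = 'Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest'
    InMemoryExec   = '\bIEX\b|Invoke-Expression'
    Base64Decode   = 'FromBase64String'
}

function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$Text)
    # -match is case-insensitive by default; returns the names of the patterns that fired
    # so an analyst can see why a record was flagged.
    $SuspiciousPatterns.Keys | Where-Object { $Text -match $SuspiciousPatterns[$_] }
}

function Get-SuspiciousPowerShellEvents {
    param([int]$MaxEvents = 500)
    # Once script block logging is on, Event ID 4104 appears in the PowerShell operational log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Message
            $hits = Test-SuspiciousScriptBlock -Text $text
            if ($hits) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    ProcessId = $_.ProcessId
                    Patterns  = ($hits -join '; ')
                    Snippet   = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

function Get-PowerShellNetworkConnections {
    # Visibility into connections made by PowerShell processes: tie each established TCP
    # connection back to its owning powershell.exe / pwsh.exe process.
    $ids = (Get-Process -Name powershell, pwsh -ErrorAction SilentlyContinue).Id
    if (-not $ids) { return }
    Get-NetTCPConnection -OwningProcess $ids -State Established -ErrorAction SilentlyContinue |
        Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort
}

# Constructed sample command line (the base64 decodes to a run of letter A's, nothing else):
# flags EncodedCommand and HiddenWindow without touching the event log.
$sample = 'powershell.exe -nop -w hidden -enc ' + ('QQBBAEEA' * 5)
Test-SuspiciousScriptBlock -Text $sample

# On a live host, after Enable-PowerShellLogging and a reboot or gpupdate:
# Get-SuspiciousPowerShellEvents | Format-Table -AutoSize
# Get-PowerShellNetworkConnections | Format-Table -AutoSize
```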

METHODOLOGY

Industry Comparisons are made using data normalized by sensor count. Sensor count serves as a measure of company size. It follows that the sum of sensors for all companies in an industry approximates the scope of coverage for each industry. Normalizing the number of events in each industry by this number, then, gives an impression of attack intensity per area of detection surface.

Threats at the Perimeter: A time-series representation of the volume of all detections originating from scans (Information Gathering), Intrusion Attempts, and Reputation Blocks, regardless of whether the detection merited an alert to the client.

Threats Beyond the Perimeter: A time-series representation of the volume of alerts sent on Malicious Code and Phishing events was generated from known hostile threats, as indicated by the SOC’s notes on investigation conclusions. Software targeted and exploit tools used are based on metadata associated with detections.

Phishing Lures are recorded in a case management system as phishing incidents are observed on eSentire’s threat detection surface. The SOC maintains a record of whether phishing credentials were submitted or not, allowing differentiation between successful and failed attempts.

Endpoint Detection data was interpreted from impartial records for which broader context was not available due to retention limits. This accounted for approximately half of Malicious Code detections, which were removed from the data set for Figure 10. The other half was categorized based on event metadata and analyst notes.

ATTACHMENTS

Attachment 1: Threat Signals Normalization Taxonomy (based on the eCSIRT.net taxonomy)

Threat Signals Type Normalization Schema (Threat Type / Sub Type / Description and Examples)

Malicious Code
Sub types: Virus, Worm, Trojan, Spyware, Ransomware, Rootkit, ...
Any malicious software that is intentionally included or inserted in a system for a harmful purpose. A user interaction is normally necessary to activate the code.

Information Gathering
Scanning: Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, …).
Sniffing: Observing and recording network traffic (wiretapping).
Social Engineering: Gathering information from a human being in a non-technical way (eg, lies, tricks, bribes, or threats).

Intrusion Attempts
Exploiting known vulnerabilities: An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as a CVE name (eg, buffer overflow, backdoors, cross-site scripting, etc).
Login attempts: Multiple login attempts (guessing / cracking of passwords, brute force).
New attack signature: A network intrusion attempt using an unknown exploit.

Availability
Sub types: DDoS, DoS, Sabotage, Outage (no malice)
DDoS: By this kind of attack a system is bombarded with so many packets that the operations are delayed or the system crashes. DoS examples are ICMP and SYN floods, Teardrop attacks and mail-bombing. DDoS is often based on DoS attacks originating from botnets, but other scenarios also exist, such as DNS Amplification attacks.
However, availability can also be affected by local actions (destruction, disruption of power supply, etc.) or by spontaneous failures or human error, without malice or gross neglect being involved.

Fraud
Unauthorized use of resources: Using resources for unauthorized purposes including profit-making ventures (eg, the use of e-mail to participate in illegal profit chain letters or pyramid schemes).
Copyright: Selling or installing copies of unlicensed commercial software or other copyright protected materials (Warez).
Masquerade: Types of attacks in which one entity illegitimately assumes the identity of another in order to benefit from it.
Phishing: Masquerading as another entity in order to persuade the user to reveal a private credential.

Unclassified
All incidents which do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.

Policy Violation
Sub types: Unauthorized Applications (Skype, P2P, SMTP, FTP, ...), Remote Access (SSH, LogMeIn, RDP, TeamViewer, ...), Proxy/Tunnel (Proxy, TOR, ...)
Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user.

Reputation Block
Known bad indicator: Block/detection based on a known bad indicator, but without other validation or attribution to other incident types.

Source: https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/existing-taxonomies

Attachment 2: Confidence Language Used

Confidence language expresses the analyst’s judgment on the probability, or likelihood that a certain event will occur under defined circumstances and considering the cumulative quality of information that supports an assessment.

• Certainly: 100% or (10/10) chances that a certain event will occur under defined circumstances.

• Highly Probable: 93% ±6% or (8/10) chances that a certain event will occur under defined circumstances.

• Probable: 75% or (7/10) chances that a certain event will occur under defined circumstances.

• Plausible: 50% or (5/10). Chances are even.

• Probably not: 30% ±10% or (3/10) chances that a certain event will occur under defined circumstances.

• Almost Certainly not: 7% ±5% or (1/10) chances that a certain event will occur under defined circumstances.


eSentire is the largest pure-play Managed Detection and Response (MDR) service provider, keeping organizations safe from constantly evolving cyber-attacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC), staffed by elite security analysts, hunts, investigates, and responds in real-time to known and unknown threats before they become business-disrupting events. Protecting more than $6 trillion in corporate assets, eSentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory requirements. For more information, visit www.eSentire.com and follow @eSentire.