- Elusive malware
- Ransoms keep going up
- Insecure software
- Targeting virtual infrastructure
- Targeting software developers and cloud services
- Wiretapping, interception of messages, and news about 5G
- Governmental institutions are the most frequently attacked organizations
- About the research
Highlights of Q1 2021 include:
- The number of attacks increased by 17% compared to Q1 2020, and compared to Q4 2020, the increase was 1.2%, with 77% being targeted attacks. Incidents involving individuals accounted for 12% of the total.
- Ransomware is still the malware that is most often used by attackers. In Q1, they demanded astronomical ransoms and refined their arsenal, including adding new ways to hide from security tools. There is a lot of new ransomware, for example, Cring, Humble, and Vovalex. And the good old WannaCry is running rampant again. Ziggy operators set a precedent: they returned the ransoms paid to the victims and "turned to the light side".
- The most popular vulnerabilities for attackers this quarter were breaches in the Microsoft Exchange Server software (ProxyLogon) and the outdated file sharing program Accellion FTA. Attackers used a zero-day vulnerability discovered in SonicWall VPN solutions not just to hack the company, but also to launch attacks on its customers. SonicWall presumably failed to notify its customers in time about the identified vulnerability or a need to implement protective measures. The incident supports the argument that software manufacturers should inform their customers as soon as possible about existing vulnerabilities and ways of protecting themselves until a patch is released.
- More and more cybercriminals are developing malware to conduct attacks on virtualization environments, and some are aggressively trying to exploit vulnerabilities already found in software for deploying virtual infrastructure. At the beginning of 2021, our security engineers helped to eliminate critical vulnerabilities in VMware products. We strongly recommend installing the security updates as soon as possible.
- The number of attacks targeting IT companies has remained consistently high for a second quarter in a row. In 15% of cases during Q1 2021, hackers targeted IT companies to conduct an attack on their customers or to steal customer data. At the beginning of 2021, there were still reports in the media about new victims of the attack on SolarWinds: the company's customers claim that their networks have been compromised.
- Telecom companies were twice as likely to be attacked as in Q4 2020. In 71% of the attacks, hackers aimed at obtaining data, with a particular interest in the 5G technology. Nine out of ten incidents saw attackers use malware—most frequently, RATs, which accounted for 55% of all attacks.
To protect from cyberattacks, follow our general recommendations for ensuring personal and corporate cybersecurity. Also, given the specifics of the attacks in the past quarter, we strongly recommend that you install security updates in a timely manner and pay special attention to protecting virtual infrastructure. You can strengthen security at the corporate perimeter by using modern security tools, for example, web application firewalls for protecting web resources. To prevent malware infection, we recommend using sandboxes to analyze the behavior of files in a virtual environment and detect malicious activity.
The number of incidents in Q1 2021 increased by 17% compared to the same period in 2020, and compared to the Q4 2020, the increase was 1.2%, with 88% of the attacks targeting organizations. Cybercriminals typically attacked government institutions, industrial companies, science and education institutions. The main motive for attacks on both organizations and individuals remains acquisition of data. Attackers' main targets are personal data and credentials, and attacks on organizations are also aimed at stealing intellectual property.
77% of attacks were targeted
12% of attacks were directed at against individuals
Ransomware is predictably the most popular type of malware. Its share, among other malware used in attacks on organizations, increased by seven percentage points compared to Q4 2020 and is now 63%. Emailing remains the prevailing method of delivering malware: attackers used it in six out of ten malware attacks on organizations. Individuals are still most often attacked by banking trojans, spyware, and malware that provides remote access to the device.
Malware developers continue to look for new ways of bypassing security measures. To achieve that goal, attackers, for example, use unpopular programming languages, as in the case of BazarBackdoor (RAT), which was rewritten in Nim; the ransomware operators of Vovalex and RobbinHood chose such uncommon languages as D and Golang, respectively, from the get-go.
Some attackers have upgraded their tools with features that erase traces of malicious activity—as seen in such miners as OSAMiner, Black-T and Pro-Ocean. The code of the OSAMiner cryptominer, which targets macOS-based devices, contains a function that allows killing the Activity Monitor process, along with other monitoring and anti-malware tools. Activity Monitor is the Mac equivalent of Task Manager. The Black T miner, which targets Unix systems, clears bash history after deploying its payload and erases all traces of its own activity. The added openly accessible function for hiding the process is called libprocesshider; if detected, it may lead security experts to assume the presence of a malicious load. This tool is also used by attackers who distribute the Pro-Ocean miner, which attacks Apache ActiveMQ, Oracle WebLogic, and Redis servers, and checks the target environment before installation. At this stage, it determines whether to hide the malware, and if, for example, the malware finds itself in the Tencent Cloud or Alibaba Cloud environment, it starts the process of deleting monitoring agents.
Another way to hide the destructive load is to split the malware into archives. An example is the Masslogger Trojan designed to collect credentials. Attackers use email to deliver the malware, and to bypass the security measures, they split the executable file into multivolume archives with such extensions as .r00, .r01, and so on.
Having analyzed the latest attacks by the RTM APT group, the PT ESC team found that the attackers were using packers as a service to bypass security tools. This approach greatly complicates a search for known signatures, but behavioral analysis of files in the sandbox allows detecting malicious activity. In addition, the use of cryptors does not affect interaction between the malware and management servers, which means that they can be detected by analyzing network traffic.
A cryptor (packer) is a program that uses cryptographic methods to package malware in order to hide it from security tools during signature analysis.
Since the beginning of 2021, RTM has added the Quoter ransomware to their arsenal. According to researchers, if the banking Trojan has failed to complete its tasks and collect information from the infected host, the attackers launch Quoter onto the company's network as Plan B. Following the example of other ransomware operators, RTM employ the strategy of double extortion in their attacks. The group still uses social engineering methods as the main method of delivery, sending phishing emails to victims.
The group's activity in Q1 2021 decreased compared to Q4 2020, but this may indicate that the attackers are busy developing new attack techniques or refining existing tools for now.
Ransoms keep going up
Every third attack in Q1 involved ransomware operators. At the end of 2020, healthcare was the most frequently attacked sector, but in Q1 2021, the first place was shared by industrial, scientific and educational organizations. They amounted to 30% of all incidents involving ransomware; 28% of the attacks were directed at governmental and medical institutions.
In about seven out of ten ransomware attacks on organizations, email was used as a method of delivering the malware, and in a quarter of cases, attackers exploited vulnerabilities and searched for unprotected resources accessible from the Internet.
The 5 most active ransomware programs in Q1 2021
- Conti (Ryuk)
- Babuk Locker
New players appearing on the scene
Hog is currently targeting individuals. Its operators decrypt the victims' devices only if they connect to their Discord server. The use of Discord was previously seen in other hackers' attacks and is becoming a frequent practice. Hog operators could be testing new techniques.
In Q1 2021, REvil operators broke all records in ransom demands. They demanded $50 million after attacking the IT company Acer, and, after encrypting the network of the pan-Asian retail chain Dairy Farm Group, demanded 30 million in exchange for a decryptor and nondisclosure of the stolen data. Such large amounts are due to the ask-more-to-get-more tactic. The incident with the retailer FatFace speaks to the success of the campaign. In early January, Conti (Ryuk) operators penetrated the company's network by conducting a phishing attack, and after seven days of reconnaissance, extracted 200 GB of data and started the encryption process. Initially, the attackers demanded $8 million. However, during the negotiations, the amount was reduced to 2 million, which satisfied both parties.
Due to the fact that some companies refuse to pay the ransom, ransomware operators are forced to come up with new tactics. These days, if the company is refusing to pay, the attackers threaten to report the attack and the data theft to its customers. The fraudsters expect that the customers will persuade the company to pay a ransom to prevent the disclosure of their data.
Old players making a comeback
The WannaCry ransomware that thundered around the world four years ago is back in the game. According to Check Point, the number of affected organizations in March 2021 increased fortyfold compared to October 2020. The malware is being distributed using the EternalBlue exploit. The extortionists mostly attack government institutions and defense contractors, while the industrial sector ranks second, and financial organizations and medical institutions rank third and fourth, respectively.
REvil has acquired a new feature: the ability to run the encryption process in Windows safe mode, which enables the malware to bypass security measures. Conti (Ryuk) developers have supplemented it with the ability to spread to other devices within the domain. It is distributed over the network through shared network resources, where it creates copies of itself, and files are launched by creating tasks in the Windows task scheduler.
Secure storage of stolen data
Darkside operators, who attacked the Brazilian electric power company Companhia Paranaense de Energia (Copel), stealing about 1 TB of sensitive information, use their own method of data storage. They do not store stolen information on specially created private websites, as this is not safe. Instead, they have developed a distributed database: the data is stored on different servers. This helps to limit the number of individuals who can look at the data and avoid losing access to stolen information due to possible blockages.
Fear of liability
Ziggy operators, in the wake of the news about the capture of the attackers who distributed Netwalker and the destruction of the Emotet botnet infrastructure by law enforcement agencies, announced the end of their hacking career and promised the victims who paid them a ransom to return the money.
The first quarter of 2021 will be remembered for aggressive exploitation of vulnerabilities in the Microsoft Exchange Server software (ProxyLogon vulnerabilities) and Accellion FTA. The ProxyLogon vulnerabilities were exploited by distributors of the Black Kingdom and DearCry ransomware tools, Lemon_Duck cryptocurrency miner operators, and other APT groups.
Vulnerabilities in the outdated Accellion FTA data transfer software were exploited by Clop operators and the cybercriminal group FIN11: about 100 organizations were affected. About a quarter of these organizations suffered from major data breaches: the Singapore-based mobile operator Singtel, law firm Jones Day, universities in Miami and California, U.S. Bureau of Shipping, rail operator CSX, and aircraft manufacturer Bombardier. Centene, which was also affected by the vulnerabilities, filed a lawsuit against Accellion. The claim demands reimbursement of expenses associated with recovering from the attack.
The vulnerability CVE-2015-1427 in Elasticsearch allows attackers to bypass the sandbox protection mechanism and execute arbitrary commands. This quarter, it was used by operators of three botnets: z0Miner, Skidmap, and WatchDog. Another botnet, FreakOut, expanded with the help of vulnerabilities in TerraMaster (CVE-2020-28188), Zend Framework (CVE-2021-3007), and Liferay Portal (CVE-2020-7961).
Speaking of vulnerabilities, we cannot fail to mention the incident with SonicWall, the manufacturer of information security systems, which was hacked via a zero-day vulnerability in the NetExtender and Secure Mobile Access VPN products in late January. It was followed by media reports of attacks on the company's customers who were using the vulnerable solutions. For example, this opportunity was used by the UNC2447 group, which distributes the FiveHands ransomware (an updated version of DeathRansom) through the WarPrism loader or the SombRAT backdoor. According to researchers, the attackers were exploiting the vulnerability even before a security update appeared. Presumably, SonicWall did not alert its customers on time to the identified breach or a need to take protective measures.
Targeting virtual infrastructure
Q4 2020 saw a trend for attackers gearing their malware toward attacks on virtual infrastructure, and in Q1 2021, this trend consolidated. We can link this primarily to the global process of moving corporate IT infrastructure into a virtual environment. Attackers carefully monitor information about new vulnerabilities and try to find a use for these in their attacks as soon as possible. In early 2021, our experts helped to eliminate several critical vulnerabilities in VMware products, including CVE-2021-21972 in vCenter Server, which allowed remote code execution. At the time of publication, we estimate that the number of devices vulnerable to CVE-2021-21972 worldwide exceeded 6,000. After the vendor's security updates appeared in early February and the bulletin was published, Bad Packets researchers discovered multiple network scans conducted to find vulnerable hosts.
Darkside, RansomExx and Babuk Locker operators are aggressively exploiting other vulnerabilities in VMware products to encrypt data stored on virtual hard drives, such as the remote code execution vulnerabilities CVE-2019-5544 and CVE-2020-3992.
Attackers who distribute the Hildegard Trojan purposefully attack Kubernetes environments. To hide their malware, they use several techniques at once, including encrypting the payload, masking the malicious process as the bioset process in Linux and using the Dynamic Linker Hijacking technique.
Gaining access to virtual infrastructure and cloud services is a fairly popular topic on the darkweb. The services of so-called brokers are also used by ransomware operators for acquiring credentials to log in to the systems. In addition to ready-to-use access to certain companies, attackers post offers to hack companies to order on darkweb message boards.
Targeting software developers and cloud services
The number of attacks on IT companies has not decreased since the beginning of Q4 2020. The main motive of hackers attacking this industry is to obtain data (66%). In 27% of the incidents, hackers sought financial gain, and in 15% of the cases, companies were hacked to facilitate subsequent attacks on their customers.
The consequences of the attack on SolarWinds were evident still even in early 2021. Thus, in early March, news about the attack on the IT company Robotron appeared in the media. The incident also affected the company's customers who installed malicious updates for the Werkzeugkasten backup server. The investigation revealed that the company's network was compromised as a result of the attack on SolarWinds. According to Robotron, the first victim to install malicious updates was a small company in the Netherlands (neither the name nor even the industry in which the company operates were disclosed). Under the guise of updates, the BlockKopieren ransomware was distributed.
Supply chain attacks did not spare information security companies. In early February, the French company StormShield reported that its systems had been hacked. Attackers compromised the technical support portal. As a result of the incident, the source code of the Stormshield Network Security software firewall was stolen. It can be assumed that the attackers will examine the stolen code to find vulnerabilities in the software. In early January 2021, Malwarebytes, which produces information security tools, suffered due to a vulnerability in an application that has privileged access to Microsoft Office 365 and Azure. Note that in half of the attacks on this industry, attackers exploited software vulnerabilities.
Ransomware operators were involved in 56% of the malware attacks. The most significant incidents in terms of consequences occurred with the American IT service provider CompuCom and the Canadian IoT solution provider Sierra Wireless. In the first case, due to the attack using the DarkSide ransomware, the company suspended the provision of services to some customers. The company estimates that it will have to spend up to $20 million to eliminate all of the consequences, and the expected loss of revenue ranges from 5 to 8 million. Sierra Wireless, which was also affected by the ransomware attack, was forced to stop production, and the company's website was unavailable for two weeks. In addition, the company had to withdraw its financial forecast for Q1 2021, as it now needs to be adjusted.
The share of RATs increased by 23 percentage points compared to Q4 2020. In one of the campaigns, the attackers distributed it under the guise of Xcode, a free IDE for the Apple ecosystem. SentinelOne researchers discovered this malware in the legitimate project TabBarInteraction. The campaign is aimed at developers who will then inadvertently distribute remote control malware to their clients as part of the project. Another attack aimed at software developers involved hacking the official PHP Git repository and adding malicious commits. It is noteworthy that the attackers managed to add well-known developers' signatures to the commits.
Popular cloud services that facilitate interaction and simplify companies' IT infrastructure also became a favorite target for attackers. The reason for this phenomenon is that by attacking a cloud service provider, hackers can gain access to the customers' data, as it happened, for example, during the January incident with the Bonobos clothing store. The store suffered a data leak due to an attack on the cloud service provider that the company used to store customer credentials and personal data. A similar incident occurred with the network equipment manufacturer Ubiquiti.
According to the United States Cybersecurity and Infrastructure Security Agency, hackers managed to find a way to bypass two-factor authentication to compromise cloud services. This was achieved through a "pass the cookie" attack.
In this type of attack, attackers intercept the session of an already authenticated user or use stolen session cookies to authenticate with a web resource.
Wiretapping, interception of messages, and news about 5G
The number of attacks on telecom companies doubled compared to Q4 2020.
In 71% of the attacks, the attackers pursued the motive of obtaining data. The 5G technology turned out to be really interesting topic for hackers, perhaps due to the fact that they want to understand the features of its implementation in order to subsequently conduct attacks on subscribers. As part of a major cyberespionage campaign, hackers created a fake website that mimics Huawei's official job portal. Upon visiting this resource, a malicious Flash application was installed on the victim's computer, which acted as a loader for a subsequent installation of Cobalt Strike Beacon. At least 23 telecommunications companies fell prey to this campaign.
In early 2021, researchers from ClearSky reported on a campaign they identified, which collected sensitive data. Conducted by the Volatile Cedar cybercrime group, the campaign began in Q3 2020 and continues to this day. During the attacks, hackers exploit the web vulnerabilities CVE 2019-3396 (Atlassian Confluence), CVE 2019-11581 (Atlassian Jira) and CVE 2012-3152 (Oracle Fusion). among the victims of this campaign were, for example, the American telecom company Frontier Communications, the Egyptian mobile operator Vodafone Egypt, the Israeli National Information Technology Center, as well as the telecom companies Mobily and Saudinet in Saudi Arabia, and other major companies in the industry.
Malware was used in 91% of the attacks. Most (55%) of the incidents involved RAT, as in the case of USCellular. This fact may indicate that access to telecom companies is of high value to hackers: it can be sold on a darkweb forum or used in further attacks on subscribers.
Access to telecom equipment can allow attackers to intercept calls and messages of subscribers, track their location, and conduct fraudulent operations.
Governmental institutions are the most frequently attacked organizations
Since 2017, governmental institutions have topped our rankings of the most frequently attacked organizations. For their malicious actions, hackers mainly used malware (63% of attacks) and social engineering techniques (56%). The exploitation of web vulnerabilities ranks third: the share of this method (22%) increased by 13 percentage points compared to Q4 2020. Most often, attackers exploited vulnerabilities that were popular in Q1 2021, such as the ProxyLogon vulnerability used, e.g., in the incident with the Norwegian parliament and a vulnerability in Accellion FTA, which affected the audit service of the state of Washington. The APT groups LuckyMouse, Tick, and Calypso, which target organizations in the United States, Europe, Asia, and the Middle East, including governmental agencies, were also seen exploiting the ProxyLogon remote code execution vulnerability (CVE-2021-26855). The purpose of these campaigns was to obtain data.
The share of ransomware operators in attacks on governmental institutions is increasing: they were found in 70% of malware attacks. In addition to ransomware, attackers also used banking Trojans (18% of malware attacks), RATs (13%), and spyware (8%).
In this context, we should note the February attack on smart city systems in India. The Economic Times stressed that this is the first attack ever on the infrastructure of a smart city. The ransomware operators demanded $646,000 for troubleshooting the problems they created. An equally interesting example is the attack by the hacker group Hotarus Corp, which managed to hack the network of the Ministry of Economy and Finance of Ecuador and distribute their ransomware Ronggolawe (AwesomeWare). The peculiarity of this ransomware is that it is written in PHP and encrypts the files of the victim company's web applications. During this attack, the credentials of more than 6,500 users were compromised, and sensitive information, including emails and personal data of employees, was stolen.
Social engineering techniques were used in 56% of the incidents. For example, the APT group SideWinder, whose activities were monitored by PT ESC, uses these to deliver malware. Attacks by this group on governmental institutions in Southeast Asia were recorded throughout Q1 2021. As the first step of the attacks, the hackers attached a file with a .lnk extension to phishing email. If the user opened the file, the mshta.exe utility ran, displaying a stub document to the victim to allay its suspicions, while the main script deployed the Trojan. This technique is used by many APT groups that we talked about in Q2 2020 and Q3 2020.
About the research
In this quarterly report, Positive Technologies shares information on relevant global IT security threats. The information draws on our own expertise, the outcomes of investigations and data from authoritative sources.
We believe that the majority of cyberattacks are not made public due to reputational risks. The result is that even organizations that investigate incidents and analyze activity by hacker groups are unable to do a precise count of threats. This research aims to draw the attention of companies and common citizens who concern themselves with the state of information security to the key motives and methods of cyberattacks, and to highlight the main trends in the changing cyberthreat landscape.
In this report, each mass attack—for example, when attackers send phishing email to multiple addresses – is counted as a single incident. Definitions of terms used in this report are available in the glossary on the Positive Technologies site.