Emotet, Trickbot, and Buer – Named after a Demon – Here are the Malware Campaigns Infoblox Tracked in Q1 2021

By: Craig Sanderson, Vice President of Security Products at Infoblox

The Infoblox Q1 2021 Cyber Threat Intelligence Report provides original research and insight into threats we observed leading up to and including this period of time. During Q1 2021, the Infoblox Cyber Intelligence Unit (CIU) has published original research reports on campaigns delivering

Cloud Vulnerabilities Remain Front and Center

One of the leading causes of cloud breach vulnerability is errors in cloud administration, configuration, and setup, including too many points of administration and different dashboards and too many policies to propagate, synchronize, and maintain consistently.

Architecture requirements for large enterprises and government remain almost completely committed to hybrid as they have both on-premises and cloud resources to protect. New controls to secure container-based workloads, lockdown cloud configurations, and encrypt data in the cloud are still being deployed.

As we noted last quarter, many organizations use security stacks don’t scale easily, if at all, from on-premises to the cloud. With new points of administration and management, plus a new front-end configuration, come increased opportunities for error and a potential data breach.

The CI/CD Pipeline Is Under Assault

There has been considerable coverage and research into the SolarWinds breach. CISA’s analysis of the attack on SolarWinds concluded that the threat actors added a malicious version of the binary SolarWinds.Orion.Core.BusinessLayer.dll into the SolarWinds software lifecycle. This version was then digitally signed by a legitimate SolarWinds code signing certificate. The malicious code became trusted once it was digitally signed, defeating the purpose of code signing: providing reassurance to users that the code an organization distributes can be trusted.Emotet, Trickbot, and Buer – Named after a Demon

Crafting a strategy to breach a software provider’s most secured continuous integration/continuous delivery (CI/CD) pipeline means threat actors are aiming for the heart of cyber defenses. By successfully breaching the CI/CD pipeline, threat actors would assume a mantle of trust and are capable, virtually unhindered, of using an organization’s trusted reputation to distribute malware across its user base, potentially enabling serious and widespread damage.

Remote Work Environments

With many organizations allowing users to utilize home broadband connections for work use, the corporate attack surface has grown substantially, with sensitive data being strewn and exposed everywhere. None of this has changed in Q1 2021.

Data supporting the incremental risk of WFA environments is circulating from a growing variety of sources.  For example, the ed-tech advocacy group the Consortium for School Networking (CoSN), creates and publishes surveys on cyber technology issues. According to Keith Krueger, CEO of CoSN, cybercriminals are using phishing scams to target remote students and educators, which often appear to come from recognizable email addresses at first glance. “In a school environment, about 3 percent of teachers click inappropriately on phishing scams,” Krueger said. “That was jumping to 15 to 20 percent from home, so a lot of cybercriminals are getting into the network.”

Email Remains the Leading Attack Vector

Email remains the top threat vector used to attack both government and businesses of all sizes. Email delivers 75 to 90 percent of malware. Despite training and widespread warnings against spam, users continue to open suspicious emails, both in their business and personal accounts. They click on malicious email attachments and URLs, as well as view websites not generally associated with business use.

The Infoblox CIU continues to observe widespread threat actor use of email campaigns employing social engineering tactics to propagate a variety of attacks. In some instances, these attacks are highly targeted to one individual or organization, a technique known as spear-phishing, but larger campaigns are more common.

Ransomware as a Service

The widespread use of ransomware continues unabated into Q1 2021, with ransomware tools increasing in sophistication. Ransomware-as-a-service (RaaS) platforms that can be easily deployed by even the least technical ransomware threat actor. As threat actors become more skilled and capable at using ransomware, they are executing increasingly more damaging attacks, often against enterprises and government organizations.

COVID-19 Remains a Top Theme for Social Engineering

COVID-19 has continued to present threat actors with new opportunities. Over the past year, there has been an endless progression of COVID-related phishing attacks. As these attacks ramped up through 2020, Google alone blocked a reported average of 18 million daily malicious COVID-19 messages to Gmail users. Beyond malware and phishing email, Google also blocked more than 240 million spam messages related to COVID-19.

This new opportunity saw threat actors successfully impersonating government authorities such as the World Health Organization (WHO). You can see our report on Trickbot WHO?, which used a fraudulent coronavirus alert from the WHO to deliver Trickbot banking malware. Other emails impersonated UNICEF and attempted to leverage psychological manipulation by posing as a children’s charity. You can see our earlier reports on coronavirus-related themes to get a sense of the depth and breadth of these campaigns.

For all of these reasons and more, the cyberthreats remain alive and well. As before, threat actors will both innovate, adjust and sustain proven methods as 2021 unfolds. Rogue nation-states and organized crime will continue to build on their offensive capabilities. Accurate intelligence about timely, relevant threats enables an organization to make thoughtful, targeted improvements to its defenses and lower its risk.

 689 total views,  2 views today