7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
It’s been a summer of ransomware hold-ups, supply chain attacks and fileless attacks flying under the radar of old-school security. With malware running amok while we were lying on the beach, here’s a recap of the most burning strains and trends seen in the wild during the months of July and August 2019.
The heat must have had an effect as this summer saw malware continuing to evolve, particularly around three core trends:
Malware has been increasingly designed to bypass security controls leveraging a host of tactics, most notably by:
Taking evasion techniques one step further, an increasing number of strains are leveraging PowerShell commands and masquerading as legitimate system tools, all while running completely from memory (RAM) to fly under the radar of traditional IoC-based solutions and requiring behavior-based analysis to detect.
No thanks to underground botnet-as-a-service businesses, whole botnets of compromised systems are rented out to hackers, through which they can leverage ready-made access to live and well systems to simultaneously unleash multiple malware strains at their disposal. For example, Emotet serving IcedID (Bokbot) followed by Trickbot or the Ryuk ransomware.
What were this summer’s most exotic and lethal malware strains? Here’s a roundup.
Targeting European and Brazilian organizations, and posing an immediate threat to 76% of organizations who tested their resilience to it, according to the Cymulate Research Lab, the fileless Astaroth malware evades traditional IoC-based security controls, stealing user credentials, including PII, system and financial data.
Credit: Microsoft
At no point during the entire attack kill chain does Astaroth drop any executable files on disk, or use any file that is not a system tool, running its payload completely in memory (RAM).
The Sodinokibi (“Sodi”) ransomware is rare in its usage of a Windows vulnerability, namely CVE-2018-8453 patched by Microsoft last year, which enables gaining admin-level access. Suspected to be the successor of the GandCrab ransomware-as-a-service, Sodinokibi is disseminated through managed service providers’ (MSP) websites, a form of supply chain attacks, where download links are replaced with the ransomware executable. Initially suspected as being offered as a service in the underground because of its ‘master encryption key’ approach, it has been confirmed that this is, in fact, the case.
> #Sodinokibi #REvil Ransomware as a Service arrived in russian hacking forum. pic.twitter.com/inT5BYWDIN
>
> — Damian (@Damian1338) August 28, 2019
The good news is that none of the organizations simulating this specific variant were found to be vulnerable; however, the exposure rate for other Sodi variants during this summer ranged between 60% and 77%, depending on the strain tested.
Targeting German-speaking countries, GermanWiper does not really encrypt files. Rather, it overwrites all the victim’s content with zeroes, irreversibly destroying their data. The ransom note is therefore bogus, rendering any payments made useless, and making offline backups crucial for recovery.
Posing as a job application with a CV attachment, the malware is spread via email spam campaigns. 64% of organizations simulating GermanWiper appeared to be vulnerable when testing controls against it.
Posing a threat to** 70% of organizations**, based on attack simulations performed, MegaCortex deliberately targets larger firms in a bid to extort larger sums of cash, ranging from $2M-$6M in bitcoin. The MegaCortex operators compromise servers critical to businesses and encrypt them and any other systems connected to the host.
This ransomware was originally executed using a payload encrypted with a password that was manually entered during a live infection. In its newer strain, this password is hardcoded along with other features that have been automated, such as security evasion techniques. The malware has also evolved to decrypt and run its payload from memory.
The Russian-speaking advanced persistent threat (APT) group is one of the most sophisticated in the world and has recently updated its TTPs to encrypt critical strings, including commands issued to bots in order to evade detection. Initially sending recon emails to potential victims to identify the easy-clickers, after initial infection, the hackers now spread additional malware to victims either through their rewritten TrueBot loader or through a fileless loader called Ivoke, hiding C2 communications through DNS tunneling. Over the past year, the group has amassed an estimated $4 million.
84% of organizations are vulnerable to the strain released this summer, according to Cymulate data.
Specifically targeting governments and international bodies, Turla was seen to hijack infrastructure belonging to the Iranian-linked Oilrig APT group. Using a combination of custom malware, modified versions of publicly-available hacking tools and legitimate admin software, the group has been moving towards LOTL techniques, and its victims include ministries, governments, and communications technology organizations in ten different countries.
70% of organizations were found vulnerable to this threat at the time of security testing.
Looking to assess your organization’s security posture now that the summer is over? Explore how breach and attack simulation can provide you with the immediate, actionable insights you need.
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C