Page 171 - Cyber Defense eMagazine March 2024

The researchers observed an increase in the use of compromised devices to launch attacks, whether
            directly or via "residential proxies". This is reflected in where the attacks originated: 48% of attacks came
            from IPs managed by ISPs, 32% from organizations in business, government and other sectors, and 10%
            from hosting or cloud providers.


            Web applications and remote management are the most attacked services. It is worth noting that
            remote management services were often targeted with usernames linked to IoT devices.

            Exploits against network infrastructure and IoT devices increased. The most targeted IoT devices are IP
            cameras, building automation, and network attached storage.

            Only 35% of exploited vulnerabilities appeared in the CISA Known Exploited Vulnerabilities (KEV)
            catalog, suggesting that defenders need to consult other sources to build a more comprehensive list of
            risky devices, especially when it comes to OT and IoT/IIoT.
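The KEV coverage gap described above is easy to measure for your own environment. The following is an added example (not code from the article or from the researchers it summarises): it loads a KEV-shaped JSON document (the real feed has a top-level "vulnerabilities" list whose entries carry a "cveID" field), normalises a list of CVE IDs seen being exploited, and reports which ones KEV does not list, ordered by how often they were hit. The catalog excerpt and the observed-CVE list are constructed sample data with placeholder IDs, not real KEV entries or report data; the function and field names other than "vulnerabilities" and "cveID" are this example's own.

```python
"""Measure how much of an observed-exploitation CVE list is covered by CISA KEV.

Added example, not code from the original article. The real KEV catalog is
published as JSON with the shape {"vulnerabilities": [{"cveID": ...}, ...]};
everything else below (IDs, vendors, products, counts) is constructed sample
data for illustration only.
"""
import json
import re
from collections import Counter

# Strict CVE ID syntax: CVE-<4-digit year>-<4 or more digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed KEV-style excerpt. Field names match the real feed; the IDs,
# vendors and products are placeholders, not real catalog entries.
KEV_SAMPLE = """{"vulnerabilities": [
  {"cveID": "CVE-2024-90001", "vendorProject": "ExampleCam", "product": "IP camera firmware"},
  {"cveID": "CVE-2024-90002", "vendorProject": "ExampleNAS", "product": "NAS web UI"},
  {"cveID": "CVE-2023-90003", "vendorProject": "ExampleRouter", "product": "Router admin"}
]}"""

# Constructed list of CVE IDs "seen" in exploitation attempts, one entry per
# attempt, deliberately including case/whitespace noise and a malformed value.
OBSERVED_SAMPLE = [
    "CVE-2024-90001", "cve-2024-90001", "CVE-2024-90002", "CVE-2024-90004",
    " CVE-2023-90003", "CVE-2024-90005", "CVE-2024-90004", "not-a-cve",
]


def normalize_cve(raw):
    """Return the canonical upper-case CVE ID, or None if it is not a CVE ID."""
    cve = raw.strip().upper()
    return cve if CVE_RE.match(cve) else None


def load_kev_ids(kev_json_text):
    """Parse a KEV-shaped JSON document into a set of canonical CVE IDs."""
    data = json.loads(kev_json_text)
    ids = set()
    for entry in data.get("vulnerabilities", []):
        cve = normalize_cve(str(entry.get("cveID", "")))
        if cve:
            ids.add(cve)
    return ids


def kev_coverage(observed, kev_ids):
    """Split observed CVEs into KEV-listed and unlisted, with attempt counts.

    coverage          = share of distinct observed CVEs that KEV lists
    attempt_coverage  = share of individual attempts that hit a KEV-listed CVE
    rejected          = inputs that were not valid CVE IDs
    """
    counts = Counter()
    rejected = []
    for raw in observed:
        cve = normalize_cve(raw)
        if cve is None:
            rejected.append(raw)
        else:
            counts[cve] += 1
    in_kev = {c: n for c, n in counts.items() if c in kev_ids}
    not_in_kev = {c: n for c, n in counts.items() if c not in kev_ids}
    distinct = len(counts)
    attempts = sum(counts.values())
    return {
        "in_kev": in_kev,
        "not_in_kev": not_in_kev,
        "coverage": len(in_kev) / distinct if distinct else 0.0,
        "attempt_coverage": sum(in_kev.values()) / attempts if attempts else 0.0,
        "rejected": rejected,
    }


def triage_gaps(result):
    """Unlisted CVEs ordered by attempt count (desc), then ID, for follow-up."""
    return sorted(result["not_in_kev"].items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    res = kev_coverage(OBSERVED_SAMPLE, load_kev_ids(KEV_SAMPLE))
    print(f"distinct CVEs in KEV: {res['coverage']:.0%}, attempts on KEV CVEs: "
          f"{res['attempt_coverage']:.0%}")
    for cve, n in triage_gaps(res):
        print(f"NOT IN KEV: {cve} ({n} attempts)")
    for bad in res["rejected"]:
        print(f"rejected input: {bad!r}")
```

Both ratios matter: a small number of unlisted CVEs can still account for most attempts, which is why the gap list is sorted by attempt count rather than by ID. Swapping the constructed feed for the downloaded KEV JSON and the sample list for your own honeypot or IDS export is the only change needed to run this on real data.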

            OT remains a constant target. Five OT protocols were the most targeted by threat actors: Modbus (a
            third of attacks), Ethernet/IP, Step7 and DNP3 (around 18% each), and IEC10X (10% of attacks). The
            remaining 2% is spread across many other protocols, most of it BACnet. Most attacks target protocols
            used in industrial automation and the power sector. Building automation protocols are scanned less
            often, but exploits against building automation devices are more common.

            Post-exploitation actions focused on persistence (50%, up from 3% in 2022), followed by discovery and
            execution. Most observed commands were for generic Linux systems, but there were also commands
            executed specifically for the network operating systems that run on popular routers.

            The researchers observed remote access trojans (RATs) and information stealers (infostealers) in equal
            shares as the most popular types of malware. Botnets and other downloaders came third and fourth,
            followed by crypto miners and then a variety of other malware such as keyloggers and adware. The most
            popular malware families observed were the Agent Tesla RAT (16%), variants of the Mirai botnet (15%)
            and the Redline infostealer (10%).


            Cobalt Strike remained the most popular command and control (C2) framework (46%), followed by
            Metasploit (16%) and the emerging Sliver C2 (13%). Most C2 servers are located in the United States (40%),
            followed by China (10%) and Russia (8%).



            A Closer Look at Germany

            Germany is a focal point for cyber threats. Of the 600 threat actors we track, 82 primarily target German
            organizations. These threat actors mostly originate from Russia and China. Among their targets, the
            government sector remains the most attacked, and it is notable that manufacturing ranks as the seventh
            most targeted industry in Germany. This underscores the evolving threat landscape in the region, where
            both nation-state actors (mostly interested in espionage) and non-state actors (mostly interested in
            financial gain) are pursuing their objectives with increasing sophistication.






            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.