Page 171 - Cyber Defense eMagazine March 2024
The researchers observed an increase in the use of compromised devices to launch attacks, whether
directly or via "residential proxies". This is reflected in the origin of attacking IPs: 48% came from address
space managed by ISPs, 32% from organizations in business, government and other sectors, and 10% from
hosting or cloud providers.
Web applications and remote management are the most attacked services. It is worth noting that
remote management services were often targeted with usernames linked to IoT devices.
Exploits against network infrastructure and IoT devices increased. The most targeted IoT devices are IP
cameras, building automation, and network attached storage.
Only 35% of exploited vulnerabilities appeared in CISA's Known Exploited Vulnerabilities (KEV) catalog, so
defenders who prioritize on KEV alone miss most of what is actually being exploited and need additional
sources for a more comprehensive view, especially when it comes to OT and IoT/IIoT.
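The KEV gap above is easy to measure for your own telemetry. The following is an added example in Python, not code from the report or the magazine: it indexes a KEV feed export in the layout of the public known_exploited_vulnerabilities.json (a top-level "vulnerabilities" array whose entries carry "cveID", "vendorProject", "product" and "dateAdded") and reports which exploited CVEs seen by your sensors are covered. The feed excerpt, the observed-exploit list and the placeholder CVE IDs ending in 0000x are constructed sample data for the demonstration, not claims about real catalog contents or real vulnerabilities.

```python
"""Measure how much of an observed-exploit list is covered by a CISA KEV export.

Added example, not from the summarized report. The feed excerpt below is a
constructed sample that mirrors the public KEV JSON layout; the "observed"
list is constructed sensor output with placeholder IDs.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Strict CVE ID shape; anything else is treated as sensor noise, not a finding.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed excerpt in the KEV feed's JSON layout (not real KEV data).
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10"},
        {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
         "dateAdded": "2022-02-10"},
    ],
})

# Constructed observed-exploit list: mixed case, a duplicate, junk, and three
# placeholder IDs (ending in 0000x) standing in for exploits absent from KEV.
OBSERVED_EXPLOITS = [
    "CVE-2021-44228",
    "cve-2017-0144",
    "CVE-2021-44228",      # duplicate from a second sensor
    "CVE-2023-00001",      # placeholder, not in the excerpt
    "CVE-2023-00002",      # placeholder, not in the excerpt
    "CVE-2023-00003",      # placeholder, not in the excerpt
    "not-a-cve",           # junk that must not count toward the ratio
]


def load_kev_index(feed_json: str) -> dict[str, dict]:
    """Index a KEV feed by normalized CVE ID, rejecting malformed entries."""
    feed = json.loads(feed_json)
    index: dict[str, dict] = {}
    for entry in feed["vulnerabilities"]:
        cve = entry["cveID"].strip().upper()
        if not CVE_RE.match(cve):
            raise ValueError(f"malformed cveID in feed: {cve!r}")
        index[cve] = entry
    return index


@dataclass
class Coverage:
    in_kev: list[str] = field(default_factory=list)
    not_in_kev: list[str] = field(default_factory=list)

    def ratio(self) -> float:
        """Fraction of distinct, well-formed observed CVEs that KEV lists."""
        total = len(self.in_kev) + len(self.not_in_kev)
        return len(self.in_kev) / total if total else 0.0


def kev_coverage(observed: list[str], kev_index: dict[str, dict]) -> Coverage:
    """Split observed CVEs into KEV-listed and unlisted, deduplicating first
    so a noisy sensor repeating one CVE cannot inflate the coverage ratio."""
    result = Coverage()
    seen: set[str] = set()
    for raw in observed:
        cve = raw.strip().upper()
        if not CVE_RE.match(cve) or cve in seen:
            continue
        seen.add(cve)
        (result.in_kev if cve in kev_index else result.not_in_kev).append(cve)
    return result


if __name__ == "__main__":
    cov = kev_coverage(OBSERVED_EXPLOITS, load_kev_index(KEV_FEED_JSON))
    print(f"KEV coverage: {cov.ratio():.0%}")
    print("Not in KEV (need another prioritization source):", cov.not_in_kev)
```

Run against a real export of the KEV JSON and your own exploit-detection output, the `not_in_kev` list is the set you have to prioritize from other feeds; the report's 35% figure corresponds to `ratio()` over the whole year.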
OT remains a constant target. Five OT protocols drew almost all of the attacks: Modbus (about a third of
attacks), Ethernet/IP, Step7 and DNP3 (around 18% each), and IEC10X with 10% of attacks. The remaining
2% is spread across many other protocols, the majority of it BACnet. Most attacks therefore target protocols
used in industrial automation and the power sector. Building automation protocols are scanned less
often, but exploits against building automation systems are more common than scanning alone would suggest.
Post-exploitation actions focused on persistence (50%, up from 3% in 2022), discovery and execution.
Most observed commands are for generic Linux systems, but there were also commands executed
specifically for networking operating systems that run on popular routers.
The researchers observed an equal share of remote access trojans (RATs) and information stealers
(infostealers) as the most popular types of malware. Botnets and other downloaders come in third and
fourth, followed by crypto miners and then a variety of other malware, such as keyloggers and adware.
The most popular malware families observed were the Agent Tesla RAT (16%), then variants of the Mirai
botnet (15%) and the Redline infostealer (10%).
Cobalt Strike remained the most popular command and control (C2) framework (46%), followed by
Metasploit (16%) and the emerging Sliver C2 (13%). Most C2 servers were located in the United States (40%),
followed by China (10%) and Russia (8%).
A Closer Look at Germany
Germany is a focal point for cyber threats. Of the 600 threat actors we track, 82 primarily target German
organizations. These threat actors mostly originate from Russia and China. Among their targets, the
government sector remains the most targeted sector, while manufacturing ranks as the seventh most
targeted industry in Germany. This underscores the evolving landscape of cyber threats in the region,
where both nation-state actors (mostly interested in espionage) and non-state actors (mostly interested
in financial gain) are actively pursuing their objectives with increasing sophistication.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.