Cyber Hub

As ransomware attacks continue to prove themselves as one of the most profitable TTPs for cybercriminals today, their sophistication and frequency increase as well. The average ransom payment in ransomware attacks sharply grew by 33% in Q1 of 2020, and threat actors seems to be highly motivated than ever to utilize it. This week, security researchers have detected new threatening malware strains of the [F]Unicorn ransomware, as well as an extended activity of PonyFinal ransomware against organizations around the world.

Over the past week, several malware campaigns exposed new developments and capabilities that improve their abilities to avoid detection and cause greater damage to the infected victims. The TrickBot trojan has been seen using a new module to avoid detection and infect domain controllers while a new malware named Valak, that was used as a loader, has started collecting sensitive data. In addition, a new malware dubbed Octopus Scanner was detect infecting organizations using GitHub.

Each week there are several reports of cyber-attacks and high-severity vulnerabilities found. The risk they pose to your organization depends on a variety of factors that are in a near-constant state of change. This week we saw a number of security issues affecting the Exim MTA servers. In addition, we also witnessed attacks exploiting SaltStack vulnerabilities and the dangers of having potentially affected unpatched Cisco products.

Botnets remain at the top of the hackers' list of preferred tools due to the ability to magnify attacks without much effort. From DDoS attacks to malware delivery, botnets continue to create headlines with new methods used by threat actors to wreak havoc and seize financial gains.

As ransomware attacks continue proving themselves as one of the most profitable TTPs for cybercriminals today, their sophistication and frequency increases as well. The average ransom payment in ransomware attacks has sharply grown by 33% in Q1 of 2020. Threat actors seem to be highly motivated than ever to utilize it. This week, security teams have discovered new disturbing evasion techniques of the infamous NetWalker and Ragnar Locker ransomware.

Many new phishing campaigns were detected over the past week where threat actors are still focused on leveraging COVID-19 and the fact that most employees are working remotely, from home, using various communication and collaboration platforms. Apart from that, threat actors continue developing new phishing techniques to avoid detection and not raise suspicion by the victims. A massive campaign capitalizes the Coronavirus to spread the NetSupport RAT, while the collaboration platform, LogMeIn is impersonated to gather credentials. In addition, threat actors are taking advantage of the tax season for credentials gathering as well, while in another campaign, Google Firebase is used to host phishing pages. Moreover, a new phishing campaign is being spread by luring employees to access files that are related to upcoming bonuses in order to gain permissions to internal systems without the need to use credentials or MFA required.

Threat actors consistently come up with new ways to distribute malware that will be used for their malicious intentions to harm individuals and organizations. When it comes to state-sponsored actors, the scope of the attacks usually increases in direct proportion to the threat actor’s resources. Over the past week, security researchers have detected new malware strains that are believed to be associated with the infamous Lazarus hacking group.

The first quarter of 2020 -which is largely defined by lockdown and work-from-home due to COVID-19 - has proved to be the most prolific time for ransomware attacks. Poorly secured RDPs are the most common infection vector for ransomware. As people increasingly leverage this technology to remotely access their corporate networks, the number of successful ransomware attacks increases as well. Accordingly, the average ransom payment grew by 33% in Q1 placing it at $111,605, a huge profit to the attackers, giving much motivation for cyber-gangs to utilize ransomware as their TTP.

Threat actors consistently come up with new ways to distribute malware that will be used for their malicious intentions to harm individuals and organizations. Over the past week, a new botnet dubbed Kaiji was detected targeting servers and IoT devices in order to execute DDoS attacks. ln addition, a new macOS version of Dacls RAT associated with the Lazarus Group was observed spreading in the wild.

Many new phishing campaigns were detected over the past week: threat actors are still focused on leveraging the fact that most employees are working from home remotely using various communication tools. A massive phishing campaign has been impersonating Cisco Webex to gather credentials using a phishing website. Skype users were also targeted by threat actors who also built a phishing website to gather credentials. Moreover, the FBI has warned of an increase in BEC attacks leveraging the COVID-19 pandemic. Another phishing campaign targeted executive credentials and payment details by impersonating a telecommunications service provider.