The latest Threat Landscape Report provides valuable insights into the evolving threat environment that every security professional should read. When these insights and analysis are put into practice, organizations are better equipped to defend their organizations – not only against specific threats, but against the evolving threat landscape. The most recent report, covering Q4 of 2019, is no exception. Here are a few highlights:
Amidst the constant pressure to keep ahead of new threats, organizations seem to regularly forget that older exploits and vulnerabilities really have no expiration date, and threat actors will continue to use them as long they work. Research into last quarter’s threat landscape is no exception, showing that cybercriminals continue to exploit every possible opportunity to attack today’s expanding digital infrastructure. Alongside new attacks, older vulnerabilities and exploits continue to present.
But sometimes, these older threats include a new twist that make them even more dangerous.
A case in point is EternalBlue. It has been a virulent delivery tool used in some of the most destructive campaigns of the past few years, most notably in the WannaCry and NotPetya ransomware attacks of 2017. And a newer exploit with a similar potential for destruction is a “wormable” vulnerability known as BlueKeep, identified last May. And while it has not attracted the level of trouble as similar risks, it has the potential to enable malware to spread at the same speed and scale as WannaCry and NotPetya. Even though a patch for BlueKeep has been available from Microsoft for months, and the risk has been clearly articulated by the security community, far too many organizations have still not updated their vulnerable systems.
And now, a new version of the EternalBlue Downloader Trojan has surfaced with the ability to exploit the “BlueKeep” vulnerability, just as it did with WannaCry and NotPetya. Fortunately, the version currently in the wild is not completely ironed out, forcing targeted devices to crash multiple times before loading. But looking at the traditional development cycle of malware, determined cybercriminals are likely to have a highly functional version of this potentially devastating malware package in the near future.
As a result, any organization that has not yet done so is strongly advised to apply the EternalBlue patch to exposed systems as soon as possible.
Research from Q4 demonstrated significant levels of activity related to Charming Kitten, an cyberwarfare group linked to Iran that has been described by US government agencies and threat researchers as an Advanced Persistent Threat (APT). Active since 2014, these threat actors have been associated with numerous cyberespionage campaigns, targets including government officials, journalists covering global politics, and prominent Iranian expats.
Recent activity suggests that Charming Kitty has expanded into the election disruption business, having been linked to attacks targeting email accounts associated with a presidential election campaign.
In addition, Charming Kitten was observed employing four new tactics against intended victims that were all designed to trick victims into parting with sensitive information.
A wide range of IoT devices, such as wireless IP cameras, continue to be plagued by exploitable software. This situation is magnified when components and software are embedded into different commercial devices sold under a variety of brand names, sometimes by different vendors. Many of these components and services are often programmed using bits and pieces of pre-written code from a variety of common sources. These common components and pre-written code are sometimes vulnerable to exploit, which is why some of the same vulnerabilities crop up repeatedly across a wide range of devices.
The scale combined with the inability to easily patch these devices is a growing challenge, and spotlights the difficulties of supply chain security. A lack of patch awareness or availability, the prevalence of vulnerabilities in some IoT devices, and the documented attempts to “enslave” these devices in IoT botnets all contributed to these exploits having the third-highest volume among all IPS detections during the quarter.
Spam continues to be one of the top issues for organizations and individuals to deal with. This quarter’s report combines the volume of spam flow between nations with data showing the ratios of spam sent vs. spam received, visually revealing a new perspective on an old problem. The majority of spam volume seems to follow economic and political trends.
For example, the heaviest “spam trade partners” of the United States include Poland, Russia, Germany, Japan, and Brazil. In addition, in terms of exported spam volumes from geographic regions, Eastern Europe is the largest net producer of spam in the world. Most of the outbound-heavy spammers beyond that hail from Asian sub-regions. The remaining European sub-regions lead those with net negative spam ratios, receiving more than they send, followed by the Americas and Africa.
A fresh view on an persistent problem.
These and other insights in Q4’s Threat Landscape Report are designed to help security professionals keep a thumb on the pulse of the evolving threat environment. Critical insights not only inform these professionals of top threats they need to prepare their networks to repel, but also provides analysis and guidance on trends that enable security teams to build proactive defenses designed to defend against threat trends rather than just individual attacks.