
Research shows that 91.5% Malware in Q2 2021 Appeared Over Encrypted Connections

According to recent WatchGuard data, 91.5 percent of malware arrived over encrypted connections during Q2 2021. This represents a significant increase compared to the previous quarter, implying that any organization that does not inspect encrypted HTTPS traffic at the perimeter is overlooking roughly nine in ten of all malware samples.

The study also showed worrisome increases in file-less malware threats, a substantial increase in ransomware, and a massive increase in network cyber attacks. “With much of the world still firmly operating in a mobile or hybrid workforce model, the traditional network perimeter doesn’t always factor into the cybersecurity defense equation,” said Corey Nachreiner, CSO at WatchGuard. 

AMSI.Disable.A appeared in the leading malware segment for the very first time in Q1 and quickly rose to the forefront this quarter, ranking second overall by volume as well as first for cumulative encoded attacks. This malware family employs PowerShell techniques to leverage various Windows security flaws, but what makes it particularly intriguing is its evasive technique. 

AMSI.Disable.A employs code capable of deactivating the Antimalware Scan Interface (AMSI) in PowerShell, enabling it to avoid script-security screening while carrying out its malware payload completely unnoticed. Within the first six months of 2021, malware observations believed to have originated from scripting engines such as PowerShell already have managed to reach 80% of last year's overall script-initiated attack volume, representing a significant increase compared to the previous year. 
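The evasion described above (a script disabling AMSI so that its payload is never scanned) leaves traces in PowerShell Script Block Logging (Event ID 4104) that defenders can hunt for. The following is an added example, not WatchGuard's code or anything from the original post; it triages a handful of constructed 4104-style records (hypothetical hosts and script text) by looking for references to AMSI internals, undoing the common string-splitting trick used to hide those names, and decoding `-EncodedCommand` payloads so the same indicators are checked inside them.

```python
import base64
import re

# Constructed sample records in the shape of PowerShell Script Block Logging
# events (Event ID 4104). Hosts and script text are illustrative, not telemetry.
SAMPLE_EVENTS = [
    {"record_id": 1, "host": "ws-01",
     "script": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"record_id": 2, "host": "ws-02",
     "script": "$t = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"},
    # Indicator name split into string fragments to dodge naive substring matching.
    {"record_id": 3, "host": "ws-03",
     "script": "$n = 'Am'+'si'+'Ini'+'tFai'+'led'; Write-Output $n"},
    # Indicator hidden inside a base64 (UTF-16LE) -EncodedCommand payload.
    {"record_id": 4, "host": "ws-04",
     "script": "powershell.exe -NoP -EncodedCommand "
               + base64.b64encode("Write-Host AmsiScanBuffer".encode("utf-16-le")).decode()},
    {"record_id": 5, "host": "ws-05",
     "script": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
]

# Names of AMSI internals that benign administrative scripts have no reason to touch.
AMSI_INDICATORS = [
    re.compile(r"amsiutils", re.I),
    re.compile(r"amsiinitfailed", re.I),
    re.compile(r"amsiscanbuffer", re.I),
    re.compile(r"amsi\.dll", re.I),
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob of plausible length.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# A quote, a plus sign, and another quote: the seam between concatenated fragments.
CONCAT_RE = re.compile(r"""['"]\s*\+\s*['"]""")


def normalize(script: str) -> str:
    """Join string fragments glued with + so that 'Am'+'si' reads as Amsi."""
    return CONCAT_RE.sub("", script)


def decode_encoded_commands(script: str) -> list:
    """Return the decoded text of every -EncodedCommand payload found in the script."""
    decoded = []
    for match in ENCODED_RE.finditer(script):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            decoded.append(raw.decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real payload; leave it to the plain-text checks
    return decoded


def analyze_event(event: dict) -> dict:
    """Score one script block: 'high' on an AMSI indicator, 'review' on an encoded command."""
    decoded = decode_encoded_commands(event["script"])
    views = [normalize(event["script"])] + [normalize(d) for d in decoded]
    hits = sorted({p.pattern for view in views for p in AMSI_INDICATORS if p.search(view)})
    severity = "high" if hits else ("review" if decoded else "none")
    return {
        "record_id": event["record_id"],
        "host": event["host"],
        "encoded_payloads": len(decoded),
        "amsi_indicators": hits,
        "severity": severity,
    }


def triage(events=SAMPLE_EVENTS) -> list:
    """Return only the records that deserve an analyst's attention."""
    return [r for r in (analyze_event(e) for e in events) if r["severity"] != "none"]


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Run against the constructed records, records 2, 3 and 4 come back as `high` and the two ordinary administrative commands are dropped. In a real deployment the same logic would be pointed at 4104 events exported from the Windows event log; the normalization and decoding steps matter more than the indicator list, since the list is easy to extend but split strings and encoded commands defeat a plain substring search.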

In the following quarter, the said number increased by another million, indicating an aggressive course that emphasizes the evolving importance of keeping perimeter security along with user-focused safeguards. Whereas overall ransomware detections on endpoints fell from 2018 to 2020, the trend reversed in the first half of 2021, with the six-month total finishing just short of the full-year total for 2020. 

The Colonial Pipeline attack on May 7, 2021, demonstrated unequivocally that ransomware will be here to stay. The breach, which was the top security incident of the quarter, demonstrates how cybercriminals are not only targeting the most essential services – such as hospitals, industrial control, and infrastructure – but also seem to be intensifying attacks against such elevated targets. 

One of the most notable examples, a 2020 vulnerability in the popular scripting language PHP, is comparatively recent; the other three are not. They include a 2011 Oracle GlassFish Server vulnerability, a 2013 SQL injection flaw in the medical records application OpenEMR, and a 2017 remote code execution (RCE) vulnerability in Microsoft Edge. Even though they are all old, each still poses a danger if left unpatched.

Although it is an old attack vector that has hopefully been fixed in most systems, those who have yet to patch will be in for a huge shock if an attacker reaches them first. A broadly similar RCE flaw, CVE-2021-40444, hit the headlines earlier this month when it was deliberately abused in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers.

Malware designed to target Microsoft Exchange servers and generic email clients in order to install remote access trojans (RATs) in highly sensitive locations has recently increased. This is most probably because Q2 was the second consecutive quarter in which remote employees and learners returned either to hybrid office and educational environments or to normal on-site work.

Strong security awareness, together with monitoring of outbound communications from devices that are not directly connected to the corporate network, is advised in any event, whatever the location.

Q2 2021 Report by Digital Shadows, Abridged

Q2 2021 was among the most significant ransomware periods on record, with several major events taking place. The quarter saw one of the biggest pipelines in the United States targeted, new ransomware groups emerging and others disappearing. It also saw well-known cybercriminal forums denouncing ransomware, and certain law enforcement actions radically changing some ransomware operations.

According to the recent report by Digital Shadows, a cybersecurity firm, more than 700 firms were attacked with ransomware and their information was dumped on data leak websites in Q2 of 2021. Of the nearly 2,600 victims mentioned on the data leak websites of ransomware, 740 were identified in Q2 2021, depicting a 47% rise over Q1. 

Digital Shadows researchers found a 183% increase in ransomware operations against the retail sector between the first quarter of 2012 and the second quarter.

Q1 2021 was dominated by supply chain attacks, such as those on Microsoft Exchange Server and SolarWinds, whereas the latest quarter defined the present and future threat environment of ransomware.

The report includes the quarter's main events including the DarkSide Colonial Pipeline attack, the JBS attack on the world's largest meat processor, and enhanced US and European law enforcement actions. 

But the Photon Research Team from Digital Shadows noticed that other themes had emerged beneath the surface. Since the Maze ransomware gang helped to popularize the data leak site, double extortion methods have become widespread among groups that want to inflict maximum harm after an attack.

According to the investigation, data from organizations in the commercial products and services industry appeared most often on dark web leak sites. The list of affected organizations was likewise dominated by construction and materials, retail, technology, and healthcare organizations.

Conti Group led the way, followed by Avaddon, PYSA, and REvil.

"This is the second consecutive quarter that we have seen Conti as the most active in terms of victims named to their DLS. Conti, believed to be related to the Ryuk ransomware, has consistently and ruthlessly targeted organizations in critical sectors, including emergency services," the report said. 

However, the research warns that several groups have disappeared from, or emerged out of nowhere in, the global ransomware marketplace. According to Digital Shadows, the groups that halted operations in Q2 were Avaddon, Babuk Locker, DarkSide, and Astro Locker, whilst groups such as Vice Society, Hive, Prometheus, LV Ransomware, Xing, and Grief appeared with their own dark-web leak sites.

In addition, 60% of victims' firms are situated in the United States, with only Canada witnessing a decline in ransomware assaults from Q1 to Q2. Over 350 US-based organizations, compared to 46 in France, 39 in the UK, and 35 in Italy, have been affected by ransomware in Q2. 

Lastly, the report's researchers asked whether Q3 would see further attacks similar to the Kaseya ransomware campaign, in which REvil operators employed a zero-day vulnerability to infiltrate more than forty managed service providers.