The US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) have picked 11 malware families as their top threats. The list comprises malware that has evolved over the past ten years as banking trojans, remote access trojans, information stealers, and ransomware delivery tools.
The agencies listed the top malware strains of 2022:
- Agent Tesla (information stealer)
- AZORult (information stealer)
- Formbook (information stealer)
- Ursnif (banking Trojan)
- LokiBot (Trojan credential stealer)
- MOUSEISLAND (ransomware delivery)
- NanoCore (credential stealer)
- Qakbot (multipurpose trojan)
- Remcos (remote access trojan)
- TrickBot (multipurpose trojan/ransomware delivery)
- GootLoader (multi-payload malware platform)
The malware on the list is used primarily for financial gain rather than cyber espionage. "The most prolific malware users of the top malware strains are cyber criminals, who use malware to deliver ransomware or facilitate the theft of personal and financial information," noted CISA in the advisory.
Readers Note: Please visit https://redskyalliance.org and search by malware name to view research articles on the above malware groups.
Per the investigators, TrickBot started as a banking trojan but evolved into modular malware and has since served as an access broker for ransomware groups, such as the notorious Conti gang, by using its network of already compromised machines. CISA also offers an overview of how the malware ecosystem functions and how its actors continue to fund, support, and improve their malicious software. "Many malware developers operate from locations with few legal prohibitions against malware development and deployment. Some developers even market their malware products as legitimate cyber security tools," CISA notes.
CISA's advisory is a useful resource with links to official US government technical briefings about each malware strain. For each strain, it summarizes the main capabilities, the period it has been active, its malware classification, and its delivery method.
Trickbot, the world's largest botnet at one point, has been active since 2016 and, in October 2020, was targeted by Microsoft and its partners for a technical and legal takedown. That month, the US military's Cyber Command unit reportedly ran a campaign against Trickbot. CISA also warned Trickbot was planning an attack on US healthcare sector organizations. Despite these efforts, CISA notes that Trickbot remains active as of July 2022. "TrickBot malware is often used to form botnets or enable initial access for the Conti ransomware or Ryuk banking trojan. TrickBot is developed and operated by a sophisticated group of malicious cyber actors and has evolved into a highly modular, multi-stage malware," the advisory states. "In 2020, cybercriminals used TrickBot to target the Healthcare and Public Health (HPH) Sector and then launch ransomware attacks, exfiltrate data, or disrupt healthcare services. Based on information from trusted third parties, TrickBot's infrastructure is still active in July 2022."
CISA recommends that organizations patch all systems and prioritize patching known exploited vulnerabilities. It also recommends enforcing multi-factor authentication and securing remote desktop protocol (RDP) services. In April 2022, CISA published the top 15 routinely exploited vulnerabilities, which included the ProxyShell and ProxyLogon Exchange email server vulnerabilities, bugs in virtual private network (VPN) endpoints, and the Apache Log4j Log4Shell flaw. It is up to all organizations to take steps and adopt procedures to protect themselves from cyber-attacks. No government can stop these attacks except for the countries sponsoring or benefitting from the thefts or ransom payments.
The following is what Red Sky Alliance recommends:
- All data in transmission and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed.
- Implement 2-factor authentication company-wide.
- For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership: infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories, including Keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941