In a recent study by CrowdStrike regarding cyber threat activity show more intrusion attempts in the first six months of this year than in all of 2019. The pandemic-related shift to remote work and the growing availability of Ransomware-as-a-Service (RaaS) were two major drivers. Red Sky Alliance has reported on many of these ransomware groups and actors in detail in 2020. These reports can be found at no charge at https://redskyalliance.org.
The security vendor's threat-hunting team blocked some 41,000 potential intrusions just between Jan. 1 and June 30 this year compared with 35,000 for all last year. Incidents of hands-on-keyboard intrusions in the first six months of 2020 where a threat actor is actively engaged in malicious activity was some 154 percent higher than the number of similar instances that CrowdStrike's researchers observed in 2019.
Predictably, one of the biggest causes for the increased threat activity was the rapid adoption of remote workforces in response to the COVID-19 pandemic. The switch significantly expanded the attack surface at many organizations, which threat actors were quick to try and exploit. Another driving factor was the growing availability of RaaS offerings and the resulting increase in threat actors and attack activity in the space. There was a notable increase especially in ransomware attacks that also involved the theft of sensitive data and subsequent attempts to extort victims with threats to officially release the data.
Despite all the attention that cyber espionage and nation-state-backed threat groups have garnered recently, an overwhelming majority of the actual attacks that CrowdStrike blocked in the first six months of this year were financially motivated. In fact, 82 percent of the hands-on-keyboard attacks that CrowdStrike's threat hunters encountered fell into the e-crime category, compared with 69%
As has been the case for some time, organizations in the financial, technology and telecommunications sectors were targeted more heavily than organizations in most other sectors. In addition, though, analysts observed what it called a dramatic increase in intrusion activity involving manufacturing companies. In fact, the manufacturing industry was the second most frequently targeted vertical after the technology sector in the first half of 2020. According to the company, the critical nature of most manufacturing operations and the valuable intellectual property and other data that manufacturing companies hold have made the sector an attractive target for both financially motivated attackers and nation-state threat groups.
Other sectors that experienced increased threat activity included healthcare, food and beverage, and academic institutions.
China-based adversaries posed a significant threat to organizations in multiple industries. Investigators observed at least six China-based actors targeting organizations in various data theft and cyber-espionage campaigns in the first half of 2020. Telecommunications companies were particularly popular targets for the China-based groups. Organizations in the manufacturing, healthcare, and agricultural sectors were also relatively heavily targeted.
In keeping with a recent trend, attackers used a variety of legitimate administration tools in their attacks. Some of them were native to the host operating system and others were not. The most frequently used tools included Process Hacker, Proc Dump, Advanced IP Scanner, Team Viewer, and Advanced Port Scanner. Attackers also used a variety of legitimate pen-testing tools in their campaigns including Mimikatz, Cobalt Strike, PowerShell Empire, PowerSploit, and Meterpreter.
One noticeable trend was the growing commonality in tactics, techniques, and procedures (TTPs) among e-crime groups and the generally more sophisticated state-backed groups. The overlap in TTPs is especially evident in the initial stages of an intrusion and in the use of legitimate admin tools and so-called living-off-the-land (LOTL) tactics to infiltrate networks, to escalate privileges, to achieve persistence, and to evade defenses. Where the two groups differ, the most is in stealth and persistence. While financially motivated groups tend to be louder and more obvious in their malicious activity, the state groups tend to be stealthier and more persistent.
According to cyber threat analysts, one especially worrisome development for defenders is the lengths to which attackers have going to evade detection. With organizations using more endpoint detection and response tools and other endpoint controls, threat actors have begun innovating ways around them. They have seen some pretty interesting things in terms of how far they will go, including literally downloading [antivirus] uninstallers" on compromised systems.
Analysts from Red Sky Alliance emphasize the use of cyber threat notification services, such as RedXray that will provide cyber defense teams to see threats before they become breaches. This time sensitive intelligence can be added to any current network security service to block them. It has been noted that over seventy-two (72) TTPs that researchers observed attackers using to evade detection. Among them were tactics including registry modification, process injection, the use of signed code, process hollowing, malware that compiled after delivery, file deletion, and hidden users.
Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
Red Sky Alliance can help protect with attacks such as these. We provide both internal monitoring in tandem with RedXray notifications on ‘external’ threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941