Threat intel report Q1 2020

2020 is off to a rocky start for the world. Cybersecurity is no exception.
The Alsid Research Team is hard at work compiling the findings and forecasts you need for the year to come.
A comprehensive approach
Anticipate Threats
Proactively harden your directory infrastructure
Bring vulnerabilities and weak configurations to light and maintain strong security boundaries through time
AD admins, Blue Teams, & Auditors
Detect Attacks
Detect attacks in true real-time with our AD-specific threat intelligence
Make AD an integral part of your security practice with SIEM & SOAR integrations
Enable your Threat Hunters with AD-native investigation capabilities
SOC Analysts & Threat Hunters
Respond To Breaches
Replay attacks and hunt for patient zero
Remediate at machine-speed through our orchestration playbooks
Detect persistence mechanisms and kick them out for good
Incident Responder
The features we are proud of
Cutting-edge security technology

Harden, protect, respond
All your practices extended to your most viral IT asset: AD

True real-time
Live exposure visualization, immediate attack alerts

Step-by-step recommendations
A follow-the-guide approach for AD admins who are new to security

Intelligence-driven, AD-native
Beyond compliance, detect AD-specific attack patterns
Seamless end-to-end user experience

No agents, no privileges
An instant-on application with hardly a footprint on operations

Dashboard-oriented UX
To simplify decision-making and prioritization

Simple, no-nonsense architecture
Using standard protocols and proven technologies

Native integrations with your other practices
Turbo-charge your SIEM, SOAR, and IAM solutions
Top 5 attack trends
2019 Q4: Five main trends
Attacks from China on the rise
Phishing tactics using Coronavirus crisis
Ransomware attacks impacts still increase
MacOS is now a new attack vector
Active Directory used for lateral movement and privilege escalation
Attacks from China on the rise
- Observation shows Chinese non-state cybercriminals transforming from small organizations into well-organized criminal groups targeting international organizations
- Asia is the focus of attacks, and advanced ransomware targeting Active Directory for fast movement is the main attack vector
- 800+ million people have Internet access in China: as that number increases, more criminal groups are engaging in cybercriminal activities to increase revenues
- Cybercriminal activity from China is growing at an annual rate of 30%
- According to dark web marketplaces, stolen data provided by Chinese actors is growing at a rate of 23% every year
- Chinese cybercriminal activity exceeds $15 billion USD. A recent Chinese study provided figures on the Chinese cybercriminal underground: http://bit.ly/3a1jbSC
- An estimated 400,000 people are working for cybercriminal groups in China
- Dark web marketplaces are not easily accessible for Chinese cybergroups because the government still blocks access to Tor and anonymous Internet access – so the dark web is only used to sell services (e.g. malware customization) or stolen data
- Many of the Chinese cybergroups use « classic » forums (e.g. Weibo or Baidu) and « language codes » to exchange information between groups:
- Devices, computers, or servers: « chicken meat » (鸡肉)
- Stolen accounts or passwords: « letters/envelopes » (字母 / 信封)
- Malicious websites: « tracking material » (追踪材料)
- Stolen financial data or credit cards: « fishing boxes » (钓鱼箱)
Phishing tactics using Coronavirus crisis
New cyberattacks exploit your fears with phishing emails designed to steal money, get personal information, and infect computers
This email is not from the CDC. It’s a phishing attack designed to harvest user names and passwords from people who click on the link. The link looks like it will take you to a CDC.gov website about the coronavirus. It will not.
You land on a fake Microsoft Outlook login page, created to steal usernames and passwords. Criminals control this fake Outlook page.
Once they capture your login credentials, they can use them to access your email account and look for anything valuable.
Another email will ask you to open a document explaining Coronavirus « care ». Yet another will ask you for Bitcoin.
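As an added illustration of the mismatch described above between what a link shows and where it goes (example code written for this page, not part of the original report), the Python function below pulls every link out of an HTML email body and flags those whose visible text names one domain while the href points elsewhere; the sample message is constructed and the hostnames in it are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure modelled on the description above: the visible link
# text claims cdc.gov, but the href leads to a look-alike login page.
SAMPLE_EMAIL_HTML = """
<p>Read the latest guidance from the CDC:</p>
<a href="http://outlook-login.example.net/owa">https://www.cdc.gov/coronavirus/2019-ncov/</a>
<p>Updates: <a href="https://www.cdc.gov/emailupdates">www.cdc.gov/emailupdates</a></p>
"""

# Domain name inside the anchor's visible text (scheme and www. are optional).
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude registrable domain (last two labels); enough for cdc.gov-style lures."""
    return ".".join(host.lower().split(".")[-2:])

def find_mismatched_links(html):
    """Return (domain shown to the user, host the href really leads to) per mismatched link."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        match = DOMAIN_RE.search(text)
        if not match:
            continue  # "click here" anchors claim no domain, so nothing to compare
        shown = registrable(match.group(1))
        real_host = urlparse(href).hostname or ""
        if registrable(real_host) != shown:
            flagged.append((shown, real_host))
    return flagged
```

The check only catches links whose text pretends to be a URL; a mail gateway would combine it with sender-domain and attachment checks.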

Ransomware attacks impacts still escalating
- Malware threat rates and detection counts are in line with those of Q4 2019
- Malware automation and industrialization are increasing (estimated to grow 13% over Q4 2019)
- New Ransomware-as-a-service platforms are spreading: better service offers and more advanced technical capabilities
MacOS is now a new attack vector
- Adware infections by OS for 2019 and Q1 2020:
  - Windows OS: 24 million
  - MacOS: 30 million
- Average number of threats by OS for 2019 and Q1 2020:
  - Windows OS: 6 threats per endpoint
  - MacOS: 11 threats per endpoint
- Rise of MacOS threats: increase of 400% in 2019 and Q1 2020 compared to 2018!
AD used for lateral movement and privilege escalation
- Threat sophistication increased, with many more attacks using exploits, credential stealing tools, or multi-step attacks
- Mass infections targeting large organizations increased – AD usage is now a « by design » behavior: embedded Mimikatz increased by 42% during Q1 2020 compared to Q3/Q4 2019
- Emotet & Trickbot trojans are still increasing: the top 5 infections during Q1 2020 were using Emotet or Trickbot
- MacOS integrated in Active Directory appears to be a good new attack vector to infect whole organizations
Bouygues Construction attack: Maze Ransomware using Active Directory
Sources [FR]:
The rise of ransomware-as-a-service
- Definition: « ransomware-as-a-service is abbreviated as RaaS. This is a form of software-as-a-service (SaaS) used by underground vendors to threat actors by providing them a ransomware platform tool. »
- Ransomware-as-a-service (RaaS) borrows from the software-as-a-service (SaaS) model. This subscription-based model enables even the novice cybercriminal to launch ransomware attacks without much difficulty.
You can find various RaaS packages on the market that reduce the need to have much technical knowledge of how to create ransomware. This malicious model allows anyone to become an « affiliate » of an established RaaS package or service.
RaaS example: Sodinokibi.
Sodinokibi attack methods include:
> Active exploitation of a vulnerability in Oracle WebLogic, officially named CVE-2019-2725
> Malicious spam or phishing campaigns with links or attachments
> Malvertising campaigns that lead to the RIG exploit kit, an avenue that GandCrab has used before
> Compromised or infiltrated managed service providers (MSPs) to push the ransomware en masse. This is done by accessing networks via remote desktop protocol (RDP) and then using the MSP console to deploy the ransomware
> Evading detection through the "Heaven’s gate" technique used to execute 64-bit code on a 32-bit process, which allows malware to run
Sodinokibi ransomware business detections 2019

Other examples:

RaaS business model
Q1 2020: Attack examples
- Travelex: Ransomware & data breach – source [EN]: https://www.nytimes.com/2020/01/09/business/travelex-hack-ransomware.html
- Enloe Medical Center: Ransomware – source [EN]: https://www.chicoer.com/2020/01/04/cyber-attack-hits-enloe-patient-records-safe-afficials-say/

Provide field-tested products with a seamless end-to-end user experience

Break the dynamics of most modern threats to enterprises by preventing attacks from spreading internally

Technical expertise recognized worldwide and awarded numerous prestigious prizes