Skip to content

Threat Intel Report Q2 2020

A comprehensive approach

Anticipate threats


Proactively harden your directory infrastructure

Uncover vulnerabilities and weak configurations to maintain strong security boundaries

AD admins, blue teams, and auditors

Detect attacks


Detect attacks in real time with our AD-specific threat intelligence

Make AD an integral part of your security practice with SIEM and SOAR integrations

Enable your threat hunters with AD-native investigation capabilities

SOC analysts and threat hunters

Respond to breaches


Replay attacks and hunt for patient zero

Remediate at machine-speed through our orchestration playbooks

Detect persistence mechanisms and kick them out for good

Incident responders

The features we are proud of

Cutting-edge security technology

Harden, detect, respond
All your practices extended to your most vital IT asset: Active Directory

True real-time
Live exposure visualization, immediate attack alerts

Step-by-step recommendations
A follow-the-guide approach for AD admins new to security

Intelligence-driven, AD-native
Beyond compliance, detect AD-specific attack patterns

Seamless end-to-end user experience

No agents, no privileges
An instant-on application with hardly a footprint on operations

Dashboard-oriented UX
To simplify decision-making
and prioritization

Simple, no-nonsense architecture
Using standard protocols and proven technologies

Native integrations with your other practices
Turbo-charge your SIEM, SOAR, and IAM solutions

Top 5 attack trends

Q2 2020

Ransomware and malware increasing dramatically

Remote work attacks increasing

Ransomware stealing and posting data

Ransomware delivering payloads

Active Directory enumeration and command-and-control

Ransomware efforts increasing dramatically

  • Ransomware cyberattacks increased 25% worldwide
  • 60% of ransomware attacks hit financial and healthcare institutions
  • Ex: NASA has experienced an exponential increase in malware attacks and a doubling of agency devices trying to access malicious sites in the past few days

Remote work attacks increasing

  • Researchers at Kaspersky Labs observed since March that cybercriminals have shifted to targeting networks with remote desktop protocol (RDP) brute-force attacks
  • An increase in RDP attacks means that hackers are likely looking for hastily erected IT infrastructures intended to enable remote work
  • Zscaler reported a 30,000% increase in phishing, malicious websites, and malware targeting remote users
  • In April, Kaspersky published a report that found brute-force attacks targeting usernames and passwords of RDP connections increased with the rise of the new remote workforce
  • According to a recent study commissioned by Barracuda, nearly half (46%) of global businesses have encountered at least one cybersecurity “scare” since shifting to a remote work model, and 49% of respondents anticipate suffering a data breach or security incident in the next month

Ransomware stealing and posting data

  • The average cost to an organization that didn’t pay the ransom totaled more than $732,000, while victims that did pay off their attacker saw their cleanup and recovery costs rise to more than $1.4 million, according to a Sophos study
  • Ransomware gangs favor using compromised RDP connections, along with phishing emails, to gain footholds in networks and begin extensive reconnaissance before finding which files and data they want to encrypt and steal, according to a recent report from security firm Coveware

Ransomware delivering payloads

  • Attackers are attempting to deliver Remcos remote access tool (RAT) payloads on the systems of small businesses via phishing emails impersonating the U.S. Small Business Administration
  • Bleeping Computer reported that a open redirect is being used by attackers to push malware payloads onto unsuspecting victims’ systems with the help of coronavirus-themed phishing emails

Active Directory enumeration and command–and-control

  • The attack was carried out by the gang behind Ragnar Locker, who break into company networks, make themselves admins, conduct reconnaissance, delete backups, and deploy ransomware manually before demanding multimillion-dollar ransoms
  • Once they gain access, they use tools like Mimikatz, PowerShell Empire, and PSExec to gather login credentials and spread laterally throughout the network
Active Directory enumeration and command–and-control

Ransomware becomes more than ransomware

  • Ransomware has shifted to do more than just infect, encrypt, and request a ransom; the attacker is now taking more actions to pressure the victim to pay
  • The attacker is also trying to be more stealthy and bypass any detection solutions by placing an actual VM on the victims machine
  • To be more precise in their actions, attackers are also using powerful enumeration and analysis tools, like BloodHound for AD, to gather information so they can target weak areas within the network

Ransomware now steals data and sells on the dark web

  • A hacker is selling a database containing the information of 91 million Tokopedia accounts on a dark web market for as little as $5,000
  • Ransomware operators of REvil, also known as Sodinokibi, are auctioning stolen data, according to a site they launched on the dark web with similarities to eBay
  • “Following our announcement last week that a ransomware attacker had stolen data contained on at least one Toll corporate server, our ongoing investigation has established that the attacker has now published to the dark web some of the information that was stolen from that server” 

Ransomware delivers VMs to bypass detection

  • Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered because they’re out of reach for security software on the physical host machine
  • A new ransomware attack method takes defense evasion to a new level—deploying as a full virtual machine on each targeted device to hide the ransomware from view

Ransomware uses BloodHound to enumerate AD

  • Across multiple incidents, the BloodHound utility was used, presumably to assess possible methods of obtaining credentials with domain administrator privileges and enable attackers’ efforts to understand the impacted organization’s AD configuration
  • Over a period of several days, an actor conducted reconnaissance activity using BloodHound

Attack examples

Our solutions

Provide field-tested products
with a seamless end-to-end user experience

Break the dynamics of most modern threats to enterprises by preventing attacks from spreading internally

A technical expertise recognized and awarded worldwide

Comments are closed.

Download pdf

Want more insights?

Contact us