Threat intel report Q4 2019
The confetti has settled, and the hackers have a lot to celebrate.
The Alsid Research Team has been hard at work compiling the findings and forecasts you need for the year to come.
A comprehensive approach
Proactively harden your directory infrastructure
Bring vulnerabilities and weak configurations to light and maintain strong security boundaries through time
AD admins, Blue Teams, & Auditors
Detect attacks in true real-time with our AD-specific threat intelligence
Make AD an integral part of your security practice with SIEM & SOAR integrations
Enable your Threat Hunters with AD-native investigation capabilities
SOC Analysts & Threat Hunters
Respond To Breaches
Replay attacks and hunt for patients zero
Remediate at machine-speed through our orchestration playbooks
Detect persistence mechanisms and kick them out for good
The features we are proud of
Cutting-edge security technology
Harden, protect, respond
All your practices extended to your most viral IT asset: AD
Live exposure visualization, immediate attack alerts
A follow-the-guide approach for AD admins who are new to security
Beyond compliance, detect AD-specific attack patterns
Seamless end-to-end user experience
No agents, no privileges
An instant-on application with hardly a footprint on operations
To simplify decision-making and prioritization
Simple, no-nonsense architecture
Using standard protocols and proven technologies
Native integrations with your other practices
Turbo-charge your SIEM, SOAR, and IAM solutions
Top 5 attack trends
2019 Q4: Five main trends
Supply Chain attacks on the rise
After phishing, spear-phishing attacks are still trendy
Specific attacks against public cloud are coming
Crypto miners are on the decline during the period
Active Directory used for lateral movement and privilege escalation
2019 Q4: Supply Chain attacks on the rise
• Supply chain attacks doubled in 2019 compared to 2018
• Most software supply chain attacks are carried out by inserting malicious code into legitimate software
• National cyber-security agencies published specific guidance for managing supply-chain vendors: USA, France, etc.
Supply chain attack examples:
• ShadowHammer attack on ASUS
• NordVPN attack
• PrismWeb e-commerce attack
2019 Q4: After phishing, spear-phishing attacks are still trendy
• Rise of sextortion scam emails: attackers use passwords stolen from major data breaches to intimidate users and make them pay a Bitcoin ransom
• Spear-phishing is more and more accurate thanks to personal targeting
• Increase in two-stage attacks sending emails from valid business addresses: the first victim is compromised only to attack the second one from a valid email address
2019 Q4: Specific attacks against public cloud are coming
- Misconfigured cloud environments were one of the main causes of data breaches
- Unprotected Amazon servers exposed Facebook user records
- A misconfiguration in the box.com environment revealed several terabytes of sensitive data to the world
2019 Q4: Active Directory used for lateral movement and privilege escalation
- > 80% of attacks use Active Directory to perform lateral movement and privilege escalation
- > 60% of new malware includes specific code to target AD misconfigurations (mimikatz, Rubeus, etc.)
- Cheaper tools and kits to target AD: cybercrime tools and kits can be purchased for as little as $1 on the Dark Web and online marketplaces
- Main feedback from 2019: no need to be an expert anymore to build a cybercrime tool targeting AD – just invest between 0.00013 and 0.00015 Bitcoin to buy a kit
- Cybercrime damages cost $6 trillion during 2019
- Ransomware damage estimated at $20 billion during 2019
- On average, worldwide, cybercrime cost organizations $13 million during 2019
Feedback from the field
- 49.6 days between breach discovery and reporting dates
- >70% of cryptocurrency transactions are done for illegal activity
- Security breaches up >11%
- SMBs are targeted 43% of the time
- Ransomware attacks occur every 14 seconds
- $1.5 trillion cybercrime economy: the cybercrime economy has grown to enjoy at least $1.5 trillion in profits each year
- $300 billion cybersecurity market: the value of the cyber security market is anticipated to reach $300 billion by 2024, according to a 2019 press release by Global Market Insights, Inc.
- $15 billion in cyber security funding
- 9% increase in cyber security spending
- Small businesses invest <$500 per year in cyber security products
Throughout 2019, at Alsid, we met prospects who had invested a lot of money and effort in anti-virus or EDR solutions in 2018, but were hacked anyway. We certainly sense discouragement from some contacts.
Ryuk in a nutshell
- Huge increase in Ryuk ransomware attacks during the second half of 2019 Q4
- Ryuk is associated with WIZARD SPIDER – a Russia-based criminal organization targeting large organizations for a high ransom return, a methodology known as “big game hunting”
- Ryuk includes specific tools to use AD for privilege escalation or lateral movement
- Remarkable abilities:
- Bypasses anti-virus products
- Maintains persistence on the targeted machine
- Runs as a legitimate process by injecting into Windows processes
- Terminates processes
- Stops services
- In the end the Ryuk binary is downloaded; the attack unfolds through these steps:
- An obfuscated PowerShell script is executed and connects to a remote IP address.
- A reverse shell is downloaded and executed on the compromised host.
- PowerShell anti-logging scripts are executed on the host.
- Reconnaissance of the network is conducted using standard Windows command line tools.
- Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP).
- Service User Accounts are created.
- PowerShell Empire is downloaded and installed as a service.
- Lateral movement is continued until privileges are recovered to obtain access to a domain controller.
- PSEXEC is used to push out the Ryuk binary to individual hosts.
- Batch scripts are executed to terminate processes/services and remove backups, followed by the Ryuk binary.
- Initial compromise is performed through TrickBot (not always, but often) or through Emotet, which includes a download function to fetch Ryuk onto the system
- Pwgrab, a TrickBot module, can perform the first credential theft
Malicious document files (droppers) are distributed as attachments through phishing attacks
The user is invited to open the attachment, then malicious code runs to download additional code: TrickBot or Emotet
TrojanSpy.Win32.TRICKBOT or TrojanSpy.Win32.EMOTET
The dropper downloads TrickBot or Emotet to be used for:
– Stealing credentials
– Downloading the ransomware
Lateral movement is performed using Active Directory:
– MS17-010 vulnerability (SMB exploit)
– Network shares (compromised accounts)
Upon execution, the ransomware performs its encryption routine
Local and shared files become encrypted and ransom notes are dropped
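The chain above leaves traces a SIEM already collects: RDP logons (Security event 4624 with logon type 10), new user accounts (4720) and new services (System event 7045) whose image path is an encoded PowerShell command or PSEXESVC. The following is an added example written for this report, not Alsid tooling and not part of the original deck: it classifies constructed sample events onto the stages named above and flags a host only when two or more distinct stages occur within a 24-hour window, so a lone PsExec install or a lone RDP logon stays a low-confidence hit. Field names and sample values are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real captured logs. The fields are a minimal
# subset of what Windows Security (4624, 4720) and System (7045) events carry
# once normalized by a SIEM; field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"time": "2019-12-02T01:10:05", "host": "WS-017", "event_id": 4624,
     "logon_type": 10, "account": "CORP\\jdoe"},                # RDP logon
    {"time": "2019-12-02T01:12:40", "host": "WS-017", "event_id": 4720,
     "account": "CORP\\svc-update"},                            # new service account
    {"time": "2019-12-02T01:15:02", "host": "WS-017", "event_id": 7045,
     "service_name": "Updater",
     "image_path": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3..."},
    {"time": "2019-12-02T02:03:11", "host": "DC-01", "event_id": 7045,
     "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},               # PsExec remote service
    {"time": "2019-12-02T02:03:30", "host": "DC-01", "event_id": 4624,
     "logon_type": 3, "account": "CORP\\svc-update"},           # network logon, not RDP
    {"time": "2019-12-01T09:00:00", "host": "WS-042", "event_id": 7045,
     "service_name": "Print Spooler Helper",
     "image_path": r"C:\Program Files\Vendor\helper.exe"},      # benign install
]

# powershell[.exe] ... -e / -ec / -enc / -encodedcommand: the encoded-command
# form the report's "obfuscated PowerShell script" step typically takes.
ENCODED_PS = re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\b", re.I)


def classify(event):
    """Map one event onto a stage of the chain described above, or None."""
    eid = event["event_id"]
    if eid == 4624 and event.get("logon_type") == 10:
        return "rdp_lateral_movement"
    if eid == 4720:
        return "service_account_created"
    if eid == 7045:
        path = event.get("image_path", "")
        if ENCODED_PS.search(path):
            return "powershell_payload_as_service"   # Empire-style persistence
        if "psexesvc" in path.lower() or event.get("service_name", "").upper() == "PSEXESVC":
            return "psexec_push"
    return None


def classify_all(events):
    """Every single-stage hit, for analyst review: list of (host, time, stage)."""
    hits = []
    for ev in events:
        stage = classify(ev)
        if stage:
            hits.append((ev["host"], ev["time"], stage))
    return hits


def correlate(events, window=timedelta(hours=24)):
    """Return {host: sorted stages} for hosts with 2+ distinct stages inside the window."""
    by_host = defaultdict(list)
    for host, time, stage in classify_all(events):
        by_host[host].append((datetime.fromisoformat(time), stage))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= 2:
                flagged[host] = sorted(stages)
                break
    return flagged


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Run on the sample, WS-017 is flagged with three stages while DC-01 (PsExec service only) and WS-042 (a vendor installer) are not; the single-stage hits from `classify_all` are what a threat hunter would still pivot on when chasing "patient zero".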
Ryuk ransom notes: RyukReadMe.txt
- Various ransom notes have been observed
- The body of the template is static with the exception of the email address and the Bitcoin (BTC) wallet address, which may change
- The email address uses protonmail.com
- The ransom demand varies significantly – we think WIZARD SPIDER calculates the ransom amount based on the size and value of the victim organization
- To date, the lowest observed ransom was for 1.7 BTC and the highest was for 99 BTC
- WIZARD SPIDER has made 705.80 BTC, which has a current value of $3.7 million (USD)
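Because the note body is static and only the contact email and BTC wallet vary, incident responders can normalize those two fields away to confirm that notes found on different hosts come from the same template, and pull the variable fields out as indicators to share. The block below is an added example for this report, not Alsid's code or a real Ryuk note: the sample notes are constructed for the example (the wallet strings are format-valid placeholders, not real addresses), and the address patterns cover legacy base58 and bech32 Bitcoin addresses.

```python
import re

# Constructed sample notes modelled only on the report's description (static body,
# variable email and wallet). Not the real Ryuk template; wallets are placeholders.
SAMPLE_NOTE = """Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
To get the decryptor contact us: unlock-helpdesk@protonmail.com
BTC wallet: 1SampLeWaLLetNotReaLxyzQWERTY2345
Ryuk
No system is safe
"""

# Same body, different contact details: what the report says varies between victims.
SAMPLE_NOTE_VARIANT = SAMPLE_NOTE.replace(
    "unlock-helpdesk@protonmail.com", "decrypt-team@protonmail.com"
).replace("1SampLeWaLLetNotReaLxyzQWERTY2345", "3AnotherSampLeWaLLetNotReaLabcdef")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Legacy P2PKH/P2SH (1... or 3..., base58 without 0 O I l) or native SegWit (bc1...).
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")


def triage_note(text):
    """Extract the variable fields of a ransom note as shareable indicators."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    wallets = sorted(set(BTC_RE.findall(text)))
    return {
        "emails": emails,
        "email_domains": sorted({e.split("@")[1].lower() for e in emails}),
        "wallets": wallets,
        "protonmail_contact": any(e.lower().endswith("@protonmail.com") for e in emails),
        "ryuk_marker": "Ryuk" in text,
    }


def normalize(text):
    """Replace the variable fields with tokens and collapse whitespace."""
    text = EMAIL_RE.sub("<EMAIL>", text)
    text = BTC_RE.sub("<BTC>", text)
    return " ".join(text.split())


def same_template(note_a, note_b):
    """True when two notes differ only in contact email and wallet address."""
    return normalize(note_a) == normalize(note_b)


if __name__ == "__main__":
    print(triage_note(SAMPLE_NOTE))
    print("same template:", same_template(SAMPLE_NOTE, SAMPLE_NOTE_VARIANT))
```

Comparing the normalized body across hosts is also a cheap way to tell a copycat note (different wording, same family name) from the campaign the report describes.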
- Ransomware damages will increase
- Malware kits are getting cheaper and cheaper: we will see a global movement of unknown criminal groups – in the coming months, a kid without any specific technical expertise could become a new criminal from his bedroom
- Active Directory will be the preferred target, because the attacker knows in advance that it resides in your organization
- MacOS vulnerabilities are increasing and we will see more ransomware dedicated to MacOS – in large organizations, MacOS machines are integrated in AD, which will be a new challenge for AD security people
Provide field-tested products
with a seamless end-to-end user experience
Break the dynamics of most modern threats to enterprises by preventing attacks to spread internally
A technical expertise recognized worldwide and awarded by numerous prestigious prizes