The 2021 Cyberthreats in Context

In the widespread transition to cloud computing, many organizations have transferred their legacy applications to infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) platforms. They have also expanded their use of software as a service (SaaS) to meet enterprise application requirements, resulting in a broad distribution of sensitive information across a variety of cloud platforms.

Many organizations, however, still do not have sufficient security for their cloud deployments. The existing enterprise security stack, including security controls such as data loss protection, cannot scale to the cloud. New controls to secure container-based workloads, lock down cloud configurations and encrypt data in the cloud are still being deployed. Email, social media and collaborative software have created more vectors than ever for threat actors to target organizations. Infection from malware can result in the loss of sensitive data and open channels for threat actors to target more victims.

The high number of employees teleworking during the pandemic has exacerbated the problem. Working remotely presents vulnerabilities that are more easily exploited by threat actors. Teleworkers require access to enterprise resources from multiple endpoints, including both employer-provided and personal laptops, as well as a variety of mobile devices.

However, many cybersecurity procedures and security controls used within enterprise facilities cannot provide the same level of security for remote locations. The on-premises legacy enterprise security stack will not work for remote workers without significant redesign, planning and a move to new security controls to support distributed infrastructure and cloud deployments. Domain Name System (DNS) security can be configured to protect teleworkers, but many organizations don’t yet have the additional protections and visibility that DNS security deployment would provide. The same is true for expanded threat intelligence data: It can be tremendously useful, but only if you have it.

The situation is further complicated by teleworkers who must use personal “untrusted” devices to access critical corporate resources and information. This remote access must be granted not only to employees but also to business partners and contractors. They must access resources on-premises, behind the legacy firewall and in a multitude of SaaS, IaaS and PaaS clouds.

Mohammed Al-Moneer, Regional Director, META at Infoblox says, “As of the end of 2020, many organizations have still not implemented necessary cybersecurity to protect this far more distributed user base. Email, a vital and essential tool, remains the top threat vector used to attack both government and businesses of all sizes. Despite training and warnings, users continue to open suspicious emails, both in their business and personal accounts. They click on malicious email attachments and URLs and view websites not generally associated with business use. Proprietary business information is at risk when workers use personal and business instances of applications such as Office 365 on the same machines, collaborate within clouds and connect to an ever-increasing number of SaaS clouds that are not work related and not sanctioned by their IT department.”

“For all of these reasons and more, cyberthreats remain alive and well. Threat actors will innovate, adjust and sustain proven methods in 2021. Rogue nation-states and organized crime will continue to build on their offensive capabilities. Accurate intelligence about timely, relevant threats enables an organization to make thoughtful, targeted improvements to its defenses and lower its risk.”

Q4 2020 Threat Report Highlights

• Email, Phishing and Social Engineering Remain Attackers’ Threats of Choice - As in previous quarters, the Infoblox Cyber Intelligence Unit (CIU) observed extensive threat actor use of socially engineered email campaigns to propagate a variety of attacks. Phishing emails spoof communications that appear to come from a reputable source. The goal is often to steal sensitive information such as authentication data, install malware or obtain other financial credentials such as credit card numbers. In some instances, these attacks are highly targeted to one individual or organization (spear-phishing), but larger campaigns are more common. Socially engineered phishing emails persuade recipients to click on a link to a malicious site or file, or to open an attachment—often a compressed file or a Microsoft Office file. In many of the campaigns the CIU observed, recipients also had to enable editing or macros for the infection to commence.

• 404 Keylogger Campaigns - On October 11 and 15, the CIU observed two related malspam campaigns that used 7-Zip archive files to deliver the 404 Keylogger malware.

• Emotet Gets Political - From October 16 to 19, the CIU observed a malspam campaign that referenced political themes in the subject lines of the emails and in the attached file name. The campaign distributed the Emotet banking trojan. The threat actors spreading Emotet have previously used popular topics such as COVID-19 as lures.

• Formbook Infostealer Campaigns Continue - On October 30, the CIU observed a malicious email campaign distributing Formbook malware via Roshal Archive (RAR) attachments that contained a malicious binary executable file. Emails in this campaign leveraged a SWIFT invoice lure to persuade victims to open and run the attached files. The CIU has observed and reported on several Formbook campaigns in the past. Some of these campaigns used SWIFT lures to entice victims into opening malicious file attachments, while others used lures like the ongoing COVID-19 pandemic.

• Remcos RAT Malspam Campaign - During the week of November 9, the CIU discovered a malspam campaign distributing the Remcos RAT. The emails in this campaign carried malicious Microsoft Office documents that required the user to enable macros to execute the Remcos payload. The CIU previously reported on a Remcos campaign in July 2019 that distributed Rich Text Format (RTF) files and exploited the Microsoft Equation Editor remote code execution vulnerability.

• Hancitor Downloader and Follow-On Malware - Between November 23 and December 8, the CIU observed multiple malspam campaigns that all used DocuSign-themed lures to entice users to download and open Microsoft Word documents with malicious macros that install embedded copies of the Hancitor trojan downloader.

• AveMaria RAT Malspam Campaign - Between December 2 and 7, the CIU observed a malicious email campaign distributing the AveMaria remote access trojan (RAT). In this campaign, threat actors used subjects referencing text message logs to lure users into opening a malicious Rich Text Format (RTF) file attachment that was disguised as a Microsoft Word document (DOC). The CIU previously reported on an AveMaria campaign in April 2019 that used shipping lures and contained similar malicious DOC files.

• LokiBot Campaign Uses Microsoft Office Exploit - On December 9, the CIU observed a malicious email campaign exploiting CVE 2017-11882 to distribute LokiBot malware. This campaign used purchase order–themed lures to entice victims into downloading malicious Microsoft Excel files. The CIU has previously written several reports on LokiBot, including on campaigns that used coronavirus-themed lures, NGROK tunneling to download payloads and malicious RTF files to infect victims. CVE 2017-11882, a stack buffer overflow vulnerability in the Microsoft Equation Editor, is an exploit commonly used by threat actors.

• Encrypted Excel Files Drop Abracadabra Trojan - From December 13 to 14, the CIU observed a spam email campaign distributing a trojan known as Abracadabra via an encrypted Microsoft Excel spreadsheet with malicious macros. In this campaign, threat actors used an email subject referencing an overdue invoice to lure users into opening the malicious attachment.