Latest ESET Threat Report Warns of Exploding RDP Attacks • The Register
Security specialist ESET’s latest threat report warns of a massive increase in attacks against Remote Desktop Protocol (RDP) endpoints – and new activity by the Nobelium gang against European government organizations.
ESET figures show attacks on RDP servers have increased 103.9% since its Q1 report in June – it publishes three a year – to a total of 55 billion detected brute force attacks, in large part thanks to a campaign centred on Spanish targets.
“It appeared in Q1 2021 that the growth of RDP attack attempts would slow down,” said Ondrej Kubovič, ESET security awareness specialist.
“Q2 2021 brought some surprise as RDP detections accelerated again. The trend suggests further growth in attack attempts and likely a sharp increase in Q3, as this is typically the busiest period of the year.”
“Although there has been a moderate increase in RDP attacks in some areas, the massive attacks in August against Spanish entities were a runaway trend,” said Ladislav Janko, senior malware researcher.
“According to our telemetry, the number of attacks against Spanish targets represented a third of global detections in August. After Spain, Germany, the United States and Italy were far behind. We have also seen a similar trend for SQL password guessing attacks.”
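Defenders reading the RDP figures above will want something to run over their own logs. The following is an added example, not code from ESET or The Register: it flags source addresses with repeated failed RDP logons (Windows Security event 4625 with logon type 10, RemoteInteractive) over constructed sample records; thresholds, field layout and addresses are assumptions.

```python
# Added example (not from the ESET report or The Register article): a small
# detector for RDP password-guessing over Windows Security log records.
# The records below are constructed for illustration; real 4625 events carry
# many more fields. Logon type 10 is RemoteInteractive, i.e. an RDP session.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event id, logon type, username, source ip)
SAMPLE_EVENTS = [
    ("2021-08-12T09:00:00", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-08-12T09:00:02", 4625, 10, "admin", "203.0.113.7"),
    ("2021-08-12T09:00:04", 4625, 10, "user", "203.0.113.7"),
    ("2021-08-12T09:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2021-08-12T09:00:07", 4625, 10, "test", "203.0.113.7"),
    ("2021-08-12T09:00:09", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-08-12T09:03:00", 4625, 10, "alice", "198.51.100.20"),  # one typo
    ("2021-08-12T09:03:20", 4624, 10, "alice", "198.51.100.20"),  # then success
    ("2021-08-12T09:10:00", 4625, 3, "svc", "192.0.2.9"),          # network logon, not RDP
]

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: set of usernames tried} for every source that
    produced at least `threshold` failed RDP logons inside `window`."""
    recent = defaultdict(deque)          # source ip -> deque of (time, user)
    flagged = {}
    for ts, event_id, logon_type, user, src in sorted(events):
        if event_id != 4625 or logon_type != 10:
            continue                     # keep only failed RemoteInteractive logons
        t = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((t, user))
        while q and t - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(src, set()).update(u for _, u in q)
    return flagged

if __name__ == "__main__":
    for src, users in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {len(users)} usernames tried -> {sorted(users)}")
```

A single failed logon followed by a success, or failures on non-RDP logon types, are deliberately left alone so the output stays actionable.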
While RDP attacks may have doubled, there has been an interesting, albeit slight, downtrend in cryptocurrency-related bad behavior – but one that may already be reversing. “Our data suggests a strong link between the price of cryptocurrency and cryptocurrency-related attacks – primarily with regards to cryptomining,” Kubovič told us.
“Our report even mentions the announcements from PayPal and Twitter that pushed up the prices of major cryptocurrencies as a result of this increase (visible in the trend towards the end of Q2). If there are more adoptions or high-profile announcements supporting cryptocurrencies in the coming months, we expect their prices to rise and cryptomining to follow.”
Despite a single-digit reduction in ransomware attacks, which ESET has also linked to a collapse in the cryptocurrency market, the company has made it clear that the problem will not go away. “The ransomware scene officially became too busy to follow in Q2 2021, but some incidents were impossible to miss,” wrote Roman Kováč, ESET’s research director, in the report’s foreword.
“The attack terminating the operations of Colonial Pipeline – the largest pipeline company in the United States – and the supply chain attack exploiting a vulnerability in Kaseya IT management software, sent shockwaves that have not only been felt in the cybersecurity industry.
Unlike the SolarWinds hack, the Kaseya attack appeared to be aimed at financial gain rather than cyber espionage, with the perpetrators setting an ultimatum of $70 million – the heaviest ransom demand known to date.”
The report also sounded the alarm over targeted attacks by the advanced persistent threat group Nobelium, which is believed to be linked to the Russian government and accused of being behind last year’s attack on SolarWinds’ Orion monitoring platform, which gave it access to US government networks and the country’s judicial system.
The researchers found, however, that the group’s focus extended far beyond US borders. “In recent months, the Dukes [Nobelium] launched several spear-phishing campaigns targeting European diplomats, think tanks and international organizations,” the report revealed. “ESET researchers have identified victims in more than 12 different European countries.
“ESET telemetry shows that the attackers sent spear-phishing emails to several European diplomatic missions on July 13, 2021,” the report continued. “These recent events show that even after the SolarWinds campaign was revealed, the Dukes still use Cobalt Strike as their primary implant. Due to the group’s persistence and the quality of its decoys, it remains a major threat to Western diplomats, NGOs, and think tanks.”
ESET is the second major company to warn of continued Nobelium activity so far this week. While ESET’s report named the commercial Cobalt Strike toolkit as the group’s main payload, Microsoft has discovered that it had started using custom malware called FoggyWeb, designed to target Active Directory Federation Services (AD FS) servers.
The threat report also called the Gamaredon group “very active” during the period under surveillance, with a particular focus on government organizations in Ukraine. The group updated its toolkit, starting to use the open-source Nmap network scanning tool in what the researchers described as a “more complex” payload.
A particularly depressing section of the report deals with the rise of the even more unsavoury “stalkerware” or “spouseware”, often used in abusive relationships to monitor the abused party’s messages, location, and even offline conversations. “If potential victims want to prevent anyone from tampering with their mobile device,” Kubovič told us, “they need to protect it with a strong password that is not easy to guess and that is not shared with anyone. However, we fully understand that harassment is common and linked to other forms of violence.
“Victims should carefully consider removing any stalkerware or software with this type of functionality that they might find. As stopstalkerware.org points out, whoever installed it will know that it has been removed or disabled, and this could have consequences. In cases where cyberstalking is only part of a very unhealthy and abusive relationship dynamic, victims may decide to go to law enforcement, but this requires careful preparation.
“On a secure device or through a trusted person,” Kubovič continued, “they can contact organizations that offer help. If they do so on a mobile or any other device on which stalkerware or spouseware is installed, the perpetrator will know. Another option for seeking help may be to use a spare mobile phone with a new phone number, new email address, new passwords and multi-factor authentication enabled.”
On the mobile side, the report highlighted how prevalent Android malware is, especially compared to malware written for Apple’s iOS platform. “This is an open source system with many vendors having their own versions of Android (with their own vulnerabilities and patching issues),” Kubovič explained as one reason for Android’s popularity among the ne’er-do-wells.
“One notable difference though: most of the instances where iOS has been (or is being) targeted were high-profile attacks using zero-days or leveraging zero-click attacks. Based on that, we could say Android is more attractive to the ‘average’ cybercriminal as a means of making money, whereas iOS is generally in the crosshairs of sophisticated groups, nation states and/or spyware companies targeting very specific users. Some of these actors can target both operating systems.”
The report highlighted some positive changes to the Android ecosystem. “The new iteration of Android promises to provide users with more control and transparency over how their data is processed,” the researchers wrote. “For example, Privacy Dashboard will provide a clear and simple overview of app access to device location, microphone and camera over the past 24 hours. Android 12 will also add indicators that show users in real time which apps are accessing their camera and microphone feeds.”
“Since the pandemic struck, it appears that updates have become even more crucial to the security posture,” Kubovič said of how organizations can protect themselves, “which was highlighted by many attacks targeting recently released (and fixed) vulnerabilities (e.g. VPN, MS Exchange, etc). So if I had to choose one thing it would be updates. The second is a reliable security solution, which means independently tested AV for users and a complex security suite (Endpoint + EDR + password manager/MFA + extra layers) for enterprises.”
The latest ESET Threat Report is available for download [PDF] now. Kubovič, however, would not rely on forecasts for the coming year, which will instead be part of the company’s 2021 final report. ®