Infoblox identifies the biggest malware campaigns of Q1 2021

Network management company Infoblox and its Cyber Intelligence Unit (CIU) today released the latest iteration of the company’s quarterly Cyber Threat Intelligence Report. Incorporating detailed analysis of advanced malware campaigns and significant attacks that took place between 1st January 2021 and 30th March 2021, the report examines the impact of a breach in the current climate as well as potential mitigation steps.

Key findings include:

1) Cloud Vulnerabilities Remain Front and Center

The leading causes of cloud vulnerabilities are errors in cloud administration, configuration and setup: too many points of administration and separate dashboards, and too many policies to propagate, synchronise and maintain consistently across them.

Infoblox’s latest report found that the architectures of large enterprises and governments remain almost entirely hybrid, as they have both on-premises and cloud resources to protect. However, many organisations use security stacks that do not scale easily, if at all, from on-premises to the cloud. Each new point of administration and management, and each new front-end configuration, brings further opportunities for error and a potential data breach.


2) The CI/CD Pipeline Is Under Assault

The report also reviews the considerable coverage of, and research into, the SolarWinds breach. CISA’s analysis of the attack on SolarWinds concluded that the threat actors inserted a malicious version of the binary SolarWinds.Orion.Core.BusinessLayer.dll into the SolarWinds software lifecycle. This version was then digitally signed with a legitimate SolarWinds code signing certificate. Once signed, the malicious code was trusted by every system that trusted SolarWinds, defeating the purpose of code signing, which is to assure users that the code an organisation distributes is genuinely its own. A valid signature proves only that the bytes passed through the signer; it says nothing about what happened to them before that step.

Crafting a strategy to breach a software provider’s most tightly secured continuous integration/continuous delivery (CI/CD) pipeline means threat actors are aiming for the heart of cyber defences. By successfully breaching the CI/CD pipeline, threat actors assume the provider’s mantle of trust and can, virtually unhindered, use the organisation’s reputation to distribute malware across its entire user base, potentially causing serious and widespread damage.
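As an added illustration of that point (example code written for this page, not Infoblox’s, CISA’s or SolarWinds’ code), the script below models a build pipeline that signs whatever artifact the build host hands it. An HMAC over a shared key stands in for the code-signing certificate, the "compiler" is a deterministic function, and the source strings are constructed sample input; all three are assumptions made for the demo. Signature verification passes on the backdoored artifact exactly as it did in the SolarWinds case; only a comparison against an independent rebuild from the reviewed source exposes the swap.

```python
"""
Why a valid code signature does not prove a clean build.

The pipeline signs the bytes it is given. If an attacker on the build host
swaps the compiled binary before the signing step, the signature is genuine
and verification succeeds. A reproducible-build check, comparing the shipped
artifact to one rebuilt independently from reviewed source, is what catches it.
"""
import hashlib
import hmac

# Constructed stand-ins for the demo; none of this is real SolarWinds data.
SIGNING_KEY = b"release-signing-key-demo"  # assumption: HMAC key plays the role of the code-signing certificate's private key
CLEAN_SOURCE = b"BusinessLayer v1.0: legitimate functions only"
BACKDOORED_SOURCE = CLEAN_SOURCE + b"\n# beacon to attacker infrastructure on start"


def build(source: bytes) -> bytes:
    """Deterministic stand-in for a compiler: identical source yields identical bytes."""
    return b"BIN-STANDIN:" + hashlib.sha256(source).digest() + source


def sign(artifact: bytes) -> bytes:
    """The pipeline's signing step. It attests only that these exact bytes passed through the signer."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).digest()


def verify_signature(artifact: bytes, signature: bytes) -> bool:
    """What a customer's installer checks: is the signature genuine for this artifact?"""
    return hmac.compare_digest(sign(artifact), signature)


def pipeline_release(artifact_from_build_host: bytes):
    """Models a CI/CD pipeline that signs whatever the build host produced, no questions asked."""
    return artifact_from_build_host, sign(artifact_from_build_host)


def verify_provenance(artifact: bytes, independent_artifact: bytes) -> bool:
    """Reproducible-build check: the shipped artifact must be bit-identical to an
    independent build of the reviewed source on a machine the attacker does not control."""
    shipped = hashlib.sha256(artifact).digest()
    expected = hashlib.sha256(independent_artifact).digest()
    return hmac.compare_digest(shipped, expected)


def release_is_trustworthy(artifact: bytes, signature: bytes, independent_artifact: bytes) -> bool:
    """Both checks must pass: the signature proves origin, the rebuild proves content."""
    return verify_signature(artifact, signature) and verify_provenance(artifact, independent_artifact)


def demo():
    """Attacker on the build host swaps the compiled DLL before signing.
    Returns (signature_verifies, provenance_verifies) for the tampered release."""
    tampered = build(BACKDOORED_SOURCE)
    artifact, signature = pipeline_release(tampered)
    signature_ok = verify_signature(artifact, signature)  # True: signing worked exactly as designed
    independent = build(CLEAN_SOURCE)                     # rebuilt elsewhere from the reviewed source
    provenance_ok = verify_provenance(artifact, independent)  # False: the swap is now visible
    return signature_ok, provenance_ok


if __name__ == "__main__":
    sig_ok, prov_ok = demo()
    print(f"signature valid on backdoored build: {sig_ok}")
    print(f"matches independent rebuild:         {prov_ok}")
```

The design point is that the two checks answer different questions. The signature answers "did our signer produce this?" and is satisfied by anything the compromised pipeline emits; the provenance check answers "is this what the reviewed source actually compiles to?", which is the question the SolarWinds attackers were counting on nobody asking.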


3) Remote Work Environments present a new challenge

Another key finding from the report centred on remote work environments. With many organisations allowing users to work over home broadband connections not only for the duration of the world health crisis but possibly permanently, the corporate attack surface has grown substantially, with sensitive data now scattered well beyond the corporate perimeter.

It is not only businesses; schools have found themselves under attack as well. Cybercriminals are using phishing scams to target remote students and educators, often from sender addresses that look familiar at first glance. In a school environment about 3 percent of teachers click on phishing lures; working from home, that rises to 15 to 20 percent, giving cybercriminals a way into the network.


4) Email Remains the Leading Attack Vector

In Q1, email remained the top threat vector used to attack both government and businesses of all sizes, delivering 75 to 90 percent of malware. Despite training and widespread warnings against spam, users continue to open suspicious emails in both their business and personal accounts. They click on malicious attachments and URLs, and visit websites not generally associated with business use.

Threat actors continue to make widespread use of email campaigns built on social engineering to propagate a variety of attacks. In some instances these attacks are highly targeted at one individual or organisation, a technique known as spear-phishing, but larger, less targeted campaigns are more common.


5) COVID-19 Remains a Top Theme for Social Engineering

COVID-19 has continued to present threat actors with new opportunities. Over the past year, there has been an endless progression of COVID-related phishing attacks. As these attacks ramped up through 2020, Google alone blocked a reported average of 18 million daily malicious COVID-19 messages to Gmail users. Beyond malware and phishing email, Google also blocked more than 240 million spam messages related to COVID-19.


Threat actors also successfully impersonated international health and aid bodies such as the World Health Organization (WHO) and UNICEF, and attempted psychological manipulation by posing as a children’s charity.

Craig Sanderson, VP of Security Products at Infoblox said: “For all of these reasons and more, the cyberthreats remain alive and well. As before, threat actors will both innovate, adjust and sustain proven methods as 2021 unfolds. Rogue nation-states and organised crime will continue to build on their offensive capabilities. Accurate intelligence about timely, relevant threats enables an organisation to make thoughtful, targeted improvements to its defenses and lower its risk.”

