Infoblox is pleased to publish this edition of our Quarterly Cyberthreat Intelligence Report https://info.infoblox.com/resources-whitepapers-infoblox-q1-2021-cyberthreat-intelligence-report. We publish these reports during the first month of each calendar quarter. This Q1 2021 report includes our publicly released threat intelligence from January 1, 2021, through March 31, 2021.
This publication provides our original research and insight into threats we observed leading up to and including this period of time. Our report includes a detailed analysis of advanced malware campaigns and analysis of recent significant attacks. In some cases, we share and expand on original research published by other security firms, industry experts, and university researchers. We feel that timely information on cyberthreats is vital to protect the user community at large.
Infoblox Cyberthreat Intelligence Reports generally include research on specific threats and related data, customer impacts, analysis of campaign execution and attack chains, as well as vulnerabilities and mitigation steps. We may also share background information on the attack groups likely responsible for the particular threats under review.
During Q1 2021, the Infoblox Cyber Intelligence Unit (CIU) published original research reports on campaigns delivering:
- Valyria Trojan Drops Emotet
- Snake Keylogger
- Italian Emotet
- Buer Loader Trojan
- RuRAT Trojan
- Warezov Worm
- Dridex Banking Trojan
- Hancitor Downloader
- Trickbot Loader
- Burkina Trojan
Some of the areas covered in the report are summarized below. Many of the trends we have observed impacting Q4 2020 continued to evolve in Q1 2021.
Cloud Vulnerabilities Remain Front and Center
One of the leading causes of cloud breach vulnerability is error in cloud administration, configuration, and setup, including too many points of administration, multiple dashboards, and too many policies to propagate, synchronize, and maintain consistently.
Architecture requirements for large enterprises and government remain almost completely committed to hybrid, as they have both on-premises and cloud resources to protect. New controls to secure container-based workloads, lock down cloud configurations, and encrypt data in the cloud are still being deployed.
As we noted last quarter, many organizations use security stacks that don’t scale easily, if at all, from on-premises to the cloud. With new points of administration and management, plus a new front-end configuration, come increased opportunities for error and a potential data breach.
The CI/CD Pipeline Is Under Assault
There has been considerable coverage and research into the SolarWinds breach. CISA’s analysis of the attack on SolarWinds concluded that the threat actors added a malicious version of the binary SolarWinds.Orion.Core.BusinessLayer.dll into the SolarWinds software lifecycle. This version was then digitally signed by a legitimate SolarWinds code signing certificate. The malicious code became trusted once it was digitally signed, defeating the purpose of code signing: providing reassurance to users that the code an organization distributes can be trusted.
Crafting a strategy to breach a software provider’s most secured continuous integration/continuous delivery (CI/CD) pipeline means threat actors are aiming for the heart of cyber defenses. By successfully breaching the CI/CD pipeline, threat actors would assume a mantle of trust and are capable, virtually unhindered, of using an organization’s trusted reputation to distribute malware across its user base, potentially enabling serious and widespread damage.
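The SolarWinds case above illustrates that a valid signature proves only who signed, not that the bits are what the reviewed source produces. The added example below (not code from the report or from Infoblox) models a release gate that requires both a valid vendor signature and a match against a hash recorded by an independent rebuild from source; the signing key, artifact bytes and manifest are all constructed, and an HMAC stands in for a real code-signing certificate.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's code-signing key (a real release would use a certificate).
SIGNING_KEY = b"constructed-vendor-code-signing-key"

def sign(artifact: bytes) -> str:
    """Sign an artifact with the vendor key (HMAC-SHA256 as a toy signature)."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).hexdigest()

def signature_valid(artifact: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(artifact), signature)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def rebuild_manifest(sources: dict) -> dict:
    """Hash each artifact produced by an independent rebuild from reviewed source (constructed)."""
    return {name: sha256_hex(data) for name, data in sources.items()}

def release_check(name: str, artifact: bytes, signature: str, manifest: dict) -> str:
    """Gate a release artifact: signature alone is necessary but not sufficient."""
    if not signature_valid(artifact, signature):
        return "reject: signature invalid"
    if manifest.get(name) != sha256_hex(artifact):
        # Signed by the legitimate key, yet not what the reviewed source builds to.
        return "reject: signed but does not match independent rebuild"
    return "accept"

# Constructed artifacts: the genuine DLL and a trojanized copy that reached the signing step.
GENUINE = b"SolarWinds.Orion.Core.BusinessLayer.dll: genuine build output"
TAMPERED = b"SolarWinds.Orion.Core.BusinessLayer.dll: build output + injected backdoor"
DLL_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"
MANIFEST = rebuild_manifest({DLL_NAME: GENUINE})

def gate_results() -> dict:
    """Both copies carry a valid vendor signature; only the genuine one passes the rebuild check."""
    return {
        "genuine": release_check(DLL_NAME, GENUINE, sign(GENUINE), MANIFEST),
        "tampered": release_check(DLL_NAME, TAMPERED, sign(TAMPERED), MANIFEST),
        "tampered_signature_valid": signature_valid(TAMPERED, sign(TAMPERED)),
    }

if __name__ == "__main__":
    for label, result in gate_results().items():
        print(f"{label}: {result}")
```

The `tampered_signature_valid` entry is the point: a signature-only check accepts the trojanized artifact, and only the comparison against an independent rebuild rejects it.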
Work From Anywhere Environments
With many organizations allowing users to utilize home broadband connections for work use, the corporate attack surface has grown substantially, with sensitive data being strewn and exposed everywhere. None of this has changed in Q1 2021.
Data supporting the incremental risk of WFA environments is circulating from a growing variety of sources. For example, the ed-tech advocacy group the Consortium for School Networking (CoSN), creates and publishes surveys on cyber technology issues. According to Keith Krueger, CEO of CoSN, cybercriminals are using phishing scams to target remote students and educators, which often appear to come from recognizable email addresses at first glance. “In a school environment, about 3 percent of teachers click inappropriately on phishing scams,” Krueger said. “That was jumping to 15 to 20 percent from home, so a lot of cybercriminals are getting into the network.”
Email Remains the Leading Attack Vector
Email remains the top threat vector used to attack both government and businesses of all sizes. Email delivers 75 to 90 percent of malware. Despite training and widespread warnings against spam, users continue to open suspicious emails, both in their business and personal accounts. They click on malicious email attachments and URLs, as well as view websites not generally associated with business use.
The Infoblox CIU continues to observe widespread threat actor use of email campaigns employing social engineering tactics to propagate a variety of attacks. In some instances, these attacks are highly targeted to one individual or organization, a technique known as spear-phishing, but larger campaigns are more common.
Ransomware as a Service
The widespread use of ransomware continues unabated into Q1 2021, with ransomware tools increasing in sophistication. Ransomware-as-a-service (RaaS) platforms can be easily deployed by even the least technical ransomware threat actor. As threat actors become more skilled and capable at using ransomware, they are executing increasingly damaging attacks, often against enterprises and government organizations.
COVID-19 Remains a Top Theme for Social Engineering
COVID-19 has continued to present threat actors with new opportunities. Over the past year, there has been an endless progression of COVID-related phishing attacks. As these attacks ramped up through 2020, Google alone blocked a reported average of 18 million daily malicious COVID-19 messages to Gmail users. Beyond malware and phishing email, Google also blocked more than 240 million spam messages related to COVID-19.
This new opportunity saw threat actors successfully impersonating government authorities such as the World Health Organization (WHO). See our report on Trickbot WHO?, which used a fraudulent coronavirus alert from the WHO to deliver Trickbot banking malware. Other emails impersonated UNICEF and attempted psychological manipulation by posing as a children’s charity. Our earlier reports on coronavirus-related themes give a sense of the depth and breadth of these campaigns: COVID-19 Unemployment Fraud, Formbook Coronavirus Campaigns, New Agent Tesla Infostealer Campaigns Using Coronavirus Themes, Spoofed Coronavirus Map Delivers AZORult Infostealer, and LokiBot Rides Fear of Coronavirus.
For all of these reasons and more, cyberthreats remain alive and well. As before, threat actors will innovate while also adjusting and sustaining proven methods as 2021 unfolds. Rogue nation-states and organized crime will continue to build on their offensive capabilities. Accurate intelligence about timely, relevant threats enables an organization to make thoughtful, targeted improvements to its defenses and lower its risk.
We hope you find our Quarterly Cyberthreat Intelligence Report of benefit. Subscribers to our threat intelligence products and services will receive the full reports, which provide more comprehensive data, including an in-depth list of the indicators of compromise (IOCs) for the specific campaign, as well as other timely alerts and information.
Please follow this link to download the Q1 2021 Cyberthreat Intelligence Report:
If there are questions please reach out to us at firstname.lastname@example.org.