Our latest Quarterly Threat Report is out, and 2018 has been keeping network defenders on their toes as malicious actors continue to find new ways to compromise networks alongside their tried-and-true attacks. In Q2, we saw new methods paired with old tactics, familiar botnets leveraging new vulnerabilities, and a reminder that, as network defenders, we cannot afford not to know what is on our networks.

Compromised credentials: The keys to the kingdom

In Q2, we saw a continued emphasis on credential theft and account leaks across all industries, along with an increase in remote access attempts.

Credentials are being stolen by adversaries as they interact with users via phishing attacks or voice-based vishing scams and are then used to gain access to the victim’s systems—but stolen credentials are also being used in ways that don’t involve compromising systems at all. Over the past few months, we saw a huge wave of spam-based extortion attempts: emails that quote one of the recipient’s leaked passwords as “evidence” that their system has been compromised, then threaten to release embarrassing information or videos of the recipient unless they pay the sender. Though these emails are scams and there is no real compromising material, they are another example of how even years-old credential leaks continue to have a significant impact today.

Q2 botnet roundup

This past quarter also included an assortment of botnet activity. Our Heisenberg honeypot nodes caught numerous attempts to inventory and usurp various devices and services this quarter, including campaigns targeting a variety of routers, systems with the Android debugger exposed, Drupal, and WebLogic. While the main goal of many of these botnets appears to be cryptocurrency mining, the growing number of routing and IoT devices in these botnets can have an impact on daily operations, with the FBI noting that a (possibly) unintended side effect of some botnet activity is a denial of service against the compromised device itself.

Tracking RDP activity

Another oldie but goodie that just won’t go off the radar is the malicious use of Remote Desktop Protocol (RDP). We have seen only a slight decrease in internet-exposed RDP over the past year, according to Project Sonar studies.

This is a protocol that often gives attackers everything they need to accomplish their goals—or at least gives them a good start along that path—so it is no wonder that attackers don’t want to give it up. In Q2, we saw a steady trend of attempts to brute-force RDP, with one huge spike in the middle of the quarter, and we analyzed which usernames and passwords were attempted against the protocol to better understand how to protect against these types of attacks.
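As an added example (not code from the report or from Rapid7), here is the kind of aggregation behind the RDP brute-force trend and username analysis described above, run over constructed failed-logon records. The three-field log format, the sample IPs and the usernames are assumptions for illustration.

```python
# Added example (not from the report): count failed RDP logons per source
# and flag brute-force bursts. Log format is a constructed assumption:
# "<ISO timestamp> <source IP> <username attempted>", one failure per line.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample failures (not data from the report).
SAMPLE_LOG = """\
2018-05-14T10:00:01Z 203.0.113.5 administrator
2018-05-14T10:00:02Z 203.0.113.5 admin
2018-05-14T10:00:02Z 203.0.113.5 Administrator
2018-05-14T10:00:03Z 203.0.113.5 user
2018-05-14T10:00:05Z 203.0.113.5 administrator
2018-05-14T10:05:00Z 198.51.100.7 jsmith
2018-05-14T10:20:00Z 198.51.100.7 jsmith
"""

def parse_failed_logons(text):
    """Return (timestamp, source_ip, username) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore anything that is not a three-field record
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2].lower()))  # Windows names are case-insensitive
    return events

def brute_force_sources(events, threshold=5, window_seconds=60):
    """Sources with at least `threshold` failures inside any `window_seconds` span."""
    by_src = defaultdict(list)
    for ts, src, _ in events:
        by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged

def top_usernames(events, n=3):
    """Most frequently attempted usernames, the view the report analyses."""
    return Counter(user for _, _, user in events).most_common(n)
```

A slow, occasional failure from a single source (the second IP in the sample) is not flagged, which is why a sliding window rather than a plain total is used.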

So much more!

Read the Q2 Threat Report in its entirety for more information on the trends and activities we saw in Q2, and learn how to make sure you aren’t falling victim to any of the tactics—new and old—that we have been keeping an eye on.

[Live Webcast] Rapid7 Quarterly Threat Report Findings: 2018 Q2
