by Business Insights, on 24.08.2023
MDR Insights: Understanding the Threat Landscape
In our previous discussion about Threat Modeling and its application in Bitdefender MDR's intelligence monitoring, we emphasized the importance of considering the threat landscape. This term refers to the overall picture of potential cybersecurity threats and risks faced by individuals, organizations, or systems, including various cyberattacks, vulnerabilities, and potential adversaries. A clear grasp of the threat landscape is instrumental in identifying, assessing, and mitigating security risks.
by Business Insights, on 22.08.2023
Businesses are facing an uphill battle when it comes to the evolving threat landscape. Successful ransomware and malware attacks are on the rise, and zero-day vulnerabilities place an urgent need on proactive measures for threat detection and response. As a result, Cyber Threat Intelligence (CTI) has become essential, serving as an early warning system that enables organizations to prepare, defend, and respond effectively to cyber threats.
by Marcos Colón, from Business Insights, on 17.08.2023
The 2023 Black Hat Conference in Las Vegas, Nevada was the perfect opportunity for some of the brightest minds in cybersecurity – including Bitdefender experts – to gather in an effort to exchange ideas, showcase their talent, and also conduct a little business.
by Business Insights, on 16.08.2023
Bitdefender has expanded its platform to include Cloud Security Posture Management (CSPM) and Cloud Infrastructure Entitlement Management (CIEM), along with security consulting services that augment Bitdefender MDR services. This is the result of completing the acquisition of Horangi Cyber Security, which is now a Bitdefender company.
by Business Insights, on 08.08.2023
Organizations are increasingly finding themselves in a constant tug-of-war on multiple fronts, from battling an array of threats and mitigating vulnerabilities to managing risks tied to cloud-based environments and third-party vendors.
by Business Insights, on 31.07.2023
The notorious CL0P hacker group has been highlighted in recent news due to a significant increase in their ransomware attacks. This cybercriminal organization has targeted multiple banks, federal agencies, and corporations, exploiting a specific vulnerability known as CVE-2023-34362 in MOVEit software. Through this vulnerability, they gained unauthorized access to sensitive data, leading to severe data breaches across various sectors.
The attack technique involved compromising Internet-facing MOVEit transfer web applications by exploiting the flaw. Subsequently, the threat actors implanted malware into these applications, enabling them to extract data from the underlying MOVEit databases without authorization.
In response to these malicious activities, the FBI and CISA have issued a joint cybersecurity advisory. The advisory sheds light on CL0P's tactics, emphasizing the group's adaptability and notorious reputation. Known for their involvement in financial fraud, phishing attacks, and zero-day exploits, CL0P operates as a
In recent months, CL0P has been particularly active in targeting the GoAnywhere MFT platform, using zero-day vulnerabilities to steal data and demand ransoms. Their sophisticated toolkit includes malware such as FlawedAmmyy/FlawedGrace RAT, SDBot RAT, and Truebot downloader module, enabling them to collect sensitive information and spread their malware extensively.
Their impact has been significant, compromising over 3,000 U.S.-based organizations and 8,000 global organizations. By leveraging Truebot to download FlawedGrace or Cobalt Strike beacons, they gain further network access once they infiltrate the Active Directory server. Additionally, they've exploited the SQL injection zero-day vulnerability CVE-2023-34362 to install the LEMURLOOT web shell on MOVEit Transfer web applications.
To combat this threat, the FBI and CISA have recommended several countermeasures, including routine software patching and updating, regular vulnerability assessments, and adherence to established cybersecurity best practices. They've also provided lists of IP addresses and domains associated with TA505, relevant MITRE ATT&CK techniques, and recommended mitigation strategies.
Organizations are strongly encouraged to validate their security controls and promptly report ransomware incidents to the FBI or CISA. Additional resources on managing ransomware threats can be accessed on stopransomware.gov and the CISA/MS-ISAC Joint Ransomware Guide. With opportunistic attacks on the rise, we also recommend reading our article on understanding and managing software vulnerabilities.
Spear phishing attacks are often used as an initial attack vector and ransomware infection is often the final stage of the kill chain. For this report, we analyzed malware detections collected in June 2023 from our static anti-malware engines. Note: we only count total cases, not how monetarily significant the impact of infection is. Opportunistic adversaries and some RaaS groups represent a higher percentage compared to groups that are more selective about their targets since they prefer volume over value.
The following ransomware data is based on detections, not infections.
Top 10 Ransomware Families
We analyzed malware detections from June 1 to June 30. In total, we identified 226 ransomware families. The number of detected ransomware families can vary each month, depending on the current ransomware campaigns in different countries.
Top 10 Countries
In total, we detected ransomware from 137 countries in our dataset this month. Ransomware continues to be a threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Ransomware attacks often occur opportunistically, with the frequency of such detections increasing in relation to the size of a country’s population.
Below are the top 10 trojans targeting Android we have seen in our telemetry during June 2023.
SMSSend.AYE - Malware that tries to register as the default SMS application on the first run by requesting the consent of the user. If successful, it collects the user's incoming and outgoing messages and forwards them to a Command and Control (C&C) server.
Downloader.DN - Repacked applications taken from the Google App Store and bundled with aggressive adware. Some adware downloads other malware variants.
Triada.LC - Malware that gathers sensitive information about a device (Device IDs, Subscriber IDs, MAC addresses) and sends them to a malicious C&C server. The C&C server responds by sending back a link to a payload that the malware downloads and executes.
HiddenApp.AID - Aggressive adware that impersonates AdBlock applications. When running for the first time, it asks permission to display on top of other apps. With this permission, the application can hide from the launcher.
AgentSpy.E - Applications that were taken from Google Play Store and re-packed with malware. The malware packages are obfuscated, with the primary objective
SpyAgent.DW - Applications that exfiltrate sensitive data like SMS messages, call logs, contacts, or GPS location.
Agent.gQNIO - Generic name that detects obfuscated applications that are signed with a debug certificate and bundled with numerous adware SDKs.
Marcher.AV - Applications that disguise themselves as Google Play Store applications. The malware tries to ask for accessibility permissions to capture keystrokes and also uses the VNC screen recording function to log the user’s activity on the phone.
Banker.XO - Polymorphic applications that impersonate legitimate apps (Google, Facebook, Sagawa Express, etc.). Once installed, it locates banking applications installed on the device and tries to download a trojanized version from the C&C server.
Banker.XJ - Applications that drop and install encrypted modules. This trojan grants device admin privileges and gains access to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive commands and upload sensitive information.
Homograph Phishing Report
Homograph attacks abuse international domain names (IDN). Threat actors register international domain names that spoof a target domain name. When we talk about the “target” of IDN homograph phishing attacks, we refer to the domain that threat actors are trying to impersonate. You can read more about this type of attack in one of our previous reports.
Below is the list of the top 10 most common targets for phishing sites.
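A defender-side check for the IDN homograph pattern described above, added here as an example and not taken from the report: it decodes punycode (xn--) labels back to Unicode, maps a small hand-picked set of look-alike characters (an assumption, not the full Unicode confusables table) onto ASCII, and flags a domain whose "skeleton" collides with a constructed target list or whose labels mix Latin with Cyrillic or Greek.

```python
import unicodedata

# Constructed placeholder targets; the report's own top-10 list is not reproduced in the text.
TARGETS = {"apple.com", "paypal.com", "google.com"}

# Hand-picked look-alike map (assumption: a small subset of Unicode's confusables table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic c y x i
    "\u04cf": "l", "\u04bb": "h", "\u0458": "j",                 # Cyrillic palochka, h, j
    "\u03bf": "o", "\u03b1": "a", "\u0131": "i", "\u2113": "l",  # Greek o a, dotless i, script l
}

def decode_domain(domain):
    """Turn punycode (xn--) labels back into Unicode so look-alikes become visible."""
    labels = []
    for label in domain.lower().strip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def skeleton(domain):
    """Collapse look-alike characters onto ASCII; a spoof and its target share a skeleton."""
    normalized = unicodedata.normalize("NFKC", domain)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)

def scripts_in(label):
    """Approximate the set of scripts in a label from the first word of each character name."""
    scripts = set()
    for ch in label:
        if ch.isascii() and ch.isalpha():
            scripts.add("LATIN")
        elif not ch.isascii():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def check_domain(domain, targets=TARGETS):
    """Return ('homograph', target), ('mixed-script', None) or ('ok', None)."""
    decoded = decode_domain(domain)
    skel = skeleton(decoded)
    if skel in targets and decoded != skel:  # identical to a target only after de-confusing
        return ("homograph", skel)
    for label in decoded.split("."):
        if len(scripts_in(label) & {"LATIN", "CYRILLIC", "GREEK"}) > 1:
            return ("mixed-script", None)
    return ("ok", None)
```

Feed it the raw host names from web-proxy or DNS logs; an `xn--` label that resolves to a skeleton of a monitored brand is the case worth alerting on.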
About Bitdefender Threat Debrief
The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release and subscribe to the Business Insights blog, and follow us on Twitter. You can find all previous debriefs here.
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 150 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discover 400+ new threats each minute and validate 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.
We would like to thank Bitdefenders Alin Damian, Mihai Leonte, Justin Mills, Andrei Mogage, Sean Nikkel, Nikki Salas, Rares Radu, Ioan Stan, Iulian Timischi, Marius Tivadar, and Horia Zegheru (sorted alphabetically) for their help with putting this report together.
by Business Insights, on 26.07.2023
In June 2023, a significant cybersecurity incident sent shockwaves through the corporate world. The CL0P hacker group exploited a vulnerability in MOVEit software, leading to severe data breaches. CL0P targeted organizations like banks, federal agencies, and corporate entities. This is a stark reminder of the importance of understanding and managing vulnerabilities in the evolving realm of cybersecurity. If unchecked and exploited, these vulnerabilities lead to significant security breaches, compromising sensitive data, disrupting critical processes, and causing severe damage to an organization. This guide aims to shed light on vulnerability management, the process of reporting and assessing vulnerabilities, and the tools available for remediating Common Vulnerabilities and Exposures (CVEs).
by Business Insights, on 24.07.2023
The cybersecurity industry is undergoing a significant shift as it adapts to a post-pandemic world. Over the past few years, industries accelerated their digital transformation efforts, increased their reliance on remote work, and leveraged cloud-based services on a greater scale. This rapid change, alongside lingering uncertainty about the future, has created new challenges and risks for businesses. Given these new complications, it’s increasingly clear that some industries need to prioritize cybersecurity or else risk an outsized increase in cyber incidents and compromises.
by Business Insights, on 19.07.2023
The booth is packed up and ready to go. Rat Pack fedoras are in hand. And the Scuderia Ferrari showcar is en route. We can’t wait to see you at Black Hat USA 2023 in Las Vegas. Our team of product and cybersecurity research experts are ready to hit the ground running as soon as we arrive on the Las Vegas strip.