As the first half of 2021 comes to a close, I decided to look back at the top 5 threats we detected during this 6-month period.
Every quarter, we produce trend reports for some clients, which means digging back through our incident database. One of our clients (who doesn’t receive a lot of alerts; they have tighter security than our average client) wanted us to highlight the incidents we commonly detect across our client base.
So, we generated a list of the top 5 most impactful detections we made since the beginning of 2021. Because everyone just loves listicles, I decided that this post could be both a celebration of our success as well as a threat guide for small businesses.
Let’s start with threat number five.
Top Detected Threat #5: Gamarue (USB Spreading Worm)
Gamarue/Andromeda is malicious software that adds a compromised machine to a botnet operated by criminals. Once a machine is in the botnet, the operators can connect to it remotely, steal confidential information and load additional software. It is very common for a Gamarue infection to escalate rapidly as more malware is downloaded onto the machine through the Gamarue/Andromeda affiliate program, in which the botnet operator earns money via pay-per-install schemes.
Another reason a Gamarue/Andromeda infection can become quite severe is that some versions of the malware spread via USB keys. When USB keys are passed around an enterprise, a large number of machines can get infected. Furthermore, the malware persists on a USB key that sits in a drawer somewhere, where no AV software can scan it, and causes reinfections when the key is used again in the future.
In that sense, catching Gamarue before it wreaks havoc is a big win. Given that this malicious software does not spread via the network and that we didn’t find any additional malware on the victim machine, I rank Gamarue as Threat #5.
Please also note that this detection is a newer one than the one described in this post. Naturally, having seen Gamarue in the past helped us respond to this infection at a different client.
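The drawer problem above is worth turning into a concrete check: a key that is plugged in months later should be triaged before anything on it is opened. The script below is an added example for this post, not the author's tooling. It looks for the file layout that USB worms commonly leave behind (an autorun.inf, the user's real files moved into a hidden folder, an executable dropped in that folder, and decoy shortcuts at the root that carry the original file names). That layout, the indicator names and the sample tree it builds in a temporary directory are assumptions made for the demonstration; point `triage_drive` at a real mount point to use it.

```python
"""Triage a removable drive for the file layout typical of USB-spreading worms.

Added example for this post, not the author's tooling. The "hidden folder plus
decoy shortcuts" layout and the sample tree below are assumptions used to
illustrate the check.
"""
from __future__ import annotations

import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

SHORTCUT_EXT = {".lnk"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def is_hidden(path: Path) -> bool:
    """Hidden by a dot prefix, or by the Windows hidden attribute when present."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # Windows only; 0 elsewhere
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def triage_drive(root: Path) -> list[Finding]:
    """Return indicators found at the root of a removable drive.

    Checks: autorun.inf at the root, executables tucked inside hidden
    directories, and shortcuts at the root whose names mirror files that were
    moved into a hidden directory (decoys that re-launch the worm on click).
    """
    findings: list[Finding] = []
    hidden_stems: set[str] = set()  # base names of files living in hidden dirs

    for entry in root.iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            findings.append(Finding(str(entry), "autorun.inf at drive root"))
        elif entry.is_dir() and is_hidden(entry):
            for inner in entry.rglob("*"):
                if not inner.is_file():
                    continue
                hidden_stems.add(inner.stem.lower())
                if inner.suffix.lower() in EXEC_EXT:
                    findings.append(Finding(str(inner), "executable inside hidden directory"))

    for entry in root.iterdir():
        if entry.is_file() and entry.suffix.lower() in SHORTCUT_EXT:
            if entry.stem.lower() in hidden_stems:
                reason = "decoy shortcut mirrors a file moved into a hidden directory"
            else:
                reason = "shortcut at drive root"
            findings.append(Finding(str(entry), reason))
    return findings


def build_sample_drive(infected: bool = True) -> Path:
    """Construct a throwaway directory tree that mimics a USB key (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="usbdemo_"))
    if infected:
        hidden = root / ".sys"
        hidden.mkdir()
        (hidden / "Q2 Budget.xlsx").write_bytes(b"the user's real spreadsheet")
        (hidden / "svchost.exe").write_bytes(b"MZ")  # placeholder bytes, not a real binary
        (root / "Q2 Budget.lnk").write_bytes(b"L\x00\x00\x00")  # placeholder shortcut
        (root / "autorun.inf").write_text("[autorun]\nopen=.sys\\svchost.exe\n")
    else:
        (root / "Photos").mkdir()
        (root / "Photos" / "beach.jpg").write_bytes(b"\xff\xd8")
        (root / "packing list.txt").write_text("sunscreen, charger")
    return root


if __name__ == "__main__":
    for finding in triage_drive(build_sample_drive()):
        print(f"{finding.reason}: {finding.path}")
```

The decoy check is the one that matters most: an infected key looks, to the user, exactly like it did before, because the shortcuts carry the names of their own documents. A shortcut at the root with no hidden twin is reported at lower confidence, since people do occasionally keep real shortcuts on removable media.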
Top Detected Threat #4: Zusy (Banking Trojan)
The Zusy banking trojan is an offshoot of the well-known Zeus trojan. Its main functionality is to inject content into web pages visited by the victim in order to steal login information for third-party websites, most notably banking sites.
Because the malware runs inside the browser and sees form data as the user types it, before the browser encrypts it, it captures the login information even when the banking website uses HTTPS. The cybercriminals can then use the stolen credentials to make fraudulent financial transactions.
Catching this threat early enables the victim to quickly identify which passwords were stolen and, ideally, change them before the malicious actor can make money transfers. In that sense, it is possible to avoid the impact entirely.
Because there was a direct monetary component, we ranked this threat fairly high. However, we were not able to confirm whether the victim had access to any sensitive third-party accounts, so this came in as Threat #4.
Top Detected Threat #3: Internal Spear Phishing Attack (Compromised Account Leveraged for Lateral Movement)
There is always someone who clicks on (or opens the documents attached to) phishing emails. Even if awareness training can drive that number down to about 1-3% of your users for generic phishing emails, attackers can usually achieve 10-30% click-through rates by tailoring the lure to the target.
In this attack, we learned that the attacker had compromised an account and used it to send incredibly targeted emails to other people in the company. Naturally, because the emails came from a compromised account, they appeared to come from a trusted party. Furthermore, the attackers hosted their phishing page in a OneNote document on OneDrive (see here), so the link pointed at a legitimate domain. Because of this, we could see that a good number of people had visited the lure page.
This attack was clearly an attempt to leverage a compromised account to move laterally and gain greater access to the network. As such, it was almost certainly the precursor to a big-payoff attack, such as business email compromise or ransomware. Attackers do not invest the time and energy to set up these custom attacks if they don’t expect a good return. By catching this spear phishing attack, we not only prevented the big payoff but also unravelled the initial access the attackers had established. The breadth of this phishing attack ranks it as Threat #3.
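Because the lure sat on OneDrive and the sender was a real colleague, neither URL reputation nor sender authentication would have flagged these emails. What stands out instead is behaviour: one internal mailbox pushing the same sharing link to many internal recipients in a short window. The following is an added example for this post, not the author's detection content; the mail domain, the list of sharing hosts, the log line format and the log lines themselves are constructed assumptions for the demonstration.

```python
"""Flag an internal mailbox that fans a sharing link out to many colleagues.

Added example for this post, not the author's detection content. The mail
domain, sharing hosts, log format and sample log lines are all assumptions
constructed for the demonstration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumption: the monitored organisation's domain
# assumption: legitimate file-sharing hosts on which a lure page can live
SHARING_HOSTS = ("1drv.ms", "onedrive.live.com", "sharepoint.com", "docs.google.com")

LINE_RE = re.compile(r'^(\S+) from=(\S+) to=(\S+) body="(.*)"$')
URL_RE = re.compile(r'https?://[^\s"<>]+')

# Constructed sample log: one message per line, recipients comma-separated.
SAMPLE_LOG = """\
2021-03-04T09:02:11 from=alice@example.com to=bob@example.com body="Q1 numbers: https://onedrive.live.com/redir?resid=ABC123"
2021-03-04T09:05:40 from=vendor@partner.example to=carol@example.com body="Invoice at https://1drv.ms/u/s!invoice77"
2021-03-04T10:12:03 from=dave@example.com to=erin@example.com,frank@example.com body="Please review the updated policy: https://1drv.ms/o/s!policy2021"
2021-03-04T10:13:27 from=dave@example.com to=gina@example.com,hal@example.com body="Please review the updated policy: https://1drv.ms/o/s!policy2021"
2021-03-04T10:17:55 from=dave@example.com to=ivan@example.com,judy@example.com body="Please review the updated policy: https://1drv.ms/o/s!policy2021"
2021-03-04T11:30:00 from=bob@example.com to=alice@example.com body="Thanks, got it."
"""


@dataclass(frozen=True)
class Message:
    ts: datetime
    sender: str
    recipients: tuple[str, ...]
    body: str


@dataclass(frozen=True)
class Alert:
    sender: str
    link: str
    recipient_count: int
    first_seen: datetime


def is_internal(addr: str) -> bool:
    return addr.endswith("@" + INTERNAL_DOMAIN)


def sharing_links(body: str) -> set[str]:
    """URLs in the body whose host is (a subdomain of) a sharing service."""
    links: set[str] = set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in SHARING_HOSTS):
            links.add(url)
    return links


def parse_log(text: str) -> list[Message]:
    messages = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        ts, sender, to, body = m.groups()
        recipients = tuple(r.lower() for r in to.split(","))
        messages.append(Message(datetime.fromisoformat(ts), sender.lower(), recipients, body))
    return messages


def detect_internal_lure_fanout(messages: list[Message],
                                window: timedelta = timedelta(minutes=30),
                                min_recipients: int = 5) -> list[Alert]:
    """Alert when one internal sender reaches >= min_recipients distinct
    internal mailboxes with the same sharing link inside the window."""
    seen: dict[tuple[str, str], list[tuple[datetime, str]]] = defaultdict(list)
    for msg in messages:
        if not is_internal(msg.sender):
            continue  # external senders are covered by ordinary phishing controls
        for link in sharing_links(msg.body):
            for rcpt in msg.recipients:
                if is_internal(rcpt):
                    seen[(msg.sender, link)].append((msg.ts, rcpt))

    alerts = []
    for (sender, link), hits in seen.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window over sorted hits
            reached = {r for t, r in hits[i:] if t - t0 <= window}
            if len(reached) >= min_recipients:
                alerts.append(Alert(sender, link, len(reached), t0))
                break
    return alerts


if __name__ == "__main__":
    for a in detect_internal_lure_fanout(parse_log(SAMPLE_LOG)):
        print(f"{a.first_seen} {a.sender} sent {a.link} to {a.recipient_count} colleagues")
```

On the sample data, alice's single OneDrive link to one colleague stays quiet and the external vendor is ignored, while dave's six recipients in six minutes trip the rule. The threshold and window are the tuning knobs: a team that genuinely shares documents widely needs a higher `min_recipients`, and the first thing to do on an alert is to pull the sender's recent sign-in history, since the mailbox, not the link, is the compromised asset.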
Top Detected Threat #2: Razy (Cryptocurrency Wallet Stealing Trojan)
The Razy trojan is another piece of malware aimed at stealing victim credentials, but it specializes in credentials for cryptocurrency wallets. At this point, astute readers may wonder why an infection with such a narrow impact ranks so highly in the list. As with most things in security, it depends on the business context.
In this case, the victim was a company that took advantage of our free proof-of-value period. Their main line of business was mining cryptocurrency, and the person affected was the admin who was installing the cryptocurrency mining software on all of their machines. This individual had downloaded a “repacked” (read: pirated) copy of Autodesk software to read some documents and uninstalled it afterwards. Naturally, the trojan stayed on the machine.
Because of the nature of the business, this compromise could very well have led to significant losses. As with other credential-stealing attacks, detecting this one as soon as the compromise happened (and before the attacker had a chance to harvest the credentials and use them to steal the cryptocurrency) mitigates most of the business impact. That’s why I rank it as Threat #2.
Top Detected Threat #1: Emotet (Ransomware Precursor)
Readers of this blog should not be surprised that the top threat we detected at one of our customers is the Emotet trojan, which is often the precursor to Ryuk/Conti ransomware attacks. You can find all the details in this post.
For many small businesses, a ransomware attack is an existential event. That is why it is so important to catch precursor malware like Emotet, which in the case of the Ryuk/Conti gang arrives before the ransomware itself. In this case, responding early made the difference between re-imaging one machine and potential losses in the range of $100,000 in direct costs, without factoring in things like damage to the business’ reputation. Emotet easily ranks as Threat #1.
Celebrating the Big Catches
In making this list, I wanted to highlight the reasons why we should celebrate our “big catches” on the monitoring side. So, I tried to demonstrate the business impact of each of these threats and highlight how, by catching them, we are really helping our customers.
At the same time, looking at this list from the perspective of a business owner, you can gain a better understanding of the types of threats that are out there and what they can mean for your business. (Note: all of these were caught by our security monitoring after they had bypassed antivirus.)