Departure and return
Dear readers, we are in the final stretch of the year. For this reason, we have decided to dedicate the last blog post of 2021 to a review of the major events that have taken place during the year and that have shaped the current cybersecurity landscape.
Firstly, it should be noted that, as in previous years, phishing campaigns targeting financial institutions and public institutions have been predominant and notorious during the course of the year. Customers of institutions such as CaixaBank, Santander, BBVA, ING, IberCaja, Caja Rural, Abanca and LiberBank have generally received fraudulent notifications through the mobile messaging system (SMS) or by email in which anonymous attackers attempted either to collect their personal and banking data or to deploy a family of malware on users' devices, impersonating one of the aforementioned banking institutions, among others.
This type of campaign has been extended to organisations such as the DGT, the Tax Agency or courier and packaging companies such as Correos, DHL, Seur, MRW or FedEx, although it is not a new event compared to previous periods of time, given that each year campaigns of this type are usually identified at different times of the year, with special emphasis on dates such as the tax return campaign, Black Friday or the Christmas holiday period.
However, while this trend already started to be observed during 2020, it is worth noting that during 2021 phishing campaigns targeting private sector organisations that have experienced a large increase in sales during the months of confinement and restrictions, such as Amazon, El Corte Inglés, Ikea or Mediamarkt, have continued to increase. An interesting point in this regard is that at the beginning of 2021, a good part of the phishing campaigns were aimed at spreading banking malware of Brazilian origin, such as Mekotio, Casbaneiro or BRATA, while others referred to themes related to the pandemic caused by the SARS-CoV-2 virus. However, the incidence of pandemic-related phishing campaigns dropped sharply from March onwards, although a certain reactivation has been detected in the last four months of the year.
On the other hand, it should be noted that throughout January and since last November there has been an upturn in cyberattack campaigns involving Emotet, which generally acts as a downloader, and Trickbot or Qbot, which act as end payloads in some cases, while in other cases they act as second-stage malware that ultimately deploys ransomware on the compromised system. What is most curious about Emotet is the ability of the actors developing it to keep the threat active, since the period of inactivity experienced during February to November was triggered by a joint operation by Europol and Eurojust that led to the dismantling of its infrastructure. However, its reactivation highlighted the current inadequacy of mechanisms to effectively mitigate the cyberthreats that are increasingly affecting today's societies.
Other cyberthreats that have experienced a significant increase in 2021 have been those related to data leaks and breaches. In this regard, during the first months of the year, even with the incidence of the pandemic at high levels, data leaks or the theft of confidential information were largely related to agencies involved in vaccination or organisations dedicated to researching the disease, while in the second four-month period this scenario ceased to be mentioned. However, in the last four months of the year, incidence related to exposure of sensitive medical information, such as COVID-19 testing and traceability data or vaccinated patient data, was again detected, showing that campaigns using SARS-CoV-2 disease as a lure or target become more prevalent as the number of infections increases and, therefore, their visibility in the media.
It is also noteworthy that throughout the year data breaches have affected a large number of prestigious and reputable companies, such as Intel, mobile network operators like ho. Mobile and T-Mobile, security firm Stormshield, anti-virus firm Emsisoft, investment banking firm Morgan Stanley, airlines Malaysia Airlines and Air India, petrochemical and energy company Shell, web hosting services Epik and GoDaddy, the Chilean division of Eleven Paths and Telefónica, the Peruvian division of Deloitte, Glovo, Banorte, Audi, Volkswagen, Zurich Seguros, StarHub, OrangeTee, EskyFun, Fortinet, Coninsa Ramón H, Oriflame, Panasonic or even platforms such as Facebook or LinkedIn, which in most cases resulted in the exposure of information related to hundreds of millions of users.
In addition to the above, it should be noted that cyber-attacks on supply chain related entities were also prevalent during January, due to the exploitation of vulnerabilities in SolarWinds Orion enterprise software, a campaign that had started the previous year. However, its incidence and notoriety quickly began to decline, with one exception: in March FireEye discovered a new malware family, SunShuttle, possibly linked to the previous campaign. Beyond that, apart from the PHP Git compromise in March and the Kaseya VSA cyberattack by REvil ransomware actors, no other major cyberattack campaigns targeting the supply chain were detected during the rest of the year.
In relation to the threat actor landscape, cyber-espionage campaigns by known cyber-attack groups have dominated, such as Volatile Cedar, which focused early in the year on intrusions on Oracle and Atlassian servers; Charming Kitten, which targeted high-profile targets in order to gather high-value information; MuddyWater, which focused its resources on deploying malware on government agencies in the United Arab Emirates and Kuwait; OceanLotus, which spread spyware families on human rights organisations in Vietnam; Lazarus, which targeted the defence sector; Cycldek, which focused its resources on attacking government and military organisations in Vietnam; Naikon, which targeted military organisations in Southeast Asia; Agrius and UNC215, which targeted Israeli targets; IndigoZebra, which impersonated the Office of the President of Afghanistan to infiltrate the Afghan National Security Council (NSC); SideCopy, which targeted the defence and military sector in India; LuminousMoth, which reportedly focused its resources on attacking government entities in Myanmar and the Philippines; TA456, which targeted the aerospace defence sector; APT29, which targeted the Slovakian government; Aggah, which targeted the Asian manufacturing industry; GhostEmperor, which reportedly targeted high-profile victims in Southeast Asia by exploiting vulnerabilities in Microsoft Exchange; Cyber Partisans, which targeted authorities and government entities in Belarus; and APT35, which reportedly published a spyware spoofing a VPN service on Google Play.
On the other hand, campaigns targeting the banking, economic and financial sector have also been observed from threat actors such as FIN8, which in March developed new malware families for operations related to the theft of payment card information and was subsequently attributed campaigns targeting US organisations, or the TA505 group, which has reportedly been stealing and publishing banking information for at least seven years.
In addition to the above, special emphasis should be placed on the campaigns directed against researchers related to the field of cybersecurity, which have predominated during the first months of the year and represent a certain paradigm shift with respect to previous years, during which threat actors directed their actions at economically lucrative sectors or those that allowed them to achieve certain interests pursued by the state or nation that supported them, as the case may be.
Likewise, 2021 has also seen an expansion of the threat actor landscape, as the profits made by already known groups have led to the emergence of others such as LazyScripter, which began by targeting a number of airlines; Zinc, which, as mentioned above, targeted researchers and IT security analysts; or Moses Staff, which targeted Israeli targets for political motives.
However, as noted in previous blog posts, the most prevalent cyberthreats over the course of 2021 have been ransomware campaigns, which have been visible and noticeable every month of the year.
In this regard, campaigns carried out by ransomware actors whose infrastructure has finally been reduced to ashes have been identified, as in the case of the Egregor family, which, after affecting transport agencies such as Translink, was finally neutralised by the French and Ukrainian authorities as part of a joint operation. This was also the fate of the NetWalker, Avaddon and Babuk ransomware families, although in the latter two cases it was the actors themselves who decided to halt their activity, considering that they had achieved their objective after the compromise of the AXA insurance company in the first case and the massive leaking of Phone House information in the second.
In contrast, other ransomware actors are still active and have had more impact than ever, such as LockBit, which affected the consulting firm Accenture in August and Bangkok Airways in September. Pysa has also been prevalent in this regard, with notable campaigns such as one that affected the London Council in January; or the BitLocker ransomware, which reportedly targeted the healthcare sector. The Cl0p ransomware was also highly active throughout the year, despite the arrest of some of its members, having affected organisations such as the law firm Jones Day, the cybersecurity firm Qualys and the marine services division Swire Pacific Offshore (SPO), while the Ragnar Locker ransomware, continuing this trend, affected the Israeli company Ness Digital Engineering.
Other notable ransomware cyberattacks have included RansomExx, which affected medical insurer MNH, Ecuador's Corporación Nacional de Telecomunicación (CNT) and the Taiwanese company Gigabyte; DoppelPaymer, which impacted Kia Motors; DarkSide, which crippled the Colonial Pipeline and compromised Toshiba's French subsidiary; BlackMatter, which reportedly targeted Olympus, NEW Cooperative and Marketron; and the novel Hive, which reportedly affected Mediamarkt on a large scale.
Likewise, the well-known REvil ransomware is said to have affected companies such as Acer, the French pharmaceutical and dermocosmetic group Pierre Fabre, the Brazilian judicial system of Rio Grande do Sul, Apple (at least allegedly), and even Kaseya VSA, the company that distributes management software used by a wide range of organisations around the world. In addition, during the first quarter of the year, Ryuk is said to have plagued various Spanish public organizations such as the Spanish Public Employment Service (SEPE) and the National Institute of Social Security (INSS).
In addition to the above, special mention should be made of the Conti ransomware, which has been identified as a possible future successor to Ryuk, having joined the triad of Emotet, Trickbot and a certain ransomware family. Large-scale activities by Conti ransomware actors were also identified, such as the compromise of several hospitals in Ireland and a number of other organisations in the US healthcare sector, the compromise of the company GSS, which affected the activities of Canal de Isabel II, and several Microsoft Exchange servers that were exploited using the ProxyShell vulnerability.
As we have seen, cyberthreats such as data leaks, cyberespionage, phishing and malware in all its variants are the order of the day. For this reason, we at Entelgy Innotec Security would like to conclude the year by highlighting a series of good practices aimed at all types of cyberspace users that were already discussed in the supplement Caja de herramientas del experto en ciberseguridad of the Karma role-playing game, in which we had the pleasure of collaborating, with the aim of ensuring that during 2022 we can reduce the incidence or, at least, the impact of some of the cyberthreats that were previously pointed out. Here are our 20 key recommendations:
1. Keep your equipment, applications and software updated.
2. Do not open emails from strangers and identify the sender correctly.
3. Do not provide your personal data on social networks.
4. Do not install applications or software from unofficial platforms. In addition, it is highly recommended to always use licensed software products, whether open source or closed source.
5. Do not provide any information requested by e-mail, especially passwords or personal data.
6. Avoid opening attachments and links to external websites from email, especially if they refer to online banking services, payment gateways or any other place where bank details are stored, as they could be fraudulent.
7. Check for spelling mistakes, translation errors or grammatical errors, as these can be clear indications that you have received a fraudulent e-mail.
8. Check the address bar of your browser and verify that it matches the address of the official website.
9. Make sure you only enter your personal information and passwords on websites that use secure communication protocols (HTTPS), have a valid digital certificate and show a padlock symbol, which indicates that the connection is secure.
10. Use a second authentication factor on those websites that allow it.
11. Always change default credentials (e.g. on routers or Wi-Fi networks) following the standard set in step 12.
12. Set up strong credentials (with eight or more characters, upper and lower case letters, numbers and special characters, not associated with your personal data) and change them from time to time, ideally every one to three months. If a leak of credentials for a service you use becomes known, make sure you never use the passwords configured for that site again.
13. Do not reuse your credentials across different services; it is advisable to configure a different password for each of them. To make this task easier, you can use random password generators and password managers, in which you can specify the length of the password you wish to obtain and the types of characters to include, and which store the passwords securely.
14. Remove metadata from your documents and images before distributing them or uploading them to any website.
15. Do not download pirated content and always check the extension of the files you get, as they could contain malicious software (for example, if you are downloading a video with an .mp4 extension, be suspicious if what you actually receive is an executable file with an .exe extension; if in any doubt, do not open it).
16. Back up all information and data you value to a location external to your computer, so that the information can be recovered in the event of loss.
17. If you come across a potentially fraudulent website, email or content, report it to the authorities or your cybersecurity provider, or alert the entity concerned, so that action can be taken against the cybercriminals who developed it.
18. Avoid connecting unknown removable devices to your computer.
19. Avoid connecting your devices to public Wi-Fi networks or unknown wireless connections, especially when handling sensitive information. If you need to connect to such networks, it is highly recommended to use tunneling tools or VPN services.
20. Be wary of telephone calls from unknown numbers requesting personal or bank details urgently, as in these types of scams the individual is urged to provide their details quickly, preventing them from verifying whether what they are being told is true. As a general rule, all services and entities that act legitimately, when requesting this type of data from the individual, make use of an automatic telephone system that contains a recording in which they request the necessary information, with the aim of ensuring that no one gets to know the required information.
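Recommendations 8 and 9 above ask the reader to compare the address bar with the official site. The following is an added example, written for this post and not code from Entelgy Innotec Security, of how that comparison can be automated for links found in SMS or e-mail messages of the kind described at the start of the review. The allow-list of official domains, the brand words and the sample links are constructed for illustration, and the function names (`classify_url`, `registrable_domain`) are this example's own. It flags the patterns that make a lookalike link work: a brand name placed in a subdomain of an unrelated domain, a `user@host` prefix, non-ASCII or punycode hosts, bare IP addresses, and plain HTTP. Note that the padlock only tells you the connection is encrypted, so the host comparison is what actually decides whether a link is legitimate.

```python
"""
Checking a link before trusting it (recommendations 8 and 9).
Added example, not Entelgy's code; the official-domain list, brand words
and sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allow-list: registrable domains the user has confirmed as official.
OFFICIAL_DOMAINS = {"caixabank.es", "correos.es", "amazon.es"}
# Brand words whose presence in a non-official host is a lookalike indicator.
BRAND_WORDS = {"caixabank", "correos", "amazon"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host ("www.caixabank.es" -> "caixabank.es").
    Simplification for the example: a production check should consult the
    Public Suffix List so that e.g. "co.uk" is not treated as a domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> dict:
    """Return {'host', 'verdict', 'reasons'} for a URL found in an e-mail or SMS.

    verdict: 'official'   - host is on the allow-list and nothing odd was found
             'suspicious' - lookalike, punycode/non-ASCII host, user@host trick,
                            bare IP literal, or plain http
             'unknown'    - not on the allow-list, but nothing odd was found
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append("not-https")
    if not host:
        reasons.append("no-host")
        return {"host": host, "verdict": "suspicious", "reasons": reasons}
    if parts.username is not None:
        # "https://caixabank.es@evil.example/": the text before '@' is not the host.
        reasons.append("userinfo-in-url")
    if not host.isascii():
        reasons.append("non-ascii-host")   # homoglyph candidate (e.g. Cyrillic 'a')
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-host")
    if host.replace(".", "").isdigit():
        reasons.append("ip-literal-host")

    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        verdict = "official" if not reasons else "suspicious"
    else:
        # "caixabank.es.something.example": the brand is only a subdomain label.
        if any(brand in host for brand in BRAND_WORDS):
            reasons.append("brand-in-unofficial-host")
        verdict = "suspicious" if reasons else "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links of the kind the post describes.
    for sample in [
        "https://www.caixabank.es/particulares",
        "https://caixabank.es.verificacion-cuenta.example/login",
        "http://caixabank.es/",
        "https://caixabank.es@evil.example/",
        "https://xn--caixabnk-3za.es/",
    ]:
        print(sample, "->", classify_url(sample))
```

Running the script prints a verdict and the reasons for each sample; in practice the allow-list would be the handful of domains a user actually banks or shops with, and anything classified as "unknown" still deserves a manual look before credentials are typed in.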
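Recommendation 15 above warns about a download whose name says .mp4 but whose content is an executable. As an added example, not Entelgy's code, the script below shows how to check that claim without opening the file: it compares the declared extension with the file's leading bytes (a small constructed table of signatures), and also flags the two naming tricks that make such files look harmless, a double extension such as `invoice.pdf.exe` and a right-to-left override character in the name. The function names (`check_download`, `content_kind`) and the sample file headers are this example's own.

```python
"""
Checking that a downloaded file is what its extension claims (recommendation 15).
Added example, not Entelgy's code; the signature table is a constructed subset
and the sample files are built inline.
"""

# Extensions that Windows or a shell will run directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "dll",
                   "js", "jse", "vbs", "vbe", "hta", "lnk"}

# What the leading bytes of a file should look like for a given extension.
EXT_TO_KIND = {"exe": "pe", "dll": "pe", "scr": "pe", "pdf": "pdf",
               "mp4": "mp4", "zip": "zip", "docx": "zip", "xlsx": "zip"}


def content_kind(data: bytes) -> str:
    """Identify the real format from its magic bytes (constructed subset)."""
    if data[:2] == b"MZ":
        return "pe"          # Windows executable or DLL
    if data[:4] == b"\x7fELF":
        return "elf"         # Linux executable
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:4] == b"PK\x03\x04":
        return "zip"         # also docx/xlsx/jar, which are zip containers
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"         # ISO base media file (mp4/mov)
    return "unknown"


def check_download(filename: str, data: bytes) -> dict:
    """Return {'kind', 'declared', 'findings', 'verdict'} for a name and its bytes."""
    findings = []

    # A right-to-left override makes "report\u202Efdp.exe" display as "reportexe.pdf".
    if "\u202e" in filename or "\u202d" in filename:
        findings.append("bidi-override-in-name")

    exts = filename.lower().split(".")[1:]
    declared = exts[-1] if exts else ""
    if declared in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        if len(exts) >= 2:
            findings.append("double-extension")     # e.g. invoice.pdf.exe

    kind = content_kind(data)
    expected = EXT_TO_KIND.get(declared)
    if expected and kind != "unknown" and kind != expected:
        findings.append(f"content-mismatch:{declared}-is-{kind}")
    if kind in ("pe", "elf") and declared not in EXECUTABLE_EXTS:
        findings.append("hidden-executable")        # an .mp4 that is really a program

    verdict = "suspicious" if findings else "ok"
    return {"kind": kind, "declared": declared,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample files: a genuine-looking mp4 header, and a PE header
    # saved under a video name and under a double extension.
    mp4_header = b"\x00\x00\x00\x18ftypisom" + b"\x00" * 16
    pe_header = b"MZ\x90\x00" + b"\x00" * 60
    for name, blob in [("holiday.mp4", mp4_header),
                       ("holiday.mp4", pe_header),
                       ("invoice.pdf.exe", pe_header),
                       ("report\u202efdp.exe", pe_header)]:
        print(repr(name), "->", check_download(name, blob))
```

Only the first few bytes of the file are needed, so the check can be run on a download before it is ever opened; a verdict of "suspicious" is the cue to delete the file rather than try it, exactly as recommendation 15 advises.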
Raquel Puebla González
Cyber Intelligence Analyst
Entelgy Innotec Security