reason cybersecurity что это
Powerful end-to-end cybersecurity protection tailored to your needs
Reason Up for Growing Businesses
Strong cybersecurity protection for small businesses so they can focus on what really matters: their business’ growth.
Reason Labs for Partners
Provides research tools and easy-to-integrate security solutions such as the Reason SDK and Cloud API.
Reason in the news
Click below to read more
We bring you cutting-edge security
A state-of-the-art- engine
A state-of-the-art- engine
With one of the strongest engines in the AV industry, Reason continuosly updates and maintains a library of millions of suspected malicious files.
Leading innovative technology
Leading innovative technology
Reason’s innovative thinking and advanced technology enable comprehensive threat detection and real-time response.
Whether browsing the web, downloading files or emailing, you get powerful, real-time protection anytime, anywhere.
Deep intelligence and data analysis
Deep intelligence and data analysis
Facilitates in-depth knowledge and raw data analysis via Reason’s cybersecurity lab.
Reason Up for Growing Businesses
The ultimate cybersecurity solution designed for small businesses. Guards business owners and employees’ most valuable properties for a secure digital experience.
Обзор Reason Core Security
На официальном сайте Reason Core Security сообщается, что продукт предназначен для совместного использования с вашим текущим антивирусом и позволяет “обнаруживать и удалять все типы вредоносных программ, включая трояны Интернет черви, ботнеты, рекламное ПО, шпионские программы, ПНП и др.” Это очень четкое описание, которое, к сожалению, не подтвердилось в тестах.
В главном окне программы расположена большая кнопка “Скан” для запуска проверки, под которой расположена панель текущего статуса безопасности. Панель в левой части окна содержит статистические данные защиты, а верхнее навигационное меню организует быстрый доступ ко всем функциям. Комбинация светлого окна и темно-синего меню в целом выглядит приятно.
Отсутствует информация из лабораторий
Reason Core Security не участвует в тестирования ни одной из отслеживаемых PCMag лабораторий. Представитель вендора пояснил, что у компании есть основания сторониться крупных независимых лабораторий, но не захотел их публично оглашать.
В основе Reason Core Security применяются собственные антивирусные технологии компании, а не лицензированные версии движков известных вендоров, поэтому сложно даже косвенно судить об эффективности продукта в лабораторных условиях.
Катастрофически низкая эффективность блокировки угроз
Согласно заявлению официального представителя Reason Software, данный продукт использует преимущественно эвристические методы обнаружения, поведенческий анализ и технологии машинного обучения. Тем не менее, традиционные сигнатурные техники обнаружения также применяются. Если системы автоматического анализа не могут идентифицировать подозрительный файл, он отправляется на облачный сервер для глубокого исследования.
После открытия папки с вредоносными образцами и при перемещении зловредов в другую папку, Reason Core Security никак не реагировал. Однако при попытке запуска исполняемых файлов, антивирус приступил к своей работе. Действительно, методы поведенческого обнаружения не функционируют, пока не происходят действия, которые можно проанализировать.
Процесс тестирования проходил очень долго. После каждого обнаружения Reason Core Security тратил от 30 секунд до нескольких минут на удаление зловреда и в большинстве случаев запрашивал перезагрузку компьютера. Удаление одного из образцов затянулось на 15 минут, после чего антивирус предложил выполнить загрузку в безопасный режим. К сожалению, Reason Core Security предложил старые инструкции для загрузки Safe boot, которые не подходили к Windows 8 или Windows 10.
Среди 39% проигнорированных объектов были вредоносные программы различных типов, начиная от рекламного ПО и заканчивая троянами-шифровальщиками. Правда не стоит отрицать, что в условиях данного испытания поведенческая система обнаружения получила неполную информацию. В реальных условиях они могла проверить URL-адрес источника, поэтому в тесте на блокировку вредоносных ссылок ожидался более высокий результат.
Многие антивирусы блокируют посещение опасных ресурсов, но у Reason Core Security такая функциональность отсутствует. Кроме того, продукт не предлагает защиту от мошеннических сайтов, но все же сканирует все загружаемые файлы.
В тесте на блокировку вредоносных загрузок Reason Core Security заблокировал только 12% онлайн угроз, это снова самый низкий показатель среди всех протестированных решений. Во время очистки дополнительные уведомления не показывались, а удаление каждого объекта также занимало приличное время, даже несмотря на то, что эти файлы никогда не запускались.
Reason Core Security также предлагает защиту от установки потенциально нежелательных программ (ПНП). При установке программных пакетов продукт может автоматически снимать галочки и разрешать установку только основной полезной программы. В наше время —это действительно полезная функция.
Защита IoT устройств
Традиционные антивирусы работают на компьютерах и мобильных устройствах, но не уделяет внимание защиту других подключенных к сети интеллектуальных устройств, таких как система автоматического управления гаражными воротами, дверной звонок или смарт-холодильник. Для защиты данных устройств можно воспользоваться специализированными аппаратными решениями, например, Bitdefender Box.
Reason Core Security, естественно, не может конкурировать с этими аппаратными решениями. Тем не менее, как и бесплатный Bitdefender Home Scanner, Reason Core Security умеет выполнять сканирование домашней сети в поисках всех подключенных устройств и обнаруживать потенциальные проблемы безопасности.
Сканирования были бы более полезными, если корректно распознавались типы устройств, хотя бы компьютеров, смартфонов и принтеров. Также было бы нелишним предупреждение пользователей о возможных последствиях при выполнении рекомендаций.
Для проведения тестирования сетевых устройств Reason Core Security был установлен на физическую систему. Во время первоначального сканирования антивирус обнаружил три угрозы для незамедлительного удаления и 4 ПНП. Все опасные объекты оказались компонентами Symantec Norton Security Premium. Это не самое лучшее поведение для продукта, который позиционируется как дополнение к стационарной антивирусной защите.
Дополнительные инструменты
При выборе опции “Приложения” в основном меню открывается страница с различными мониторами активности и дополнительными инструментами безопасности. При выборе “Текущая активность” открывается окно со списком процессов, показателями потребления ОЗУ и ресурсов ЦПУ, а также уровнем безопасности, похожее на привычный Диспетчер задач. Тем не менее, функция завершения процессов не поддерживается.
При выборе вкладки “Сетевая активность” отображается использование сети отдельными процессами. Данная информация вряд ли будет полезная для обычного пользователя, но для технического специалиста она может представлять интерес.
Reason Core Security предлагает довольно функциональный менеджер автозагрузки. На странице “Автозапуск” показывается список всех приложений, который запускаются при старте система в соотвествии с записями реестра, ссылками в папке автозагрузки и запланированными заданиями. Кроме того, пользователи могут также отключать сервисы, драйверы, обработчики контекстного меню и фильтры Credential Providers.
Функция “Деинсталлятор” дублирует функции аналогичного системного компонента “Приложения и возможности” и дополнительно показывает уровень опасности установленных приложений. При попытке удаления самого Reason Core Security появилось интересное сообщение: “Silly rabbit, you cannot use Reason Core Security to uninstall Reason Core Security» (“Глупый кролик, нельзя просто взять и удалить Reason Core Security с помощью Reason Core Security”). Видимо, разработчики не лишены чувства юмора.
На странице “браузеры” показывает расширения, установленные в браузерах и отображает их уровень опасности. Даже безопасный Менеджер закладок в Chrome получил уровень угрозы “Средний”. Расширения Dashlane, Skype и Evernote также вызвали настороженность антивируса. Norton Safe Search в Firefox был идентифицирован как троян.
Пройдите мимо
Несмотря на то, что Reason Core Security позиционируется как дополнение к вашей антивирусной защите, продукт может ошибочно обнаруживать и блокировать защитные модули основного решения, как это было с Norton. На официальном сайте сообщается, что продукт удаляет все виды вредоносного ПО, но на деле он не справился с различными видами тестовых угроз и показал самые низкие результаты в тестах на блокировку вредоносных программ и ссылок. Единственной полезной функцией остается сканер устройств IoT, который также нуждается в улучшении. Сканер не смог обнаружить все устройства в сети, не смог определить тип абсолютного большинства устройств и предлагал не совсем корректные рекомендации по устранению проблем.
Обзор Reason Core Security: Рейтинг PCMag
Правильное использование программы Reason Core Security для отслеживания вредоносного ПО
Даже лучшие антивирусы порой достаточно лояльны к рекламным приложениям и не видят в них никакого вреда. Тем не менее пользователю не очень приятно постоянно наблюдать всплывающие баннеры и закрывать окна. Для отслеживания софта, ответственного за их появление, разработаны специальные приложения, совместимые с фаерволом. Одним из таких является Reason Core Security: далее вы сможете подробнее ознакомиться с его способностями и функциями.
Как скачать Reason Core Security и удалить программу при необходимости
Некоторое время назад Reason Core Security распространялся бесплатно, теперь же при посещении официального сайта вы увидите, что это стоит денег — за программу просят 29 долларов в год (около 1800 рублей). Есть и пиратские версии, предлагаемые в виде архивов, торрентов и exe-файлов, но они несут в себе определённый риск – вместо защиты можно получить дополнительные проблемы.
К счастью, разработчики предлагают 30-дневную демоверсию, которая, к слову, не перестаёт работать по истечении этого срока – просто теряет часть функций. Её легко установить, а при желании – продлить лицензию платно. Это делается так:
Если софт по какой-то причине не желает деинсталлироваться, то попробуйте следующее:
Вкладка настроек для эффективной защиты системы
Использование Reason Core Security
По умолчанию программа добавляется в Autorun и запускается вместе с системой, чтобы постоянно контролировать другие приложения. Если вам это не подходит, то нажмите Win+R и в появившуюся строку впишите: msconfig. Вы увидите перед собой перечень всего ПО в автозагрузке и сможете убрать лишнее. Но в этом случае вам придётся периодически запускать Reason Core Security и проверять приложения вручную.
Когда окно программы открывается, то вверху и слева можно увидеть все разделы и инструменты для работы с приложениями:
К каждому пункту прилагается инструкция в виде вопросительного знака – нажмите и прочтите интересующую информацию.
Также приложением можно проверять скачанные файлы, архивы, торренты и папки: просто кликните по ним правой кнопкой и выберите «Проверить с помощью Reason Core Security».
What Is Cybersecurity?
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.
Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative.
Contact Cisco
Secure your remote workforce, fast
If you’re looking to increase protection for your remote employees so they can work from any device, at any time, from any location, get started with the Cisco Secure Remote Worker solution.
What is cybersecurity all about?
A successful cybersecurity approach has multiple layers of protection spread across the computers, networks, programs, or data that one intends to keep safe. In an organization, the people, processes, and technology must all complement one another to create an effective defense from cyber attacks. A unified threat management system can automate integrations across select Cisco Security products and accelerate key security operations functions: detection, investigation, and remediation.
People
Users must understand and comply with basic data security principles like choosing strong passwords, being wary of attachments in email, and backing up data. Learn more about basic cybersecurity principles.
Processes
Organizations must have a framework for how they deal with both attempted and successful cyber attacks. One well-respected framework can guide you. It explains how you can identify attacks, protect systems, detect and respond to threats, and recover from successful attacks. Watch a video explanation of the NIST cybersecurity framework (1:54)
Technology
Technology is essential to giving organizations and individuals the computer security tools needed to protect themselves from cyber attacks. Three main entities must be protected: endpoint devices like computers, smart devices, and routers; networks; and the cloud. Common technology used to protect these entities include next-generation firewalls, DNS filtering, malware protection, antivirus software, and email security solutions.
Why is cybersecurity important?
In today’s connected world, everyone benefits from advanced cyberdefense programs. At an individual level, a cybersecurity attack can result in everything from identity theft, to extortion attempts, to the loss of important data like family photos. Everyone relies on critical infrastructure like power plants, hospitals, and financial service companies. Securing these and other organizations is essential to keeping our society functioning.
Everyone also benefits from the work of cyberthreat researchers, like the team of 250 threat researchers at Talos, who investigate new and emerging threats and cyber attack strategies. They reveal new vulnerabilities, educate the public on the importance of cybersecurity, and strengthen open source tools. Their work makes the Internet safer for everyone.
Cybersecurity threatscape: Q1 2021
Contents
Summary
Highlights of Q1 2021 include:
To protect from cyberattacks, follow our general recommendations for ensuring personal and corporate cybersecurity. Also, given the specifics of the attacks in the past quarter, we strongly recommend that you install security updates in a timely manner and pay special attention to protecting virtual infrastructure. You can strengthen security at the corporate perimeter by using modern security tools, for example, web application firewalls for protecting web resources. To prevent malware infection, we recommend using sandboxes to analyze the behavior of files in a virtual environment and detect malicious activity.
Statistics
The number of incidents in Q1 2021 increased by 17% compared to the same period in 2020, and compared to the Q4 2020, the increase was 1.2%, with 88% of the attacks targeting organizations. Cybercriminals typically attacked government institutions, industrial companies, science and education institutions. The main motive for attacks on both organizations and individuals remains acquisition of data. Attackers’ main targets are personal data and credentials, and attacks on organizations are also aimed at stealing intellectual property.
77% of attacks were targeted
12% of attacks were directed at against individuals
Elusive malware
Ransomware is predictably the most popular type of malware. Its share, among other malware used in attacks on organizations, increased by seven percentage points compared to Q4 2020 and is now 63%. Emailing remains the prevailing method of delivering malware: attackers used it in six out of ten malware attacks on organizations. Individuals are still most often attacked by banking trojans, spyware, and malware that provides remote access to the device.
Malware developers continue to look for new ways of bypassing security measures. To achieve that goal, attackers, for example, use unpopular programming languages, as in the case of BazarBackdoor (RAT), which was rewritten in Nim; the ransomware operators of Vovalex and RobbinHood chose such uncommon languages as D and Golang, respectively, from the get-go.
Some attackers have upgraded their tools with features that erase traces of malicious activity—as seen in such miners as OSAMiner, Black-T and Pro-Ocean. The code of the OSAMiner cryptominer, which targets macOS-based devices, contains a function that allows killing the Activity Monitor process, along with other monitoring and anti-malware tools. Activity Monitor is the Mac equivalent of Task Manager. The Black T miner, which targets Unix systems, clears bash history after deploying its payload and erases all traces of its own activity. The added openly accessible function for hiding the process is called libprocesshider; if detected, it may lead security experts to assume the presence of a malicious load. This tool is also used by attackers who distribute the Pro-Ocean miner, which attacks Apache ActiveMQ, Oracle WebLogic, and Redis servers, and checks the target environment before installation. At this stage, it determines whether to hide the malware, and if, for example, the malware finds itself in the Tencent Cloud or Alibaba Cloud environment, it starts the process of deleting monitoring agents.
Having analyzed the latest attacks by the RTM APT group, the PT ESC team found that the attackers were using packers as a service to bypass security tools. This approach greatly complicates a search for known signatures, but behavioral analysis of files in the sandbox allows detecting malicious activity. In addition, the use of cryptors does not affect interaction between the malware and management servers, which means that they can be detected by analyzing network traffic.
A cryptor (packer) is a program that uses cryptographic methods to package malware in order to hide it from security tools during signature analysis.
Since the beginning of 2021, RTM has added the Quoter ransomware to their arsenal. According to researchers, if the banking Trojan has failed to complete its tasks and collect information from the infected host, the attackers launch Quoter onto the company’s network as Plan B. Following the example of other ransomware operators, RTM employ the strategy of double extortion in their attacks. The group still uses social engineering methods as the main method of delivery, sending phishing emails to victims.
The group’s activity in Q1 2021 decreased compared to Q4 2020, but this may indicate that the attackers are busy developing new attack techniques or refining existing tools for now.
Ransoms keep going up
Every third attack in Q1 involved ransomware operators. At the end of 2020, healthcare was the most frequently attacked sector, but in Q1 2021, the first place was shared by industrial, scientific and educational organizations. They amounted to 30% of all incidents involving ransomware; 28% of the attacks were directed at governmental and medical institutions.
In about seven out of ten ransomware attacks on organizations, email was used as a method of delivering the malware, and in a quarter of cases, attackers exploited vulnerabilities and searched for unprotected resources accessible from the Internet.
The 5 most active ransomware programs in Q1 2021
New players appearing on the scene
In early 2021, several new ransomware programs appeared: Cring, Vovalex, Babuk Locker, Phoenix CryptoLocker, Hog, and Humble.
Hog is currently targeting individuals. Its operators decrypt the victims’ devices only if they connect to their Discord server. The use of Discord was previously seen in other hackers’ attacks and is becoming a frequent practice. Hog operators could be testing new techniques.
Astronomical ransoms
Due to the fact that some companies refuse to pay the ransom, ransomware operators are forced to come up with new tactics. These days, if the company is refusing to pay, the attackers threaten to report the attack and the data theft to its customers. The fraudsters expect that the customers will persuade the company to pay a ransom to prevent the disclosure of their data.
Old players making a comeback
The WannaCry ransomware that thundered around the world four years ago is back in the game. According to Check Point, the number of affected organizations in March 2021 increased fortyfold compared to October 2020. The malware is being distributed using the EternalBlue exploit. The extortionists mostly attack government institutions and defense contractors, while the industrial sector ranks second, and financial organizations and medical institutions rank third and fourth, respectively.
New features
REvil has acquired a new feature: the ability to run the encryption process in Windows safe mode, which enables the malware to bypass security measures. Conti (Ryuk) developers have supplemented it with the ability to spread to other devices within the domain. It is distributed over the network through shared network resources, where it creates copies of itself, and files are launched by creating tasks in the Windows task scheduler.
Secure storage of stolen data
Darkside operators, who attacked the Brazilian electric power company Companhia Paranaense de Energia (Copel), stealing about 1 TB of sensitive information, use their own method of data storage. They do not store stolen information on specially created private websites, as this is not safe. Instead, they have developed a distributed database: the data is stored on different servers. This helps to limit the number of individuals who can look at the data and avoid losing access to stolen information due to possible blockages.
Figure 14. DarkSide ransomware tool detected using PT Sandbox
Fear of liability
Ziggy operators, in the wake of the news about the capture of the attackers who distributed Netwalker and the destruction of the Emotet botnet infrastructure by law enforcement agencies, announced the end of their hacking career and promised the victims who paid them a ransom to return the money.
Insecure software
The first quarter of 2021 will be remembered for aggressive exploitation of vulnerabilities in the Microsoft Exchange Server software (ProxyLogon vulnerabilities) and Accellion FTA. The ProxyLogon vulnerabilities were exploited by distributors of the Black Kingdom and DearCry ransomware tools, Lemon_Duck cryptocurrency miner operators, and other APT groups.
Vulnerabilities in the outdated Accellion FTA data transfer software were exploited by Clop operators and the cybercriminal group FIN11: about 100 organizations were affected. About a quarter of these organizations suffered from major data breaches: the Singapore-based mobile operator Singtel, law firm Jones Day, universities in Miami and California, U.S. Bureau of Shipping, rail operator CSX, and aircraft manufacturer Bombardier. Centene, which was also affected by the vulnerabilities, filed a lawsuit against Accellion. The claim demands reimbursement of expenses associated with recovering from the attack.
The vulnerability CVE-2015-1427 in Elasticsearch allows attackers to bypass the sandbox protection mechanism and execute arbitrary commands. This quarter, it was used by operators of three botnets: z0Miner, Skidmap, and WatchDog. Another botnet, FreakOut, expanded with the help of vulnerabilities in TerraMaster (CVE-2020-28188), Zend Framework (CVE-2021-3007), and Liferay Portal (CVE-2020-7961).
Speaking of vulnerabilities, we cannot fail to mention the incident with SonicWall, the manufacturer of information security systems, which was hacked via a zero-day vulnerability in the NetExtender and Secure Mobile Access VPN products in late January. It was followed by media reports of attacks on the company’s customers who were using the vulnerable solutions. For example, this opportunity was used by the UNC2447 group, which distributes the FiveHands ransomware (an updated version of DeathRansom) through the WarPrism loader or the SombRAT backdoor. According to researchers, the attackers were exploiting the vulnerability even before a security update appeared. Presumably, SonicWall did not alert its customers on time to the identified breach or a need to take protective measures.
Targeting virtual infrastructure
Q4 2020 saw a trend for attackers gearing their malware toward attacks on virtual infrastructure, and in Q1 2021, this trend consolidated. We can link this primarily to the global process of moving corporate IT infrastructure into a virtual environment. Attackers carefully monitor information about new vulnerabilities and try to find a use for these in their attacks as soon as possible. In early 2021, our experts helped to eliminate several critical vulnerabilities in VMware products, including CVE-2021-21972 in vCenter Server, which allowed remote code execution. At the time of publication, we estimate that the number of devices vulnerable to CVE-2021-21972 worldwide exceeded 6,000. After the vendor’s security updates appeared in early February and the bulletin was published, Bad Packets researchers discovered multiple network scans conducted to find vulnerable hosts.
Darkside, RansomExx and Babuk Locker operators are aggressively exploiting other vulnerabilities in VMware products to encrypt data stored on virtual hard drives, such as the remote code execution vulnerabilities CVE-2019-5544 and CVE-2020-3992.
Figure 15. An offer of access to networks using VMware ESXi
Attackers who distribute the Hildegard Trojan purposefully attack Kubernetes environments. To hide their malware, they use several techniques at once, including encrypting the payload, masking the malicious process as the bioset process in Linux and using the Dynamic Linker Hijacking technique.
Figure 16. An ad for virtual or cloud infrastructure hacking services
Gaining access to virtual infrastructure and cloud services is a fairly popular topic on the darkweb. The services of so-called brokers are also used by ransomware operators for acquiring credentials to log in to the systems. In addition to ready-to-use access to certain companies, attackers post offers to hack companies to order on darkweb message boards.
Targeting software developers and cloud services
The number of attacks on IT companies has not decreased since the beginning of Q4 2020. The main motive of hackers attacking this industry is to obtain data (66%). In 27% of the incidents, hackers sought financial gain, and in 15% of the cases, companies were hacked to facilitate subsequent attacks on their customers.
The consequences of the attack on SolarWinds were evident still even in early 2021. Thus, in early March, news about the attack on the IT company Robotron appeared in the media. The incident also affected the company’s customers who installed malicious updates for the Werkzeugkasten backup server. The investigation revealed that the company’s network was compromised as a result of the attack on SolarWinds. According to Robotron, the first victim to install malicious updates was a small company in the Netherlands (neither the name nor even the industry in which the company operates were disclosed). Under the guise of updates, the BlockKopieren ransomware was distributed.
Supply chain attacks did not spare information security companies. In early February, the French company StormShield reported that its systems had been hacked. Attackers compromised the technical support portal. As a result of the incident, the source code of the Stormshield Network Security software firewall was stolen. It can be assumed that the attackers will examine the stolen code to find vulnerabilities in the software. In early January 2021, Malwarebytes, which produces information security tools, suffered due to a vulnerability in an application that has privileged access to Microsoft Office 365 and Azure. Note that in half of the attacks on this industry, attackers exploited software vulnerabilities.
The share of RATs increased by 23 percentage points compared to Q4 2020. In one of the campaigns, the attackers distributed it under the guise of Xcode, a free IDE for the Apple ecosystem. SentinelOne researchers discovered this malware in the legitimate project TabBarInteraction. The campaign is aimed at developers who will then inadvertently distribute remote control malware to their clients as part of the project. Another attack aimed at software developers involved hacking the official PHP Git repository and adding malicious commits. It is noteworthy that the attackers managed to add well-known developers’ signatures to the commits.
Popular cloud services that facilitate interaction and simplify companies’ IT infrastructure also became a favorite target for attackers. The reason for this phenomenon is that by attacking a cloud service provider, hackers can gain access to the customers’ data, as it happened, for example, during the January incident with the Bonobos clothing store. The store suffered a data leak due to an attack on the cloud service provider that the company used to store customer credentials and personal data. A similar incident occurred with the network equipment manufacturer Ubiquiti.
According to the United States Cybersecurity and Infrastructure Security Agency, hackers managed to find a way to bypass two-factor authentication to compromise cloud services. This was achieved through a «pass the cookie» attack.
In this type of attack, attackers intercept the session of an already authenticated user or use stolen session cookies to authenticate with a web resource.
Wiretapping, interception of messages, and news about 5G
The number of attacks on telecom companies doubled compared to Q4 2020.
In 71% of the attacks, the attackers pursued the motive of obtaining data. The 5G technology turned out to be really interesting topic for hackers, perhaps due to the fact that they want to understand the features of its implementation in order to subsequently conduct attacks on subscribers. As part of a major cyberespionage campaign, hackers created a fake website that mimics Huawei’s official job portal. Upon visiting this resource, a malicious Flash application was installed on the victim’s computer, which acted as a loader for a subsequent installation of Cobalt Strike Beacon. At least 23 telecommunications companies fell prey to this campaign.
In early 2021, researchers from ClearSky reported on a campaign they identified, which collected sensitive data. Conducted by the Volatile Cedar cybercrime group, the campaign began in Q3 2020 and continues to this day. During the attacks, hackers exploit the web vulnerabilities CVE 2019-3396 (Atlassian Confluence), CVE 2019-11581 (Atlassian Jira) and CVE 2012-3152 (Oracle Fusion). among the victims of this campaign were, for example, the American telecom company Frontier Communications, the Egyptian mobile operator Vodafone Egypt, the Israeli National Information Technology Center, as well as the telecom companies Mobily and Saudinet in Saudi Arabia, and other major companies in the industry.
Malware was used in 91% of the attacks. Most (55%) of the incidents involved RAT, as in the case of USCellular. This fact may indicate that access to telecom companies is of high value to hackers: it can be sold on a darkweb forum or used in further attacks on subscribers.
Figure 20. An ad for access to the SS7 network and cybercriminal services
Access to telecom equipment can allow attackers to intercept calls and messages of subscribers, track their location, and conduct fraudulent operations.
Governmental institutions are the most frequently attacked organizations
Since 2017, governmental institutions have topped our rankings of the most frequently attacked organizations. For their malicious actions, hackers mainly used malware (63% of attacks) and social engineering techniques (56%). The exploitation of web vulnerabilities ranks third: the share of this method (22%) increased by 13 percentage points compared to Q4 2020. Most often, attackers exploited vulnerabilities that were popular in Q1 2021, such as the ProxyLogon vulnerability used, e.g., in the incident with the Norwegian parliament and a vulnerability in Accellion FTA, which affected the audit service of the state of Washington. The APT groups LuckyMouse, Tick, and Calypso, which target organizations in the United States, Europe, Asia, and the Middle East, including governmental agencies, were also seen exploiting the ProxyLogon remote code execution vulnerability (CVE-2021-26855). The purpose of these campaigns was to obtain data.
The share of ransomware operators in attacks on governmental institutions is increasing: they were found in 70% of malware attacks. In addition to ransomware, attackers also used banking Trojans (18% of malware attacks), RATs (13%), and spyware (8%).
Figure 22. Sample of phishing email from the APT group SideWinder for a targeted attack on the Embassy of Pakistan in China
About the research
In this quarterly report, Positive Technologies shares information on relevant global IT security threats. The information draws on our own expertise, the outcomes of investigations and data from authoritative sources.
We believe that the majority of cyberattacks are not made public due to reputational risks. The result is that even organizations that investigate incidents and analyze activity by hacker groups are unable to do a precise count of threats. This research aims to draw the attention of companies and common citizens who concern themselves with the state of information security to the key motives and methods of cyberattacks, and to highlight the main trends in the changing cyberthreat landscape.
In this report, each mass attack—for example, when attackers send phishing email to multiple addresses – is counted as a single incident. Definitions of terms used in this report are available in the glossary on the Positive Technologies site.