Nuspire released a report which outlines new cybercriminal activity and tactics, techniques and procedures (TTPs) with additional insight from Recorded Future.
“As companies return to a hybrid workplace, it’s crucial that they are aware of the evolving threat landscape,” said Craig Robinson, Program Director, Security Services at IDC. “The data highlighted in this threat report by Nuspire and Recorded Future shows that security leaders need to stay vigilant as threat actors see opportunity in the continued era of remote access.”
Increase in VPN attacks
In Q1 2021, there was a 1,916% increase in attacks against Fortinet’s SSL-VPN and a 1,527% increase in attacks against Pulse Connect Secure VPN. These vulnerabilities allow a threat actor to gain access to a network. Once inside, they can exfiltrate information and deploy ransomware.
“2020 was the era of remote work and as the workforce adjusted, information technology professionals scrambled to support this level of remote activity by enabling a wide variety of remote connectivity methods,” said J.R. Cunningham, CSO at Nuspire. “This added multiple new attack vectors that enabled threat actors to prey on organizations, which is what we started to see in Q1 and are continuing to see today.”
Because of the significant increase in VPN and RDP vulnerabilities, the report finds that malware, botnet and exploitation activity are down compared to Q4, but threat actors are still on the prowl.
- Emotet botnet activity dropped 99.96% after the announcement of law enforcement seizing its infrastructure. This is likely attributable to the shutdown of the command-and-control infrastructure through a global initiative announced by Europol during Q1. This collaborative effort by the United States, Netherlands, Germany, United Kingdom, France, Lithuania, Canada and Ukraine allowed law enforcement to seize Emotet servers and shut them down.
- ZeroAccess botnet activity surged during one week by 619,460% before trailing off toward the end of the quarter. ZeroAccess has come and gone over many Nuspire threat reports and usually appears in massive bursts of activity before going quiet, sometimes for months, before re-emerging. This could be due to retooling or re-theming of malware associated with ZeroAccess.
- SMB login brute force attempts accounted for 69.73% of all exploit activity witnessed in Q1. Similar to the activity observed in Q4, these attacks came in a very active “wave” near the end of the quarter. The volume of activity made this the most-witnessed exploit attempt of the quarter. This is a trend that we can expect to continue. Organizations should be aware of their exposed services and ensure mitigations are in place to prevent these types of attacks.
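The SMB brute-force "wave" described above is one of the easier trends to surface from logs a defender already collects. The following is an added example, not code from the Nuspire or Recorded Future report: it counts failed network logons per source address inside a sliding time window and raises an alert when a source crosses a threshold. The log format is constructed for the demo and is a simplified stand-in for Windows Security event 4625 (failed logon) with logon type 3 (network), which is what password guessing against an exposed SMB service typically produces; the field layout, sample addresses and account names are assumptions.

```python
"""Flag network-logon brute-force waves from failed-logon events.

Added example. The log format below is constructed for this demo and is a
simplified stand-in for Windows Security event 4625 (failed logon) records
with logon type 3 (network), the signal an SMB password-guessing wave leaves.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: timestamp, event id, logon type, source IP, account.
# 203.0.113.10 sprays six accounts in four seconds; 198.51.100.7 is a user who
# logged on (4624) and later mistyped a password twice, hours apart.
SAMPLE_LOG = """\
2021-03-28T02:00:01Z 4625 3 203.0.113.10 administrator
2021-03-28T02:00:02Z 4625 3 203.0.113.10 admin
2021-03-28T02:00:02Z 4625 3 203.0.113.10 backup
2021-03-28T02:00:03Z 4625 3 203.0.113.10 svc_sql
2021-03-28T02:00:03Z 4625 3 203.0.113.10 guest
2021-03-28T02:00:04Z 4625 3 203.0.113.10 root
2021-03-28T02:01:10Z 4624 3 198.51.100.7 alice
2021-03-28T02:05:00Z 4625 3 198.51.100.7 alice
2021-03-28T09:00:00Z 4625 3 198.51.100.7 alice
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, event_id, logon_type, src, account = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "src": src,
        "account": account,
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {src_ip: alert} for every source that produced at least
    `threshold` failed network logons within any `window_seconds` span.

    Each alert records the failure count, the first and last timestamp of the
    offending window and the distinct accounts tried, which distinguishes a
    spray across many accounts from one user's repeated typo.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, account) inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Only failed (4625) network (type 3) logons count toward the wave.
        if ev["event_id"] != 4625 or ev["logon_type"] != 3:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["account"]))
        # Drop events that have aged out of the sliding window.
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            # Overwrite so the alert reflects the full extent of the wave.
            alerts[ev["src"]] = {
                "failures": len(q),
                "first": q[0][0],
                "last": ev["ts"],
                "accounts": sorted({a for _, a in q}),
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {alert['failures']} failed network logons "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}, "
              f"accounts tried: {', '.join(alert['accounts'])}")
```

The threshold and window are deliberately low so the demo trips on a handful of lines; in production they should be tuned against a baseline of normal failed-logon volume, and the per-source view should be paired with an inventory of which hosts actually expose SMB to the internet, since a source tripping this logic against an internet-facing share is exactly the exposure the report recommends eliminating.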