Risk and Resilience Insights

Risk and Resilience Insights November 2019

Transcript of Risk and Resilience Insights

Page 1: Risk and Resilience Insights

Risk and Resilience Insights, November 2019

Page 2: Risk and Resilience Insights

Table of Contents

INTRODUCTION

KEY TAKEAWAYS: ONE MINUTE READ

HOW THEY DID IT

ANALYSIS AND COMMENTARY ON THE GLOBAL THREAT LANDSCAPE

ZIPS & TRICKS: ABSTRACTS FROM MIMECAST GLOBAL

REGIONAL TRENDS

PREDICTIONS FROM THE MIMECAST THREAT CENTER

CONCLUSION

GLOSSARY

Page 3: Risk and Resilience Insights

Threat Intelligence Report: Risk and Resilience Insights

Introduction

In the Mimecast Quarterly Threat Intelligence Report: Risk and Resilience Insights, researchers analyzed global attack activity from July to September and uncovered a mixture of simple, low-effort and low-cost attacks targeting Mimecast customers. At the same time, the data highlights complex, targeted campaigns leveraging a variety of vectors and lasting several days. These sophisticated attacks are likely carried out by organized and determined threat actors, employing obfuscation, layering, exploits, and encryption to evade detection. This research explores these themes through the lens of the four main attack categories discovered in the quarter: spam, impersonation, opportunistic, and targeted.

This report utilizes research conducted by the Mimecast Threat Center; its aim is to provide in-depth information about the nature of attack campaigns, to observe and anticipate the evolving nature of these threats, and to provide a set of recommendations to help guide organizations’ security decisions accordingly.

This report considers every major campaign carried out by threat actors and identified from Mimecast’s detection data over an entire quarter – July through September 2019 – inclusive of billions of emails processed in this period. The report identifies the trends that emerge from attacks, and assesses the likely future trends and activity given threat actors’ current behaviors, events, and technology. Taken together, these factors will impact the cybersecurity landscape going into 2020.

Mimecast is a cybersecurity provider that helps thousands of organizations worldwide make email safer, restore trust and bolster cyber resilience. Email is the number one threat vector facing organizations today, and our fully integrated, cloud-based services protect customers across the globe from incidents that typically start with email, including advanced cyberattacks, data loss, downtime, and human error. Mimecast services protect millions of employees at over 36,000 customers across a broad set of vertical markets in over 130 countries. Integrating with enterprise email platforms including Microsoft Exchange and Office 365, as well as Google, our services process more than two billion emails per day.

Page 4: Risk and Resilience Insights

Key Takeaways: One Minute Read

Mimecast threat researchers developed key insights about the types of attacks that proliferate each quarter, as well as new attacks cropping up. Overall, efforts to modify threats to evade detection within sandboxing continue apace, and some older forms of malware are being modified as extensively as newer forms to evade detection. Alongside this malicious software, threat actors’ impersonation efforts have continued to increase, with malicious voicemail messages appearing in recent detections. The threat is evolving and more nuanced than ever before. Malware-centric campaigns continue quarter over quarter. These campaigns are increasingly sophisticated and continue to use a diverse range of malware during the different phases of an attack, which is clearly pronounced in analysis of the most persistent attacks spanning a period of several days. Subscription-based Malware-as-a-Service models also continue to increase the availability of simple attack methods to a wider audience, while keeping older, well-known malware in circulation. The use of fileless malware is also increasing, and criminals are investing greater effort in impersonation attacks against businesses.

Researchers detected and analyzed the following campaign insights:

• There were 25 significant campaigns against various business sectors this quarter, which incorporated Azorult, Hawkeye, Nanocore, Netwired, Lokibot, Locky and Remcos, and involved a combination of mass generic Trojan delivery with more complex threats delivered simultaneously and/or in subsequent days. This demonstrates a level of sophistication that goes beyond an opportunistic cybercriminal; in addition, given the variety of businesses attacked, it is highly likely the attacks were carried out by organized groups for monetary gain.

• Emotet activity essentially ceased over the summer after its C2 servers were shut down in May; the lull also illustrates attackers’ tendency to take weekends and summers off.

• Bulk emailing, or spam, remains a significant, high volume means to distribute malware, and it relies on human error for success.

• The volume of impersonation attacks remains high, and now includes voice phishing – an advancing trend observed in this report.

• The campaigns observed in this quarter range from relatively simple phishing campaigns to complex multi-vector campaigns that alternate file types, attack vectors, types of malware and vulnerabilities. Three particular campaigns, in Australia, the UK and South Africa, were sustained over a number of days and are all likely attributable to organized criminal threats.

How They Did It

The Mimecast Threat Center team conducted round-table discussions to produce this report. Analysts use an uncertainty yardstick matrix, readily recognizable to any intelligence professional, which assigns a probability range to each key assessment and to the likelihood of any predicted future outcome being realized. Figure A shows the matrix used by the Mimecast Threat Center researchers and the probabilities that correspond to each assessment statement made throughout this report.

The team has the capability to research and study specific issues using the wealth of detection data collected by Mimecast, and is also trained to use open source intelligence (OSINT) and research techniques to provide an in-depth analysis of an issue or attack, giving context to the range of threats and activity various threat actors direct against customers. Working with a wide range of partner organizations including the security industry, academics, and law enforcement, the team aims to provide threat trends and insights to broadly increase cyber resilience for global enterprises and governments.

Qualitative Term       | Probability Range
-----------------------|-------------------
Remote Chance          | ≤ ≈5%
Highly Unlikely        | ≈10% – ≈20%
Unlikely               | ≈25% – ≈35%
Realistic Probability  | ≈40% – <50%
Probable or Likely     | ≈55% – ≈75%
Highly Likely          | ≈80% – ≈90%
Almost Certain         | ≥ ≈95%

Figure A: The Mimecast Threat Center’s Uncertainty Yardstick


Threat Report

www.mimecast.com | ©2019 Mimecast ALL RIGHTS RESERVED | GL-1131

Page 5: Risk and Resilience Insights

Analysis & Commentary on the Global Threat Landscape July - September 2019

The four primary threat categories analyzed in this report are spam, impersonation attacks, opportunistic attacks, and targeted attacks. Research shows these threats are widespread across all industry sectors and global regions; threat activity witnessed across Mimecast regions (global data centers that support the delivery of Mimecast cloud-based services) is continuing to increase over the previous year. Figure B illustrates the volume of threats blocked across these four primary categories, showing peak volume reached on September 18 with 1,136,000 combined threats detected on that day alone.

In addition to the four primary threat categories, the Mimecast Threat Center analyzed the landscape for targeted attacks and observations on malware.

Spam Campaigns

In the first primary attack category, researchers found bulk email campaigns continue to be used to spread malware, targeting industry sectors including Legal services, Software and SaaS, and Banking, as shown in Figure C. Campaign volume was at its highest during the week ending September 22, with more than 21 million threats blocked that week alone.

The increased spam activity in September coincides with the return of activity by the Emotet botnet on September 16, 2019, initially distributed with fileless malware on Day 1, but then resuming its more regular behavior of bulk attachment spam. The spam module uses the botnet to send phishing emails containing malicious URLs or attachments; other significant campaigns have coincided with more targeted attacks against the range of business sectors identified within this report, and this vector remains the most common, en masse form of attack still taking place. This cheap, low-sophistication, high-volume attack vector remains the predominant method to spread malware.

[Figure B: Volume of Threats Blocked Across Four Primary Categories (Spam, Impersonation Attacks, Opportunistic Attacks, Targeted Attacks), plotted per week ending 2019-07-07 through 2019-09-29; chart image not reproduced in this transcript.]

[Figure C: Spam campaign volume per sector, 0 to 40M: Manufacturing: Other; Retail & Wholesale; Finance: Banking; Professional Services: Legal; IT: Software & SaaS.]


Page 6: Risk and Resilience Insights

Impersonation Attacks

Social engineering - most commonly done through impersonation tactics - remains an effective tactic for threat actors and has shown a sustained increase throughout 2019. Attackers impersonate domains, subdomains, landing pages, websites, mobile apps, and social media profiles, many times in combination, to trick the target organization and/or its employees into surrendering credentials and other personal information, initiating fraudulent wire transfers, or installing malware. This increase in impersonation attacks that rely on social engineering instead of tactics detectable through email scans suggests an improvement in the industry’s email scan efficacy.

Management and Consulting remains the primary target of impersonation attacks, accounting for 15 percent of threat volume as shown in Figure D. The Legal sector has also become a significant target for this type of attack during this quarter, accounting for 12 percent of the attack volume. Due to the heavily interpersonal, social nature of these industries, Management and Consulting and Legal industries are suffering approximately twice as many impersonation attacks as other sectors. In addition, individuals at the C-suite level and those in positions to escalate privileges or access funds, such as finance, HR, and IT, have been heavily targeted and are at an increased risk of attack via impersonation.

In fact, recent developments show the evolution of impersonation into voicemail phishing messages, as used against a leading UK energy company¹. It is almost certain this form of attack will be used again in the coming year; data shows impersonation attacks made up 26 percent of total detections from July-September, and perhaps more significantly, the volume of these attacks grew by 18 percent since the last report.

1. https://www.telegraph.co.uk/technology/2019/08/31/manager-energy-firm-loses-200000-fraudsters-use-ai-impersonate/
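Domain impersonation, as described above, comes down to deciding whether a sender's domain really is the one it resembles. The following Python is an added example and not Mimecast's detection logic: it classifies a sender address against a hypothetical list of protected domains, catching homoglyph substitutions (rn for m, 1 for l), near-miss spellings within two edits, the same name under a different TLD, and the protected name planted as a subdomain of an attacker-controlled domain. The protected domains and sample addresses are constructed for illustration, and the registrable-domain helper assumes simple two-label domains (a real deployment would consult the public suffix list so that co.uk-style domains are handled).

```python
"""Classify a sender domain against a list of protected domains.

Added example (not Mimecast detection logic). PROTECTED_DOMAINS and the
sample addresses below are constructed for illustration.
"""

# Hypothetical domains the organisation wants protected from impersonation.
PROTECTED_DOMAINS = ["mimecast.com", "example-bank.com"]

# Substitutions attackers rely on looking alike; folded before comparison.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def fold_homoglyphs(label: str) -> str:
    """'rnimecast' -> 'mimecast', 'examp1e-bank' -> 'example-bank'."""
    out = label.lower()
    for bad, good in HOMOGLYPHS.items():
        out = out.replace(bad, good)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit insert/delete/substitute cost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(domain: str) -> str:
    """Crude eTLD+1: the last two labels. Assumption for this example only;
    production code should use the public suffix list (mimecast.co.uk etc.)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(address: str, protected=PROTECTED_DOMAINS) -> str:
    """Return 'legitimate', 'subdomain-abuse', 'lookalike' or 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    reg = registrable_domain(domain)

    # 1. Exact match on the registrable domain; this also accepts the
    #    organisation's own subdomains such as login.mimecast.com.
    if reg in protected:
        return "legitimate"

    # 2. Protected name used as a subdomain of somebody else's domain,
    #    e.g. mimecast.com.evil-login.net (the part the victim reads first).
    for p in protected:
        if ("." + p + ".") in ("." + domain):
            return "subdomain-abuse"

    # 3. Near miss on the registrable domain: homoglyph folding, a small
    #    edit distance under the same TLD, or the same name under another TLD.
    if "." not in reg:
        return "unrelated"
    r_name, r_tld = reg.rsplit(".", 1)
    for p in protected:
        p_name, p_tld = p.rsplit(".", 1)
        if fold_homoglyphs(r_name) == p_name:
            return "lookalike"
        if r_tld == p_tld and 0 < edit_distance(r_name, p_name) <= 2:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders covering each verdict.
    for addr in ["alice@mimecast.com", "alerts@login.mimecast.com", "it@rnimecast.com",
                 "ceo@mimcast.com", "ceo@mimecast.co", "secure@mimecast.com.evil-login.net",
                 "payments@examp1e-bank.com", "bob@google.com"]:
        print(f"{addr:42} {classify_sender(addr)}")
```

This check belongs after SPF/DKIM/DMARC alignment, not instead of it: an exact match on the registrable domain says nothing about whether the message was actually sent by that domain, and display-name impersonation ("CEO Name <random@gmail.com>") needs a separate check on the From header's friendly name.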

[Figure D: Impersonation attacks per sector, 0 to 20M: Travel, Hospitality & Catering; Real Estate; Finance: Banking; Professional Services: Legal; Professional Services: Management & Consulting.]

[Figure E: Opportunistic attacks per sector, 0 to 2M: Retail & Wholesale; Finance: Other Financial Services; Professional Services: Legal; Manufacturing: Other; Transportation, Storage & Delivery.]

Opportunistic Attacks

Opportunistic attacks are a continuing theme in the security industry; they utilize well-known malware and are expected to proliferate given they have shown sustained levels throughout 2019 and are relatively low effort for attackers.

Figure E shows that the Transportation, Storage and Delivery sector was subject to nine percent of the normalized opportunistic attack threat volume this quarter; it is consistently subject to sustained levels of threat and attack from all vectors. This is almost certainly due to the efforts of various APT actors, including state-sponsored APTs, to target the logistics and supply chains of their rivals.

The Legal sector suffered a significant seven percent of the attack volume. However, when compared to last quarter, these numbers are not as disproportionate, and data processing is no longer the clear focus of these attacks.


Page 7: Risk and Resilience Insights

ZIPs & Tricks: Abstracts from Mimecast Global

The trend data in this section of the report is based on Mimecast signature detections and does not include data from the other detection layers or applications available.

After analyzing data from all regions July-September 2019, the following patterns emerged:

• The overwhelming majority of attacks remain less sophisticated, volume forms of attack, although more complex attacks take place over a period of days. This is almost certainly a reflection of the increasing ease of access to online tools and kits for any individual to launch a cyberattack. The trend also reflects the challenge of human error: even the simplest attacks can be successful. As attacks progress, they include more potent forms of malware and ransomware.

• File compression is an attack format of choice. Compressed files allow the inclusion of a more complex and potentially multi-malware payload, but also serve as a very basic means to hide the true file name of any items held within the container. The ZIP format dominated detections throughout the quarter; this has been an ongoing trend throughout 2019 and ZIP is consistently the most commonly detected format for attack. It is highly likely that any permutation of a compression-related file format will feature prominently in future campaigns, and that every available form of file compression will remain attractive to threat actors.

• Specific sectors are repeatedly targeted. The top sectors for attack globally are, in order of targeting: Transportation, Storage and Delivery; Finance: Banking; and Professional Services: Legal. These three sectors have consistently remained subject to generally high levels of attack throughout the last two quarters. The Banking sector has been subject to the highest volume of attacks – more than five of the identified campaigns targeted this sector in the Australian and South African regions – and the sector sustained an eight-day campaign in mid-July in South Africa.

• Impersonation attacks are on the rise. Impersonation attacks now include a range of voice messaging and a generally less coercive form of communication, which presents as more nuanced and persuasive.
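The point above about compressed attachments hiding the true file name is easy to act on at the gateway, because an archive's central directory names every member without anything being extracted. The following Python is an added example, not Mimecast code: it triages a ZIP attachment from its central directory and flags executable and script members, double extensions such as invoice.pdf.exe, nested containers (including ISO, which appears in the regional campaigns later in this report), Office and RTF documents that deserve an exploit scan, password-protected members that antivirus cannot see inside, and suspicious compression ratios. The extension lists and the sample archive are constructed for illustration; RAR and ACE archives need a third-party library and are not handled here.

```python
"""Triage a compressed e-mail attachment without extracting it to disk.

Added example (not Mimecast code). The ZIP files are built in memory to
stand in for captured attachments; at a gateway the bytes come from the MTA.
"""
import io
import zipfile

# Inner file types that should never arrive inside a "document" archive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "cpl", "dll", "jar", "msi",
                   "vbs", "vbe", "js", "jse", "wsf", "ps1", "bat", "cmd", "hta"}
# A container inside a container: a second layer of name hiding.
NESTED_CONTAINER_EXTS = {"zip", "rar", "7z", "ace", "iso", "img", "gz", "arj"}
# Document types that may carry macros or OLE exploit objects (e.g. CVE-2017-11882).
DOCUMENT_EXTS = {"doc", "docm", "xls", "xlsm", "rtf", "ppt", "pptm"}


def extension_chain(name: str):
    """All extensions on a member name, in order: 'scan.pdf.exe' -> ['pdf', 'exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage_zip(blob: bytes, max_ratio: float = 100.0) -> dict:
    """Inspect a ZIP attachment via its central directory only.

    Returns lists of member names under these findings:
      executables      - script/executable extension
      double_extension - e.g. 'Invoice.pdf.exe', a disguised executable
      nested_archives  - another archive or disc image inside the archive
      documents        - Office/RTF members that need a macro/OLE scan
      encrypted        - password protected (scanners cannot see inside)
      bomb_suspect     - uncompressed size more than max_ratio x compressed size
    """
    findings = {k: [] for k in ("executables", "double_extension", "nested_archives",
                                "documents", "encrypted", "bomb_suspect")}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extension_chain(info.filename)
            last = exts[-1] if exts else ""
            if last in EXECUTABLE_EXTS:
                findings["executables"].append(info.filename)
                if len(exts) >= 2:
                    findings["double_extension"].append(info.filename)
            if last in NESTED_CONTAINER_EXTS:
                findings["nested_archives"].append(info.filename)
            if last in DOCUMENT_EXTS:
                findings["documents"].append(info.filename)
            if info.flag_bits & 0x1:  # general-purpose flag bit 0 = encrypted member
                findings["encrypted"].append(info.filename)
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                findings["bomb_suspect"].append(info.filename)
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings into block / review / allow."""
    if findings["executables"] or findings["double_extension"] or findings["bomb_suspect"]:
        return "block"
    if findings["nested_archives"] or findings["documents"] or findings["encrypted"]:
        return "review"
    return "allow"


def build_sample_zip(bomb: bool = False) -> bytes:
    """Constructed sample: the kind of 'invoice' archive the report describes.
    Member contents are placeholder bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_4471.pdf.exe", b"MZ" + b"\x00" * 64)          # disguised executable
        zf.writestr("Purchase Order.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)  # OLE document
        zf.writestr("readme.txt", b"Please see attached.")
        zf.writestr("backup.iso", b"\x00" * 32)                             # nested container
        if bomb:
            zf.writestr("bomb.txt", b"\x00" * 1_000_000)                    # ~1000:1 ratio
    return buf.getvalue()


if __name__ == "__main__":
    f = triage_zip(build_sample_zip())
    for key, names in f.items():
        print(f"{key:17} {names}")
    print("verdict:", verdict(f))
```

The compression-ratio check guards the scanner itself: a member that inflates a thousandfold should be refused before any downstream engine tries to expand it. Whatever lands in "review" still has to be opened (an ISO mounts as a drive on Windows 8 and later, so an .iso member is functionally a second archive).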

[Figure: File Types Detections Trend - All Regions, by month (July, August, September); chart image not reproduced in this transcript.]


Page 8: Risk and Resilience Insights

Regional Trends

The regional data that follows is compiled from Mimecast’s own detection signatures and identifies the specific file type or attack vector employed and detected. Across every region there are significant reductions in detections visible every Saturday and Sunday.

Australia

Australia is similar to other regions in that it was subject to high volumes of activity in the first two weeks of the quarter; ZIP files were the most common file type detected and the VBS file type saw increased use in mid-July, but activity has reduced significantly since. The Education sector was subject to the highest volume of attacks, followed by sustained levels of malicious activity against the Transportation, Storage and Delivery sector.

Australia has experienced multiple notable campaigns of significant volume against a variety of sectors this quarter:

1. The Legal industry was attacked on July 1, with 787 detections, July 8 (1,666 detections) and September 16 (2,226 detections); nearly all of the attacks used generic Trojanized ISO files through Andromeda, Noon, and Razy, and the attackers also sought to exploit CVE-2017-8570 and CVE-2017-11882. The Legal sector attacks are highly likely to have been organized criminal groups attempting to compromise their intended targets for monetary gain, given the access to significant funds which the sector is perceived to have. The Legal sector also has access to highly sensitive, valuable client information. Despite these factors, none of the targeted campaigns lasted for more than a day, and the attack vectors employed did not appear to significantly vary or evolve in terms of their complexity.

2. The Education sector was repeatedly attacked with a multitude of techniques. On July 18-19 there were 3,159 detections of phishing emails that used ZIP files to download the Krypt Trojan; there were 5,901 detections leveraging file compression attack vectors as a continued push to insert Locky ransomware and other generic Trojans on July 22-26; and 988 detections of a more diverse attack utilizing ZIP, RAR and RTF files containing generic Trojans such as Sonbokli and Eldorado on September 2. The attackers also sought to exploit the vulnerabilities CVE-2012-0158 and CVE-2017-11882. On September 16, the attack vector changed to legacy MS Office 97-format documents specifically targeting Windows machines to execute a malicious macro; these comprised 95 percent of attacks and could have downloaded several different types of malware had they been successful. It is highly likely that the threat actor was the same as in the earlier campaigns, and that they varied their attack vector due to the lack of success of those campaigns.

[Figure G: Australia file type detections trend by month (July, August, September); chart image not reproduced in this transcript.]


Page 9: Risk and Resilience Insights

3. In a similar but separate attack, the Higher Education sector was targeted on September 16. The campaign utilized the same diverse attack vector as the September 2 attacks against the Education sector – 89 percent of the files were detected as the same type. Trojanized VBA and DOCX files were also detected.

4. The Banking sector was attacked on August 13 (1,874 detections) and the Insurance sector was attacked on August 22 (1,618 detections). The one-day Banking campaign utilized the Cryxos RAT 1,728 times, comprising 92 percent of detections against this sector on that day.

The graph shows weekly peaks against the Education sector; these attacks are interesting as the Australian government has acknowledged these threats as a risk, given they took place soon after widely reported breaches at Australian universities. It is almost certain, given the complex, days-long, multi-vector nature of the campaign, that these attacks were interrelated, and state sponsored. Australia is almost certain to continue to suffer sustained and determined cyberattack campaigns, particularly against transportation and infrastructure given its strategic and geographic importance in the South China Sea and South East Asia areas. Additionally, Australia is positioned near to the Straits of Malacca, the world’s busiest trade route, carrying two-thirds of the world’s oil and a third of the world’s bulk cargo². US strategic interests in the region are maintained by key strategic partnerships including South Korea, Japan, the Philippines and Australia.

Relative to its size, Australia has suffered sustained attacks and targeting of its Education sector during this quarter. This threat was reported by media and acknowledged by the Australian government prior to this quarter, but it has clearly persisted. Given the lengthy, persistent campaigns targeting the Education sector, the repeated nature of the threat and the resource and effort this requires, it is almost certain that the threat actors involved represent an organized and determined criminal threat. Targeting is likely intended to impact or steal research and intellectual property, but may also be intended to monitor student activities or behavior.

As in other regions, Lokibot, Nanocore and Remcos feature significantly in any complex or persistent attack, with Nemucod, Cryxos and Locky additionally appearing as threats to this region during this quarter. This is indicative of different threat actors targeting this region.

2. https://geopoliticalfutures.com/the-importance-of-australia-to-the-united-states/ https://www.ussc.edu.au/analysis/the-future-of-the-us-australia-alliance-in-an-era-of-great-power-competition

Germany

Germany’s detections peaked at the beginning of the quarter, as in all other regions this quarter. Unlike other regions, however, Germany experienced another peak at the beginning of August, and overall German regional activity differed significantly from that of other regions. For example, threat actors used some threats unusual for this region, such as the Ordinypt malware, which had not yet been detected in other regions. It is highly likely this malware will evolve to target a wider range of languages, and therefore regions, within the next quarter.

[Figure: Australia daily detections by month (July, August, September), y-axis 0 to 70k; chart image not reproduced in this transcript.]


Page 10: Risk and Resilience Insights

Similar to other regions, ZIP files are the most detected file type containing malware. RAR files, though, are more prominently detected in Germany: 33 percent of all detections used RAR files, nearly double most other regions. Other forms of file compression were also present in Germany during the period, chosen for their simple obfuscation: the VBS file type saw increased use from the end of July to mid-August, and the ACE file type has also been a significant attack vector.

The two distinct cyberattack campaigns within the German region during this quarter highlight a lack of significantly targeted behavior compared to other regions, with a range of disparate sectors targeted in both campaigns:

1. A general campaign deploying the Nymeria/Loda Trojan³ (ZIP). Nymeria/Loda is a keylogging remote access tool (RAT).

2. A volume phishing campaign targeted against a human services company utilizing the Wisdomeyes Trojan⁴ in a variety of emails with RAR files attached and containing a Win32 executable file.

On July 18, 2019, a wide-ranging attack against the Science and Technology, Pharmaceuticals, and Government and Human Services sectors utilized RAR, ZIP, VBS and RTF files in volume. These emails overwhelmingly employed generic Trojans such as Andromeda, Fareit, Krypt, Kryptik and Netwire. However, Lokibot, Ordinypt⁵ and the very old Mydoom worm also appeared in these detections. The attackers sought to use the following exploits: CVE-2012-0158, CVE-2017-0199, CVE-2017-8570, CVE-2017-8759, CVE-2017-11882 and CVE-2018-0802. CVE-2017-11882, the Microsoft Office Equation Editor vulnerability, was used far more frequently than any other exploit.

Of the 4,574 detections that day, 73 percent were Trojans with varying degrees of significant obfuscation. This was markedly different from the region’s usual daily detection activity. In addition, the use of Nymeria/Loda is generally representative of opportunistic criminal behavior given its broad use across the region, but the attack on July 18 was more sophisticated. The attack employed a range of malware across other sectors in the quarter, suggesting this campaign was undertaken by an organized crime group with a specific objective for monetary gain.

United Kingdom

The Transportation, Storage and Delivery sector was the most attacked industry this quarter, followed by the Legal sector. Similar to other regions, file compression attack vectors were the most common due to their basic file obfuscation.

3. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/NymeriaandThreatID=2147728477 https://www.virustotal.com/gui/file/29ff9482eecd8854c2a8aa8c7e6ba6b4e7fa44b9f304c0e11d7149eb9ecf1ae4/detection

4. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/WisdomEyes.A https://www.virustotal.com/gui/file/ede91703bb5a02965a53b95ae7c23456ab8b7eff5504a2364a60daf4d7b8bae2/detection

5. https://www.scmagazineuk.com/fake-resume-emails-attempt-spread-ordinypt-wiper-german-recipients/article/1599276
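The regional campaign summaries repeatedly name CVE-2017-11882, the Microsoft Office Equation Editor memory-corruption flaw, alongside macro-laden legacy Office documents. The following Python is an added example, not Mimecast code: it identifies an attachment as RTF, legacy OLE or OOXML from its magic bytes and looks for the structural indicators those exploit and macro documents leave behind. It assumes the public indicators that open-source signatures rely on: the Equation.2/Equation.3 object class and the \objupdate control word in RTF, the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046} hex-encoded in little-endian field order inside \objdata, the "Equation Native" and "_VBA_PROJECT" directory-entry names stored as UTF-16LE in a compound file, and a vbaProject.bin part or an Equation ProgID in OOXML. The sample documents are constructed to carry only these indicators and contain no exploit code.

```python
"""Heuristic triage of Office/RTF attachments for macro and Equation Editor
(CVE-2017-11882 / CVE-2018-0802) exploit indicators.

Added example, not Mimecast code. Indicator strings are assumptions drawn
from public signatures; the samples are constructed and carry no exploit.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # compound file header
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as it is
# hex-encoded (little-endian field order) inside an RTF \objdata stream.
EQNEDT_CLSID_LE_HEX = b"02ce020000000000c000000000000046"
# Compound-file directory entry names are UTF-16LE; a raw byte search for them
# is enough for triage without a full CFB parser.
OLE_EQUATION_STREAM = "Equation Native".encode("utf-16-le")
OLE_MACRO_STORAGE = "_VBA_PROJECT".encode("utf-16-le")

# Indicators that justify blocking on their own; anything else is "review".
RISKY = {"equation-object", "eqnedt-clsid", "equation-native-stream",
         "embedded-equation-object", "equation-progid", "vba-project"}


def scan_rtf(data: bytes) -> set:
    """RTF: Equation.x object class, forced object load, known CLSID, odd objdata."""
    flags, low = set(), data.lower()
    if re.search(rb"\\objclass\s*equation\.[23]", low):
        flags.add("rtf:equation-object")
    if b"\\objupdate" in low:
        flags.add("rtf:objupdate")              # loads the object without a click
    if EQNEDT_CLSID_LE_HEX in low:
        flags.add("rtf:eqnedt-clsid")
    if b"\\objdata" in low and b"\\objclass" not in low:
        flags.add("rtf:objdata-without-class")  # common in malformed exploit RTFs
    return flags


def scan_ole(data: bytes) -> set:
    """Legacy .doc/.xls: Equation Native stream or a VBA project storage."""
    flags = set()
    if OLE_EQUATION_STREAM in data:
        flags.add("ole:equation-native-stream")
    if OLE_MACRO_STORAGE in data:
        flags.add("ole:vba-project")
    return flags


def scan_ooxml(data: bytes) -> set:
    """.docx/.docm/.xlsm: VBA part, embedded Equation object, Equation ProgID."""
    flags = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lname = name.lower()
            if lname.endswith("vbaproject.bin"):
                flags.add("ooxml:vba-project")
            elif "/embeddings/" in lname:
                blob = zf.read(name)
                if blob.startswith(OLE_MAGIC) and OLE_EQUATION_STREAM in blob:
                    flags.add("ooxml:embedded-equation-object")
            elif lname.endswith("document.xml") and b'progid="equation.' in zf.read(name).lower():
                flags.add("ooxml:equation-progid")
    return flags


def triage_document(data: bytes) -> dict:
    """Pick the scanner from the magic bytes and return kind, indicators, verdict."""
    if data.startswith(OLE_MAGIC):
        kind, flags = "ole", scan_ole(data)
    elif data.startswith(b"PK\x03\x04"):
        kind, flags = "ooxml", scan_ooxml(data)
    elif data.lstrip().startswith(b"{\\rt"):      # '{\rtf1' and the truncated '{\rt' Word accepts
        kind, flags = "rtf", scan_rtf(data)
    else:
        kind, flags = "unknown", set()
    if any(f.split(":", 1)[1] in RISKY for f in flags):
        verdict = "block"
    else:
        verdict = "review" if flags else "allow"
    return {"kind": kind, "indicators": sorted(flags), "verdict": verdict}


# Constructed samples: structural indicators only, no exploit payload.
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 0105000002000000" + EQNEDT_CLSID_LE_HEX + b"}}}")
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 504 + OLE_EQUATION_STREAM + b"\x00" * 32


def build_sample_docx(with_macro: bool) -> bytes:
    """Minimal OOXML container, optionally carrying a (placeholder) vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + OLE_MACRO_STORAGE)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("rtf", SAMPLE_RTF), ("ole", SAMPLE_OLE),
                        ("docm", build_sample_docx(True)), ("docx", build_sample_docx(False))]:
        print(label, triage_document(blob))
```

These are triage heuristics, not a parser: an attacker can split the CLSID hex with RTF control words or whitespace, which is exactly why the objclass and objupdate checks are kept alongside it, and why a document that survives triage should still go to a sandbox before release. The same indicators are cheap to run on the members surfaced by an archive scan.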

[Figure: Germany file type detections trend by month (July, August, September); chart image not reproduced in this transcript.]


Page 11: Risk and Resilience Insights

The UK region suffers cyberattacks across a range of its sectors; this quarter illustrated the diversity of the threat posed to various organizations and sectors. The Transportation, Delivery and Supply sector has consistently been among the top three targeted sectors throughout 2019 and this quarter; the UK Legal and Finance sectors are also persistently targeted due to the sensitive or valuable information they work with and the significant funds that either pass through or are available to them. All the significant campaigns witnessed in the UK during this quarter combined mass generic Trojan delivery with more complex threats at the same time and/or in subsequent days. This shows a level of sophistication beyond that of an opportunistic attacker, making it highly likely that all the identified attacks were carried out by organized criminal groups for monetary gain, particularly given the disparate sectors of the economy attacked.

However, seven campaigns emerged throughout the quarter as highly significant due to their complexity and volume:

1. On July 8, 2019, a campaign against the Legal sector emerged with 7,018 detections, comprising high volumes of ZIP and RAR files with significant additional use of ISO files in an attempt to evade detection. Generic and aging Trojans such as Andromeda, Eldorado and Fareit were used in concert with more recent and potent threats including Azorult, Remcos and Nanocore. Notably, attackers leveraged Barys malware, which uses Dropbox online file storage. The attackers attempted to exploit the following vulnerabilities: CVE-2010-3333, CVE-2012-0158 and CVE-2017-11882. The most attacked vulnerability was again CVE-2017-11882, the Microsoft Office Equation Editor vulnerability.

2. From July 24-26, 2019, the Insurance sector was attacked with 15,660 detections. The detections included a range of generic Trojans, although Nanocore B and Lokibot were both present. A courier delivery brand also featured significantly in phishing emails as an attack vector, although perhaps more significantly, the Remcos malware was detected in RAR files together with Azorult and Nanocore, demonstrating the ability of file compression to obfuscate powerful malware. Additionally, the attackers attempted to exploit the following vulnerabilities: CVE-2012-0158, CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 and CVE-2017-11882. The most attacked vulnerability was again CVE-2017-11882.

3. On July 29, 2019, the Manufacturing: Apparel/Textiles sector saw 7,237 detections; 27 percent of detections were obfuscated RTF files, which researchers note is highly unusual for UK activity, although ZIP and RAR formats also featured in attacks. The attack primarily used a range of generic Trojans in invoicing and order phishing emails with attachments; the most significant threat in these emails was Hawkeye malware. The vulnerabilities attacked included CVE-2012-1058, CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802. The most frequently targeted vulnerability was again CVE-2017-11882.

4. On August 7, the UK saw 10,729 detections against the Real Estate sector, made up of RAR and ZIP files containing purportedly scanned or copied documents. Among the typical generic Trojans such as Eldorado, Fareit, Kryptik and Sonbokli were more serious threats including Remcos and Nanocore malware. Unlike other campaigns, this wave of malware relied primarily on email infection and did not appear to attempt to exploit particular vulnerabilities, which is highly likely due to the detected malware’s capability to compromise both Mac and Windows machines. What is interesting is that this attack complemented standard phishing attacks with the addition of specific malware attempting to compromise Macs; Windows vulnerabilities did not play a significant role in this particular campaign, which sets it apart from every significant campaign in every other region during this quarter.

5. On August 27, 2019, the UK saw 6,622 detections against the Construction sector; this campaign utilized file compression attack vectors including RAR and ZIP files as well as VB droppers, accounting for a spike to 3,070 VB dropper detections and comprising almost 11 percent of UK detections on this date. Notably, their use was negligible in the days immediately before and after this campaign. The vulnerabilities attacked included CVE-2012-1058, CVE-2017-8570 and CVE-2017-11882. The most frequently targeted vulnerability was again CVE-2017-11882.

6. Research also uncovered peaking Emotet activity, visible on September 16 and September 25, across all sectors with no apparent target vertical.


Page 12: Risk and Resilience Insights

United States of America

Due to the higher volume of customers centralized in the US, threat detections tend to be higher as well. Similar to the UK, the US showed a significant peak in activity in the first two weeks of the quarter. This activity can be attributed to the XLS file type, and as with other regions, compressed file formats were a common attack vector. Hawkeye, Netwire, Nanocore and Lokibot malware were the most significant threats deployed in this region during campaigns in this quarter, while every campaign utilized a mixture of generic Trojans with more significant threats.

The Manufacturing and IT sectors were the most attacked in the US this quarter, although a range of industries were impacted. All six US campaigns have been single-day attacks; this is markedly different from the other regions, namely Australia, the UK and South Africa, each of which have experienced more complex attacks over multiple days. The US appears not to have been subject to the extreme peak levels of more complex and evolving attacks during this quarter, and notably, the generic Trojans in the US this quarter included additional variants not apparent in attacks on our other regions.

1. July 6, 2019: The Manufacturing sector experienced a campaign comprising 11,165 detections. One particular manufacturing location was attacked with a variety of generic malware Trojans including Fareit, Eldorado, Dapato, Zmutzy and Razy utilizing ZIP and RAR files as the primary formats; the documents featured Shipping and Purchase Order/P.O requests within document names. However, the Netwire RAT posed a more substantial threat, and 62 percent (6,955) of the attacks against this sector attempted to exploit the CVE-2017-11882 vulnerability on that day.

2. July 23, 2019: A campaign against the Construction sector comprised 5,061 detections, attacking a trio of construction and materials companies. This attack was predominantly phishing via invoices and scanned plan documents, and utilized fileless malware in 62 percent (3,165) of the detections. The most significant threat detected was Nanocore, and the CVE-2012-0158 and CVE-2017-11882 vulnerabilities were also significantly attacked.

3. September 1, 2019: A campaign against the Education sector comprised 4,853 detections. One particular organization in North Carolina was targeted by phishing emails with purchase orders. Nanocore and Lokibot were detected, and this campaign again focused on the use of fileless malware, featuring in 96 percent (4,656) of detections. There was no apparent effort to attack or exploit any vulnerabilities.

4. September 8, 2019: A campaign against the Energy and Utilities sector comprised 12,579 detections, with one particular company attacked. 94 percent of detections were RAR-based, and fraudulently branded courier delivery emails featured in this campaign. The more significant threats detected included Hawkeye and Lokibot delivered via RAR, and again, the CVE-2012-0158 and CVE-2017-11882 vulnerabilities were significantly attacked.

[Chart residue: legend entries July, Aug, Sep; the chart data is not recoverable from this transcript.]


Page 13: Risk and Resilience Insights

5. September 25, 2019: A campaign against the Banking sector comprised 4,840 detections; 30 percent of the malware was Emotet, while 42 percent were VBA files. Given Emotet’s significantly increased global activity on this day, it is highly likely that the Emotet threat actors specifically targeted this sector in the US for monetary gain.

6. September 25, 2019: A campaign against the Construction sector encompassed 3,768 detections. Similar to another US campaign, a number of fraudulent courier delivery emails appeared, leveraging generic Trojans such as Eldorado and Kryptik, while more significant threats included Lokibot, Hawkeye, and Emotet. This campaign featured 21 percent Emotet and 38 percent VBAs, with significant obfuscation and anti-analysis measures to evade detection.

Given the single-day attacks, bulk threats, fileless malware and additional significant threats, it is highly likely that all the campaigns in the US were carried out by organized criminal groups for monetary gain, except for the attack on the Energy and Utilities sector on September 8, 2019. Due to the nature of the single entity targeted in this campaign, the peak attack volume and the complexity of the threat, it is highly likely that this attack was carried out by a state-sponsored threat actor or an affiliated APT.

South Africa

South Africa experienced the single longest-running campaign of any region during this quarter, from July 8-15, 2019; the campaign employed a complex and varying array of generic Trojans, significant threats, exploits and file types. The July 4, 2019 campaign was likely an initial campaign by the same threat actors as the more sustained July 8-15 campaign, given the similarity of its attack vectors to the initial phase of the lengthier campaign. It is almost certain that an organized criminal group or APT carried out these campaigns, given the resources and effort required to sustain this level of determined attack over so lengthy a period.

Nanobot, Loki and Remcos were the most significant threats deployed against the sector; they were utilized in concert with a range of generic Trojans, which included types specific to attacks on this region in this quarter. And, like other regions, South Africa’s detections contained ZIP files (the most detected file type containing malware) as well as RAR files, which made up a consistently higher proportion of detections in South Africa than elsewhere, a trend shared with the UK.

[Chart residue: legend entries July, Aug, Sep; the chart data is not recoverable from this transcript.]


Page 14: Risk and Resilience Insights

1. July 4, 2019: A campaign against the Finance sector comprised 18,120 detections. The sector was attacked using generic phishing Trojans comprising 98 percent of the detections. The documents featured order inquiry and bank statement requests within document names. The attackers attempted to exploit the CVE-2012-0158 and CVE-2017-11882 vulnerabilities on this day.

2. July 8-15, 2019: The campaign against the Financial sector began on July 8 with 34,263 detections. The attack utilized ZIP, RAR, and HTML files containing generic Trojans such as Eldorado and Kryptik, very similar to the July 4 attack. Lokibot, Ponystealer, Remcos and Nanobot were also present at different stages of the attack, which encompassed 116,216 detections over eight days. The attackers also leveraged the exploits CVE-2017-11882, CVE-2010-3333, and CVE-2012-1856.

3. August 6, 2019: A new one-day campaign against the Finance sector took place, with 19,648 detections. ZIP and RAR files were the primary means of attack, and generic Trojans including Kryjetor and Sonbokli were used.

4. September 25, 2019: A new campaign in the Finance industry targeted a South African bank, with 14,400 detections. Phishing represented 96 percent of the campaign, and it leveraged the Fareit Trojan. Although this attack was high volume, it did not include any significant Emotet activity and had no real sophistication of the nature witnessed elsewhere this quarter. It is highly likely that it was an isolated campaign by an unidentified criminal threat actor, given the nature of the target sector. The attacks against the South African financial industry were lengthy and complex, leveraging a blend of techniques and malware to effect compromise. Notably, it was the only sector of the South African economy to experience a campaign of this magnitude.

The South African region suffered four major campaigns during this quarter; the Financial sector suffered the brunt of the impact on a scale not experienced anywhere else.


Page 15: Risk and Resilience Insights

THE FUTURE OF CYBERATTACKS: Predictions from the Mimecast Threat Center

Threat actors will continue to favor compressed file formats as a basic first tier of obfuscation. These formats are also attractive because newer products keep supporting them for backwards compatibility, so that older compression formats can still be decompressed and opened. Older or obscure file types, if readable with newer software, will be used in attempts to evade antivirus solutions, and these will be continuously updated with obfuscation through encryption and other techniques.

Voicemail impersonation will grow as an innovative means of attack. Scanner efficacy is currently high, meaning attachments will be on the decline. In the near term, industries will see the increased use of fileless malware via hyperlinks/URLs and the hosting of malicious content within cloud-based infrastructure; in addition, voicemail will feature more prominently. The potential for the addition of complexity and malicious payloads, as well as simple phishing, cannot be overlooked. In addition, because the processes and technology to automate voicemail attacks are already ubiquitous, these forms of voicemail phishing will become commonplace in 2020. In fact, the level of complexity this can already reach is clearly illustrated by recent reports related to a spoofed voicemail potentially having utilized artificial intelligence (AI) to defraud a UK energy company boss with the subsequent loss of £200,000. While the following examples are simple, they are representative of the ease with which this attack vector can be used.

Sample A: Voicemail spam and phishing. The message body and attached MP3 audio message both make the same statements, and this message was almost certainly generated via a commercial Voicemail-to-Email service, as claimed in the message. The message, in a male, US-accented voice, is: “Hi, this is John Doe from Acme Tech to review your policy information about the life insurance coverage that we helped you to obtain, please call us at 555-555-1234. It is important that you understand that your policies benefits can change over time, you wanna make sure you are aware of and understand them. It is also important for us to review your current beneficiary information. We’d like to spend a few minutes with you please call us back at 555-555-1234. We do look forward to speaking with you soon about the insurance policy you purchased through us. Thank you.” This number has been reported numerous times for both spamming and phishing.

Sample B: Phishing attack. This attack claims to contain a voice message and asks the recipient to open the attached message file (an Outlook OLE 2.0 MSG) to listen to it. Opening it presents three buttons that at first glance seem to relate to the voice message, but all three point to the same shortened URL (hxxp://x.co/6nayX). This link has since been shut down and therefore returns a 404 error; however, URL scanners still recognize the shortened URL as phishing.
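The tell in Sample B is structural rather than content-based: several differently labelled buttons that all resolve to one shortened URL. The following is an added example of how a gateway rule or analyst script could test for exactly that; it is written for this edit and is not Mimecast’s detection logic. The shortener list, both message bodies and the x.co path are constructed, and the check is generalized to any HTML body rather than the one MSG attachment the page describes.

```python
"""Flag voicemail-themed phishing whose call-to-action buttons funnel to one
shortened URL, as in Sample B. Added example, not Mimecast code; the shortener
list and the message bodies below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small list of public URL shorteners. x.co is the one named in Sample B.
SHORTENER_DOMAINS = {"x.co", "bit.ly", "tinyurl.com", "goo.gl", "t.co"}


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in a body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((label, self._href))
            self._href = None


def analyze_links(html_body: str) -> dict:
    """Group anchors by target and report shortener use and button funnelling."""
    parser = _LinkCollector()
    parser.feed(html_body)
    parser.close()

    labels_by_target = {}
    for label, href in parser.links:
        labels_by_target.setdefault(href, set()).add(label)

    shortener_targets = sorted(
        href for href in labels_by_target
        if urlparse(href).hostname in SHORTENER_DOMAINS
    )
    # A "funnel" is two or more differently labelled buttons leading to one URL.
    funnel_targets = {
        href: sorted(labels)
        for href, labels in labels_by_target.items() if len(labels) >= 2
    }
    return {
        "distinct_targets": len(labels_by_target),
        "shortener_targets": shortener_targets,
        "funnel_targets": funnel_targets,
        # Sample B shows both signals at once: a shortener that is also a funnel.
        "suspicious": any(t in funnel_targets for t in shortener_targets),
    }


# Constructed message bodies; the x.co path is a placeholder, not the page's link.
PHISH_BODY = """<html><body>
<p>You have received a new voice message (0:42).</p>
<a href="http://x.co/PLACEHOLDER">Play message</a>
<a href="http://x.co/PLACEHOLDER">Download</a>
<a href="http://x.co/PLACEHOLDER">Open in voicemail portal</a>
</body></html>"""

BENIGN_BODY = """<html><body>
<p>New voicemail from extension 2201.</p>
<a href="https://voicemail.example.com/msg/4471">Play message</a>
<a href="https://voicemail.example.com/settings">Notification settings</a>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("phish", PHISH_BODY), ("benign", BENIGN_BODY)):
        print(name, analyze_links(body))
```

The benign body keeps the same voicemail theme but uses distinct, first-party links, so the rule fires only on the funnelling-to-a-shortener combination rather than on voicemail wording alone.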

Transportation, infrastructure and logistics will remain a priority target. This prediction is particularly true for state-sponsored threat actors as they seek to degrade the logistical and supply capability of rivals. This activity will increasingly target the maritime domain due to its strategic importance to international trade, as well as the supply of any forces deployed overseas. This activity will take place on all sides as nation-states hone their cyberattack and defense capabilities.

Widespread adoption of 5G and the proliferation of IoT will lead to more sophisticated malware and higher attack volume. Longer term, this will be due to the increase in packet sizes and the volumes of data companies and governments can send, thereby increasing the opportunity for attackers to gain access to higher volumes of valuable data. Mobile technology will become more vulnerable to attack; the attack surface available for threat actors to exploit will continue to increase. IoT devices must be secured, or risk greater attack.


Page 16: Risk and Resilience Insights

What can you do?

This research demonstrates attackers’ ability to adapt to email scan efficacy and overall detection methods, their creativity in deploying both simple and complex threats, and their broad approach to different industries. Despite these challenges, a proactive approach to cybersecurity involves monitoring the external environment for cyber threats and adopting tools such as network penetration testing, strict controls governing access to internal systems, vulnerability scanning tools, data encryption, timely security updates, and network monitoring to detect system breaches when they happen.

Given the determination our criminal adversaries routinely show, the Mimecast Threat Center recommends:

1. Make patching a business priority so that systems remain up to date, and clearly detail the enhanced level of threat faced by older, unsupported or obsolete technologies when they are still used to do business.

2. Increase user awareness and keep users informed on current, prevalent threats; this should be a priority to avoid the risk posed by simple human error. Indeed, this is of paramount importance now, given the mounting risk around impersonation attacks and voicemail phishing attacks.

3. Adopt a stance stressing the importance of security controls and resilience in the face of ever-evolving threats. With the specter of a cyberattack that ransomware poses, now is the time for organizations to seriously consider their ability to recover from a successful attack when it happens to them, and to consider in detail how the organization might continue “business as usual” under circumstances where there is a potential recovery time of six months and the loss of crucial data. Only fallback capabilities in relation to cloud and web-based email and data archiving can provide this kind of business continuity.


Page 17: Risk and Resilience Insights

Conclusion

The most recent Quarterly Threat Intelligence Report, released in August 2019, highlighted a blend of simple and complex attacks. These themes are again apparent this quarter: attackers are continuing to use high-volume commodity malware or simple social engineering techniques as a blanket strategy; at the same time, however, other attackers invest effort into a targeted industry attack, leveraging unique malware and smart attack techniques. However, as the detailed campaign research in this report has shown, high-volume, unsophisticated attacks are often incorporated into more complex campaigns, sometimes spanning several days of varied threat activity and incorporating a number of attack vectors in sustained attempts to compromise their targets.

The “simple” tactics are also continuing to develop in complexity, with older file types and malware being recycled and modified, and levels of obfuscation added to attempt to evade detection. Threat actors continue to use evasion techniques to avoid detection at the gateway, and multiple layers of obfuscation to avoid detection at the endpoint. The use of multiple forms of malware in a layered attack has now become synonymous with any determined attacker, and reconnaissance efforts by threat actors are continuing as well, as they try to evade detection and understand how to slip past increasingly sophisticated controls. Simple social engineering techniques continue to evolve as they attempt to stay ahead of user awareness and seek to take advantage of human error, which is responsible for the overwhelming majority of breaches.


Page 18: Risk and Resilience Insights

Glossary

Nanocore or Nanobot: A remote access tool (RAT) used to take control of Windows computers. Nanocore has been available since 2013 and is sold for legitimate purposes online. It has been repurposed by criminals and primarily infects targets via a ZIP-archived executable or MSOffice documents containing macros.

Loki or Lokibot: An information-stealing, keylogging banking Trojan used against Windows computers. Lokibot has been available since 2017 and is primarily delivered by MSOffice documents containing macros.

Remcos: A remote access tool (RAT) used to take control of Windows computers. Remcos appeared as a threat in 2016. It is spread through malspam campaigns and normally infects through attachments such as MSOffice documents.

Azorult: A commonly bought and sold information stealer or keylogger used to attack Windows computers. Azorult first appeared in 2016 and has been repeatedly modified. Azorult has been seen using the ISO file format and VBS.

Hawkeye: Yet another remote access Trojan (RAT), offered as-a-service. Hawkeye has been available since 2013.

Nemucod: A downloader commonly spread through malspam containing malicious attachments that execute heavily obfuscated JavaScript. Its payload is normally Locky, Pony, Emotet, or Ursnif.

Locky: A form of ransomware delivered by the Necurs botnet. It has been active since 2016 and is primarily delivered via malspam documents, including MSOffice documents and ZIP files. It is known to be particularly evasive.

Netwire: A publicly available, multi-platform remote administration tool (RAT) in use since 2012; it has been repurposed by cyber criminals as malware. This RAT is particularly interesting for its claimed ability to infiltrate any operating system. Netwire has been known to be delivered by documents and exploits.

Barys: The Barys Trojan is primarily utilised as a dropper for other malware but can also make use of Dropbox online file storage. It is normally delivered via malspam campaigns.

Cryxos RAT: Cryxos Trojans display a notification message stating that the user’s web browser has been blocked due to an infection and that their personal details are being stolen. The user is advised to call a telephone number for assistance in removal. Some versions have been modified to be ransomware.

Targeted Attacks

Throughout the quarter, Mimecast uncovered 25 significant campaigns carried out by threat actors which demonstrate their capability to conduct complex, varying campaigns spanning several days of activity and leveraging a variety of attack methods. For example, this includes the use of bulk and attachment-based malware, fileless malware, URLs, exploits and a variety of complex malware which includes significant obfuscation.

Malware Observed

Across the Mimecast regions, researchers detected a complex range of malware, some of which has been around for many years and other more recent threats. Many threats are increasingly automated, which is apparent within the daily detections data over periods of time, as there is little change in detection numbers from one day to the next in relation to many of the specific file types used in particular attacks. The following identified threats are described in order of the frequency of their individual use within the significant attacks detailed over this quarter:

Page 19: Risk and Resilience Insights

Figure L identifies the file types detected as threats throughout this quarter by Attachment Protect. This data varies from the detection data at the other layers between July and September 2019. All the detected threats within this dataset are categorized by the file type used to deliver their malicious payload. The dominant file type has varied considerably within the three-month period, and it is apparent that older file types are returning to use as threat actors attempt to circumvent detection efforts. Additional measures that are widespread and commonly employed are basic obfuscation via file compression, file renaming and double extensions, together with the increasing use of encryption and complex obfuscation. There has been a general trend away from file attachments towards URL links, and this is developing further into malicious content hosted within the cloud, as criminals take efforts to evade detection by any means possible. MSOffice documents remain a significant attack vector, whether hidden in archive containers such as ZIP and RAR files or attached as is. This is clearly a result of the numerous exploitable vulnerabilities present within its various iterations, as our campaign analysis repeatedly shows, particularly in those versions which are older and no longer supported. In July 2019 threat actors began to deploy malware in volume using older archiving formats, including the .ACE and .LHA formats. These threats are also detected and blocked by Mimecast before they reach Attachment Protect.

Figure L: File types detected as threats by Attachment Protect, July to September 2019 (chart not reproduced in this transcript).
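The prediction earlier in the report that compressed and legacy formats will keep serving as a first tier of obfuscation, and this section’s remarks on file renaming, double extensions and the return of .ACE and .LHA, both come down to one defensive check: trust the bytes, not the file name. The following added example (written for this edit, not Mimecast’s detection code) identifies an attachment’s container from its header bytes and flags names that disagree with it. The signature table uses standard published magic values, and every sample attachment is constructed, header only.

```python
"""Classify an email attachment by its content rather than its name, and flag the
renaming, double-extension and legacy-archive tricks the report describes.
Added example, not Mimecast code; all sample attachments are constructed."""

# (offset, magic bytes, container family). LHA keeps its method id ("-lh5-" etc.)
# at byte offset 2; ACE keeps "**ACE**" at byte offset 7.
SIGNATURES = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"Rar!\x1a\x07\x00", "rar"),      # RAR 4.x
    (0, b"Rar!\x1a\x07\x01\x00", "rar"),  # RAR 5.x
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"\x1f\x8b", "gzip"),
    (7, b"**ACE**", "ace"),
    (2, b"-lh", "lha"),
]

# Which container family each archive extension claims to be.
EXT_FAMILY = {"zip": "zip", "rar": "rar", "7z": "7z", "gz": "gzip",
              "ace": "ace", "lha": "lha", "lzh": "lha"}
LEGACY_FAMILIES = {"ace", "lha"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def identify(data: bytes) -> str:
    """Return the container family the bytes actually are, or 'unknown'."""
    for offset, magic, family in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return family
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the real content and list findings."""
    exts = filename.lower().split(".")[1:]
    declared = exts[-1] if exts else ""
    actual = identify(data)
    findings = []
    # 1. Renamed archive: the content is an archive but the name says otherwise.
    if actual != "unknown" and EXT_FAMILY.get(declared) != actual:
        findings.append("extension_mismatch")
    # 2. Double extension: a document-looking name ending in an executable type.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and declared in EXECUTABLE_EXTS:
        findings.append("double_extension")
    # 3. Legacy archive format (.ACE/.LHA) that modern tools still open.
    if actual in LEGACY_FAMILIES:
        findings.append("legacy_archive_format")
    return {"filename": filename, "declared": declared, "actual": actual,
            "findings": findings}


# Constructed sample attachments (header bytes only; no real payload).
SAMPLES = [
    ("Purchase_Order.zip", b"PK\x03\x04" + b"\x00" * 26),
    ("Shipping_Doc.pdf", b"PK\x03\x04" + b"\x00" * 26),
    ("Invoice.pdf.exe", b"MZ" + b"\x00" * 62),
    ("scan.zip", b"\x00" * 7 + b"**ACE**" + b"\x00" * 20),
    ("statement.lha", b"\x22\x00-lh5-" + b"\x00" * 20),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        result = inspect_attachment(name, blob)
        print(f"{name:20} declared={result['declared']:4} actual={result['actual']:7} "
              f"findings={result['findings'] or 'none'}")
```

Only the first sample passes clean; the other four each trip a different combination of the checks, which is the point: a gateway that keys on the declared extension alone sees four ordinary-looking names.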