Leonardo’s Cyber Threat Intelligence team issued its quarterly report on the top threats identified by the company’s Security Operation Centre between the start of October and the end of December 2022. The analysis revealed some common features for the period:
- Ransomware, either entirely new or updated with new tactics, techniques and procedures, is still the most widespread attack method.
- Cyber-attacks continue to exploit the weak link in the cyber security chain, the human one.
- With callback phishing, the attack victim unknowingly becomes a participant in the attack itself.
MUTANTS: RANSOMWARE TRANSFORMS ITSELF TO GO UNDETECTED
Ransomware was confirmed as the leading cybercriminal threat in Q4 2022. Leonardo’s Cyber Threat Intelligence team again noted that ransomware – either entirely new compared with previously seen families or employing updated tactics, techniques and procedures – emerged as the most prevalent malware.
But there are developments: the report stresses that even known ransomware still poses a severe threat. Like viruses that attack the human body, these families ‘mutate’.
In this quarter, the team observed evolutions of existing malware, in particular ones that use various techniques to evade threat identification systems:
- Reprogramming in Rust, a cross-platform language that lets the same malware code base target different operating systems such as Windows and Linux, as seen with RansomExx2;
- Intermittent encryption, a new method that does not encrypt all of the data but only selected portions of each file. This dramatically increases the speed of the attack without reducing its effectiveness, and is used, for instance, by the Agenda ransomware;
- Timestomping, used by Punisher, which alters file timestamps so that files appear to have been created outside the time frame of the incident, often years earlier, making the attack much harder to detect.
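A defender-side check for the intermittent-encryption pattern described above, written as an added example and not taken from the Leonardo report: it sweeps a file in fixed-size windows, computes the Shannon entropy of each window, and flags a file when ciphertext-like and plaintext-like windows coexist. The window size, the two thresholds and the constructed sample data are assumptions.

```python
import math
import os
from collections import Counter

CHUNK_SIZE = 4096     # assumed sweep window; real ransomware skip sizes vary
HIGH_ENTROPY = 7.5    # bits/byte: ciphertext (and compressed data) sits near 8.0
LOW_ENTROPY = 6.0     # bits/byte: typical documents, source code, logs


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each consecutive window of the file."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes) -> str:
    """Return 'plain', 'fully_encrypted' or 'intermittent' from the window profile."""
    ents = chunk_entropies(data)
    if not ents:
        return "plain"
    high = sum(e >= HIGH_ENTROPY for e in ents)
    low = sum(e <= LOW_ENTROPY for e in ents)
    if high == len(ents):
        return "fully_encrypted"
    if high and low:
        return "intermittent"   # ciphertext-like windows interleaved with plaintext
    return "plain"


def build_sample(intermittent: bool) -> bytes:
    """Constructed sample: a repetitive 'document' in which, when requested,
    every other window is replaced by random bytes, as an intermittent encryptor
    that only touches part of each file would leave it."""
    text = (b"quarterly report, nothing secret here. " * 200)[:CHUNK_SIZE]
    chunks = [os.urandom(CHUNK_SIZE) if intermittent and i % 2 else text
              for i in range(8)]
    return b"".join(chunks)


if __name__ == "__main__":
    for label, blob in (("intact", build_sample(False)), ("partial", build_sample(True))):
        print(label, classify(blob), [round(e, 2) for e in chunk_entropies(blob)])
```

Archives, images and other already-compressed formats are naturally high-entropy, so the 'fully_encrypted' verdict needs a file-type or magic-byte check before it is treated as an indicator; the 'intermittent' verdict is the more distinctive signal.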
In addition, some of the new ransomware identified by the team have special characteristics that significantly increase their ease of use, effectiveness and destructive capabilities. These include:
- Azov, a new ransomware that scans a system’s drives and encrypts files irreversibly. Its special feature is that victims cannot contact the operators to pay a ransom, so, as with wiper software, recovering the encrypted files is impossible.
- Octocrypter and Alice, two new ransomware families run on a Ransomware-as-a-Service (RaaS) model: both include a builder feature that allows ‘customers’ to choose customised configurations, types of encryption, ransom notes and command-and-control settings, creating an attack vector that fits their needs precisely.
THE WEAK LINK: STILL HUMAN BEINGS
Regardless of the attack mode used, the weak link in the cyber security chain is still the human being. Indeed, cyber-attacks continue to exploit social engineering techniques, which seek to deceive the potential victim into parting with personal information and data, often by exploiting the person’s network of social relationships. The success of these techniques shows that knowing the risks is, unfortunately, still insufficient to enable people to react appropriately to ever-new and different techniques and ways of distributing threats.
In particular, in the October-December 2022 quarter, Leonardo’s Cyber Threat Intelligence team found many campaigns involving malspam (malware sent through email messages), mainly targeting Italian users, and phishing, designed to exfiltrate credentials and exploit known vulnerabilities to breach systems and then install malicious software.
CALLBACK PHISHING: THE VICTIM BECOMES A PARTICIPANT IN THE ATTACK
One particular phishing technique observed during the quarter is used by the threat actor Luna Moth, and it makes the victim the central player in the attack. The technique is called ‘callback phishing’, or TOAD (Telephone-Oriented Attack Delivery). Here, the perpetrators trick the victim into installing a malicious application. The victim receives an email with an invoice, saying that their subscription to a service (which they never requested) is expiring and will be renewed automatically. The email contains a telephone number to call to cancel the subscription. However, the cybercriminals who run the call centre guide the unwitting user into downloading software that, they claim, will cancel the subscription but in fact steals their data and information (which can also be used to steal money).
This technique appeared in late 2022 in another malicious campaign that targeted Italian online banking users. The campaign sought to acquire access credentials to banking portals and to distribute the Android ‘Copybara’ trojan, which allows the attackers to perform many intrusive actions and commit fraud.
This technique will probably become increasingly popular as it assures threat actors a considerable attack success rate for a minimal management cost.
For more information: cyberandsecurity@leonardo.com