[German]ESET has presented its Thread Report 2022 with various statistics and explains, for example, the drastic drop in RDP attacks at the beginning of 2022. Palo Alto Networks provides an overview of which ransomware groups have which share of infections. LockBit currently seems to be by far the most successful group. The "flop of the week" is about a USB security stick from Verbatim that is easy to hack.
Advertising
ESET Thread Report 2022
Security vendor ESET has released its 54-page Thread Report T1 2022, which includes statistics on what's been going on in 2021 through Q1 2022 in terms of malware and cyberattacks. For example, ESET is involved in the current Ukraine conflict, analyzing cyberattacks related to the ongoing war and mitigating them if necessary. In the process, it was discovered that the notorious Industroyer malware, which attacks high-voltage switchgear, is back.
Just before the Russian invasion, ESET telemetry recorded one of two sharp declines in RDP attacks (see above tweet). For more than two years, attacks on RDP to try passwords had been steadily increasing. That changed radically, as brute-force attempts against RDP dropped 41% on Jan. 10 and the number of unique clients dropped 40% between T3 2021 and T1 2022. ESET researchers' explanation for the drop in RDP attacks are:
- End of the pandemic, so less work from home;
- increased awareness of this type of threat by IT departments and improved security of corporate environments;
- and this trend could be related to the war in Ukraine.
But even with this decrease by 3. Almost 60% of the inbound RDP attacks observed in T1 2022 occur from Russia. Here are the statistics of the sources of RDP attacks:
- Almost 60% of the reported 121 billion RDP attack attempts came from Russia,
- followed by Germany (16%) and the US (5%).
- The countries where most RDP passwords were guessed (via brute force) were France (16%), Spain (14%) and Germany 8%).
Another side effect of the war: while ransomware threats have tended to avoid targets in Russia in the past, according to our telemetry, Russia was the most frequently attacked country during this period. Lockscreen variants were even detected that included the Ukrainian national greeting "Slava Ukraini" (Glory to Ukraine). It comes as little surprise to the researchers,
Unsurprisingly, the war was also exploited by spam and phishing threats. And what about the "hit list" of the most frequently exploited vulnerability?
Advertising
In December 2021, the Log4J vulnerability explosively became the second most abused external network attack vector, accounting for 13% of attacks and stealing glory from ProxyLogon (1%). More details can be found in the 2022 Thread Report.
Attack statistics of ransomware groups
I also found interesting the statistics on the distribution of ransomware cases across different actors published by Palo Alto Network in this post. According to the overview in the following tweet, LockBit is the most successful, followed by Conti Group.
Since its launch, the LockBit 2.0 RaaS group has recruited partners via recruitment campaigns on underground forums, making it particularly prolific in the third quarter of calendar year 2021. LockBit 2.0 operators claimed to have the fastest encryption software of any active ransomware strain in June 2021. Accordingly, the group claims that this contributed to their effectiveness in this area.
Palo Alto's team continuously monitors network attacks and looks for insights that can help defenders. In a recent report, Network Security Trends: November 2021 to January 2022, Unit 42 summarized key trends in network security. For example, cross-site scripting continues to be a commonly used technique. Among some 6,443 newly disclosed vulnerabilities, the researchers found that a large proportion (nearly 10.6 percent) still involve this technique.
Also, the number of serious network attacks increased in the last quarter analyzed (2021). For the first time, high severity attacks accounted for more than half of the observed attacks. Starting the week of December 6, large amounts of traffic to critical vulnerabilities related to the Apache log4j remote code execution vulnerability were observed. In the past quarter, attempts to exploit recently disclosed and severe vulnerabilities continued to represent the majority of observed threats.
Hackable USB security stick
Verbatim offers a USB security stick (Keypad Secure) for storing data with AES encryption. The USB stick even has its own keyboard for entering a PIN code. However, a security researcher discovered that this USB stick had vulnerabilities that could be used to bypass the security mechanisms and access the encrypted data. The flash memory was not soldered, but was an SSD with an M.2 connector. So he attached the SSD to a computer and was able to crack the passcode within seconds – also because the USB stick did not delete the data after 20 incorrect entries.
Advertising
