# Cybersecurity threatscape: Q3 2019

ptsecurity.com

## Contents

- Symbols used
- Executive summary
- Statistics
- Attack number
- Attack methods: malware use, social engineering, hacking, web attacks, credential compromise
- Victim categories: government, industrial companies, financial institutions, science and education
- What companies can do to stay safe
- How vendors can secure their products
- About the research
- Group profiles

## Symbols used

- Attack targets: computers, servers, and network equipment; web resources; humans; POS terminals and ATMs; mobile devices; IoT.
- Attack methods: malware use; credential compromise; social engineering; hacking; web attacks.
- Victim categories: finance; government; healthcare; science and education; military; industrial companies; online services; hospitality and entertainment; transportation; IT; retail; individuals; telecom; blockchain; other.

## Executive summary

Highlights of Q3 2019 include:

- Unique cyberincidents are growing, with a six-percent increase in their number compared to the previous quarter.
- Targeted attacks continue to predominate over mass ones: 65 percent of the total in Q3 versus 59 percent in Q2. Organizations around the world are at risk of APT attacks. Top targets of APT groups include governments, industrial companies, the financial sector, and science and education.
- [TA505, an APT group, has expanded its reach to new countries](https://www.ptsecurity.com/ww-en/about/news/ta505-rising-to-become-worlds-most-dangerous-cybercriminal-group/) and sectors.
- By a two-to-one ratio, data theft is a more common motivation for attackers than direct financial gain.
- Personal data accounted for one quarter of all data stolen from organizations. From individuals, data thieves most frequently made off with usernames and passwords, which comprised 47% of data stolen from individuals.
- Malware infections are on the rise. Three quarters of attacks on organizations, and nearly two thirds of attacks on individuals, involved malware infections.
- Spyware was responsible for one in three malware infections among both organizations and individuals. Just as ransomware accounts for a high percentage of infections of organizations (27%), adware hits individuals particularly hard (21%).
- In 81 percent of cases, malware infections of corporate infrastructure started with a phishing message. For individuals, the most frequent attack vector was visiting a malicious website: 35 percent of malware infections in Q3 took place in this way.

## Statistics

In Q3, data theft was the motivation for 61 percent of attacks on organizations and 64 percent of attacks on individuals (compared to 58% and 55%, respectively, in Q2). Direct financial gain, at 31 percent, was equally popular as a motivation for attacks against both organizations and individuals. Attackers seeking direct financial gain from organizations generally use ransomware to demand a ransom for decrypting the victim's data. Against individuals, such direct gain tends to involve intrusive advertising and mobile apps with subscriptions to paid services.

Figure 1. Attackers' motives (in attacks on organizations: access to information 61%, financial profit 31%, hacktivism 7%, cyberwar 1%; in attacks on individuals: access to information 64%, financial profit 31%, hacktivism 5%)

Breaches of personal data remain a major concern. In Q3, personal data accounted for one fourth of all data stolen from organizations. The [General Data Protection Regulation (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679) took force in 2018. This September, reports appeared of a [EUR 645,000 fine for a Polish shopping site](https://globaldatareview.com/article/1197780/poland-hits-shopping-site-with-its-largest-gdpr-fine-to-date) after a breach of personal data for over 2 million site visitors in the previous year.
One out of five (19%) attacks in Q3 targeted individuals. Almost half (47%) of data stolen from individuals consisted of credentials. Users may fall victim to clever phishing attacks designed to trick them into revealing usernames and passwords. For example, [over 200 clients of Halyk Bank in Kazakhstan failed to notice a slight discrepancy in the online address of the bank](https://news.myseldon.com/en/news/index/213399649). As a result, they entered their credentials on a fraudulent site designed to imitate the real one.

Figure 2. Types of data stolen, in attacks on organizations and on individuals (personal data, credentials, payment card information, corporate secrets, medical records, client databases, personal correspondence, other)

The high proportion of targeted attacks is a trend we have noticed accelerating in 2019. From 47 percent in the first quarter, they rose to 59 percent in the second quarter and now 65 percent in the third quarter. We associate this trend with increased activity by APT groups. In Q3, the PT Expert Security Center (PT ESC) detected attacks by APT groups including TA505, RTM, Cobalt, Bronze Union, APT-C-35, KONNI, and Gamaredon.

Attackers continue to be interested in government targets. Such targets accounted for 23 percent of attacks, representing an increase of 4 percentage points over Q2. Attackers also pursue targets relating to industrial companies, finance, and education and science. We will detail some of these attacks later in this report.

Figure 3. Victim categories among organizations (government 23%, multiple industries 21%, industrial companies 12%, finance 9%, science and education 9%, healthcare 4%, other 4%, online services 3%, IT 3%, retail 3%, transportation 3%, hospitality and entertainment 3%, telecom 2%, blockchain 1%)

Figure 4. Attack targets, in attacks on organizations and on individuals (computers, servers, and network equipment; web resources; humans; IoT; mobile devices; POS terminals and ATMs)

As before, the most common cyberattack method is malware infection combined with social engineering. In Q3, three quarters (74%) of attacks on organizations involved infection with malware, representing an increase of 13 percentage points over Q2.

Figure 5. Attack methods

| Method | Organizations | Individuals |
|---|---|---|
| Malware use | 74% | 62% |
| Social engineering | 69% | 64% |
| Web attacks | 11% | 1% |
| Hacking | 11% | 11% |
| Credential compromise | 5% | 4% |
| Other | 4% | 1% |

Per-industry classification of cyberincidents by motive, method, and target (number of incidents in Q3 2019):

| | Government | Finance | Industrial companies | Healthcare | Online services | Hospitality and entertainment | IT | Science and education | Retail | Telecom | Transportation | Blockchain | Other | Multiple industries | Individuals |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Total | 69 | 28 | 37 | 11 | 10 | 8 | 10 | 29 | 8 | 7 | 8 | 4 | 12 | 65 | 73 |
| Target: computers, servers, and network equipment | 52 | 23 | 34 | 8 | 3 | 3 | 8 | 27 | 6 | 7 | 5 | 2 | 7 | 56 | 25 |
| Target: web resources | 14 | 2 | 1 | 1 | 7 | 4 | 2 | 1 | 2 | | 2 | 2 | 4 | 6 | 6 |
| Target: humans | 3 | 1 | 2 | 2 | | | | 1 | | | 1 | | 1 | 3 | 20 |
| Target: mobile devices | | | | | | | | | | | | | | | 21 |
| Target: POS terminals and ATMs | | 2 | | | | 1 | | | | | | | | | |
| Target: IoT | | | | | | | | | | | | | | | 1 |
| Method: malware use | 52 | 24 | 34 | 7 | 1 | 4 | 5 | 24 | 3 | 4 | 6 | | 6 | 56 | 45 |
| Method: social engineering | 49 | 24 | 35 | 8 | 1 | 4 | 5 | 23 | 3 | 4 | 7 | | 6 | 42 | 47 |
| Method: credential compromise | 3 | 1 | | | 1 | 2 | 1 | | | 1 | 1 | 1 | 1 | 3 | 3 |
| Method: hacking | 7 | 1 | 2 | | | | 3 | 3 | 1 | 1 | | 3 | 1 | 12 | 8 |
| Method: web attacks | 11 | 1 | 2 | | 6 | 2 | 1 | | 4 | | | 1 | 3 | 4 | 1 |
| Method: other | 2 | 1 | 1 | 2 | 2 | | | | | 2 | | | 2 | 1 | 1 |
| Motive: access to information | 46 | 27 | 33 | 5 | 7 | 7 | 7 | 9 | 4 | 5 | 8 | 1 | 10 | 28 | 46 |
| Motive: financial profit | 11 | 1 | 4 | 5 | | | 1 | 20 | 3 | | | 3 | 1 | 36 | 23 |
| Motive: hacktivism | 9 | | | 1 | 3 | 1 | 2 | | 1 | 2 | | | 1 | 1 | 4 |
| Motive: cyberwar | 3 | | | | | | | | | | | | | | |

## Attack number

Figure 6. Number of incidents per month in 2018 and 2019 (1 = January, 12 = December)

Figure 7. Number of incidents in Q3 2019, by week (all incidents; government; industrial companies; finance; science and education)

## Attack methods

Here we will describe the attack methods used by criminals, based on some of the highest-profile cyberincidents in Q3 2019.

### Malware use

During the third quarter, the PT ESC regularly recorded attacks by [APT group TA505](https://www.ptsecurity.com/ww-en/about/news/ta505-rising-to-become-worlds-most-dangerous-cybercriminal-group/). The group's arsenal includes Dridex (a banking trojan), Cryptomix (ransomware signed with certificates issued to dummy legal entities), ServHelper and FlawedAmmyy (remote administration trojans), and Upxxec (a plugin able to detect and disable a large range of antivirus software). The attackers made active use of phishing to send messages to organizations around the world related to finance, industry, government, science, and transportation. Some of their campaigns are analyzed in more detail in individual sections of this report.

In Q3, our experts also detected new activity by Bronze Union (also known as LuckyMouse or APT27), which uses ZxShell malware for remote access. The malware components had been digitally signed with compromised certificates belonging to various companies. Once installed, ZxShell is difficult to detect with normal antivirus techniques: the attackers place a special rootkit on infected systems to swap out the installation paths to malware modules with the paths to legitimate utilities upon access.

Figure 8. ZxShell installer signed with a compromised certificate

The operators of the [Sodinokibi ransomware, which we already covered in the second quarter](https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-2019-q2/), continue to act aggressively. A [breach of cloud provider PerCSoft](https://www.zdnet.com/article/ransomware-hits-hundreds-of-dentist-offices-in-the-us/) resulted in encryption of data belonging to the company's client base of approximately 400 dental clinics. In August, [over 20 Texas communities](https://dir.texas.gov/View-About-DIR/Information-Security/Pages/Content.aspx?id=155) fell victim to this ransomware. The attackers [constantly invent new methods](https://www.trendmicro.com/vinfo/in/security/news/cyber-attacks/texas-municipalities-hit-by-revil-sodinokibi-paid-no-ransom-over-half-resume-operations) for placing Sodinokibi on victim computers.

In the third quarter, mining software fell to 3 percent of attacks on organizations and just 2 percent of attacks on individuals. In our view, this is because attackers are gradually switching to malware with multifunction capabilities. One example is the Clipsa trojan, which can stealthily mine cryptocurrency, steal passwords, tamper with addresses of cryptocurrency wallets, and launch brute-force attacks against WordPress sites.

Figure 9. Types of malware, in attacks on organizations and on individuals (spyware, adware, banking trojans, RATs, cryptolockers, droppers, multifunctional malware, miners, other)

### Social engineering

In late August, [Emotet (one of the largest botnets in the world) resumed activity](https://www.bleepingcomputer.com/news/security/emotet-revived-with-large-spam-campaigns-around-the-world/) after a lull of several months. The botnet's operators offer malware as a service (MaaS): by providing access to Emotet-infected computers, they enable other cybercriminals to infect victims with additional malware. Since September, they have been sending out malicious mailings disguised as invoices, financial documents, [and even a free version of the new book by Edward Snowden](https://www.bleepingcomputer.com/news/security/emotet-tries-to-infect-you-by-claiming-its-snowdens-book/). The attachments to these messages infect the victim with the Emotet trojan.
With it, the botnet operators can place yet more malware on compromised devices, such as the Trickbot trojan or Ryuk ransomware, which are [frequently found together on infected machines](https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/).

Figure 10. Malware distribution methods, in attacks on organizations and on individuals (email, 81% for organizations; websites, 35% for individuals; other channels: compromised servers and workstations, official app stores, chat and SMS messages, fake updates, social networks)

For attackers, social engineering is a perennial favorite. This method figured in 69 percent of attacks on organizations in the third quarter, compared to 37 percent in the second quarter. Cybercriminals continue to rack up huge amounts by forging messages or employing business email compromise (BEC) to send phishing messages. They present themselves as belonging to a trusted company (such as a vendor) and send an invoice with their own bank account number. In the state of North Carolina, [Cabarrus County received an email](https://www.bleepingcomputer.com/news/security/north-carolina-county-lost-17-million-in-bec-scam/) stating that the account number of the county's construction contractor had changed. Not realizing that the message was a fake, the county transferred $2.5 million to an account belonging to cybercriminals instead of the contractor. A similar attack hit [Toyota Boshoku Corporation](https://www.toyota-boshoku.com/global/content/wp-content/uploads/190906e.pdf), which lost a whopping $37.5 million. According to the U.S.-based [Internet Crime Complaint Center (IC3)](https://www.bleepingcomputer.com/news/security/business-email-compromise-is-a-26-billion-scam-says-the-fbi/), worldwide losses from BEC fraud in the last three years top $26 billion.

A malicious link, even if sent from a trusted address, can be blocked by email security gateways. But cybercriminals keep finding ways to evade anti-phishing systems. In Q3, [attackers sent messages to bank employees with a link to a compromised SharePoint site](https://cofense.com/phishing-emails-using-sharepoint-slip-past-symantecs-gateway-attack-banks/). There the attackers had posted a document with another link, which led victims to a fake page asking for their username and password. If the phishing link had been included directly in the email message, anti-phishing systems might have blocked it. But SharePoint links had been whitelisted and therefore were not blocked.

Figure 11. Phishing attack involving compromised SharePoint resources

### Hacking

As we regularly remind readers, it is critical to keep software up to date. When a software vulnerability becomes known to the public, the first to get attacked are the organizations and individuals who have failed to install the relevant updates quickly. In one example in Q3, the eGobbler criminal group responsible for inserting malicious ads into web pages continued to exploit vulnerability [CVE-2019-5840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5840), affecting the Chrome browser for iOS, which had been patched back in June. But soon after the browser update was released, [eGobbler found a new vulnerability, this time in the WebKit engine](https://blog.confiant.com/malvertiser-egobbler-exploits-chrome-webkit-bugs-infects-over-1-billion-ads-6b8ccc41b0e6). The vulnerability allows displaying pop-up ads every time the keyboard is used for site navigation. The vulnerability has been fixed in iOS 13 and Safari 13.0.1.

[Last quarter, we mentioned critical RDS vulnerability CVE-2019-0708, better known as BlueKeep](https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-2019-q2/). In August, Microsoft fixed another two vulnerabilities in RDS. These new critical vulnerabilities, [CVE-2019-1181 and CVE-2019-1182](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181), resemble BlueKeep but affect more recent versions of Windows, including server versions.

### Web attacks

In late September, [an exploit became public for a zero-day vulnerability in the vBulletin forum engine](https://seclists.org/fulldisclosure/2019/Sep/31). News spread quickly of Remote Code Execution vulnerability [CVE-2019-16759](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759), exploitation of which does not require logging in to a vulnerable forum. [Some security experts state](https://twitter.com/cBekrar/status/1176803541047861249) that they had knowledge of the vulnerability years prior. At the end of September, the issue with vBulletin enabled attackers to [breach the Comodo forums](https://www.bleepingcomputer.com/news/security/comodo-forums-breached-data-of-over-170-000-users-up-for-grabs/). Reports indicate that data for over 170,000 users is being sold on the dark web.

For users who make online purchases, MageCart JavaScript sniffers remain a hazard. These sniffers are small scripts that attackers use to infect sites with online payment functionality. In Q3 2019, Trend Micro researchers [discovered malicious scripts on the sites of two major hotel chains](https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/). The attacks affected guests who paid for their stays via mobile devices. Experts established that the hotels had fallen victim to a [supply chain attack](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware). MageCart sniffers were placed on the site by means of an infected JavaScript library. This library was used by the company responsible for developing both of the hotel sites.

But web security is an issue for more than just online services and Internet stores. A file upload vulnerability in property management software [SuperINN Plus](<https://oag.ca.gov/system/files/Sark Notice of Data Security Incident (California)_1.PDF>) enabled attackers to hack the application by uploading a web shell (a PHP script that, when run on a server, enables remote command execution). In addition, the attackers were able to perform [SQL injection](https://www.ptsecurity.com/ww-en/analytics/knowledge-base/how-to-prevent-sql-injection-attacks/). They obtained the encrypted card numbers, personal data, and contact details for over 43,000 people. The attackers are believed to have succeeded in obtaining the decryption key. This incident underscores the need to regularly audit the security of web applications. Arbitrary File Upload is a widespread critical vulnerability, which in 2018 our experts [found in one out of every four web applications tested](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Web-Vulnerabilities-2019-eng.pdf).

### Credential compromise

No company is immune to compromised credentials. In so-called credential stuffing attacks, criminals try to obtain access to a system by re-using usernames and passwords already stolen in previous attacks or acquired elsewhere (such as on the dark web). In Q3 2019, [credential stuffing struck Transport for London](https://www.infosecurity-magazine.com/news/tfl-suspends-oyster-site/), which is responsible for managing the city's transportation network. The website for its Oyster system was temporarily closed due to the attack. Another victim was [State Farm](https://www.zdnet.com/article/state-farm-says-hackers-confirmed-valid-usernames-and-passwords-in-credentials-stuffing-attack/), a financial services and insurance company.
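The arbitrary-file-upload incident described under Web attacks above comes down to one missing validation step. The following is an added example, not code from the report or from SuperINN Plus: a weak upload handler of the kind that lets a PHP web shell onto disk, beside a hardened one that enforces an extension allowlist, checks the file content against the declared type, and stores the file under a server-chosen name. All function names, the sample upload bytes and the magic-byte table are our own assumptions.

```python
# Added example (not from the Positive Technologies report): weak vs hardened
# handling of a user-uploaded file. Function names and samples are constructed.
import os
import secrets
import tempfile

# Constructed sample uploads: a minimal PNG header and a PHP script body.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_BYTES = b"<?php echo 'placeholder script body'; ?>"

# Allowlist: extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised by validate_upload when a file fails any check."""


def save_upload_weak(upload_dir, client_filename, data):
    """The pattern behind the incident: the client-supplied name is used verbatim,
    so 'shell.php' is written as-is; if upload_dir is served by the PHP
    interpreter, the script runs on the next request."""
    path = os.path.join(upload_dir, client_filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def validate_upload(client_filename, data, max_bytes=MAX_BYTES):
    """Return the validated extension, or raise UploadRejected."""
    # 1. Drop any directory component the client sent (path traversal).
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # 2. Exactly one extension: rejects 'shell.php.png' and names with none.
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("file name must be name.ext with one extension")
    ext = parts[1]
    # 3. Extension allowlist (never a denylist of 'php', 'phtml', ...).
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    # 4. Size bounds.
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized upload")
    # 5. Content must match the declared type, not just the name.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    # 6. Cheap heuristic against image/PHP polyglots; a complement to 5, not a substitute.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded PHP tag")
    return ext


def save_upload_hardened(upload_dir, client_filename, data):
    """Validate, then store under a server-chosen random name. upload_dir is
    assumed to sit outside the web root and be served only via a download handler."""
    ext = validate_upload(client_filename, data)
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, stored_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)  # readable by the application only, never executable
    return path


def rejects(client_filename, data):
    """True if the hardened validator refuses this upload."""
    try:
        validate_upload(client_filename, data)
    except UploadRejected:
        return True
    return False


def demo():
    """Run both handlers on the constructed samples and report what each did."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = os.path.basename(save_upload_weak(tmp, "shell.php", PHP_BYTES))
        good = os.path.basename(save_upload_hardened(tmp, "photo.PNG", PNG_BYTES))
    return {
        "weak_stored_as": weak,                            # 'shell.php' lands on disk
        "hardened_stored_ext": good.rsplit(".", 1)[1],     # 'png' with a random stem
        "hardened_rejects_php": rejects("shell.php", PHP_BYTES),
        "hardened_rejects_double_ext": rejects("shell.php.png", PNG_BYTES),
        "hardened_rejects_mismatch": rejects("photo.png", PHP_BYTES),
        "hardened_rejects_traversal": rejects("../../shell.php", PHP_BYTES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```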
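Credential stuffing of the kind that hit Transport for London and State Farm has a recognisable shape in an application's own login log: many different usernames from one source, one attempt each, and a low but non-zero success rate. The following is an added example, not part of the report: a sliding-window detector run over a constructed login log, which also lists the accounts that authenticated from a flagged source so they can be reset. The log format, addresses (RFC 5737 documentation ranges) and thresholds are our assumptions.

```python
# Added example (not from the Positive Technologies report): flagging credential
# stuffing in a login log. Format, addresses and thresholds are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO-8601 UTC> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=20,
                    min_distinct_users=10, max_success_ratio=0.1):
    """Return {source_ip: summary} for sources whose traffic looks like stuffing.

    Stuffing differs from classic brute force: many *different* usernames, one
    or two passwords each, and a small number of successes (leaked pairs that
    still work). Brute force (one user, many passwords) fails the distinct-user
    test here and is left to a separate rule.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> events inside the sliding window
    flagged = {}
    for ev in events:
        q = recent[ev["ip"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        users = {e["user"] for e in q}
        successes = [e["user"] for e in q if e["ok"]]
        if (len(q) >= min_attempts and len(users) >= min_distinct_users
                and len(successes) / len(q) <= max_success_ratio):
            flagged[ev["ip"]] = {
                "attempts": len(q),
                "distinct_users": len(users),
                "successes": len(successes),
                # accounts that authenticated from a stuffing source: force a
                # password reset and review their sessions
                "compromised_accounts": sorted(set(successes)),
                "window_start": q[0]["ts"].strftime(TS_FMT),
                "window_end": ev["ts"].strftime(TS_FMT),
            }
    return flagged


def sample_log():
    """Constructed log: a legitimate user, a brute-force source, a stuffing source."""
    base = datetime(2019, 9, 10, 12, 0, 0)

    def stamp(i):
        return (base + timedelta(seconds=3 * i)).strftime(TS_FMT)

    lines = []
    # alice logs in normally, a couple of minutes apart
    for i in range(3):
        lines.append(f"{stamp(i * 40)} ip=198.51.100.5 user=alice result=OK")
    # brute force: one account, 25 failed guesses (not this rule's job)
    for i in range(25):
        lines.append(f"{stamp(i)} ip=192.0.2.9 user=admin result=FAIL")
    # stuffing: 30 different accounts tried once each; two leaked pairs still work
    for i in range(30):
        result = "OK" if i in (5, 17) else "FAIL"
        lines.append(f"{stamp(i)} ip=203.0.113.7 user=user{i:02d} result={result}")
    return lines


if __name__ == "__main__":
    for ip, info in detect_stuffing(sample_log()).items():
        print(ip, info)
```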
Overall, research from Akamai indicates that from November 2017 through April 2019, [6.1 percent of credential stuffing attacks were directed at the financial sector](https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-financial-services-attack-economy-report-2019.pdf).

## Victim categories

In this section, we will go into detail on attacks affecting particular industries of interest in Q3 2019.

### Government

Figure 12. Government: attack methods used in Q3 2019 (malware use 75%, social engineering 71%, web attacks 16%, hacking 10%, credential compromise 4%, other 3%)

Figure 13. Attack targets (computers, servers, and network equipment 76%; web resources 20%; humans 4%)

Figure 14. Data stolen (personal data, client databases, corporate secrets)

Hackers eagerly eye government targets. Ministries and departments, agencies, and city governments are at constant risk of sophisticated targeted attacks. We have noted that some criminal groups seeking to steal money do so by attacking governments. In Q3 2019, the PT ESC detected phishing mailings by TA505 to governmental entities in South Korea, China, Canada, and the United Kingdom. The RTM group has also turned its gaze to government. In Q3, PT ESC experts detected phishing messages sent to governmental organizations in Russia and Belarus.

Figure 15. Phishing message from the RTM group to a Russian governmental organization

PT ESC has also noted attacks on government entities by the Gamaredon group. The attackers are interested only in entities related to the Ukrainian government: their C2 servers filter by geographic region. In their attacks, the group uses a chain of scripts that download the Ultra VNC remote control utility to the victim's computer.

Figure 16. Phishing message from the Gamaredon group supposedly from the OSCE

In addition, in Q3 the PT ESC recorded attacks by APT-C-35 (also known as Donot). The group sent phishing mailings containing an Office document linking to an RTF file, which contained an exploit for vulnerability [CVE-2018-0802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0802) in Microsoft Office Equation Editor. yty malicious modules were installed on compromised computers.

Ransomware operators also have governments in their sights. They hope to receive large payouts for restoring encrypted files. And their appetites are constantly increasing. Besides Sodinokibi attacks on governments in Texas, mentioned already in the report, another wave of attacks by Ryuk ransomware hit throughout the U.S. [La Porte County in Indiana paid ransom of $130,000 to cybercriminals](https://securityaffairs.co/wordpress/90848/cyber-crime/new-bedford-ryuk-ransomware.html). In [New Bedford, Massachusetts, attackers demanded ransom of $5.3 million, but failed to receive it](https://securityaffairs.co/wordpress/90848/cyber-crime/new-bedford-ryuk-ransomware.html).

[In 2018, we wrote about attacks on Click2Gov](https://www.ptsecurity.com/ru-ru/research/analytics/cybersecurity-threatscape-2018-q4/), an Internet portal used in many American cities to pay for municipal services. [A second wave of attacks was seen in Q3 2019](https://geminiadvisory.io/second-wave-of-click2gov-breaches-hits-united-states/). The victims in August were eight cities, six of which had already fallen victim to previous attacks on Click2Gov.

### Industrial companies

Figure 17. Industrial companies: attack methods used in Q3 2019

| Method | Share of attacks |
|---|---|
| Social engineering | 95% |
| Malware use | 92% |
| Hacking | 5% |
| Web attacks | 5% |
| Other | 3% |

Figure 18. Attack targets (computers, servers, and network equipment 92%; humans 5%; web resources 3%)

Figure 19. Data stolen (corporate secrets, credentials)

In Q3, PT ESC experts detected attacks by the TA505 APT group on American companies in the food industry, pharmaceutical companies, and medical equipment suppliers. The group also attacked industrial and energy-related companies in South Korea and Taiwan, as well as high-tech engineering companies in a number of European countries. The attackers sent phishing emails with Office documents that infected victim computers with FlawedAmmyy remote administration malware. In addition, in July our experts detected mailings to industrial companies in South Korea in which victims were infected with the ServHelper trojan. The malware was disguised by the attackers as ISO files. The PT ESC has identified two modifications of ServHelper: one can be used as a RAT, while the other acts as a loader for the legitimate remote control software NetSupport Manager.

Figure 20. Phishing message sent by TA505 to a Korean industrial company

In August, [reports appeared of an attack with LokiBot spyware on an American industrial company](https://www.fortinet.com/blog/threat-research/new-infostealer-attack-uses-lokibot.html). The malware was delivered to the company's infrastructure in an email message supposedly from a partner company.

Restoring infrastructure at an industrial company after a targeted attack can take large investments of time and money. At the end of the quarter, major German military equipment manufacturer Rheinmetall [announced that it had been hit by a cyberattack](https://www.rheinmetall.com/en/rheinmetall_ag/press/news/latest_news/index_18496.php). This led to interruptions in business processes at the company's facilities in Brazil, Mexico, and the U.S. Downtime-related losses cost the company millions of euros per week. Rheinmetall estimated that restoring operations would take from two to four weeks.
### Financial institutions

Figure 21. Financial institutions: attack methods used in Q3 2019 (social engineering 86%, malware use 86%, web attacks 4%, hacking 4%, credential compromise 4%, other 4%)

Figure 22. Attack targets (computers, servers, and network equipment 82%; web resources 7%; POS terminals and ATMs 7%; humans 4%)

Figure 23. Data stolen (client databases, corporate secrets, and credentials, roughly one third each)

[Cobalt, a financially driven APT group, remains active. Check Point announced attacks by Cobalt on banks in Kazakhstan in the third quarter](https://securityaffairs.co/wordpress/89194/cyber-crime/louisiana-schools-cyber-attacks.html). PT ESC experts detected phishing mailings to Russian and European banks. As spear phishing emails, they are carefully prepared and well composed. In July, the group sent messages from a hacked email address belonging to an employee of a Moscow airport.

Figure 24. Malicious attachment from Cobalt phishing message

Figure 25. Phishing message, sent by the Cobalt group, supposedly from an airport employee claiming money owed for tickets

In the first half of September, the PT ESC noted phishing messages from TA505 to European and African banks. The group used Office documents with macros as their attachment of choice. These extract a DLL, save it, and run the new FlawedAmmyy loader.

Figure 26. Phishing message from TA505 to a Serbian bank

Although RTM concentrates on the industrial sector in particular, the group regularly attempts to attack financial institutions as well. In Q3, the PT ESC detected phishing mailings from the group to banks in Russia and Belarus.

### Science and education

Figure 27. Science and education: attack methods used in Q3 2019 (malware use 83%, social engineering 79%, hacking 10%)

Figure 28. Attack targets (computers, servers, and network equipment 93%; humans; web resources)

Figure 29. Data stolen (personal data, credentials, payment card information, corporate secrets, other)

In Q3, the share of attacks targeting science and education grew to 9 percent, compared to 6 percent in the quarter prior. One possible reason is the start of the academic year. Schools are on the receiving end of numerous ransomware attacks. [Cyberattacks on Louisiana schools led to declaration of a state of emergency](https://securityaffairs.co/wordpress/89194/cyber-crime/louisiana-schools-cyber-attacks.html).

[The APT group Cobalt Dickens has resumed its hunt for intellectual property](https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again). Experts at Secureworks indicated that among the regular recipients of the group's phishing messages, there are 60 educational institutions.
In these messages, the criminals lured victims to fake library websites, on which users were asked to log in. By entering their username and password on the page, users effectively handed their credentials over to attackers.

[In summer 2019, Microsoft detected new malware, which was dubbed Nodersok](https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/). Most Nodersok infections (42%) are in the educational sector. Infections take place via malicious website advertising. Compromise begins with download of an HTA file. The result of this multistage attack is that the computer is infected with malware that turns it into a proxy server for forwarding malicious traffic.

## What companies can do to stay safe

### Use proven security solutions

- Centrally manage software updates and patches. To prioritize update plans correctly, the most pressing security threats must be taken into account.
- Install antivirus software with a sandbox for dynamically scanning files and the ability to detect and block threats such as malicious email attachments before they are opened by employees. Ideally, antivirus software should simultaneously support solutions from multiple vendors and have the ability to detect signs of hidden or obfuscated malware, as well as block malicious activity across diverse data streams: email, web traffic, network traffic, file storage, and web portals. It should be able to check files both in real time and retrospectively, by automatically re-scanning files when signature databases are updated to detect previously unknown threats.
- We also recommend using SIEM solutions for timely detection and effective response to information security incidents. This will help identify suspicious activity, prevent infrastructure hacking, detect attackers' presence, and enable prompt measures to neutralize threats.
- Use automated software audit tools to identify vulnerabilities.
- Deploy web application firewalls as a preventive measure.
- Detect sophisticated targeted attacks in real time and in saved traffic with deep traffic analysis. Using such solutions will allow you to detect previously unnoticed attacks and monitor network attacks in real time, including use of malware and hacking tools, exploitation of software vulnerabilities, and attacks on the domain controller. Such an approach quickly identifies attacker presence in the infrastructure, minimizes the risk of loss of critical data and disruption to business systems, and decreases the financial damage caused by attackers.
- Employ specialized anti-DDoS services.

###### Protect your data

- Encrypt all sensitive information. Do not store sensitive information where it can be publicly accessed.
- Perform regular backups and keep them on dedicated servers that are isolated from the network segments used for day-to-day operations.
- Minimize the privileges of users and services as much as possible.
- Use a different username and password for each site or service.
- Use two-factor authentication where possible, especially for privileged accounts.

###### Do not allow weak passwords

- Enforce a password policy with strict length and complexity requirements.
- Require password changes every 90 days.
- Replace all default passwords with stronger ones that are unique.

###### Monitor the security situation

- Keep software up to date. Do not delay installing patches.
- Test and educate employees regarding information security.
- Make sure that insecure resources do not appear on the network perimeter. Regularly take an inventory of Internet-accessible resources, check their security, and remediate any vulnerabilities found. It is a good idea to monitor the news for any new vulnerabilities: this gives a head start in identifying affected resources and taking necessary measures.
- Filter traffic to minimize the number of network service interfaces accessible to an external attacker. Pay special attention to interfaces for remote management of servers and network equipment.
- Regularly perform penetration testing to identify new vectors for attacking internal infrastructure and evaluate the effectiveness of current measures.
- Regularly audit the security of web applications, including source-code analysis, to identify and eliminate vulnerabilities that put application systems and clients at risk of attack.
- Keep an eye on the number of requests per second received by resources. Configure servers and network devices to withstand typical attack scenarios (such as TCP/UDP flooding or high numbers of database requests).

###### Help clients to stay safe

- Improve security awareness among clients.
- Regularly remind clients how to stay safe online from the most common attacks.
- Urge clients to not enter their credentials on suspicious websites and to not give out such information by email or over the phone.
- Explain what clients should do if they suspect fraud.
- Inform of security-related events.

#### How vendors can secure their products

All the measures described for organizations, plus:

- Implement a secure software development lifecycle (SSDL).
- Regularly audit the security of software and web applications, including source-code analysis.
- Keep web servers and database software up to date.
- Do not use libraries or frameworks with known vulnerabilities.

#### How users can avoid falling victim

###### Do not skimp on security

- Use only licensed software.
- Maintain effective antivirus protection on all devices.
- Keep software up to date. Do not delay installing patches.

###### Protect your data

- Back up critical files. In addition to storing them on your hard drive, keep a copy on a USB drive, external disk, or a backup service in the cloud.
- Use an account without administrator privileges for everyday tasks.
- Use two-factor authentication where possible, such as for email accounts.

###### Do not use trivial passwords

- Use complex passwords consisting of at least eight hard-to-guess letters, numbers, and special characters. Consider using a password manager to create and store passwords securely.
- Do not re-use passwords. Set a unique password for each site, email account, and system that you use.
- Change all passwords at least once every six months, or even better, every two to three months.

###### Be vigilant

- Scan all email attachments with antivirus software.
- Be mindful of sites with invalid certificates. Remember that data entered on such sites could be intercepted by criminals.
- Pay close attention when entering passwords or making payments online.
- Do not click links to unknown suspicious sites, especially if a security warning appears.
- Do not click links in pop-up windows, even if you know the company or product being advertised.
- Do not download files from suspicious sites or unknown sources.

#### About the research

In this quarter's report, Positive Technologies shares information on the most important and emerging IT security threats. Information is drawn from our own expertise, outcomes of numerous investigations, and data from authoritative sources.

For the purposes of this report, any particular mass incident (such as a virus attack in which criminals send phishing messages to a large number of targets) is counted as one unique security threat.

Terms used in this report:

A cyberthreat is a combination of factors and circumstances that create the risk of information security compromise. In this report, we look at cyberthreats in terms of the actions of malefactors in cyberspace who attempt to breach an information system in order to steal money or data, or with other intentions potentially causing harm to government, business, or individuals.
Attacker actions may be directed against the target company's IT infrastructure, workstations, mobile devices, other equipment, or at people as a factor in cyberspace.

A cyberattack consists of unauthorized actions targeting information systems by cybercriminals leveraging techniques and software to obtain access to information, impair the normal functioning or availability of systems, or to steal, alter, or delete information.

An attack target is the target of unauthorized actions by cybercriminals. In cases when social engineering is used to obtain information directly from an individual, client, or employee, the attack target is "Humans." On the other hand, when social engineering is part of an attempt to place malware on corporate infrastructure or on the computer of an individual, the attack target is "Computers, servers, and network equipment."

Attack motive is the overall goal of cybercriminals. If an attack results in theft of payment card information, the motive is "data theft."

Attack methods are a set of techniques used to achieve a goal. For instance, an attacker might perform reconnaissance, detect vulnerable network services available for connection, exploit vulnerabilities, and get access to resources or information. For the purposes of this report, such a process is referred to as "hacking." Credential compromise and web attacks are put in separate categories for greater granularity.

Victim categories are the economic sectors in which the attacked companies operate (or individuals, if the attack was indiscriminate with respect to employer). For example, the "Hospitality and entertainment" category includes companies providing paid services, such as consulting agencies, hotels, and restaurants.
The "Online services" category includes platforms where users can fulfill their needs online, such as ticket and hotel aggregator websites, blogs, social networks, chat platforms and other social media resources, video sharing platforms, and online games. Large-scale cyberattacks affecting more than one industry (most often, malware outbreaks) have been placed in the "Multiple industries" category.

In our view, the majority of cyberattacks are not made public due to reputational risks. The result is that even organizations that investigate incidents and analyze activity by hacker groups are unable to perform a precise count. This research is conducted in order to draw the attention of companies and ordinary individuals who care about the state of information security to the key motives and methods of cyberattacks, as well as to highlight the main trends in the changing cyberthreat landscape.

#### Group profiles

APT-C-35 (Donot, SectorE02), active since 2016, attacks organizations in South Asia: Pakistan, Bangladesh, Sri Lanka, Maldives, Myanmar, Nepal, and countries of the Shanghai Cooperation Organization. The attackers take the guise of governmental institutions, military entities, and telecom companies.

Bronze Union, also known as TG-3390, LuckyMouse, APT27, or Emissary Panda, has been involved in cyberespionage attacks since 2010. To gain a foothold on networks, the group often uses watering hole attacks: they target the websites frequented by targeted users and place malware on the websites in order to automatically infect visitors' computers. Currently the group targets governmental entities and companies involved in industry, military manufacturing, energy, aerospace, and other high-tech fields around the world.

Cobalt has been known since 2016 for its attacks on financial institutions. The group started off by stealing from banks in CIS countries.
Since 2017, it has expanded its range of targets to include banks in Eastern Europe and Southeast Asia. The group was named after Cobalt Strike, the penetration testing software used by the group to develop attacks within target networks. Its primary method of breaching corporate networks is phishing messages with malicious files in various formats: executable files, Office documents with macros or exploits, LNK files, and passworded archives containing executable files.

Cobalt Dickens first caught attention in 2017. In 2019, the group attacked at least 380 post-secondary educational institutions in over 30 countries in order to obtain intellectual property. University faculty and students received phishing messages claiming to come from libraries. The messages pointed to phishing pages, where users were prompted to enter their credentials, which were then used by the attackers to access research of interest.

eGobbler, known since early 2019, exploited Chrome vulnerability CVE-2019-5840 to show malicious advertising to users of iOS mobile devices. In the second half of 2019, the group increased its reach to all WebKit browsers, including desktop versions, running on Windows, Linux, and macOS. From August 1 to September 23, the group was able to show around 1.16 billion impressions to potential victims, in the hope of drawing them to fraudulent and phishing-related sites.

Gamaredon has been active since 2013. The attackers focus exclusively on Ukrainian governmental entities: their C2 servers perform filtering by geographic region. In their attacks, the group uses a chain of scripts to download the UltraVNC remote management utility to the victim's computer. They use a self-developed framework named Pteranodon for full-fledged management of infected hosts. With it, the attackers can collect information about the system and users, steal passwords, run scripts and commands, and exfiltrate information to C2 servers.

KONNI has been active since at least 2014.
The group's name comes from the malware named KONNI, which it used in its attacks. The malware can steal files containing sensitive information, intercept and save passwords entered by users, take screenshots, and run commands on infected computers. The main objective of the group is espionage and access to data.

The history of RTM dates back to 2016. The group attempts to access corporate bank accounts and steal funds. They use phishing messages to obtain access to corporate networks. Since the very start, the group has used a consistent format in such messages. Positive Technologies data indicates that in 2018 alone, the group carried out 59 mailings, the recipients of which included financial institutions. In 2019, the group moved to use of the Bitcoin blockchain. Most targets are financial institutions, although cases have also included industry, government, and IT-related organizations. In addition, the group has used .bit domains for C2. The .bit zone is powered by the Namecoin blockchain, which acts as a censor-proof and confiscation-resistant alternative to traditional DNS registrars. Experts at the PT Expert Security Center were able to use the blockchain architecture to devise an algorithm for monitoring registration of new domains by RTM and changes in their IP addresses. This enabled warning financial institutions and the security community of new C2 servers within minutes after (or sometimes even before) they entered use by the attackers.

TA505 has operated since 2014. The group's targets include major financial, manufacturing, transportation, and governmental organizations in Canada, South Korea, the United Kingdom, the United States, and dozens of other countries. Phishing messages are the group's main method for penetrating target networks. With each new wave of attacks, the group has made qualitative changes to its toolkit and advanced to more sophisticated techniques for maintaining stealth.
Since 2014, the group's arsenal has included the [Dridex banking trojan, Neutrino botnet, and several families of ransomware,](http://blog.ptsecurity.com/2019/08/finding-neutrino.html) including Locky, Jaf, and GlobeImposter. Since spring 2018 the group has used the FlawedAmmyy remote access trojan, and since late 2018, the new ServHelper backdoor.

#### About Positive Technologies

Positive Technologies is a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection. Commitment to clients and research has earned Positive Technologies a reputation as one of the foremost authorities on Industrial Control System, Banking, Telecom, Web Application, and ERP security, supported by recognition from the analyst community. Learn more about Positive Technologies at [ptsecurity.com](https://www.ptsecurity.com/ww-en/).

[info@ptsecurity.com](mailto:info%40ptsecurity.com?subject=)

© 2019 Positive Technologies. Positive Technologies and the Positive Technologies logo are trademarks or registered trademarks of Positive Technologies. All other trademarks mentioned herein are the property of their respective owners.
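Returning to the RTM profile above: the report notes that .bit C2 domains live on the Namecoin blockchain, where registrations and address changes are public, which is what makes monitoring them possible. The following is an added, simplified illustration of that idea, not the PT ESC algorithm (the report does not give its details); it assumes Namecoin name operations are available as records shaped like `name_history` entries, and all domain names, addresses and txids in it are constructed placeholders.

```python
# Added example (not the PT ESC algorithm): a simplified monitor that replays
# Namecoin name operations in the d/ namespace, which backs .bit hostnames, and
# alerts when a domain is newly registered or the IPv4 set in its value changes.
import json
from typing import Dict, Iterator, List, Optional, Set

# Constructed records shaped like Namecoin name_history entries (name, value,
# height, txid); all names, addresses and txids are placeholders.
SAMPLE_OPS: List[dict] = [
    {"name": "d/watched-c2", "value": '{"ip": "198.51.100.7"}', "height": 100, "txid": "txid-placeholder-1"},
    {"name": "d/benign-site", "value": '{"ip": ["203.0.113.5"]}', "height": 101, "txid": "txid-placeholder-2"},
    {"name": "id/someone", "value": '{"email": "user@example.net"}', "height": 104, "txid": "txid-placeholder-3"},
    {"name": "d/watched-c2", "value": '{"ip": "198.51.100.9"}', "height": 105, "txid": "txid-placeholder-4"},
    {"name": "d/benign-site", "value": "not json", "height": 106, "txid": "txid-placeholder-5"},
]

def bit_hostname(name: str) -> Optional[str]:
    """Map a d/ namespace name to its .bit hostname; other namespaces give None."""
    return name[2:] + ".bit" if name.startswith("d/") else None

def extract_ips(value: str) -> Set[str]:
    """Collect IPv4 addresses from the top-level 'ip' field of a d/ value (a string
    or a list per the d/ spec); malformed values yield an empty set, not an error."""
    try:
        doc = json.loads(value)
    except ValueError:
        return set()
    ip = doc.get("ip") if isinstance(doc, dict) else None
    if isinstance(ip, str):
        return {ip}
    if isinstance(ip, list):
        return {i for i in ip if isinstance(i, str)}
    return set()

def monitor(ops: List[dict]) -> Iterator[dict]:
    """Replay operations in block order; yield alerts for new .bit registrations
    and for changes to a known domain's IP set (including loss of all IPs)."""
    state: Dict[str, Set[str]] = {}
    for op in sorted(ops, key=lambda o: o["height"]):
        host = bit_hostname(op["name"])
        if host is None:
            continue  # not a domain record (e.g. id/ identities)
        ips = extract_ips(op["value"])
        prev = state.get(host)
        state[host] = ips
        if prev is None:
            yield {"kind": "new_domain", "host": host, "ips": sorted(ips), "height": op["height"]}
        elif ips != prev:
            yield {"kind": "ip_change", "host": host, "old": sorted(prev), "new": sorted(ips), "height": op["height"]}

def run_sample() -> List[dict]:
    """Run the monitor over the constructed history and return its alerts."""
    return list(monitor(SAMPLE_OPS))
```

In practice the alerts would be fed to a watchlist or a blocklist for DNS resolvers, so that a freshly registered or re-pointed .bit domain is flagged before it appears in traffic.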