BeyondTrust, a provider of privileged access management solutions, has published its Malware Threat Report 2021 for the first time. For the report, the vendor's incident response team examined real attacks together with affected customers over a period of one year and mapped them against the MITRE ATT&CK framework. Between the first quarter of 2020 and the first quarter of 2021, the security experts identified 150 attack chains that map onto techniques listed in the framework. More than half of the incidents were caused by Emotet and TrickBot/Ryuk, and another third by Loki, AgentTesla and NJRat.
More professionalism on the part of the attackers
One finding of the researchers is the increasing professionalism of malware attackers. The latest generation relies even more on multi-stage attacks and targets entire company environments. A typical course of events involving several actors, tools and platforms could look like this:
- The attackers rent the Necurs botnet and use it to distribute spam messages.
- The spam e-mails contain documents with malicious code that trigger a TrickBot infection.
- TrickBot collects login data, accesses e-mails and uses lateral movement to spread across the entire network. Stolen data is offered for sale or used for further attacks.
- After the corporate network has been extensively compromised, the attackers sell backdoor access to the network to the highest bidder.
- The buyer then distributes the Ryuk ransomware via the TrickBot command-and-control servers.
Mapping the incidents to the MITRE ATT&CK framework proved to be an effective method for detecting and fending off many malware strains. Two thirds of the countermeasures recommended there rely on rigorous privilege management to minimize risk. According to the study's summary of results, removing admin rights and implementing application control prevented the currently most common cyber risks and malware threats. The full study is available for free download after registration.