Attacks against Remote Desktop Protocol endpoints have exploded this year, warns ESET's latest Threat Report
Security firm points to a 'stalkerware' epidemic, new Nobelium group activity
Security specialist ESET's latest Threat Report warns of a massive increase in attacks on Remote Desktop Protocol (RDP) endpoints – and new activity from the Nobelium gang against European government organisations.
ESET's figures show attacks on RDP servers having gone up 103.9 per cent since its T1 report in June - it publishes three a year - representing a total of 55 billion detected brute-force attacks, thanks in no small part to a campaign focused on Spanish targets.
"It seemed in T1 2021 that the growth of RDP attack attempts would be slowing down," ESET security awareness specialist Ondrej Kubovič told The Register.
"T2 2021 brought a bit of a surprise as the detections of RDP accelerated again. The trend suggests further growth in attack attempts and probably quite a steep one in T3, as this is typically the busiest part of the year."
"While there was a moderate increase in RDP attacks in some regions, massive attacks in August against Spanish entities were a runaway trend," senior malware researcher Ladislav Janko said.
"According to our telemetry the number of attacks against Spanish targets accounted for a third of global detections in August. Following Spain by a significant margin were Germany, the United States and Italy. We observed a similar trend also for SQL password-guessing attacks."
Although RDP attacks may have doubled, there was an interesting, if slight, downtrend in cryptocurrency-linked misbehaviour – but one which may already be reversing. "Our data suggest a strong connection between cryptocurrency price and cryptocurrency-related attacks – mainly when it comes to cryptomining," Kubovič told us.
"Our report even mentions PayPal's and Twitter's announcements which sent the prices of major cryptocurrencies up following this increase (visible in the trend toward the end of T2). If there are more high-profile adoptions/announcements supporting cryptocurrencies in the coming months, we expect their prices to grow and cryptomining to follow."
Despite a single-digit reduction in ransomware attacks, which ESET also linked to a slump in the cryptocurrency market, the company was clear that the problem is not going away. "The ransomware scene officially became too busy to keep track of in T2 2021, yet some incidents were impossible to miss," Roman Kováč, ESET's chief researcher officer, wrote in the report's foreword.
"The attack shutting down the operations of Colonial Pipeline – the largest pipeline company in the US – and the supply-chain attack leveraging a vulnerability in the Kaseya IT management software, sent shockwaves that were felt not only in the cybersecurity industry.
Unlike the SolarWinds hack, the Kaseya attack appeared to pursue financial gain rather than cyberespionage, with the perpetrators setting a $70m ultimatum – the heftiest known ransom demand to date."
The report also raised an alarm about targeted attacks by the Nobelium advanced persistent threat group, believed to be linked to the Russian government and accused of being behind the attack on SolarWinds' Orion IT monitoring platform last year which gave it a route into US government networks and the nation's courts system.
The researchers, however, found that the group's focus extended far beyond US borders. "In recent months, the Dukes [Nobelium] launched several spearphishing campaigns targeting European diplomats, think tanks, and international organisations," the report revealed. "ESET researchers identified victims in more than 12 different European countries."
- Researchers finger new APT group, FamousSparrow, for hotel attacks
- Boffins unveil SSD-Insider++, promise ransomware detection and recovery right in your storage
- ProxyLogon flaw, evil emails, SQL injections used to open backdoors on Windows boxes
- Jira Data Center user? Here's a critical Ehcache vulnerability to spoil your day
"ESET telemetry shows that attackers sent spearphishing emails to several European diplomatic missions on July 13, 2021," the report continued. "These recent events show that even after the exposure of the SolarWinds campaign, the Dukes are still using Cobalt Strike as their main implant. Due to the group's persistence and the quality of its lures, it remains a prime threat to western diplomats, NGOs, and think tanks."
ESET is the second major company to warn of Nobelium's continuing actions so far this week, but while ESET's report named the commercial Cobalt Strike toolkit as the group's primary payload Microsoft found it had begun to use a custom malware dubbed FoggyWeb and designed to target Active Directory Federation Services (AD FS) servers.
The Threat Report also named the Gamaredon group as being "highly active" over the monitored period with a particular focus on government organisations in Ukraine. The group was found to have updated its toolkit, beginning to use the open-source network scanning tool Nmap in what the researchers described as a "more complex" payload.
One particularly depressing section of the report deals with the rise in "stalkerware" or the even-more-disgustingly-named "spouseware" often used in abusive relationships to monitor the abused party's messages, location, and even offline conversations. "If potential victims want to prevent anyone from manipulating their mobile device," Kubovič told us, "they must protect it with a strong passcode that is not easily guessed and not shared with anyone. However, we fully understand that stalking is oft-times interrelated to harassment and other forms of violence.
"Victims should carefully consider deleting any stalkerware or software with this type of functionality that they might find. As is pointed out by stopstalkerware.org, whoever installed it will know that it was removed or disabled, and it could result in consequences. In extreme cases where cyberstalking is only one part of a very unhealthy and abusive relationship dynamic, victims can decide to reach out to law enforcement. That, however, requires careful preparation.
"On a safe device or through a trustworthy person," Kubovič continued, "they can contact organisations that offer help. If they do that on a mobile or any other device that has stalkerware or spouseware installed, the perpetrator will know about it. Another option for seeking help might be using a spare mobile phone with a new phone number, new email address, new passwords and enabled multi-factor authentication."
On the mobile front, the report highlighted how prevalent Android malware was – especially compared to malware written for Apple's iOS platform. "It is an open source system with many vendors having their own Android versions (with their own vulnerabilities and patching problems)," Kubovič proffered as a reason for Android's popularity among ne'er-do-wells.
"One notable difference though: most cases where iOS was (or has been) targeted were high-profile attacks targeting zero-days or leveraging zero-click attacks. Based on that, we could say Android is more interesting to the 'average' cybercriminal as means of earning money, whilst iOS is typically in the cross-hairs of sophisticated groups, nation states, and/or spyware companies, aiming at very specific users. This of course is not clear cut – more of a blurry border – and each of those actors can target both operating systems."
The report did highlight some positive changes being made in the Android ecosystem. "Android's new iteration promises to provide users with more control over, and transparency about, how their data is being handled," the researchers wrote. "For instance, Privacy Dashboard will provide a clear and simple overview of app accesses to the device location, microphone, and camera over the past 24 hours. Android 12 will also add indicators that show users in real time which apps are accessing their camera and microphone feeds."
"Since the pandemic hit, it seems updates have become even more crucial to the security posture," Kubovič opined on how orgs can protect themselves, "which has been evidenced by many attacks targeting recently published (and patched) vulnerabilities (e.g. VPNs, MS Exchange etc.). So if I had to pick one thing, it would be updates. Close second is a reliable security solution, which means independently tested AV for users and a complex security suite (Endpoint + EDR + password manager/ MFA + additional layers) for businesses."
The latest ESET Threat Report is available to download [PDF] now. Kubovič, however, would not be drawn on predictions for the coming year, which will instead form part of the company's final report of 2021. ®