Attacks against Remote Desktop Protocol endpoints have exploded this year, warns ESET's latest Threat Report

Security firm points to a 'stalkerware' epidemic, new Nobelium group activity

Security specialist ESET's latest Threat Report warns of a massive increase in attacks on Remote Desktop Protocol (RDP) endpoints – and new activity from the Nobelium gang against European government organisations.

ESET's figures show attacks on RDP servers having gone up 103.9 per cent since its T1 report in June - it publishes three a year - representing a total of 55 billion detected brute-force attacks, thanks in no small part to a campaign focused on Spanish targets.

"It seemed in T1 2021 that the growth of RDP attack attempts would be slowing down," ESET security awareness specialist Ondrej Kubovič told The Register.

"T2 2021 brought a bit of a surprise as the detections of RDP accelerated again. The trend suggests further growth in attack attempts and probably quite a steep one in T3, as this is typically the busiest part of the year."

"While there was a moderate increase in RDP attacks in some regions, massive attacks in August against Spanish entities were a runaway trend," senior malware researcher Ladislav Janko said.

"According to our telemetry the number of attacks against Spanish targets accounted for a third of global detections in August. Following Spain by a significant margin were Germany, the United States and Italy. We observed a similar trend also for SQL password-guessing attacks."

Although RDP attacks may have doubled, there was an interesting, if slight, downtrend in cryptocurrency-linked misbehaviour – but one which may already be reversing. "Our data suggest a strong connection between cryptocurrency price and cryptocurrency-related attacks – mainly when it comes to cryptomining," Kubovič told us.

"Our report even mentions PayPal's and Twitter's announcements which sent the prices of major cryptocurrencies up following this increase (visible in the trend toward the end of T2). If there are more high-profile adoptions/announcements supporting cryptocurrencies in the coming months, we expect their prices to grow and cryptomining to follow."

Despite a single-digit reduction in ransomware attacks, which ESET also linked to a slump in the cryptocurrency market, the company was clear that the problem is not going away. "The ransomware scene officially became too busy to keep track of in T2 2021, yet some incidents were impossible to miss," Roman Kováč, ESET's chief researcher officer, wrote in the report's foreword.

"The attack shutting down the operations of Colonial Pipeline – the largest pipeline company in the US – and the supply-chain attack leveraging a vulnerability in the Kaseya IT management software, sent shockwaves that were felt not only in the cybersecurity industry.

Unlike the SolarWinds hack, the Kaseya attack appeared to pursue financial gain rather than cyberespionage, with the perpetrators setting a $70m ultimatum – the heftiest known ransom demand to date."

The report also raised an alarm about targeted attacks by the Nobelium advanced persistent threat group, believed to be linked to the Russian government and accused of being behind the attack on SolarWinds' Orion IT monitoring platform last year which gave it a route into US government networks and the nation's courts system.

The researchers, however, found that the group's focus extended far beyond US borders. "In recent months, the Dukes [Nobelium] launched several spearphishing campaigns targeting European diplomats, think tanks, and international organisations," the report revealed. "ESET researchers identified victims in more than 12 different European countries."

"ESET telemetry shows that attackers sent spearphishing emails to several European diplomatic missions on July 13, 2021," the report continued. "These recent events show that even after the exposure of the SolarWinds campaign, the Dukes are still using Cobalt Strike as their main implant. Due to the group's persistence and the quality of its lures, it remains a prime threat to western diplomats, NGOs, and think tanks."

ESET is the second major company to warn of Nobelium's continuing actions so far this week, but while ESET's report named the commercial Cobalt Strike toolkit as the group's primary payload Microsoft found it had begun to use a custom malware dubbed FoggyWeb and designed to target Active Directory Federation Services (AD FS) servers.

The Threat Report also named the Gamaredon group as being "highly active" over the monitored period with a particular focus on government organisations in Ukraine. The group was found to have updated its toolkit, beginning to use the open-source network scanning tool Nmap in what the researchers described as a "more complex" payload.

One particularly depressing section of the report deals with the rise in "stalkerware" or the even-more-disgustingly-named "spouseware" often used in abusive relationships to monitor the abused party's messages, location, and even offline conversations. "If potential victims want to prevent anyone from manipulating their mobile device," Kubovič told us, "they must protect it with a strong passcode that is not easily guessed and not shared with anyone. However, we fully understand that stalking is oft-times interrelated to harassment and other forms of violence.

"Victims should carefully consider deleting any stalkerware or software with this type of functionality that they might find. As is pointed out by, whoever installed it will know that it was removed or disabled, and it could result in consequences. In extreme cases where cyberstalking is only one part of a very unhealthy and abusive relationship dynamic, victims can decide to reach out to law enforcement. That, however, requires careful preparation.

"On a safe device or through a trustworthy person," Kubovič continued, "they can contact organisations that offer help. If they do that on a mobile or any other device that has stalkerware or spouseware installed, the perpetrator will know about it. Another option for seeking help might be using a spare mobile phone with a new phone number, new email address, new passwords and enabled multi-factor authentication."

On the mobile front, the report highlighted how prevalent Android malware was – especially compared to malware written for Apple's iOS platform. "It is an open source system with many vendors having their own Android versions (with their own vulnerabilities and patching problems)," Kubovič proffered as a reason for Android's popularity among ne'er-do-wells.

"One notable difference though: most cases where iOS was (or has been) targeted were high-profile attacks targeting zero-days or leveraging zero-click attacks. Based on that, we could say Android is more interesting to the 'average' cybercriminal as means of earning money, whilst iOS is typically in the cross-hairs of sophisticated groups, nation states, and/or spyware companies, aiming at very specific users. This of course is not clear cut – more of a blurry border – and each of those actors can target both operating systems."

The report did highlight some positive changes being made in the Android ecosystem. "Android's new iteration promises to provide users with more control over, and transparency about, how their data is being handled," the researchers wrote. "For instance, Privacy Dashboard will provide a clear and simple overview of app accesses to the device location, microphone, and camera over the past 24 hours. Android 12 will also add indicators that show users in real time which apps are accessing their camera and microphone feeds."

"Since the pandemic hit, it seems updates have become even more crucial to the security posture," Kubovič opined on how orgs can protect themselves, "which has been evidenced by many attacks targeting recently published (and patched) vulnerabilities (e.g. VPNs, MS Exchange etc.). So if I had to pick one thing, it would be updates. Close second is a reliable security solution, which means independently tested AV for users and a complex security suite (Endpoint + EDR + password manager/ MFA + additional layers) for businesses."

The latest ESET Threat Report is available to download [PDF] now. Kubovič, however, would not be drawn on predictions for the coming year, which will instead form part of the company's final report of 2021. ®

Similar topics

Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021