Surge in Android banking malware and RDP attacks


A new report from cybersecurity firm ESET has revealed rapid abuse of trending vulnerabilities and configuration flaws by cyber crooks.

The T1 2021 Threat Report found a 59.6% increase in Remote Desktop Protocol (RDP) attack attempts globally in T1 2021 compared with T3 2020, while Android banking malware detections increased by 158.7% over the same period. Cryptocurrency threats increased by 18.6%.

The report summarises key statistics from ESET detection systems and highlights notable examples of ESET's cybersecurity research, including exclusive, previously unpublished updates on current threats.

ESET Research publishes the report three times a year, so each issue covers a four-month period. T1 denotes January to April, T2 May to August, and T3 September to December.

“During the first four months of this year, the COVID-19 pandemic was still the number one news topic globally; however, it became notably less prominent in the threat landscape,” says Roman Kováč, chief research officer at ESET.

“One could say fortunately, yet as you will see in our report, we are continuing to see worrying examples of cyber crooks rapidly abusing trending vulnerabilities and configuration flaws with a focus on achieving high returns on investment,” he says.

“These abuses include continued abuse of the remote desktop protocol (RDP), which remains the number one target of brute-force attacks, increased numbers of cryptocurrency threats, and a steep increase of Android banking malware detections.”
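The RDP brute-force activity the report ranks first is visible in the Windows Security log as bursts of Event ID 4625 (failed logon) from one source address. The script below is an added example, not part of the ESET report: it runs a sliding-window count over a constructed set of simplified 4625/4624 records and flags sources that exceed a threshold inside the window. The event fields, the threshold and the window size are assumptions; real events would come from Get-WinEvent or a SIEM.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Each record carries the fields
# of a Windows Security event that matter here: Event ID (4625 = failed logon,
# 4624 = successful logon), Logon Type, source address and target account.
# Logon type 10 = RemoteInteractive (classic RDP). With Network Level
# Authentication enabled, a failed RDP pre-authentication is logged as logon
# type 3 (Network) instead, so a filter on type 10 alone misses it.
SAMPLE_EVENTS = [
    {"time": "2021-04-12T02:00:00", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2021-04-12T02:00:04", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"},
    {"time": "2021-04-12T02:00:09", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "backup"},
    {"time": "2021-04-12T02:00:12", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "scanner"},
    {"time": "2021-04-12T02:00:15", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "test"},
    {"time": "2021-04-12T02:00:18", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "guest"},
    # One mistyped password from an internal workstation, then success: not brute force.
    {"time": "2021-04-12T02:01:00", "id": 4625, "logon_type": 10, "ip": "10.0.0.15", "user": "jsmith"},
    {"time": "2021-04-12T02:01:30", "id": 4624, "logon_type": 10, "ip": "10.0.0.15", "user": "jsmith"},
    # Slow attempts via NLA (logon type 3), five minutes apart: below the default threshold.
    {"time": "2021-04-12T02:05:00", "id": 4625, "logon_type": 3, "ip": "198.51.100.9", "user": "administrator"},
    {"time": "2021-04-12T02:10:00", "id": 4625, "logon_type": 3, "ip": "198.51.100.9", "user": "administrator"},
    {"time": "2021-04-12T02:15:00", "id": 4625, "logon_type": 3, "ip": "198.51.100.9", "user": "administrator"},
]

# Assumption: both logon types are candidate RDP failures (see the note above).
RDP_LOGON_TYPES = {10, 3}


def detect_rdp_bruteforce(events, threshold=5, window_seconds=60):
    """Return {source_ip: details} for sources with >= threshold failed RDP logons
    inside any sliding window of window_seconds. Events may arrive unsorted."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # ip -> account names attempted so far
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4625 or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(ev["time"])
        q = recent[ev["ip"]]
        q.append(ts)
        tried[ev["ip"]].add(ev["user"])
        while q and ts - q[0] > window:   # age out failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = {
                "failures_in_window": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
                "accounts": sorted(tried[ev["ip"]]),   # many distinct names = spraying
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures_in_window']} failures {info['first']}..{info['last']}, "
              f"accounts tried: {', '.join(info['accounts'])}")
```

Tune the threshold and window to the environment; a loosened setting (for example three failures in fifteen minutes) also catches the slow source in the sample, at the cost of more noise from legitimate typos. The alert's account list is the quickest way to tell a password spray from a single-account guess.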

The featured story of the report recounts ESET Research’s analysis of a vulnerability chain that allows an attacker to take over any reachable Exchange server. The attack has become a global crisis and ESET researchers identified more than 10 different threat actors or groups that likely leveraged this vulnerability chain.

The research presented in the T1 2021 Threat Report brings several updates and new findings about the APT groups Turla and Lazarus. It also includes information about a malicious iOS tweak, which is an application that leverages runtime patching in order to change program behaviour, to execute shell commands on jailbroken and compromised iOS…


The M.T.A. Is Breached by Hackers as Cyberattacks Surge

The M.T.A.’s systems appear to have been attacked on two days in the second week of April, and the access continued at least until the intrusion was identified on April 20, the M.T.A. document shows. The hackers took advantage of a so-called “zero day,” or a previously unknown coding flaw in software for which a patch does not exist.

Hackers gained access specifically to systems used by New York City Transit — which oversees the subway and buses — and by both the Long Island Rail Road and Metro-North Railroad, according to the M.T.A. document outlining the breach. The hackers compromised three of the transit authority’s 18 computer systems, transit officials said.

But, Mr. Portnoy said, there was “no employee or customer information breached, no data loss and no changes to our vital systems.”

“Our response to the attack, coordinated and managed closely with State and Federal agencies, demonstrated that while an attack itself was not preventable, our cybersecurity defense systems stopped it from spreading through M.T.A. systems,” he added.

Once the broad intrusions that included the M.T.A. were identified in late April, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the National Security Agency and the F.B.I. issued an alert about the vulnerability.

The software company that owns Pulse Connect Secure, Ivanti, provided immediate steps to mitigate the damage and released a security update to fix the vulnerabilities. New York transit officials say they implemented the fixes within 24 hours of their release.

After receiving the warning from security officials, the M.T.A. quickly conducted a detailed forensic audit, which found malware in the authority’s Pulse Connect Secure appliances, transit officials said. According to the M.T.A. document, the malware included “web shells,” which typically give attackers a backdoor for remote access to, and in some cases control of, a server over a long period of time.
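A web shell is a file that was either added to, or patched into, a web-facing directory, so the core of a forensic audit like the one described above is comparing the files now present against a known-good manifest. The script below is an added, generic example: it is not Ivanti's own integrity checker, is not tied to Pulse Connect Secure file paths, and works on a constructed temporary web root. The indicator strings and the sample files are assumptions made for the example.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest


def diff_manifest(baseline, current):
    """Report files added, removed or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


# Assumed indicator strings: code-execution primitives and request-input sources
# that legitimate appliance pages rarely combine. A heuristic, not a signature.
SUSPICIOUS = (b"eval(", b"exec(", b"system(", b"passthru(", b"base64_decode(",
              b"$_REQUEST", b"$_POST", b"$_GET", b"Runtime.getRuntime()", b"ProcessBuilder(")


def flag_webshell_candidates(root, paths):
    """Among changed paths, return those containing web-shell markers.
    Absence of a hit proves nothing; every changed file still needs review."""
    hits = {}
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        found = [m.decode() for m in SUSPICIOUS if m in data]
        if found:
            hits[rel] = found
    return hits


def demo():
    """Build a constructed web root, baseline it, then tamper with it the way a
    web-shell drop would: one new file and one patched legitimate script."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi-bin"))
        with open(os.path.join(root, "index.html"), "wb") as f:
            f.write(b"<html>login</html>")
        with open(os.path.join(root, "cgi-bin", "login.cgi"), "wb") as f:
            f.write(b"#!/usr/bin/perl\nprint 'ok';\n")
        baseline = build_manifest(root)   # in practice: taken from a clean image

        with open(os.path.join(root, "help.php"), "wb") as f:
            f.write(b"<?php eval(base64_decode($_REQUEST['c'])); ?>")
        with open(os.path.join(root, "cgi-bin", "login.cgi"), "ab") as f:
            f.write(b"system($ENV{'QUERY_STRING'});\n")

        changes = diff_manifest(baseline, build_manifest(root))
        candidates = flag_webshell_candidates(root, changes["added"] + changes["modified"])
        return changes, candidates


if __name__ == "__main__":
    changes, candidates = demo()
    print("changed:", changes)
    print("web shell candidates:", candidates)
```

Take the baseline from a clean vendor image rather than from the running appliance, and run the comparison against a mounted disk image rather than on the live system, since a compromised host can hide files from its own tools.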


Most wanted malware Dridex remains in top position amidst global surge in ransomware attacks

The Dridex trojan is the most prevalent malware for the second month running, according to Check Point Research.

The trojan is often used in the initial stages of ransomware attacks.

Check Point Research has published its latest Global Threat Index for April 2021. Researchers report that for the first time, AgentTesla has ranked second in the Index. 

This month, Dridex, a Trojan that targets the Windows platform, spread via a QuickBooks-themed malspam campaign. The phishing emails used QuickBooks branding and tried to lure users with fake payment notifications and invoices. The emails asked recipients to open a malicious Microsoft Excel attachment that could infect the system with Dridex.
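The Excel lure described above works because the attachment carries a VBA project. The script below is an added example, not Check Point's code, of the check a mail gateway can make before a user ever sees the attachment: it inspects the OOXML container for a vbaProject.bin part or a macro-enabled content type, and does not trust the file extension. The sample files are constructed minimal zips, not real workbooks, and the verdict names are assumptions.

```python
import io
import zipfile

# Content types that mark macro-enabled OOXML documents (from the Office Open XML spec).
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-excel.template.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.binary.macroEnabled.main",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
}
# Compound File Binary (OLE) signature used by legacy .xls/.doc files.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def has_vba_project(data):
    """True if an OOXML (zip-based) Office file embeds a VBA project."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return any(t in ct for t in MACRO_CONTENT_TYPES)
    except zipfile.BadZipFile:
        return False
    return False


def classify_attachment(filename, data):
    """Assumed gateway policy: 'block' macro payloads regardless of extension,
    'quarantine' legacy binary formats that need deeper parsing, else 'allow'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_project(data):
        return "block"          # covers .xlsm as well as a macro file renamed to .xlsx
    if data.startswith(OLE_MAGIC) and ext in {"xls", "doc", "xlt", "dot"}:
        # Legacy binary format: macros cannot be ruled out without an OLE parser
        # (for example the oletools project), so hand it to sandbox analysis.
        return "quarantine"
    return "allow"


def make_ooxml(macro):
    """Construct a minimal workbook-like zip for the example (not a real Excel file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        main = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if macro else
                "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/xl/workbook.xml" ContentType="{main}"/></Types>')
        z.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            z.writestr("xl/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments modelled on the invoice lure, not real samples.
    for name, blob in [("Invoice_4471.xlsm", make_ooxml(True)),
                       ("Invoice_4471.xlsx", make_ooxml(True)),
                       ("Statement.xlsx", make_ooxml(False)),
                       ("Invoice.xls", OLE_MAGIC + b"\x00" * 16)]:
        print(f"{name}: {classify_attachment(name, blob)}")
```

Checking the container rather than the extension matters because a renamed .xlsm still opens with its macros in Excel; conversely an .xlsm that carries no VBA project is harmless and passes.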

According to CPR, this malware is often used as the initial infection stage in ransomware operations where hackers will encrypt an organisation’s data and demand a ransom in order to decrypt it. 

Increasingly, these hackers are using double extortion methods, where they will steal sensitive data from an organisation and threaten to release it publicly unless a payment is made. 

CPR reported in March that ransomware attacks had increased by 57% at the beginning of 2021; that trend has continued, and the increase has now reached 107% compared with the equivalent period last year. Most recently, Colonial Pipeline, a major US fuel company, was the victim of such an attack. In 2020, ransomware is estimated to have cost businesses worldwide around $20 billion, a figure nearly 75% higher than in 2019.

For the first time, AgentTesla ranked in 2nd place in the top malware list. AgentTesla is an advanced RAT (remote access Trojan) that has been active since 2014 and functions as a keylogger and password stealer. This RAT can monitor and collect the victim’s keyboard input and system clipboard, and can record screenshots and exfiltrate credentials entered for a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).

This month there is an increase in AgentTesla campaigns, which spread via malspam. The email content is asking to download a file (it can be any file type) that could cause the…


Fileless Malware Attacks Surge by 900% and Cryptominers Make a Comeback, While Ransomware Attacks Decline

WatchGuard report uncovers massive increases in endpoint attacks, rising encrypted malware rates, new exploits targeting IoT devices, and more

SEATTLE, March 30, 2021 (GLOBE NEWSWIRE) — WatchGuard® Technologies, a global leader in network security and intelligence, multi-factor authentication (MFA), advanced endpoint protection, and secure Wi-Fi, today released its Internet Security Report for Q4 2020. The report includes exciting new insights based on endpoint threat intelligence following WatchGuard’s acquisition of Panda Security in June 2020. Among its most notable findings, the report reveals that fileless malware and cryptominer attack rates grew by nearly 900% and 25% respectively, while unique ransomware payloads plummeted by 48% in 2020 compared to 2019. Additionally, the WatchGuard Threat Lab found that Q4 2020 brought a 41% increase in encrypted malware detections over the previous quarter and network attacks hit their highest levels since 2018.

“The rise in sophisticated, evasive threat tactics last quarter and throughout 2020 showcases how vital it is to implement layered, end-to-end security protections,” said Corey Nachreiner, chief technology officer at WatchGuard. “The attacks are coming on all fronts, as cyber criminals increasingly leverage fileless malware, cryptominers, encrypted attacks and more, and target users both at remote locations as well as corporate assets behind the traditional network perimeter. Effective security today means prioritizing endpoint detection and response, network defenses and foundational precautions such as security awareness training and strict patch management.”

WatchGuard’s quarterly Internet Security Reports inform businesses, their partners and end customers about the latest malware, endpoint and network attack trends as they emerge. Key findings from the Q4 2020 report include:

  • Fileless malware attacks skyrocket – Fileless malware rates in 2020 increased by 888% over 2019. These threats can be particularly dangerous due to their ability to evade detection by traditional endpoint protection clients and because they can succeed without victims doing anything beyond clicking a malicious link or unknowingly visiting…