Credential leaks remain a valid threat to organizations

Managed detection and response insights

Bitdefender has released its threat debrief for July 2022, and a few of its findings are of particular interest.

Whether it’s a new breach or a recycled list, credential leaks remain a valid threat to organizations. Credentials, meaning user emails and the corresponding passwords for a given site or application, are a cybercriminal’s favourite data type because they allow an attacker to masquerade as a legitimate user on a system.

There are several ways attackers use compromised credentials. They may combine usernames, emails, and exposed passwords to gain initial access through web portals or remote access services such as RDP, VPN, or SSH, using brute-forcing or credential stuffing attacks. Spammers and social engineering campaigns, such as phishing and spearphishing, may also use the leaked addresses to target corporate or personal mailboxes that are known to be active.

When it comes to credential leaks, some security measures that can be taken include the following:

  1. Apply Multi-factor authentication
  2. Awareness: Detection/crawling of the dark web, closed sources, and paste sites to find leaked business credentials, such as the cyber intelligence service included in Bitdefender MDR.
  3. Business email addresses should only be used on business accounts.
  4. Apply strong security practices when it comes to passwords.
  5. Use a Password Manager
  6. The password length is very important. Be sure to have 12-14 characters.
  7. Including upper- and lower-case letters, numbers, and symbols adds complexity.
  8. Length is more important than complexity, and points 6 & 7 combined make passwords even harder to crack.
  9. For example, you can select a few random words, exchanging numbers and symbols for letters: Halloween Shoes Car becomes H@l10w3en$4oe&c@R.
  10. Do not use the same password(s) across multiple accounts.
  11. Update/change passwords at least every 90 days.
  12. Whenever possible, enable password-less authentication, like OIDC (OpenID Connect), within your organization's tools, and make sure third-party software and platform vendors are compatible with those standards in order to apply single sign-on authentication.
  13. Implement IP/URL reputation for endpoints to block access to credential-stealing sites.

After analysing the ransomware variants detected in June 2022, Bitdefender found 192 active ransomware families.
The most prevalent were:

  • WannaCry (42 per cent of detections)
  • GandCrab (15 per cent)
  • Robin (13 per cent)

Bitdefender telemetry throughout June 2022 also discovered multiple trojans targeting the Android mobile operating system.
The most prevalent were:

  • DN (54 per cent) – Repacked applications taken from Google App Store and bundled with aggressive adware. Some adware downloads other malware variants.
  • LC (10 per cent) – Malware that gathers sensitive information about a device (Device IDs, Subscriber IDs, MAC addresses) and sends them to a malicious C&C server. The C&C server responds by sending back a link to a payload that the malware downloads and executes.
  • AYE (8 per cent) – Malware that tries to register as the default SMS application on the first run by requesting the consent of the user. If successful, it collects the user’s incoming and outgoing messages and forwards them to a Command & Control (C&C) server.

Spoofed Domains: The research also uncovered trends in homograph attacks, where attackers abuse internationalized domain names (IDNs) to create websites whose URLs look very similar to those of popular sites.

The most commonly encountered websites being spoofed were myetherwallet.com (23 per cent), facebook.com (21 per cent), and paypal.com (12 per cent).
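A defender-side check for the look-alike domains described above, added here as an example and not code from Bitdefender or the debrief: it decodes punycode (`xn--`) hosts, folds confusable characters to an ASCII "skeleton", flags labels that mix scripts, and compares the skeleton against the three brands the report names. The confusable table is a small constructed subset of Unicode's confusables list, and the host parsing assumes a one-label TLD.

```python
import unicodedata

# Brands the debrief lists as most often spoofed (registrable label only).
PROTECTED = {"myetherwallet", "facebook", "paypal"}

# Constructed, deliberately small confusable table (Unicode's confusables.txt
# is far larger). Maps look-alike code points and digit swaps to ASCII letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a",                                 # Greek
    "\u0131": "i", "\u0142": "l",                                 # dotless i, l with stroke
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",             # digit look-alikes
}

def to_unicode(host: str) -> str:
    """Turn an A-label host (xn--...) into its U-label form; non-ASCII input is returned as is."""
    return host.encode("ascii").decode("idna") if host.isascii() else host

def skeleton(label: str) -> str:
    """Fold a label to its ASCII look-alike: lowercase, NFKC, strip accents, map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKC", label.lower()):
        base = unicodedata.normalize("NFKD", ch)[0]   # e.g. 'é' -> 'e'
        out.append(CONFUSABLES.get(ch, CONFUSABLES.get(base, base)))
    return "".join(out)

def scripts(label: str) -> set:
    """Unicode scripts of the letters in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def check_host(host: str) -> dict:
    """Flag a host that is a look-alike of a protected brand and/or mixes scripts."""
    uhost = to_unicode(host)
    labels = uhost.split(".")
    reg = labels[-2] if len(labels) >= 2 else labels[0]   # assumes a one-label TLD
    folded = skeleton(reg)
    spoofed = folded in PROTECTED and reg != folded       # the exact brand label is legitimate
    return {"unicode": uhost, "skeleton": folded,
            "mixed_scripts": len(scripts(reg)) > 1,
            "impersonates": folded if spoofed else None}

if __name__ == "__main__":
    # Constructed samples: the brand itself, a Cyrillic-'а' PayPal look-alike encoded to
    # punycode, a Cyrillic-'о' Facebook look-alike, and an ASCII digit-swap wallet clone.
    for h in ["paypal.com", "p\u0430ypal.com".encode("idna").decode("ascii"),
              "faceb\u043e\u043ek.com", "myetherwa11et.com"]:
        print(h, check_host(h))
```

In practice the `PROTECTED` set would hold your own brands and partner domains, and the check would run over newly observed domains from DNS or proxy logs rather than a fixed list.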
