Rapid7 Quarterly Threat Report: 2018 Q3

Last updated at Mon, 28 Oct 2019 17:50:55 GMT

The leaves are falling and it’s getting colder, which means it’s time for our newest Quarterly Threat Report. This quarter has shown us that threat actors are still sending phishing emails, executing code, and making network connections to achieve their goals. In Q3, we saw user interaction events decreasing, banking trojans making their presence known, and the Mirai botnet showing no signs of going anywhere. Something new for this report is the addition of a section that contains host-, URL-, and IP-based indicators for you to use in your own detections.

User interaction: Adversaries taking a break

In Q3, we decided to try taking a look at our data in a new light and focused on user interaction incidents. These are incidents that require the end user to click on a link or browse to a website. Non-user interaction incidents can be anything from exploiting a device with an open vulnerability to using leaked credentials to log in to a user's account. We saw a drop-off in user interaction incidents this August, and our assessment is that this is due to summer vacations and the hurricane season. Many attacker campaigns require victims to be at their keyboards, and with users taking time away from their devices, adversaries were forced to look for other ways to compromise a system.

Banking trojans on the rise

This September, we saw that over half of our detected qualified incidents were directly related to the Emotet/Heodo campaigns and occured in a wide variety of industries. These types of campaigns are gaining steam, and US-CERT even issued an alert this July warning of this successful attacker campaign. The initial compromise starts with a phishing email, and once the malicious document is opened, the attacker then has access to stored credentials and other sensitive data and will then try to spread across the network. Detecting the malicious use of PowerShell in your environment is a great way to spot these attacks, as almost all of them use PowerShell to launch malicious scripts.

Mirai botnet: Staying power

Another problem that just will not go away is the Mirai malware/botnet. We have seen this threat for two years now, and it's only evolving since the public release of the original Mirai source code. For example, Satori malware is one such evolution of Mirai that we saw spike and go away in December 2017 using data from our our global network of honeypots, Project Heisenberg. Then, just when we thought it might be disappearing, we saw a resurgence starting in mid-July.

Read the Q3 Threat Report in its entirety for more information on the trends and activities we saw last quarter, and take advantage of some of our recommendations to keep your network safe.