Whiteboard Wednesday:

Quarterly Threat Report 2018 Q3

November 28, 2018

In this week’s Whiteboard Wednesday, Kwan Lin, Senior Data Scientist, covers some of the major topics from our Q3 Threat Report. These topics include user interaction vs. non-user interaction incidents, Emotet malware incidents, MikroTik devices, Windows Remote Desktop Protocol, and memcached. Learn about our research and findings on these topics, and how it can help you better secure your environment.

Video Transcript

Hi, my name is Kwan Lin, Senior Data Scientist at Rapid7. We recently released the 2018 Quarter Three Threat Report. And in this week's Whiteboard Wednesday I'd like to cover some of the major topics in the report.

Show more Show less

First, we tried to be different this time around. We segmented our available data into incidents that required user interaction, such as visiting malicious links, and incidents that did not, such as network misconfigurations. Non-user interaction incidents maintained a stable, cyclical pattern week over week. User interaction incidents on the other hand, started off at a comparably high level in July and tapered off dramatically starting around August.

A lot of our data comes from US organization, so it seems likely that the drop off in user interaction incidents is the result of employees being unavailable, due to August being a popular vacation month and September being filled with severe weather events that shut down businesses. We'll keep an eye on this slice of the data in periods to come to check if this particular theory holds true.

Now, in September half of the qualified incidents that we observed involved the Emotet Malware Campaign. Emotet infiltrates computers through such channels as spam or fishing emails. Once it successfully latches onto a machine, it injects malicious code that can be used to pilfer credentials, emails, and other sensitive pieces of data. Furthermore, once Emotet embeds itself it then attempts to spread further across the network.

Like the previous issue of the threat report, we also took a closer look at MikroTik devices. These devices are often routers with fairly large attack services and are often poorly maintained. Campaigns that target MikroTik devices usually involve cycling through default credentials or sets of common exploits to compromise them. Many of these compromised devices are co-opted to operate as cryptocurrency monitors or to modify web traffic that passes through.

When we scanned for MikroTik devices back in July, we found over 300,000 devices. Over half of which were used for mining purposes. In a recent followup scan of MikroTik devices, it appears as if the cryptocurrency miners have been neutralized. However, in August a number of new MikroTik vulnerabilities were disclosed. So while it seemed that things did get better, there are now additional channels through which MikroTik devices can be exploited.

We've also been paying particular attention to remote administration protocols. We took a closer look at the Windows Remote Desktop Protocol, RDP, and Virtual Network Computing, VNC. In the case of RDP we noticed that the total number of attacks have gone up, though the source of attacks has mostly leveled off. In the case of VNC the number of attacks has gone up drastically. In general, attacks directed at remote administration protocols have been more pronounced.

Throughout the year we've been keeping a close watch of memcached, an open-sourced distributed memory object caching system, that could be used as opponent DDoS amplification protocol. Such amplification attacks works by triggering an exchange using spook addresses which result in legitimate addresses being flooded with unsolicited replies. We've noticed periodic spikes every few months, but there was an especially large spike in memcached activity in September. Most of which originated from a single node in Indonesia that was also involved with other amplification DDoS attacks.

While our aim is not to alarm, it is important to be aware that certain techniques that appeared on the threat landscape only recently have truly become staples of malicious actor's arsenals. I hope you've found some of the details we've covered today helpful. We've only touched upon some of the major points covered in the full threat report. Topics present in the full report that we didn't touch upon in this presentation include threat event distributions and fishing attempts by industry, protocol poisoning, the state of eternal blue, and Morai and its derivatives amongst others.

We also offer recommendations for how you can better secure your environment based on our findings. To grab a copy of the full report, head on over to Rapid7.com. If you have any questions, feel free to reach out to us at research@Rapid7.com. Thanks for your time and good lick.

Q3 2018 Threat Report

Dive deeper into the findings from our full report.

Read More

How has the threat landscape changed?

Read our past quarterly threat reports to further understand how the threat landscape has changed throughout the years.

Learn More