Answer: Web attacks, Iranian terrorist groups, supply chain attacks, and even North Korean malware
Web App Attacks: By the Numbers
In the last two years, the number of new vulnerabilities has exploded.
In 2016, 6,447 vulnerabilities were identified; by 2018, that number had skyrocketed to 16,555.
Many of these were web application vulnerabilities, so with this dramatic uptick it comes as no surprise that in 2018, web application attacks made up 32% of all attacks.
Finance, the most attacked sector, saw 17% of all attacks across the globe, with web application attacks making up nearly half (46%) of all attacks directed at organizations in the finance sector.
US Declares IRGC a Terrorist Organization – Why That Matters for Cybersecurity
In early April of this year, the U.S. labelled the Iranian Revolutionary Guard Corps (IRGC) a foreign terrorist organization. While this may initially seem like just another blip on the news radar, a deeper look reveals why it matters in the context of cybersecurity.
A quick look at the history books shows that Iran has regularly responded to sanctions or perceived injustices by increasing cyber campaigns. It would be easy to write this off as ‘a US problem’, but a glance at 2018 attack data tells a more compelling story: 48% of all Iranian activity targeted organizations in EMEA.
Iran has greatly increased its cyber capabilities over the past 10 years, and nation-state-sponsored groups are now thrusting Iran into the limelight with cyber capabilities on par with those of China and Russia.
Operation ShadowHammer: Another Attack on the Supply Chain
Supply chain attacks are nothing new, but they tend to get much less media coverage than they deserve, with media outlets across the globe focusing their reporting more on breaches and other attacks.
While the jury is still out on why this is, it doesn’t take a rocket scientist to understand that, when it comes right down to it – supply chain attacks typically just aren’t that interesting to read about in your daily news feed. Attacks on the supply chain often feel far removed from where we sit at our desks or where we stand in our assembly lines.
Enter: Operation ShadowHammer.
In a campaign (still) impacting users around the globe, Operation ShadowHammer leverages as an attack vector what most of us would believe to be a reputable source – the ASUS Live Update Utility. The operation targeted ASUS users and delivered Trojanized updates signed with legitimate ASUS certificates.
The bottom line here is that, if you’re an ASUS user, you should definitely check your system to confirm or deny whether the backdoor still exists. ASUS released a diagnostic tool (.zip file download) specifically for this purpose.
North Korean Malware: HOPLIGHT Is Worth a Second Look
North Korea is no stranger to the malware game, so new malware attributed to Hidden Cobra, a North Korean nation-state-sponsored Advanced Persistent Threat (APT), comes as no surprise.
What is surprising, however, is that the files that make up HOPLIGHT, the subject of a Malware Analysis Report (MAR) from the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), are signed with a valid certificate.
This valid certificate accompanying the malware is signed by Naver, the largest search engine in South Korea. (Think of Naver as South Korea’s Google.) This enabled HOPLIGHT to evade basic anti-virus measures and leverage encrypted connections to communicate with its command and control (C2) servers.
I know this is an overview of the most recent GTIC Monthly Threat Report, but I would be remiss if I didn’t mention our annual report, the 2019 Global Threat Intelligence Report.