Answer: Web attacks, Iranian terrorist groups, supply chain attacks, and even North Korean malware

Web App Attacks: By the Numbers

In the last two years, the number of new vulnerabilities has exploded.

In 2016, there were 6,447 vulnerabilities identified, and by 2018, that number had skyrocketed to 16,555.

Many of these vulnerabilities were web application vulnerabilities, and with this dramatic uptick in web application vulnerabilities, it comes as no surprise that in 2018, web application attacks made up 32% of all attacks.

Finance, the most attacked sector, saw 17% of all attacks across the globe, with web application attacks making up nearly half (46%) of all attacks directed at organizations in the finance sector.

Read the report.

US Declares IRGC a Terrorist Organization – Why That Matters for Cybersecurity

In early April of this year, the U.S. labelled the Iranian Revolutionary Guard Corps (IRGC) a foreign terrorist organization. While this may initially seem like just another blip on the news radar, a deeper look reveals why it matters in the context of cybersecurity.

A quick look at the history books shows us that Iran has regularly responded to sanctions or perceived injustices by increasing cyber campaigns. It would be easy to write this off as ‘a US problem’, but a glance at 2018 attack data tells a more compelling story: 48% of all Iranian activity targeted organizations in EMEA.

Iran has greatly increased its cyber capabilities over the past 10 years, and nation-state-sponsored groups are now thrusting Iran into the limelight with cyber capabilities on par with the likes of China and Russia.

Get the full report.

Operation ShadowHammer: Another Attack on the Supply Chain

Supply chain attacks are nothing new, but they tend to get much less media coverage than they deserve, with media outlets across the globe focusing their reporting more on breaches and other attacks.

While the jury is still out on why this is, it doesn’t take a rocket scientist to understand that, when it comes right down to it – supply chain attacks typically just aren’t that interesting to read about in your daily news feed. Attacks on the supply chain often feel far removed from where we sit at our desks or where we stand in our assembly lines.

Enter: Operation ShadowHammer.

In a campaign that is (still) impacting users around the globe, Operation ShadowHammer used as its attack vector what most of us would consider a reputable source: the ASUS Live Update Utility. The operation targeted ASUS users and delivered Trojanized updates signed with legitimate ASUS certificates.

The bottom line here is that, if you’re an ASUS user, you should definitely check your system to confirm whether the backdoor is present. ASUS released a diagnostic tool (.zip file download) specifically for this purpose.

Check out the full report.

North Korean Malware: HOPLIGHT Is Worth a Second Look

North Korea is no stranger to the malware game, so new malware attributed to Hidden Cobra, a North Korean nation-state-sponsored Advanced Persistent Threat (APT), comes as no surprise.

What is surprising, however, is that the files contained in HOPLIGHT, the object of a Malware Analysis Report (MAR) from the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), are signed with a valid certificate.

This valid certificate accompanying the malware is signed by Naver, the largest search engine in South Korea. (Think of Naver as South Korea’s Google.) This enabled HOPLIGHT to evade basic anti-virus measures and leverage encrypted connections to communicate with its command and control (C2) servers.

Read more in the full report.
I know this is an overview of the most recent GTIC Monthly Threat Report, but I would be remiss if I didn’t mention our annual report, the 2019 Global Threat Intelligence Report.

Check out the April 2019 GTIC Monthly Threat Report here (no sign-in required) and grab yourself a copy of the 2019 Global Threat Intelligence Report here.