This month, GTIC researchers took a deeper look at several globally applicable topics; that is, topics with implications for individuals, organizations and sectors worldwide.
Ransomware, Office 365 and Oracle products all have the potential to affect organizations around the world. Office 365 and Oracle products enhance productivity and the services an organization can offer, but a successful attack against either can bring effective output to a complete halt.
At 30 years old, ransomware still plagues the internet at large. Researchers have recently observed a trend of increased ransomware attacks targeting local governments. This seems a little odd, since government entities have historically been less likely to pay a ransom. These attacks have leveraged various families of ransomware and have hit organizations of every size in virtually every sector.
Regardless of the targeted industry, attackers will continue to leverage ransomware – it’s effective, it’s lucrative, and it’s low risk.
Don't be caught off guard: ransomware attacks appear to be largely opportunistic, not necessarily targeting the largest players in a given industry, but casting a wide net and hoping for the bites that result in a payout.
But not all attacks are opportunistic. Attackers going after Office 365 (O365) are more deliberate in their targeting, focusing on enterprise environments for the sheer volume of data, and of user credentials, they hold. With just one set of legitimate credentials, an attacker can blend in with normal activity, move at leisure and harvest a potentially limitless amount of sensitive information. This targeting of O365 credentials prompted an advisory from the U.S. Department of Homeland Security (DHS) cautioning users and administrators about the risks.
NTT Security researchers echoed these concerns, as data from the 2019 NTT Security Global Threat Intelligence Report (GTIR) showed, overwhelmingly, that the top credentials targeted in attacks during 2018 were Microsoft O365 credentials.
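The credential abuse described above leaves a trace in the tenant's sign-in records: a single source hammering many accounts (password spraying), or a run of failures against one account followed by a success. The following is an added example written for this page, not code from the report or from NTT Security, showing how a defender might flag both patterns. The records are constructed to resemble O365/Azure AD sign-in log fields; the field names (`time`, `user`, `ip`, `status`) and the thresholds are assumptions to be tuned to your own tenant.

```python
"""Flag password-spray and success-after-failure patterns in O365 sign-in records.

Added example, not from the GTIC report. SAMPLE_EVENTS is CONSTRUCTED data whose
field names are an assumption; map them to your own audit-log export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays six accounts, then succeeds against
# frank after three failures. 198.51.100.4 is a legitimate user with one typo.
SAMPLE_EVENTS = [
    {"time": "2019-05-06T08:00:01Z", "user": "alice@example.com", "ip": "203.0.113.7",  "status": "failure"},
    {"time": "2019-05-06T08:00:03Z", "user": "bob@example.com",   "ip": "203.0.113.7",  "status": "failure"},
    {"time": "2019-05-06T08:00:05Z", "user": "carol@example.com", "ip": "203.0.113.7",  "status": "failure"},
    {"time": "2019-05-06T08:00:07Z", "user": "dave@example.com",  "ip": "203.0.113.7",  "status": "failure"},
    {"time": "2019-05-06T08:00:09Z", "user": "erin@example.com",  "ip": "203.0.113.7",  "status": "failure"},
    {"time": "2019-05-06T08:00:11Z", "user": "frank@example.com", "ip": "203.0.113.7",  "status": "failure"},
    {"time": "2019-05-06T08:00:40Z", "user": "frank@example.com", "ip": "203.0.113.7",  "status": "failure"},
    {"time": "2019-05-06T08:01:20Z", "user": "frank@example.com", "ip": "203.0.113.7",  "status": "failure"},
    {"time": "2019-05-06T08:02:00Z", "user": "frank@example.com", "ip": "203.0.113.7",  "status": "success"},
    {"time": "2019-05-06T08:30:00Z", "user": "alice@example.com", "ip": "198.51.100.4", "status": "failure"},
    {"time": "2019-05-06T08:30:15Z", "user": "alice@example.com", "ip": "198.51.100.4", "status": "success"},
]


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the sample."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: set(users)} for sources that failed against at least
    min_accounts distinct accounts inside a sliding time window.
    Spraying is one password tried across many users, so the distinct-user
    count per source is the signal, not the failure count per user."""
    failures = defaultdict(list)
    for e in events:
        if e["status"] == "failure":
            failures[e["ip"]].append((parse_time(e["time"]), e["user"]))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged


def detect_success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Return (user, ip, time, prior_failures) for each success preceded by at
    least min_failures failures from the same source within the window.
    A single typo before a successful login (alice below) is not flagged."""
    recent = defaultdict(list)  # (user, ip) -> times of recent failures
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):  # same format, so lexical sort is chronological
        key = (e["user"], e["ip"])
        t = parse_time(e["time"])
        if e["status"] == "failure":
            recent[key].append(t)
        elif e["status"] == "success":
            prior = [f for f in recent[key] if t - f <= window]
            if len(prior) >= min_failures:
                hits.append((e["user"], e["ip"], e["time"], len(prior)))
            recent[key].clear()  # a success resets the streak for this pair
    return hits


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"spray from {ip}: {len(users)} accounts -> {sorted(users)}")
    for user, ip, when, n in detect_success_after_failures(SAMPLE_EVENTS):
        print(f"success after {n} failures: {user} from {ip} at {when}")
```

Run against a real export, the thresholds matter more than the code: a window of ten minutes and five accounts catches fast sprays, while "low and slow" campaigns need a longer window and a per-source baseline, which is exactly why the single-credential foothold described above is hard to spot after the fact.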
NTT Security researchers also dug into a campaign suspected to be the work of the Rocke threat actors: recent and ongoing attempts to exploit an Oracle WebLogic vulnerability, CVE-2019-2725. GTIC researchers analyzed detections of exploit attempts against this vulnerability, since similar remote code execution (RCE) flaws have fueled previous malware campaigns. If successfully exploited, an unauthenticated remote attacker can execute arbitrary code on the targeted server.
Once proof-of-concept (PoC) code is available for flaws of this type in popular, globally used products such as WebLogic, attackers leverage them almost immediately, particularly when the PoC appears before a patch does.
Again, it boils down to patching and preparedness. Upgrade your systems, especially those that have reached end-of-life (EOL) and are no longer supported.
Still, by far the most common way attackers gain access remains phishing or spear-phishing emails sent to unsuspecting, or all-too-trusting, users. Accordingly, user training is imperative to protecting an organization's network. Yes, this is easy to say, but users continue to fall for well-devised phishing emails.
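Detections of the kind mentioned above for CVE-2019-2725 are not hard to build from existing telemetry. The following is an added example written for this page, not code from the report, from NTT Security or from Oracle. It triages web-server access logs for requests to the two WebLogic endpoints that public descriptions of the flaw associate with it (served by the wls9_async_response and wls-wsat components), and inspects a SOAP body for the hallmark of the exploit, a WorkContext header carrying XMLDecoder-style serialized-object markup. The log lines and SOAP fragments are constructed; the path list and marker strings are assumptions to tune for your deployment.

```python
"""Triage access logs and request bodies for CVE-2019-2725 exploit attempts.

Added example, not from the GTIC report. SAMPLE_ACCESS_LOG and the SOAP
fragments are CONSTRUCTED; WATCHED_PATHS and PAYLOAD_MARKERS are assumptions
drawn from public descriptions of the flaw.
"""
import re

# Endpoints of the affected components. Assumption: watch exactly these paths;
# add any context-root variants your WebLogic deployment exposes.
WATCHED_PATHS = ("/_async/AsyncResponseService", "/wls-wsat/CoordinatorPortType")

# Strings that indicate serialized-object markup inside a WorkContext header.
PAYLOAD_MARKERS = ("WorkContext", "<void class=", "<java ",
                   "java.lang.ProcessBuilder", "java.lang.Runtime")

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

# Constructed: one source probes an endpoint with GET, then POSTs to both.
SAMPLE_ACCESS_LOG = """\
198.51.100.4 - - [06/May/2019:10:12:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/May/2019:10:12:05 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 200 1822 "-" "python-requests/2.21.0"
203.0.113.7 - - [06/May/2019:10:12:06 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "python-requests/2.21.0"
203.0.113.7 - - [06/May/2019:10:12:09 +0000] "POST /wls-wsat/CoordinatorPortType?wsdl HTTP/1.1" 500 3342 "-" "python-requests/2.21.0"
198.51.100.4 - - [06/May/2019:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Constructed skeleton of the payload shape (no command inside) and a benign request.
SAMPLE_SUSPICIOUS_BODY = """\
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder"/>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
"""
SAMPLE_BENIGN_BODY = """\
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><ns:ping xmlns:ns="urn:example"/></soapenv:Body>
</soapenv:Envelope>
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exploit_attempts(log_text):
    """Return parsed entries whose path (query string stripped) is a watched endpoint.
    Any method is kept: GETs are reconnaissance, POSTs carry the SOAP payload."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"].split("?", 1)[0] in WATCHED_PATHS:
            hits.append(entry)
    return hits


def summarize_sources(hits):
    """Count hits per source IP so a probe-then-post scanner stands out."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


def payload_markers(body):
    """Return the PAYLOAD_MARKERS present in a request body."""
    return [m for m in PAYLOAD_MARKERS if m in body]


def is_suspicious_body(body):
    """A WorkContext header plus any serialized-object marker is the exploit shape."""
    found = payload_markers(body)
    return "WorkContext" in found and any(m in found for m in PAYLOAD_MARKERS[1:])


if __name__ == "__main__":
    hits = find_exploit_attempts(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["ua"]})')
    print("per source:", summarize_sources(hits))
    print("suspicious body:", is_suspicious_body(SAMPLE_SUSPICIOUS_BODY))
```

Access logs alone only show that the endpoints were touched; the body check needs a reverse proxy or WAF that logs request bodies. Either finding on a host that still has the affected components deployed is a reason to apply Oracle's patch or remove the components before worrying about attribution.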
The May 2019 edition of the GTIC Monthly Threat Report provides insight and a few recommendations on these globally applicable issues. Check it out here, and remember to always maintain a healthy level of paranoia.