Online Threat
In 2019, we saw a significant increase in the number of exposed containers being vulnerable to attacks. We anticipate we’ll continue seeing additional instances of exposed containers posing risks to enterprises in 2020, and attackers will continue to innovate how they target businesses through the cloud since more organizations will continue adopting the technology. Even if the containers are not exposed insecurely for others to take advantage of, the systems can still suffer from vulnerabilities like traditional software and operating systems.
The trend of vulnerabilities in cloud software and apps is something that will continue to increase. An example of this is Unit 42’s discovery of the first crypto-jacking worm being spread using containers in the Docker Engine (Community Edition).
Additionally, we anticipate ransomware attacks to continue in 2020 and may even get worse, as in 2019 we saw an increasing number of Online Threat actors not only selling ransomware and ransomware-as-a-service, but also creating ransomware tutorials. Last year we predicted a rise in post-intrusion ransomware to disrupt entire businesses targeted specifically to lead to much larger ransom amounts. During the year we documented the LockerGoga malware family, which made an impact, especially in Europe.
Unit 42 researchers also analysed roughly 10,700 unique malware samples written in Go we obtained, and determined in July – based on timestamps – that Go-compiled malware had been steadily on the rise for a number of months in 2019. Additionally, 92% of the samples identified were compiled for the Windows operating system, indicating that this is the most heavily targeted system by Go malware developers. While Go malware still hasn’t gained a significant interest from malware developers, we anticipate Go-compiled malware to continue gaining popularity in 2020. It’s worth noting that Unit 42 has also seen nation-state adversaries using the Go language, amongst others, in the past. It seems this is mainly to change how their malware code looks when inspected by security scanners.
2019 key attack group updates
PKPLUG
After three years of tracking, Unit 42 published a profile in October on a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. We dubbed the Online Threat actor group (or groups, since our current visibility doesn’t allow us to determine with high confidence if this is the work of one group) “PKPLUG” and tracked in and around the Southeast Asia region, particularly Myanmar, Taiwan, Vietnam, and Indonesia; and likely also in various other areas in Asia, such as Tibet, Xinjiang, and Mongolia. This actor targeted Android devices with espionage malware as well as the traditional Windows targets using typical malware such as PlugX and Poison Ivy, as well as previously undocumented malware, Farseer, providing backdoor capabilities on victims’ systems.”
xHunt
Between May and June 2019, Unit 42 observed previously unknown tools used in the targeting of transportation and shipping organizations based in Kuwait, with one of the variations of these tools including dating back to July 2018. In September, we published how these tools show potential overlaps with OilRig ISMAgent campaigns, which are focused targeting organizations within the transportation and shipping industry in the Middle East. Due to these overlaps, we plan to continue tracking this activity very closely in 2020 to determine as much as we can about the Online Threat groups. Tools used in the xHunt campaigns had multiple Command & Control (C2) techniques including a novel capability to create draft emails to communicate with the Online Threat actor without having to actually send an email, making it potentially harder to detect the communication mechanism.”
BabyShark
In February, Unit 42 researchers identified and published a report about spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The malware, which we named “BabyShark,” exfiltrates system information to its C2 server once it infects a system and maintain persistence on said system, awaiting further instructions from the operator. “
Mirai
Variants of Mira, the infamous IoT/Linux botnet, were plentiful in 2019. Unit 42 discovered a new variant in January targeting enterprise wireless presentation & display systems; another in February compiled for new processors/architectures not previously seen before, and eight new exploits added in June to target a broader range of IoT devices. IoT devices continue to be a popular target among hackers, mostly because the awareness of IoT security is not as prevalent, and the expected number of IoT devices will only continue to grow in 2020, especially as 5G comes to fruition.
