Moving Target Defense Blog

The term “advanced persistent threats” describes the highly evolved nature of today’s cyberattacks. Hackers have developed sophisticated techniques – in-memory exploits, living-off-the-land attacks, remote access trojans, and more – that allow them to evade detection and attack in obscurity. However, as much as these techniques have changed over time, the underlying goal, or “tactic” as MITRE calls it in their ATT&CK framework, remains the same: stealing something valuable.

Since early March, the team at Morphisec Labs has been supporting enterprises as they shift to distributed workforces in response to COVID-19. From assisting hospitals with securing their remote workers to uncovering new weaknesses in collaboration applications that could pose a threat to business continuity, we’ve been working hand-in-hand with customers, counterparts at security companies, and authorities to stay ahead of defending against a rapidly evolving cyberattack landscape.

When it comes to public health, good cyber hygiene is paramount in avoiding infection. For companies looking to prevent cyber attacks, the same logic applies. According to a report by Accenture, the average number of security breaches a company faces each year has increased by 67 percent since 2014. Additionally, Ponemon Institute found that the average cost of successful attacks increased 78 percent between 2017 and 2019, from $5.01 million to $8.94 million.

The Morphisec Labs team has tracked an obfuscated VBScript package in campaigns since March 2020. Initially, the malware campaign was focused on targets within Germany, but has since moved on to additional targets--excluding any IP address within Russia or North Korea.

As part of a rapid change in the work environment during the COVID-19 pandemic, Morphisec Labs has been tracking the change in the attack trend landscape. This has included the evolution of adware, PUA, and fraudulent software bundle delivery beyond a consumer problem into a significant attack vector on enterprise employees.

If you rely on a cloud-based Virtual Desktop Infrastructure (VDI), you’re hardly alone. Projections suggest the market for this technology will grow from about $3.6 billion in 2017 to more than $10 billion in 2023, but the ceiling could actually be much higher as the Coronavirus pandemic drives demand for exactly what virtualized desktops have to offer.

Ursnif/Gozi Introduction:

Morphisec has been tracking an uptick in the delivery of Ursnif/Gozi during the COVID-19 pandemic. Specifically, we have noticed a significant spike both in numbers and sophistication. The latest delivery methods will many times involve old-school Excel 4.0 macro functionality, which historically is a blind spot for AV detection as it has nothing to do with the VBA macro engine and is integrated as part of the workbook. INQUEST reported the use of similar techniques as part of a Zloader delivery campaign. Interestingly, in the latest campaign, it looks like the malware writers removed the image from the Excel document to avoid OCR heuristic detection following the INQUEST article.

The term “new normal” means different things to different people. For some, the term is synonymous with a return to the office (just with a few tweaks), while others think that co-located teams are gone for good. The reality is probably somewhere in between. Household names like Google and Facebook are planning for a future where most of their employees work remotely most of the time. And where big tech goes, other organizations tend to follow.

Millions of desks are sitting empty because of the COVID-19 epidemic, turning remote work into the “new normal.” Sudden as this transformation may be, however, it’s actually an acceleration of existing trends.

The rise of fileless attacks in the past 10 years has stymied even the best antivirus software. Traditional AV is designed to detect known signatures of known malware and prevent it from executing. Fileless attacks lack a signature, which allows it to handily bypass traditional antivirus products.