Moving Target Defense Blog

In recent weeks we've seen threat actors stepping up ransomware attacks against hospitals at a moment when saving lives is their most important focus. To keep critical care operating uninterrupted, it’s become more important than ever for hospitals to harden their environment with ransomware prevention.Without secure  infrastructure, treatments and surgeries can and do grind to a halt. The operators of the Ryuk ransomware, for example, targeted 10 healthcare organizations over the course of the past month and are continuing to attack and encrypt data at healthcare organizations, according to Bleeping Computer.

Following the increase in Parallax RAT campaigns -- the new RAT on the block, Morphisec Labs decided to release more technical details on some of the latest campaigns that the Morphisec Unified Threat Prevention Platform intercepted and prevented on our customer’s sites.

Remote work is no longer limited to outside sales reps traveling across the country. Today, the remote employee movement has reached into practically every industry. So much so, in fact, that according to Owl Labs, 54 percent of people work remotely at least once per month, 48 percent work remotely at least once per week, and 30 percent work remotely full-time. This marks a substantial change from only a decade ago, when the only people working remotely were often contractors or sales reps.

We’re in the middle of a shift between on-premises server workloads and cloud workloads. The shift started around 10 years ago and will likely continue for the next two decades. After the past decade of cloud adoption, according to 451 Research, 90 percent of all organizations are using cloud technology and 60 percent of all IT workloads are conducted in the cloud.

EDITOR'S NOTE: The previous version of this blog post mis-identified the source of this attack as the FIN7 group; GRIFFON and OSTAP are both very long javascripts that have many similarities. This caused the confusion in identifying the attack as coming from FIN7. This is still an important find though, as Trickbot is one of the most advanced malware frameworks. 

Over the past few weeks, Morphisec Labs researchers identified a couple dozen documents that execute the OSTAP javascript downloader. 

Organizations in every industry and at every level of government face more cyberattacks each day. According to Ponemon Institute’s recent research, 68 percent of organizations note an increased frequency of attacks against their endpoints. Often, these threats are zero days, fileless attacks, in-memory exploits, and evasive malware designed to circumvent antivirus and endpoint detection and response solutions.

Protecting your organization from advanced threats has always been difficult. Adversaries innovate constantly, changing their attack vectors and finding new ways to infiltrate their target environment. The Trickbot trojan is one of the best examples; its authors have used news coverage from President Trump’s impeachment trial and the WSReset UAC Bypass among other changes to push the trojan past antivirus and malware scanners.

The Trickbot trojan is one of the most advanced malware delivery vehicles currently in use. Attackers have leveraged it to deliver a wide variety of malicious code, in many different methods. Just yesterday, Bleeping Computer reported that news articles from President Trump’s impeachment trial have been used to hide Trickbot from antivirus scanners.

Recently, news came out about a CVE-2020-0674 vulnerability in Microsoft’s Internet Explorer scripting engine based on how the browser handles memory. More specifically, within the JScript component of the scripting engine is an unspecified memory corruption vulnerability. What this means in practice is that any application that supports embedding Internet Explorer or its scripting engine can be leveraged as an attack vector.

Antivirus protection is a baseline cost of doing business for the modern organization. At first, companies and governments only needed signature-based antivirus that tracked known malware. As fileless malware and exploits accelerated, next-gen antivirus that leveraged AI and behavioral analysis came on the scene to respond.