The first quarter of 2018 saw a dramatic increase in the number of cyberattacks targeting consumer-grade routers many of which were in the education, construction, and biotechnology sectors due to their high concentration of the routers.
The eSentire Quarterly Threat Report noted a 539 percent uptick in attacks targeting the routers since Q4 2017 with the high threat volume of attacks likely indicating an over exposed threat surface in these sectors, the report found.
Researchers noticed attackers were using legitimate Microsoft binaries such as PowerShell and MSHTA which in the wrong hands, are powerful tools for downloading and executing malicious code in the initial stages of a malware infection.
MuieBlackCat and ZmEu Scanners were among the most popular tools used in the first quarter as they were both used to find vulnerabilities in php-based web servers. Threat actors also used OpenVAS and NMAP scanners as they are often used during the early reconnaissance phase of an incident or campaign, researchers said.
“The prevalence of brute force attacks and outdated exploit attempts implies that a high degree of automated, low-capability threats populate hostile internet traffic,” researchers said in the report. “These opportunistic threats are numerous, but rarely successful.”
The majority of these attacks involved information gathering scans, intrusion attempts, and reputation blocks. Intrusion attempts grew 36 percent largely to exploitation of a DNS manipulation vulnerability in consumer-grade routers, and accounted for 44 percent of the threat types observed.
Reputation block attacks accounted for 25 percent of attacks observed while information gathering attacks accounted for 23 percent of them. Malicious code and phishing attacks were also seen to a lesser extent.
Researchers noted that while phishing attacks represented a small percentage of the overall observed attacks they maintained a fairly consistent success rate and often lead to the complete compromise of a network when not quickly addressed.
Phishing attempts rose 39 percent across industries with exploits leveraging DocuSign, Office 365, and OneDrive and despite, DocuSign being the most popular lure used overall had the best success rate.
To prevent these kind of attacks, researchers recommend users log powershell activity across the network, block word document macros, enforce user education, restrict privileges, enforce user education, implement application whitelisting and maintain up to date antivirus defenses.