The PacketWatch Intelligence Team
May 21, 2020 3:30:00 AM
Extensive Remote Workforce and Upcoming American Holiday Likely to Attract Significant Increase in Ransomware Attacks
Since May 4th, we have seen an eye-catching increase in cyber incidents, email compromise, and ransomware attacks.
As we approach the US Holiday, Memorial Day, we expect this increase to continue. To help improve your awareness, we offer the following trends and fairly consistent indicators pointing back to Eastern European and Russian criminal actors.
Here are some of the prevalent trends that we have seen recently:
We are sharing the following recommendations, in order of importance, based on recent research and incidents we’ve worked throughout May:
The knowledge we gain through our Incident Response Practice often gets “re-invested” into PacketWatch as alerts and queries that watch for anomalous trends and threats.
Following is a PacketWatch graph showing activity for the past week from Russian IP addresses. This activity is collected via an externally-facing PacketWatch node not filtered by a firewall, affording us tremendous visibility into the holistic nature of internet traffic.
As you’ll notice in the following graph, Russian activity last week noticeably spiked starting around 00:30 on Friday, May 15, and subsided the following Tuesday morning.
When we break this traffic out by Autonomous System Number (ASN), we see that two ASNs appear to be primarily responsible for this increase in traffic. Please see the following graph.
We traditionally see a surge in cyber attacks on or around major American holidays, since attackers are keen to exploit victims they suspect may be less vigilant due to vacations, remote work, or the typical excitement and distractions that accompany holiday activities.
Lately, the surge in attack traffic appears to be focused on ports 445, 23, and 3389 (SMB, Telnet, and RDP, respectively). These ports are typical threat vectors for wormable exploits and ransomware deployment. Based on the timing of this swell of activity as well as the targeted ports, we assess with moderate to high confidence that organizations with services open and responding on these ports may face significant targeting over the coming Memorial Day weekend.
Looking at Russian activity over the past week, we also see a fair amount of other traffic looking for interesting services such as Secure Shell (port 22, SSH) and port 5900, which is associated with Apple’s remote network computing. Database administrators will be interested to see that port 1433 (SQL) makes an appearance here as well.
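The ASN breakdown and the per-port view described above can be reproduced over ordinary flow or firewall logs. The following is an added example, not PacketWatch's own code; it assumes a hypothetical record format of "timestamp src_ip src_asn dst_port" (ASN lookup already done upstream) and uses constructed sample records, and it flags any hour whose hit count on the ports named in the post stands out against the other hours.

```python
from collections import Counter
from datetime import datetime

# Ports the briefing calls out, with the service each is commonly bound to.
WATCH_PORTS = {445: "SMB", 23: "Telnet", 3389: "RDP", 22: "SSH", 5900: "VNC", 1433: "MSSQL"}

# Constructed sample flow records "timestamp src_ip src_asn dst_port" using
# RFC 5737 test addresses and hypothetical ASNs; not real observations.
SAMPLE_FLOWS = """\
2020-05-14T22:10:00 203.0.113.10 AS64500 445
2020-05-14T23:05:00 203.0.113.11 AS64501 3389
2020-05-15T00:31:00 203.0.113.12 AS64500 445
2020-05-15T00:32:00 203.0.113.13 AS64500 445
2020-05-15T00:40:00 203.0.113.14 AS64500 3389
2020-05-15T00:41:00 203.0.113.15 AS64500 23
2020-05-15T00:45:00 203.0.113.16 AS64501 3389
2020-05-15T00:50:00 203.0.113.17 AS64500 445
2020-05-15T01:10:00 203.0.113.18 AS64501 22
2020-05-15T01:15:00 203.0.113.19 AS64500 80
"""

def parse_flow(line):
    """Return (hour_bucket, asn, port) for a well-formed record, else None."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts.replace(minute=0, second=0, microsecond=0), parts[2], int(parts[3])

def watched(text):
    """Parsed records whose destination port is one of the watched ports."""
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec and rec[2] in WATCH_PORTS:
            yield rec

def count_by_asn_port(text):
    """Hits per (ASN, port): the breakdown behind 'which ASNs drive the surge'."""
    return Counter((asn, port) for _, asn, port in watched(text))

def hourly_spikes(text, factor=3.0):
    """Hours whose watched-port hits exceed `factor` times the other hours' mean."""
    per_hour = Counter(hour for hour, _, _ in watched(text))
    total, others = sum(per_hour.values()), len(per_hour) - 1
    return [(hour.isoformat(), n) for hour, n in sorted(per_hour.items())
            if n > factor * ((total - n) / others if others else 0.0)]
```

Port 80 traffic is ignored by design, so a busy web server does not mask a probe wave against the watched ports.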