- The number of attacks on RDP decreased for the first time since the beginning of 2020 (-43%), with attack attempts against SQL (-64%) and SMB (-26%) also declining.
- Prior to the invasion of Ukraine, Russia and other Commonwealth of Independent States (CIS) countries were typically excluded from ransomware target lists, possibly because the criminals live in those countries or fear retaliation; in Q1 2022, Russia faced the highest share of detections (12%) in the Ransomware category.
- The war has brought an influx of phishing and deceptive campaigns taking advantage of people who are trying to support Ukraine; these were detected almost immediately after the invasion began. In March and April 2022, Emotet operators shifted gears, launching large spam campaigns using corrupted Microsoft Word documents, leading to a 113-fold increase in the number of detections in Q1 2022.
- Emotet campaigns were reflected in email threat categories, which grew by 37% in Q1 2022.
ESET has released its First Quarter 2022 Threat Report, summarizing key statistics from ESET’s detection systems and highlighting notable examples of ESET’s cybersecurity research. The report’s most pressing concern is the series of cyber attacks connected to the current war in Ukraine, which ESET researchers have analyzed or helped mitigate. This includes the return of the infamous Industroyer malware, which attempted to target high-voltage electrical substations.
ESET’s telemetry has also recorded other changes in the cyber threat environment that may have a connection to the situation in Ukraine. Roman Kováč, Research Director at ESET (CRO), clarifies why this report is so focused on cyber threats related to this war: “Several conflicts are happening in different parts of the world, but for us, this one is different. Across the borders in western Slovakia, where ESET has its headquarters and several offices, Ukrainians are fighting for their lives and sovereignty.”
Shortly before the Russian invasion, ESET telemetry recorded a dramatic drop in Remote Desktop Protocol (RDP) attacks. The decline comes after two years of steady growth, and the Exploits section of ESET’s latest Threat Report explains that this turnaround may be related to the war in Ukraine. Even with this drop, almost 60 percent of the incoming RDP attacks seen in Q1 2022 originated in Russia.
Another side effect of the war: while ransomware threats had previously seemed to avoid targets located in Russia, during this period Russia was the most threatened country according to ESET’s telemetry. ESET researchers have even detected screen-locking variants using Ukraine’s national greeting “Slava Ukraini!” (Glory to Ukraine!). Since the Russian invasion of Ukraine, there has been an increase in amateur ransomware and wipers. Their authors often declare support for one side of the conflict and frame the attacks as personal revenge.
As expected, the war has also been exploited by spam and phishing threats. Immediately after the invasion, on February 24, scammers began taking advantage of people who were trying to support Ukraine, using bogus charities and fundraisers as bait. On that day, ESET’s telemetry recorded a large spike in spam detections.
ESET’s telemetry also saw several other threats unrelated to the war between Ukraine and Russia. “We can confirm that Emotet – the infamous malware, spread mainly through email spam – is back after last year’s takedown attempts, and has fired again in our telemetry,” explains Kováč. Emotet operators fired off one spam campaign after another in the first quarter, with Emotet detections growing more than a hundredfold. However, as the Threat Report shows, the campaigns relying on malicious macros may have been the last of their kind, given Microsoft’s recent move to disable macros obtained from the web by default in Office applications. Following that move, Emotet operators have begun testing other vectors, which so far compromise mostly smaller groups of victims.
ESET’s Q1 2022 Threat Report also reviews the most important information security findings over the past year, such as the abuse of vulnerable signed kernel drivers; high-impact Unified Extensible Firmware Interface (UEFI) vulnerabilities; cryptocurrency malware targeting Android and iOS devices; an as-yet-unattributed campaign deploying the DazzleSpy malware on macOS; and campaigns by Mustang Panda, Donot Team, Winnti Group, and the TA410 APT group.
The report also contains an overview of several talks given by ESET researchers in Q1 2022 and introduces planned talks for the RSA Conference and REcon in June 2022, showcasing ESET research on Wslink and ESPecter. These will be followed by a talk at the Virus Bulletin Conference in September 2022.
For more information, go to ESET’s First Quarter 2022 Threat Report on WeLiveSecurity.
*** Translated by DEFCONPress Team ***