BlackBerry recently released its Global Threat Intelligence Report, which provides a deep analysis of current cyber threats to help inform the strategies of IT and security leaders. The report leveraged data and telemetry obtained from the company's artificial intelligence (AI)-driven products and analytical capabilities, as well as other public and private intelligence sources and insights from human threat researchers and intelligence analysts. We had the opportunity to speak with Dmitry Bestuzhev, Most Distinguished Threat Researcher at BlackBerry, to learn more about the report's findings and the threats organizations should be particularly aware of.
What was most surprising about this year's report? (top stats you'd like to highlight)
The most alarming statistic BlackBerry’s Threat Research and Intelligence team uncovered was that in the 90 days between September 1 and November 30, 2022, our AI-driven prevention-first technology stopped 1,757,248 malware-based cyberattacks. This included 62 unique samples per hour, or one sample each minute.
The most common cyber weapons used in attacks included the resurgence of the Emotet botnet after a four-month dormancy period, the presence of the Qakbot phishing threat, which hijacks existing email threads to convince victims of their legitimacy, and the increase in infostealer downloaders like GuLoader.
We also found that macOS is not immune. It’s a common misconception that macOS is a ‘safe’ platform because it’s used less among enterprise systems. This misconception could be lulling IT managers into a false sense of security. Many executives and developers use MacBooks, and both types of users have keys to this kingdom – and in many cases, malicious code is explicitly downloaded by the users themselves. The most-seen malicious application on macOS was Dock2Master, which collects user data from its own ads. Our researchers noted that 34 percent of client organizations using macOS had Dock2Master on their network. The bottom line is that no platform is safe. These devices must be managed in a unified way, and we must follow the same principles of implementing least privilege. For example, unified management can go a long way in controlling platforms.
How has the threat landscape changed in the past year with hybrid workforces in full swing?
Hybrid and remote workforces are heightening the need for unified endpoint security, today and in the future. Remote employees don’t prioritize security when they purchase IoT devices for their homes, and there is a substantial – and growing – gap in cybersecurity protection.
With the rise of remote and hybrid work, the more employees use external access, the more attackers take advantage by using information stealers. In the past, these were mostly used for fraud, to steal corporate credentials and sell them on the black market. Those credentials are abused by attackers to compromise networks and deploy ransomware.
What top threats should end-users be wary of during this time and how can they defend themselves?
This truly depends on your organization’s threat model. The most widespread malware families we’ve seen in the last 90 days include loaders, such as Emotet. It’s one of the most prolific threats and it’s seen a resurgence, using previously seen techniques along with a phishing campaign distributing malicious Microsoft Office documents. The malicious document tries to convince the victim to copy the document into a directory where macros can be executed. Emotet is also known for dropping the banking Trojan IcedID, which has strong connections to multiple ransomware groups.
LockBit ransomware has been the most active and successful ransomware-as-a-service in 2022, and there’s no sign of them slowing down. LockBit evolved to its 3.0 version, which includes several anti-debugging techniques that make it harder to analyze, string encryption, and other techniques borrowed from the now-retired BlackMatter ransomware.
Infostealers like RedLine are also a concern. RedLine was the most active and widespread information stealer in this last quarter. It’s capable of stealing credentials from several targets, such as browsers, crypto wallets, and VPN software.
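The Emotet lure described above works because Office runs macros without prompting from directories it treats as Trusted Locations, so a document copied there bypasses the usual warning. The script below is an added example, not part of the report or BlackBerry's tooling: it audits the per-user Word Trusted Locations registry entries (the `LocationN` subkeys with `Path` and `AllowSubfolders` values) and flags any that resolve to a user-writable path or a network share. The `DEMO_ENTRIES` and `DEMO_ENV` values are constructed for offline use; the writability heuristic (anything under `C:\Users` or a UNC path) is an assumption, not a Windows ACL check.

```python
"""Flag Office Trusted Locations a standard user could drop a document into."""
import os
import re
import sys
from pathlib import PureWindowsPath

# Constructed environment for the offline demo; on a real host os.environ is used.
DEMO_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming",
            "USERPROFILE": r"C:\Users\alice",
            "PROGRAMFILES": r"C:\Program Files"}

# Constructed entries shaped like HKCU\...\Word\Security\Trusted Locations\LocationN:
# two typical defaults plus one risky custom entry (assumed, for illustration).
DEMO_ENTRIES = [
    {"key": "Location0", "Path": r"%APPDATA%\Microsoft\Templates", "AllowSubfolders": 0},
    {"key": "Location1", "Path": r"%PROGRAMFILES%\Microsoft Office\root\Templates", "AllowSubfolders": 1},
    {"key": "Location9", "Path": r"%USERPROFILE%\Downloads", "AllowSubfolders": 1},
]

def expand(path, env):
    """Expand %VAR% references with a case-insensitive lookup in env."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), path)

def is_user_writable(path):
    """Heuristic: UNC shares and anything under C:\\Users count as user-writable."""
    if path.startswith("\\\\"):
        return True
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) >= 2 and parts[0] == "c:\\" and parts[1] == "users"

def audit(entries, env):
    """Return the entries whose resolved path lets a user-placed document run macros silently."""
    findings = []
    for e in entries:
        resolved = expand(e["Path"], env)
        if is_user_writable(resolved):
            findings.append({"key": e["key"], "path": resolved,
                             "allow_subfolders": bool(e.get("AllowSubfolders", 0))})
    return findings

def read_trusted_locations(app="Word", version="16.0"):
    """Read LocationN entries for the current user (Windows only)."""
    import winreg  # only importable on Windows
    base = rf"Software\Microsoft\Office\{version}\{app}\Security\Trusted Locations"
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                entry = {"key": name}
                for value in ("Path", "AllowSubfolders"):
                    try:
                        entry[value] = winreg.QueryValueEx(sub, value)[0]
                    except FileNotFoundError:
                        pass
                if "Path" in entry:
                    entries.append(entry)
    return entries

if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    for f in audit(read_trusted_locations() if on_windows else DEMO_ENTRIES,
                   dict(os.environ) if on_windows else DEMO_ENV):
        print(f"{f['key']}: {f['path']} (subfolders={f['allow_subfolders']})")
```

Findings like the user templates folder are expected defaults; the point of the audit is the custom entries under profile or share paths, which are the ones worth removing or overriding with the "Disable all Trusted Locations" Group Policy setting.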