After enterprises beefed up work-from-home security in the midst of a pandemic, threat actors saw diminishing returns and looked elsewhere for opportunities. In Q3, they zeroed in on the education sector and the U.S. elections. At the same time, attackers continued to assault companies in all industries – and especially healthcare and manufacturing – often through internet-connected devices. Nuspire’s Q3 Threat Landscape Report summarizes the quarter’s most active malware, botnets and exploits and provides recommendations to protect your organization.
When conditions change, threat actors regroup and refine their techniques. In Q3, assailants turned to public entities already burdened by pandemic concerns. Schools, colleges and universities were forced into online or hybrid learning models, a move that created new vulnerabilities. Attackers leapt into action using malware and ransomware. An Education Week article describes massive disruptions in several states.[1]
A top elections target was the U.S. Election Assistance Commission (EAC). The Nuspire team observed phishing attempts that steered victims to fake voter registration pages in order to harvest information. The EAC confirmed that phishing emails used EAC graphics in an attempt to trick recipients into entering their name, date of birth and other personal information into a malicious web form….[2]
According to Nuspire analysts, total malware activity increased 128% compared to Q2 (which itself had decreased 12% compared to Q1). Q3 activity trended upward throughout the quarter and peaked at a 670% increase over the level seen at the start of the quarter. While Emotet remained a top offender, the largest contributor was Visual Basic for Applications (VBA) agents. This trojan abuses Microsoft Office applications: malspam campaigns encourage users to open attachments in which malicious macros are embedded.
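Since the VBA agents described above ride in on Office attachments with embedded macros, a mail gateway or triage script can flag such attachments before a user ever opens them. The following is an added example, not code from Nuspire or the report: it builds a constructed OOXML sample in memory (no real attachment is needed) and checks whether the archive carries a VBA project; legacy OLE2 files (.doc/.xls) are flagged for deeper inspection because this quick check cannot see inside them.

```python
import io
import zipfile

# OLE2 compound-file signature used by legacy .doc/.xls/.ppt (a known constant).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML archive so the check runs offline.

    Real Word files contain many more parts; only the macro container matters here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # In a genuine .docm the VBA project is stored exactly at this path.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"stub")
    return buf.getvalue()


def has_vba_macro(data: bytes) -> bool:
    """True if an OOXML blob (docm/xlsm/pptm, or a mislabelled docx) carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False  # not a zip container, so not OOXML
    return any(n.endswith("vbaproject.bin") for n in names)


def triage_attachments(attachments):
    """attachments: iterable of (filename, bytes). Returns [(filename, reason), ...]."""
    flagged = []
    for name, data in attachments:
        if has_vba_macro(data):
            flagged.append((name, "OOXML attachment contains a VBA project"))
        elif data.startswith(OLE_MAGIC):
            # Legacy binary Office formats can hold macros too; hand off to a full parser.
            flagged.append((name, "legacy OLE2 Office file: macros possible, inspect further"))
    return flagged


if __name__ == "__main__":
    sample = [
        ("invoice.docm", build_sample(True)),
        ("notes.docx", build_sample(False)),
        ("old_report.doc", OLE_MAGIC + b"\x00" * 16),
    ]
    for filename, reason in triage_attachments(sample):
        print(f"FLAG {filename}: {reason}")
```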
Total botnet activity decreased by 6% in Q3 compared to Q2, with phishing the most common spreader. The most active botnet observed by the Nuspire team was H-Worm, which can execute files, reboot machines, conduct keylogging and steal information from web browsers. It can also customize the communication ports used to contact its command-and-control (C2) server, and it reports on the operating system, system users and attached USB devices.
Total exploit activity increased by less than 2% from Q2, and the most active exploit was DoublePulsar. This exploit enables attackers to search for and gather exposed remote desktop protocol (RDP) connections, which are then sold in bulk on the dark web; in Q3, the Nuspire team noted more than 2,000 such sales. Additionally, an HTTP Server Authorization Buffer Overflow attack successfully exploited a GitStack vulnerability, for which a patch is now available.
Threat actors aren’t going to let up, so keep your eye on two things: preparation and incident response. Both should be customized for your organization and industry. Having the right security controls minimizes the risk of breach, and the right incident response shortens dwell time and limits damage.
In every industry, cybersecurity awareness training should be a priority because most infections start through email when users interact with malicious attachments. Strengthen security further by following these best practices:
Simple actions make a big difference in protecting what’s valuable in your environment. Not sure about the security status of your network and every endpoint? Do a remote breach assessment.
For more information on the current threat landscape, including a list of indicators of compromise, download the Nuspire Q3 Threat Landscape Report.
[1] Education Week, "Cyberattacks Disrupt Learning Even More During COVID-19," September 14, 2020.
[2] U.S. Election Assistance Commission, News Alert – "False Voter Registration Phishing Email."