Interactive Report Summary

Q1 2021 Threat Report

Malware, botnet and exploitation are down this quarter, but attackers continue to look for the next angle.
Download the Report

Top Findings at a Glance

Era of Remote Access

2020 shifted the workplace for numerous organizations into a remote-friendly atmosphere in efforts to combat the spread of COVID-19. While the workforce adjusted, system administrators scrambled to support this level of remote activity by configuring remote connections. Unfortunately, this added multiple new attack vectors that enabled threat actors to prey on organizations.

MALWARE

Decrease in total activity from Q4

-54.47%

BOTNET

Decrease in total activity from Q4

90,671 per week

EXPLOIT

Decrease in total activity from Q4

476,502 per day

Nuspire Culture - Nuspire MSSP meeting room

Malware activity began to trail off at the end of Q4 2020, and that trend continued throughout Q1 2021.

Hashes, domains and IP addresses for Emotet and Trickbot/BazarLoader malware.

Methodology

Hover over tiles to learn more

GATHER

Collects threat intelligence and data from global sources, client devices and reputable third parties.

PROCESS

Data is analyzed by a combination of machine learning, algorithm scoring and anomaly detection.

DETECT

Using Nuspire’s cloud-based SIEM, log data is ingested and alerts the security operations center (SOC). The SOC then notifies the client and works with them to remediate the threat.

EVALUATE

Analysts further scrutinize the research, scoring and tracking of existing and new threats.

DISSEMINATE

Analysts leverage the insights to constantly improve the SOC, alerting, and the community through the creation of detection rules, briefs, and presentations.

Q1 2021 in Review

January through March

Timeline graphic

JANUARY 18

FBI Warns of Vishing Attacks Targeting Corporate Credentials

JANUARY 27

Emotet Botnet Disrupted After International Coordinated Takedown

FEBRUARY 5

New SolarWinds Orion and Serv-U FTP Vulnerabilities Disclosed

FEBRUARY 19

Phishing Campaign on LinkedIn Detected Using “Private Shared Document”

FEBRUARY 26

VMware Patches Critical RCE Flaw in vCenter Server

MARCH 3

Qualys Client Data Potentially Leaked on Clop Ransomware Extortion Site

MARCH 8

Surge of New TrickBot and UNC1878 Infrastructure Creation May Signal Forthcoming Campaign

MARCH 9

CISA Releases Advisory “Strongly Urging” Organizations to Address Exchange Vulnerabilities

MARCH 10

Microsoft March 2021 “Patch Tuesday” Brings 89 New Vulnerabilities, 14 Critical and 2 Zero-Days

MARCH 18

CISA and FBI Release Joint Advisory Regarding TrickBot Malware Campaign

MARCH 30

PHP Git Repository Attacked With Malicious Commits

Let's Dive Into the Data

#
Activity
Average
0

Total Events

0

Unique Variants

-0.47%

Total Activity

Malware

Detection, Q1 2021

Total activity in Q1 declined by -54.47% from Q4

How to Combat
To strengthen your defenses against malware activity, you’ll need to adopt a multiprong approach including endpoint protection platforms and cyber awareness training.

Malware

The decrease in activity is attributed mostly to a significant decline in activity from Visual Basic for Applications (VBA) and agent variants as well as Emotet activity.

#
Activity
Average
0

Total Events

0

Unique Variants

-0.68%

Total Activity

Botnets

Detection, Q1 2021

Total activity in Q1 declined to 90,671 detections per week

How to Combat
To step up your efforts to stop botnet activity, which is usually detected post-infection, we recommend a focus on user awareness training, threat intelligence, next-generation antivirus and threat hunting.

Botnets

Overall, there was a -10.68% decrease in botnet activity observed when compared to Q4 2020, with a significant spike in activity in week 11 of the quarter. The overall decrease in activity likely can be attributed to the shutdown of the Emotet botnet.

#
Activity
Average
0

Total Events

0

Unique Variants

-076%

Total Activity

Exploits

Detection, Q1 2021

Total activity in Q1 declined by -21.76% from Q4

How To Combat
Stop exploits before they do harm by patching systems, using a firewall with IPS, monitoring security news and vendor security bulletins, and disabling unused services.

Exploits

Activity witnessed in Q4 2020 remained in decline until week 10 in Q1, when a sharp increase of SMB brute force attempts occurred before activity dropped back to levels witnessed through most of the quarter.

Remote Access Concerns Aren’t Going Anywhere

The remote workplace continues to be a challenge for organizations as telecommuting increasingly becomes a staple in our society. With this in mind, organizations must prioritize patching/mitigation of remote access vulnerabilities as soon as they are announced. Download the full report to find out how you can prepare and tighten your security controls around the expected challenges highlighted by our security experts.
Download the Report