A new report from the CrowdStrike® Falcon® OverWatch™ team, “Observations from the Front Lines of Threat Hunting,” offers a unique perspective on today’s most sophisticated cyberattacks, compiled by expert hunters working at the forefront of cyber defense. The report details some of the more challenging intrusions the team has analyzed during the first half of 2018, and includes relevant images, graphs, references, and insights for each incident covered. The 2018 Falcon OverWatch mid-year report focuses on sophisticated and persistent intrusions, and should serve as a valuable resource for cybersecurity professionals who may be encountering the same threats in their environments.
Targeted Threat Activity Overview
The report begins with some statistics on intrusions the team has observed. OverWatch specifically hunts for targeted adversaries, so the report’s findings focus on state-sponsored and targeted eCrime intrusion activity. Of the observed targeted breach attempts, nearly half, 48 percent, were attributable to threats from state-sponsored entities. The report also shows that 19 percent of the targeted incidents were criminally motivated, while the perpetrators in the remaining 33 percent were unknown. Looking at how threats stack up by industry shows a somewhat more level playing field, although hospitality, professional services, and especially technology, stand out as the industries enduring more active adversary targeting.
Notable Observations from Targeted Intrusions
The report contains several important observations from OverWatch’s findings, and organizations would be wise to take heed of the prevalent and sophisticated threat tactics discussed. Many of these threat types will likely continue to be encountered in the foreseeable future.
Increasing Interest in Cryptocurrency Mining
The OverWatch team observed multiple intrusions where cryptomining techniques were used against organizations in the legal and insurance industries, after criminal perpetrators had gained privileged access to internal networks. We addressed cryptomining in an earlier blog that looked at how it is transitioning from being a nuisance to a genuine business risk. In the mid-year report, the OverWatch team discloses that it has observed cryptomining dramatically impacting business operations in some organizations — impeding their ability to conduct business as usual for days or weeks at a time. Although cryptomining itself is legal, OverWatch has seen criminal actors deploying cryptocurrency miners in post-exploitation scenarios and using them to perform extensive lateral movement so they can establish a large foothold in an environment and commandeer its resources. The report goes on to detail cases where cryptomining was used against organizations for financial gain.
Lines Are Still Blurred
When CrowdStrike published its 2018 Global Threat Report, one of the key trends it revealed was the blurring of lines between statecraft and tradecraft. This means that less skilled criminal actors have increasingly adopted the more advanced tactics, techniques and procedures (TTPs) used by sophisticated nation-state adversaries. The OverWatch report finds this trend has continued, and cites the malicious use of TeamViewer software as an example.
The report offers details of how the TeamViewer remote administration software tool is still used by adversaries to facilitate remote access to targets and move laterally.
It Can Happen to Anyone
Another trend the OverWatch team observed dispels the notion that only large enterprise organizations are at risk of being targeted by advanced adversaries. In one case, after deploying the Falcon platform across a network, OverWatch quickly found evidence of an ongoing legacy intrusion. The team determined that the victim organization, a web-hosting company, was a smaller branch of the adversary’s primary target. The OverWatch team is moderately confident the adversary was taking advantage of an opportunity to build malicious infrastructure that could facilitate future activities against its primary target. The team observed similar scenarios across numerous industries, illustrating how organizations of any size and in any sector can fall victim to sophisticated and strategic attacks.
Some Prime Targets
The report also includes detailed descriptions of numerous attacks against a number of heavily targeted sectors, including the following:
- Policy NGOs: The team observed active use of China Chopper against several organizations overseas.
- Biotechnology Industry: The OverWatch team observed targeted adversary interest in biotech companies, likely motivated by industrial espionage.
- Technology Sector: Adversaries continue to plague the technology sector and have been observed using particularly creative techniques to evade detection, such as using legitimate Microsoft tools to decode binaries masquerading as Windows update log files.
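The technology-sector observation above describes binaries hidden inside files that pose as Windows update logs and are decoded on the host with built-in tools. One way a defender can hunt for that disguise on disk, as an added example that is not part of the report or of any CrowdStrike tooling, is to check whether a supposed log file is really an encoded executable. The example assumes the encoding is base64 (optionally wrapped in certificate-style BEGIN/END lines); the report does not state the encoding, and the sample file contents are constructed stand-ins, not real artifacts.

```python
import base64
import binascii
import re

# Constructed samples standing in for files found in a "Windows update log" location.
# FAKE_PE_PREFIX is a truncated MZ header plus the familiar DOS stub text, not a real binary.
FAKE_PE_PREFIX = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
SAMPLE_FILES = {
    # a genuine-looking log line (constructed)
    "WindowsUpdate.log": b"2018-06-01 12:00:01 Agent   * START * Finding updates\n",
    # bare base64 of a PE, masquerading by file name alone
    "wuauclt_2018.log": base64.b64encode(FAKE_PE_PREFIX),
    # base64 of a PE wrapped in certificate armour lines (assumed disguise variant)
    "setupapi.log": (b"-----BEGIN CERTIFICATE-----\n"
                     + base64.b64encode(FAKE_PE_PREFIX)
                     + b"\n-----END CERTIFICATE-----\n"),
}

# Strict base64 alphabet; real log text contains spaces, colons and asterisks and will not match.
B64_RE = re.compile(rb"^[A-Za-z0-9+/=]+$")


def looks_like_encoded_pe(data: bytes) -> bool:
    """True if the content is a base64 blob (with optional -----BEGIN/END----- lines)
    that decodes to data beginning with the 'MZ' executable header."""
    # Drop PEM-style armour lines and join the remainder into one blob.
    lines = [ln.strip() for ln in data.splitlines() if not ln.startswith(b"-----")]
    body = b"".join(lines)
    if not body or not B64_RE.match(body):
        return False
    try:
        decoded = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded[:2] == b"MZ"


def scan_files(files: dict) -> list:
    """Return the names of .log files whose contents are really encoded executables."""
    return sorted(
        name for name, content in files.items()
        if name.lower().endswith(".log") and looks_like_encoded_pe(content)
    )


if __name__ == "__main__":
    for suspicious in scan_files(SAMPLE_FILES):
        print(f"suspicious: {suspicious} decodes to a PE image")
```

In practice this content check complements, rather than replaces, monitoring of the decode step itself: the report's point is that the decoding is done with legitimate Microsoft tools, so telemetry on which built-in utility wrote a new executable, and from what parent process, is the other half of the detection.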
The 2018 Mid-Year OverWatch report offers details on these examples and many more, giving you valuable insight into the threats you may be facing now and over the coming months.
Download the 2018 Mid-Year OverWatch Report.
Visit the CrowdStrike Falcon OverWatch web page.
Download the CrowdStrike 2018 Global Threat Report.
Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.