Bitdefender Threat Debrief | November 2022

Martin Zugec

November 30, 2022

MDR Insights

MITRE Engenuity ATT&CK® Evaluation for managed services

MITRE, an internationally recognized organization known for the ATT&CK framework, released its first Engenuity ATT&CK® Evaluation for Managed Services results on November 9, 2022. The MITRE Evaluation tested several well-known MDR vendors, including Bitdefender. The evaluations serve as an impartial starting point to understand how managed security providers identify attacks, and what is delivered by the participants.  

The original ATT&CK framework has changed the way teams develop threat models and methodologies, and how we as security analysts investigate cyber attacks by looking for clues outside of raw indicators. Modern threat actors rely on a variety of evasion techniques, including living off the land by leveraging binaries, scripts, or libraries that are already on the target system (or can be downloaded without raising suspicion). Often, security tools detect only what they have been coded to catch, but ATT&CK forces security practitioners to look beyond those straightforward detections. Analysts apply a deep understanding of threats when uncovering malicious activity, while filtering out the noise and bringing actionable alerts to the customer. This is what makes MDR services invaluable in today’s cyber climate. 

During the weeklong exercise, our globally distributed teams were able to flex their collaboration muscles and ensure the processes Bitdefender has in place are effective to deliver the best outcomes for customers. As one of our guiding principles, Bitdefender MDR operated as closely as possible to our normal procedures. The Bitdefender Labs organization worked with our SOC analysts, investigating detections and attacker techniques, while the cyber intelligence unit (Cyber Intelligence Fusion Cell) provided additional context behind observed behaviors and potential investigational pivots to assist SOC hunts. Bitdefender MDR capitalized on lessons learned and continually strives to identify opportunities to improve our incident handling processes that ultimately make our service even better for our customers. 

The Bitdefender MDR team leveraged our native security stack to detect 100% of the attack steps, while providing actionable, summarized output with a clear timeline of the attack and recommended actions. The SOC used existing reporting mechanisms to deliver daily updates, as well as a post-incident report - just as we do in real-world incidents. 

For evaluations of the effectiveness of our underlying technology for prevention and detection capabilities, you can review results from the previous round of MITRE ATT&CK Evaluations, or results by an independent team from AV-Comparatives. Third-party, independent testing with a well-defined methodology offers invaluable insights into the capabilities of leading cybersecurity companies so you can make informed decisions. Cybersecurity is a game of cat and mouse, with both sides continuously innovating and improving tools and techniques, and security vendors need to prove their solutions are effective, accurate, and provide consistent results. 

Ransomware report

Spear phishing attacks are often used as an initial attack vector, and ransomware infection is often the final stage of the kill chain. For this report, we analyzed malware detections collected in October 2022 from our static anti-malware engines. Note: we only count total cases, not how monetarily significant the impact of infection is. Opportunistic adversaries and some Ransomware-as-a-Service (RaaS) groups represent a higher percentage compared to groups that are more selective about their targets, since they prefer volume over higher value. 

When looking at this data, remember these are ransomware detections, not infections. 

Top 10 ransomware families

We analyzed malware detections from October 1 to October 30. In total, we identified 189 ransomware families. The number of detected ransomware families can vary each month, depending on the current ransomware campaigns in different countries. 

Top 10 countries

In total, we detected ransomware from 150 countries in our data set this month. Ransomware continues to be a threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Many ransomware attacks continue to be opportunistic, and the size of population is correlated to the number of detections. 

Android trojans

Below are the top 10 trojans targeting Android we have seen in our telemetry during October 2022.  

Downloader.DN - Repacked applications taken from Google App Store and bundled with aggressive adware. Some adware downloads other malware variants.

SMSSend.AYE - Malware that tries to register as the default SMS application on the first run by requesting the consent of the user. If successful, it collects the user's incoming and outgoing messages and forwards them to a Command & Control (C&C) server. 

Banker.ACI, ACT, ACK - Polymorphic applications that impersonate legit apps (Google, Facebook, Sagawa Express ...). Once installed, it locates banking applications on the device and tries downloading a trojanized version from the C&C server. 

HiddenApp.AID - Aggressive adware that impersonates AdBlock applications. When running for the first time, it asks permission to display on top of other apps. With this permission, the application can hide from the launcher. 

Triada.LC - Malware that gathers sensitive information about a device (Device IDs, Subscriber IDs, MAC addresses) and sends them to a malicious C&C server. The C&C server responds by sending back a link to a payload which the malware downloads and executes.

Banker.XJ - Applications that drop and install encrypted modules. This trojan grants device admin privileges, and gains access to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive commands and upload sensitive information.

Agent.AQQ - Dropper malware: a trojan that hides the dangerous payload inside an app as an evasion technique. If it can avoid security defenses, this payload is deployed. The malicious payload is decrypted and loaded by the dropper.

SpyAgent.EM - Applications that exfiltrate sensitive data like SMS messages, call logs, contacts, or GPS location. 

Homograph Phishing Report

Homograph attacks work to abuse international domain names (IDN). Threat actors create international domain names that spoof a target domain name. When we talk about “target” of IDN homograph phishing attacks, we refer to the domain that threat actors are trying to impersonate. You can read more about this type of attack in one of our previous reports. 
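A defensive check for the spoofing described above, as an added example that is not Bitdefender's code: it decodes punycode labels, flags mixed-script labels, and compares a confusable-folded "skeleton" against a watch list. The confusables map, the target labels and the sample domains are constructed assumptions.

```python
import unicodedata

# Constructed, deliberately small confusables map (assumption); a production
# check would use the full Unicode confusables data set.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i",  # Cyrillic
    "\u03bf": "o",                                               # Greek omicron
}
TARGETS = {"example", "scope"}  # hypothetical protected brand labels

def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so the rendered form can be inspected."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave undecodable labels as-is
        labels.append(label)
    return ".".join(labels)

def scripts(label: str) -> set:
    """Script of each letter, taken from the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label: str) -> str:
    """Fold known look-alike characters to their ASCII counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def check_domain(domain: str, targets: set) -> dict:
    rendered = to_unicode(domain)
    result = {"domain": domain, "rendered": rendered, "spoofs": None, "mixed_script": False}
    for label in rendered.split("."):
        if label.isascii():
            continue  # a plain ASCII label cannot be an IDN homograph
        result["mixed_script"] |= len(scripts(label)) > 1
        if skeleton(label) in targets:
            result["spoofs"] = skeleton(label)
    return result

def _puny(label: str) -> str:
    return "xn--" + label.encode("punycode").decode("ascii")

# Constructed samples: mixed-script spoof, whole-script spoof, legitimate IDN, plain ASCII.
SAMPLES = [_puny("\u0435\u0445ample") + ".com", _puny("\u0455\u0441\u043e\u0440\u0435") + ".net",
           _puny("b\u00fccher") + ".de", "example.com"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(check_domain(d, TARGETS))
```

The second sample is written entirely in Cyrillic, so a mixed-script test alone misses it; only the skeleton comparison catches it.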

Below is the list of the top 10 most common targets for phishing sites. 

About Bitdefender Threat Debrief

The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release, subscribe to the Business Insights blog, and follow us on Twitter. You can find all previous debriefs here.

Bitdefender provides cybersecurity solutions with leading security efficacy, performance, and ease of use to enterprise organizations and consumers. Guided by a vision to be the world’s most trusted cybersecurity solutions provider, Bitdefender is committed to defending organizations and individuals around the globe against cyberattacks to transform and improve their digital experience. For more information, visit


We would like to thank Bitdefender's Tyler Baker, Alin Damian, Mihai Leonte, Andrei Mogage, Sean Nikkel, Nikki Salas, Rares Radu, Ioan Stan, Marius Tivadar, and Horia Zegheru (sorted alphabetically) for their help with putting this report together.




Martin Zugec

Martin is technical solutions director at Bitdefender. He is a passionate blogger and speaker, focusing on enterprise IT for over two decades. He loves travel, has lived in Europe and the Middle East, and now resides in Florida.
