T1 2021 Threat Report

Welcome to the T1 2021 issue of the ESET Threat Report!

D uring the first four months of this year, the COVID-19 pandemic was still the number one news topic around the world; however, it became notably less prominent in the threat landscape. One could say “fortunately”, yet as you’ll see on the next pages, we are continuing to see worrying examples of cybercrooks being able to rapidly abuse trending vulnerabilities and flaws in configuration with focus on the highest ROI. These abuses include the RDP protocol still being the number one target of brute-force attacks, increased numbers of cryptocurrency threats, and a steep increase of Android banking malware detections.

While examining these threats, our researchers also analyzed a vulnerability chain that allows an attacker to take over any reachable Exchange server. The attack has become a global crisis and our researchers identified more than 10 different threat actors or groups that likely leveraged this vulnerability chain. Many servers around the world stayed compromised, so in the United States, the FBI decided to solve this issue by using the access provided by the malicious webshells themselves as an entry point to remove the webshells, which demonstrated the US government’s commitment to disrupt hacking activity using any and all legal tools that apply, not just prosecutions.

Similarly, following a large-scale, global operation to take down the infamous Emotet botnet, law enforcement pushed a module to all infested devices, to uninstall the malware. Will this become a new trend? Will we see law enforcement adopt a more proactive approach to solving cybercrime cases in the future? We’ll keep an eye out for that.

Before you dive into our latest findings, we would like to highlight a slight change in the frequency of the reported data. Starting with this issue we will aim for a triannual version, meaning that each report will cover a four-month period. For easier orientation, in this report the T1 abbreviation describes the period from January until April, T2 covers May through August, and T3 encompasses September till December.

This report brings several exclusive ESET research updates and new findings about the APT groups Turla and Lazarus. On the testing front, we allow other organizations to dissect and test our products and cybersecurity approach. That is why we participated in the MITRE ATT&CK® Evaluations that emulated the Carbanak and FIN7 adversary groups and whose results were published at the end of April.

During the past few months, we have continued to share our knowledge at virtual cybersecurity conferences, where we disclosed our findings about an emerging trend that evolved from the living-off-the-land technique and an in depth analysis of Android stalkerware and its vulnerabilities. We’ve included that research in this report, which I invite you to read.

Stay healthy and if you can, get a COVID-19 shot.

Roman Kováč
ESET Chief Research Officer