Mimecast tracks growing Malware-as-a-Service trend in analysis of 202 billion emails

Mimecast reports a 145% increase in malware campaigns in the last quarter of 2019 with 61 significant campaigns. Emotet also came back to life on a scale not seen before across all regions Mimecast monitors. From October 2019 through December 2019, the email security company analyzed 202 billion emails and rejected 92 billion as malicious.

The Mimecast Threat Intelligence Report RSA Conference Edition 2020 reports that the emerging Malware-as-a-Service (MaaS) model means that simpler attack methods can reach more targets while keeping older, well-known malware active at the same time.

The report also noted that “…the 61 attack campaigns in this report showed a significant uptick in the use of short-lived, high-volume, targeted, and hybridized attacks against all sectors of the global economy, as opposed to days-long attacks.” Mimecast suggests that this shows threat actors are refocusing their efforts away from impersonation to deploy more ransomware.

SEE: Cybersecurity: Let’s get tactical (free PDF)

The RSA edition of the report highlights common Mimecast signature detections, describes the biggest attacks by world region, and suggests a few defenses.

Signature detections from 92 billion malicious emails

To identify these threats, Mimecast looked for byte sequences in network traffic or known malicious instruction sequences used by malware. 

ZIP files and DOC and DOCX formats – Bad actors have started using DOC and DOCX formats along with ZIP files to deliver malware. Compressed files allow for a more complex, potentially multi-malware payload, but also serve as a very basic means to hide the true file name of any items held within the container. Mimecast identified about 3 million malicious ZIP files throughout the quarter. 

Emotet and ransomware – Emotet is an effective malware delivery system because it is modular and can deliver a variety of payloads. Since June 2019, official advisories from the US, UK, and Canadian cyber centers have stressed the particular threat Emotet poses in the targeted delivery of ransomware. 

Transportation, storage and delivery, banking, and legal services – The transportation, storage and delivery, as well as the retail and wholesale sectors were disproportionately attacked this quarter, accounting for almost a third of the most significant global campaign activity. 

Impersonation attacks – These include a range of voice messaging and a generally less coercive form of communication, making this a more nuanced and persuasive threat. Mimecast suggests this type of attack decreased slightly because threat actors were making more money from ransomware attacks throughout the year.  

High-volume attacks – The return of Emotet as a paid-for service is leading this trend, according to Mimecast, in addition to the increasing easy access to online tools that allow any individual to launch a cyberattack. The trend also reflects the challenges of human error–even the simplest attacks can be successful.

Strengthening cyberdefenses

Attackers are sticking with high-volume, commodity malware or simple social engineering techniques as an overall strategy because these approaches still work.

Threat actors are continuing to use evasion techniques to avoid detection at the gateway and multiple layers of obfuscation to avoid detection at the endpoint. These layered attacks have now become commonplace for any determined attacker. To improve internal defenses, security departments should take these steps.

Emphasize the importance of security controls and resilience
What is the plan for maintaining business as usual after a data breach with a recovery time of six months? How do your cloud infrastructure, web-based email, and data archiving strategies support this disaster recovery plan?

Make patching a business priority, and reduce shadow IT
Cybercriminals continue to take advantage of common vulnerabilities and exposures, but patching can prevent this. Shadow IT increases the chance of malware delivery via outdated browsers or aging machines. 

Enforce a strict password regime for users and admins
Organizations should review administrative passwords and ensure they have modified any default admin passwords in the same way. These passwords are key to breaching a network, and strong password discipline should be the standard approach.

To improve internal defenses, security departments should increase security awareness training and implement two-factor authentication whenever possible as well. 

Also see