Quarter One and Two Report 2020

COVID-19 disrupted the activities of all New Zealand businesses and organisations this year. For CERT NZ, it meant the production of the 2020 Q1 report was interrupted. That's why this publication provides a half year picture of the data and trends in 2020, rather than the usual quarterly focus.

There are two parts to the report:

A Highlights Report focusing on selected cyber security incidents and issues.
A Data Landscape Report providing a standardised set of results and graphs for the quarter.

Quarterly Report: Highlights Q1 & Q2 2020 [PDF, 454 KB]

Quarterly Report: Data Landscape Q1 & Q2 2020 [PDF, 2.4 MB]

Accompanying the report is the 2020 Half Year Summary, giving an overview of what CERT NZ has seen and done in 2020.

Read the 2020 Half Year Summary

Q1 and Q2 highlights

Incident reports

Q1 reports 1,137
Q2 reports 1.965
Total 3,102 reports for Q1 and Q2

73% increase in reports from Q1 to Q2
42% increase in reports on 2019

$7.8 million total financial loss reported

Increases and decreases on 2019

Phishing and credential harvesting

15% increase in Q1 2020, 25% increase in Q2 2020.

Scams and fraud

33% decrease in Q1 2020, 229% increase in Q2 2020.

Incident reports by quarter 2019 – 2020 (year to date)

A total of 3,102 incidents reports were received in Q1 and Q2 2020. There was a 73% increase in incident reports from Q 1 to Q2 2020.

Full breakdown of indicent reports for 2019 Q1 to 2020 Q2:

2019 Q1: 992
2019 Q2: 1197
2019 Q3: 1245
2019 Q4: 1197
2020 Q1: 1137
2020 Q2: 1965

Financial loss

Total financial losses were $7.8m for Q1 and Q2 collectively.

Full breakdown of financial loss for 2018 Q3 to 2020 Q2:

2019 Q3: $3.0m
2018 Q4: $5.9m
2019 Q1: $1.7m
2019 Q2: $6.5m
2019 Q3: $3.8m
2019 Q4: $4.7m
2020 Q1: $6.0m
2020 Q2: $1.8m

Scam and fraud reports

Increase in reports of web cam extortion emails in Q2 – 478 in that quarter, up from 34 in Q1
119% increase in online trading scams during Q2 – from 112 in Q1 to 246 in Q2

If you have experienced a cyber security issue, report it to CERT NZ .

For more on the New Zealand threat landscape in Q1 and Q2 2020, See the CERT NZ Quarterly Report: Data Landscape [PDF 2.4 MB] [PDF, 2.4 MB].

Focus area: Multi-stage malware threats

Overview

Malware compromises are some of the most serious cyber security threats we deal with at CERT NZ. By its very nature, most malware aims to go unnoticed, which is why we often speak with people who have discovered all too late that they've been compromised. Many people only become aware of an attack after they've experienced harm from data loss, breached privacy, files held for ransom and credential thefts (leading to money being stolen).

In some cases we receive information from our partners with evidence of malware compromises before they have been detected by the end user. In these cases, CERT NZ immediately contacts the affected parties to inform them of the compromise. We then help them secure their accounts, remove the infection and put systems in place to safeguard against future threats.

We received 46 reports of malware incidents in Q1 and 2 2020 - a 20% increase on the 41 received in Q3 and 4 2019. Here's a look at two cases we've handled so far in 2020.

Qakbot

A malware variant known as Qakbot (also known as Qbot) has been observed globally since around 2007. It's used for cybercrime campaigns that steal sensitive information, like banking credentials, from infected users. Typically circulated via malicious email attachments, Qakbot is designed to evade anti-virus detection, infect computers and steal sensitive credentials stored in the systems they inhabit.

A common scenario is where businesses report to CERT NZ that their email account has been compromised, with further investigations revealing that the root of the compromise is linked to a Qakbot infection. We also receive reports from New Zealand and internationally-based security partners about the Qakbot activity they're observing.

Whenever CERT NZ receives reports of Qakbot activity affecting New Zealand IP addresses or email accounts, we reach out to the compromised businesses and help them get rid of the malware and restore their system.

Ryuk

Trickbot/Ryuk is an interesting ransomware variant. According to security firm CrowdStrike, 'Ryuk is specifically used to target enterprise environments'2. It is often installed on systems that have already been compromised with other criminal malware like Trickbot.

Once the attackers have stolen their desired information (such as data and credentials), they use the malware to download and install Ryuk to encrypt the system files for ransom, as a nasty way of ‘double monetising' the compromise. In January 2019 CrowdStrike also commented, 'since Ryuk's appearance in August (2018), the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD'.

The cases of Ryuk seen by CERT NZ came via one of our partners, who shared a number of IP addresses that had previously been compromised by another malware (such as Trickbot or Emotet) and the attackers were now using that compromise to deploy the Ryuk ransomware.

CERT NZ proactively worked with the ISPs to identify the infected parties and provide them with advice on recovering from the compromise.

More information

QakBot Banking Trojan Causes Massive Active Directory Lockouts External Link

ProLock Ransomware Teams Up With QakBot Trojan to Infect Victims External Link

Preventions and mitigations

Malware is easier to avoid, than to fix. Implementing CERT NZ's critical controls will help organisations protect themselves from much of the malware circulating. The following controls are particularly relevant to preventing malware attacks:

Patching (updating) your software and system
Implementing and testing backups
Enforcing the principle of least privilege
Implementing network segmentation

See the full list of controls

Some key malware terms

Malware can be complicated! Particularly when talking about variants, families, stages and types. Some of the key things you need to know when talking about malware are included below.

Malware

– is short for 'malicious software'. Malware is designed to infiltrate, damage or obtain information from a computer system without the owner's

consent.

Virus

Viruses are malicious software or code designed to infect and spread throughout a computer after a user is tricked in to running it.

Worm

A worm is malicious software that self-replicates and is designed to infect other connected computers or networks without any interaction from a user.

Ransomware

A common malware variant with a specific purpose. If installed (usually by tricking a user into doing so, or by exploiting a vulnerability) ransomware encrypts the contents of the hard drive of the computer it is installed on, and demands the user pay a ransom to recover the files.

Trojan

Malicious software that attempts to hide its malicious code by masquerading as a legitimate program or file – such as a document or excel attachment to an email that actually is actually executable malware.

Variants

Over time, malware types have been added to by their original developers and others, resulting in different types of malware evolving from a common base. The new ‘variants' might be closely related to other malware and are often grouped into ‘families'. An example would be the Andromeda malware, which shares some features of earlier malwares like Dridex and Dorkbot.

Module/Stages

As a method of avoiding detection, malware authors have started breaking up malware into modules and stages. Typically, a smaller-sized initial stage is used to conduct the initial compromise which, once established, pulls down additional tools at different stages as required for the attacker's particular objectives.

Persistence

A lot of malware is designed to establish itself on systems and networks in a way that makes it very hard to remove, even if detected. Establishing persistence is one of the very first goals malware seeks to achieve when it is first executed on a system.

Remote Access Trojan (RAT)

A type of malware that, once executed, allows an attacker remote access to the infected computer or system.

More resources

A Layman's Glossary of Malware Terms External Link

Computer Security Resource Center Glossary External Link

Insight: Insecure computers used for bruteforcing attacks

CERT NZ received 21 reports of bruteforcing from New Zealand IP addresses in Q1 and Q2. Bruteforcing is where attackers try to gain access to systems by trying multiple passwords or passphrases in the hope of eventually landing on the correct one. They usually use automated tools or scripts to do this at a large scale, often using sets of common passwords obtained from data breaches.

Insecure computers connected to the internet are frequently targets of bruteforcing attacks. They can also be used to conduct bruteforcing attacks on other systems, enabling attackers to cover their tracks. Unpatched systems are particularly vulnerable to this type of misuse, and the use of multi-factor authentication is one of the best practical defences.

CERT NZ recently received alerts about bruteforce activity from an overseas CERT and from threat intelligence provided by AbuseIPDB. The alerts advised that a significant number of the bruteforcing attacks observed had come from New Zealand-based networks. CERT NZ contacted the ISPs who owned the IP addresses, who in turn began an internal investigation with their customers.

It is likely that the IP addresses were linked to previously compromised servers now being used as automated bots to conduct large scale bruteforce attacks.

AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. Their mission is to help make the web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online. Anyone can report suspicious IP addresses to their website.

AbuseIPDB External Link

Guides to both patching and multi-factor authentication can be found on the CERT NZ website:

Patching

Multi-factor authentication

Case study: NZTA vehicle license email scam

A sustained phishing campaign by scammers pretending to be the New Zealand Transport Agency (NZTA) has been seen throughout the first half of 2020.

In this campaign, waves of emails were sent to thousands of New Zealanders telling them to renew their vehicle registrations. Taking this action meant the user was directed to a fake NZTA website, from where the attacker could steal their credit card details. Perhaps even more concerning, is that the driver license details obtained by the attacker can be used to commit not only financial fraud, but also identity fraud. Driver license holders may not be aware of this until months or years down the track when they are denied credit.

It’s a good idea to check your credit status every year. That way, you can see if any accounts have been opened in your name.

Instructions on obtaining a free credit report External Link

A further 54 incidents involving phishing sites impersonating well known New Zealand brands were pro-actively identified from our threat intelligence data. This enabled CERT NZ to flag the problem with network operators, website hosting providers and major internet browsers, thereby limiting everyday New Zealanders’ exposure to the attacks.