Emerging Threats

ThreatLabZ December 2021 Report: Holiday shoppers targeted, Log4j hits Apache installs, Cloud (In)Security, and DarkHotel resurfaces

Dec 21, 2021
ThreatLabZ December 2021 Report

ThreatLabZ, the embedded research team at Zscaler, continues to fire on all cylinders as we come up to the end of the year.We’ve recently seen a resumption of threat activity from the South Korea-based DarkHotel APT group and identified malicious campaigns targeting online holiday shopping. And we’ve been actively tracking exploits and remote code execution risks associated with the well-publicized Apache Log4j vulnerability. In addition, we’ve just produced our annual assessment of public cloud threat activity, “The 2021 State of Cloud (In)Security.”

Aggressive phishing, skimming attacks target holiday shoppers

Following the U.S. Thanksgiving holiday, “Black Friday” and “Cyber Monday” are perhaps the biggest shopping days of the entire year. And threat actors seek to take advantage.

This year, ThreatLabZ documented increases in phishing, scam, and skimmer attacks aimed directly at shoppers participating in the frenzied start to the holiday shopping season. In line with the huge spike in online transactions, we saw attackers luring victims with emails that offered heavy discounts but led to phishing pages, and others injecting malicious code into legitimate e-commerce websites to steal credit card information. New-domain registration also picked up, as threat actors schemed to create legitimate-looking fake websites with the sole purpose of stealing credentials.

Figure 1. This year, as in most years, we see an increase in the phishing, scam, and skimmer attacks around Black Friday & Cyber Monday.

Skimming activity has also picked up. In the past, the Magento e-commerce platform has been a frequent target, but this year we’re also seeing cybercriminals attack websites built on the WooCommerce platform. In one such skimming attack, a threat group was able to inject malicious javascript code into the site, code that captures and then exfiltrates payment data.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox. 

Read more about this year’s holiday-themed cyberattack activity here.

“Patch immediately”: Vulnerability in Log4j logging utility threatens Apache installs

A critical vulnerability (CVE-2021-44228) affecting deployments of Apache’s Java-based Log4j package could enable remote code execution: A threat actor could download and execute a malicious payload by submitting a specially crafted request to the vulnerable system.

Since the threat first surfaced earlier in December, the Zscaler ThreatLabZ team has seen repeated in-the-wild exploit attempts aiming to capitalize on the vulnerability, and expects the number of Log4j-targeted attacks to rise. The vulnerability impacts Log4j versions 2.0 to 2.14.1, as well as all of the applications that employ it.

The Apache Software Foundation has responded with a security advisory, as well as risk and remediation details. 

ThreatLabZ recommends affected organizations patch immediately and perform comprehensive security scans. They should also consider an internet attack surface analysis.

ThreatLabZ has issued its own security advisory and delivered a webinar on Log4j risk and remediation.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Learn more about what your organization can do to protect itself against the Log4j vulnerability here.

ThreatLabZ 2021 State of Cloud (In)Security report finds lack of enterprise discipline in security access controls, logging, configuration

ThreatLabZ’ aptly-named 2021 State of Cloud (In)Security report has provided yet more troubling figures on enterprise cloud security readiness. Each year, we compile anonymized cloud workload statistics to gauge the state of public cloud security around the world. Unfortunately, as this year’s results illustrate, security issues have proliferated.

Figure 2: State of Cloud (In)Security key findings

Among other findings, our analysis shows that nearly three-quarters of organizations do not use multi-factor authentication (MFA) for cloud access, more than half do not rotate access keys frequently enough, and almost all (92%!) do not log access to cloud storage (thereby complicating post-incident forensic investigation).

The ThreatLabZ team assessed Identity and Access Control; Logging, Monitoring and Incident Response; Infrastructure Security; Storage and Encryption; Cloud Ransomware; and Supply Chain Attacks in Cloud. In every area, a majority of enterprises were not employing best practices for cloud security.

In response to the findings, ThreatLabZ makes several recommendations for enterprise IT leaders:

  • Use zero trust network access (ZTNA) to secure user access to cloud applications. 
  • Use zero trust for cloud workloads. 
  • Log and monitor access and traffic.
  • Take responsibility for configuring and maintaining your own environment.

A cloud security posture management service can help identify misconfigurations, coupled with Cloud Infrastructure Entitlement Management can be used to identify permission issues and act as a logical progression from long-established identity and access management (IAM) and privilege access management (PAM) solutions built on least privilege approaches.

It’s essential to reiterate: Enterprise access to public cloud services can introduce risk, but only if that access is not properly governed and secured. Companies must apply added scrutiny to their public cloud operations, and move to securing a distributed workload.

Review the complete State of Cloud (In)Security report here.

South Korea-based DarkHotel APT group resurfaces with new threat activity

Last month, the ThreatLabZ team detected new activity which it quickly associated with the South Korea-based DarkHotel APT group. We identified a new variant of a previously-identified attack chain common to the threat group and saw new activity on command-and-control (C2) infrastructure associated with the group. Also, that activity was aimed at victims previously targeted by the group. 

DarkHotel tends to target individual senior-level business executives for the purposes of cyber espionage, and exploits vulnerable hotel WiFi networks to deploy malware on their machines. Dark Hotel also uses spear-phishing and peer-to-peer (P2P) attacks.

Figure 3. The new DarkHotel attack chain

The attack chain begins with deployment of a malicious document with embedded malware. Once that payload is placed on the victim machine (either via the hotel WiFi or through a spear-phishing campaign or P2P effort), it detonates, eventually placing three OLE objects, one of which is a “scriptlet” that executes and contacts a C2 server. That scriptlet also works to cover the malware’s tracks.

The malware eventually exfiltrates data to C2 servers with false domains designed to appear as Chinese government and academic systems.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.
Learn more about DarkHotel and its new attack chain here.

About ThreatLabZ

ThreatLabZ is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.

The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks more than 150 million threats to its 4000+ customers. Over the last six months, Zscaler monitored and secured over one trillion cloud application transactions. The Zscaler ThreatLabZ security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.

What to read next:

ThreatLabZ November 2021 Report: Multilogin utility gets exploited, phishing attacks target Indian banking customers, and new supply-chain attacks resurrect DanaBot malware

ThreatLabZ October 2021 Report: new Squirrelwaffle loader, expanded Trickbot attack vectors, and double-extortion AtomSilo ransomware

ThreatLabZ September 2021 Report: Fake Olympics streaming, new CloudFall campaign, and heightened skimmer activity signal busy fall cybersecurity season