The report also revealed that the high technology** industry in Singapore is the top target for threat actors in 2019. Companies in this sector are attractive targets as threat actors want to exploit their data centre infrastructure to expand their botnet activities as well as target other organisations whose servers are being hosted there, Ensign said.
In 2019, the top five target sectors in Singapore are:
 |
| Source: Ensign InfoSecurity.The top five most-targeted sectors in Singapore for cyberattacks. |
“Relevance and context are the most important elements when analysing cyber threat intelligence as threats and trends can differ across geographies, sectors and companies,” said Lee Shih Yen, Senior VP, Ensign Labs, Ensign InfoSecurity.
“Only by combining different global and local cyberthreat intelligence sources are we able to derive accurate and deep information about Singapore-specific threats and help organisations bolster their cybersecurity posture by providing contextualised, actionable insights.”
Waterhole attacks
Waterhole attacks were the most prevalent threat vector of 2019, contributing to nearly half (47%) of all detected cyberattacks in Singapore. Waterhole attacks occur when an attacker compromises a website and replaces its content with malicious payloads. Unsuspecting victims who then download content from these websites will infect their machines with malware.
This attack enables threat actors to execute supply chain attacks which infect servers containing updates of popular software, replacing these updates with malicious code to spread malware. The method allows threat actors to achieve mass infection, especially when the vulnerable web server is popular and trusted by end users.
Phishing
The other top threat vector in Singapore is phishing, also known as malspam. Nearly four in 10 (37%) of the cyberattacks detected in 2019 can be attributed to it. Phishing is an effective social engineering technique and a popular tactic for threat actors as it is easy to execute and able to target a wide pool of victims.
Oceanlotus was very active in 2019
Both waterhole attacks and phishing are the favoured techniques of the threat actor group, APT32. The report discovered that the increase in activities associated with APT32, also known as Oceanlotus, is higher than any other threat actor groups in Singapore in 2019.
APT32, which has been active since 2014, concentrates its activities in Southeast Asia and has targeted multiple private sectors and governments across the region.
In 2019, Ensign detected APT32-associated activities in 23 out of 34 sectors (68%) in Singapore. The spread of cyberattacks across diverse sectors aligns with APT32’s strategy of running opportunistic phishing email campaigns throughout the year.
From April to May 2019, Ensign detected a 500% spike in APT32 activities in Singapore’s manufacturing sector. From October to December 2019, Ensign found an 800% increase in APT32 activities, which is the result of seasonal phishing campaigns that this threat actor group was running during the shopping and festival seasons.
Emotet
The report also found that Emotet was the most prominent malware in Singapore. Ensign detected Emotet activities in 27 out of 34 (79%) sectors in 2019, impacting more than 1,200 companies. The widespread attacks across a broad spectrum of sectors indicate the attacks were likely opportunistic and in the form of spam campaigns.
In 1H19, especially from February to April, Ensign detected high volumes of probing activities on port 445, which is a port targeted by Emotet. It is likely that threat actors were scanning for vulnerable targets as part of their reconnaissance, the company said.
In Q419 (1 October to 31 December), Emotet phishing detections spiked by nine times compared to Q319 (1 July to 30 September). This can be attributed to the launch of phishing email campaigns by various threat actor groups.
In the same period, there was an 11 times increase in outgoing Emotet C2 (command and control) detections compared to Q319. The increase in outgoing traffic with Emotet indicators-of-compromise (IoCs) can be attributed to servers being infected by phishing spam campaigns.
Conventional and reactionary signature-based threat detection is inadequate in today’s cyberthreat landscape as modular, polymorphic malware, such as Emotet, are emerging faster than ever. Organisations need to have a proactive cybersecurity posture, and this not only requires access to hyperlocalised, actionable threat intelligence, but also behaviour-based security capabilities that can detect changes in adversary tactics and techniques based on the MITRE ATT&CK framework***,” added Lee.
Ensign InfoSecurity is the largest pure-play cybersecurity service provider in Asia. The company is headquartered in Singapore, and has offices in Malaysia, Hong Kong and South Korea. It has a workforce of over 500 cybersecurity professionals providing services in security advisory and assurance, architecture design, implementation, validation and management of advanced security controls, threat hunting, and incident response services.
*This report was generated using Ensign’s proprietary tools and data models, including Ensign's Singapore-centric Cyber Threat Intelligence, Cyber Threat Detection & Analytics engine, and the Ensign IP360 platform which profiles activities and behaviours of anonymous IPs in enterprise network traffic.
**With high technology companies, technological innovations and advanced systems, applications, and devices play a central role in their core business offerings and services. Some examples include cloud, data centre, and web hosting service providers.
***The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a knowledge base of cyberthreat tactics and technique which allows cybersecurity researchers, cyber threat hunters and red teamers to better understand cyber threats and assess an organisation's cyber risks. A red teamer is a person who can think like the enemy.
No comments:
Post a Comment