Kathy Gibson reports – Cybercriminals are most active on Fridays, which is the most popular day for them to launch attacks in South Africa.
This is one of the findings of the latest Trellix threat intelligence report, which analysed trends during the second quarter.
In the local market, detections were spread fairly evenly across a number of threat tools, led by Red Line Stealer (8%), in line with global trends.
Red Line Stealer is a malware-as-a-service (MaaS) tool that is growing in popularity because it is easy for cybercriminals to deploy and very effective in attacks such as spear-phishing.
Tomer Shloman, security researcher in the threat intelligence group of the Trellix Advanced Research Centre, believes we will see more attacks using Red Line Stealer in the weeks ahead.
Carlo Bolzonello, threat intelligence specialist and Trellix country lead South Africa, says the biggest threat actor in the local environment is still Lazarus, with Mustang Panda, Vice Society, APT42 and Daggerfly following.
Detections indicate that government is the most attacked sector, at 26%, followed by business services (16%), outsourcing and hosting (14%) and utilities (12%).
Bolzonello says there hasn’t been a huge increase in detections in the second quarter, but there has been a definite shift in the threat actor community.
The most prolific threat actor, the Lazarus Group, is a state-sponsored North Korean group that has been in operation since 2009. “The Lazarus Group is a very strong adversary for most organisations, and it is worrying that they are so active in our market.”
Daggerfly is an emerging threat actor. It is believed to be linked to China and involved in APT attacks on the African telecommunications industry.
Bolzonello says Daggerfly appears to be most interested in gathering information. It infiltrates systems using the PlugX loader and by abusing the AnyDesk remote access software.
Once in place, it uses “living off the land” tools and exfiltrates data.
“Having the information allows the group to either sell it off to interested parties, or even just gain a better understanding of how the network is mapped out,” Bolzonello explains.
“They stay persistent and, the longer they can stay in the environment, the more information they can gather.”