Research by Cisco Talos shows that cybercriminals stay undetected in corporate networks for an average of 17 to 44 days. The education sector remains the most affected by cyber attacks, with attackers increasingly using social engineering to impersonate IT personnel.
Cisco Talos writes in its latest quarterly report that all ransomware incidents involved remote access tools, a significant increase from previous quarters. They also saw a sharp rise in password-spraying attacks, in which attackers try a few common passwords against many accounts rather than many passwords against a single account.
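A defender's check for the password-spraying pattern the report describes, added here as an example that is not from Cisco Talos or the article: it parses constructed authentication log lines and flags sources that fail against many distinct accounts with few attempts each, keeping single-account brute force and ordinary mistyped passwords separate. The log format, field order and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not from the report):
# timestamp, source IP, username, result
SAMPLE_LOG = """\
2025-01-10T08:00:01Z 203.0.113.7 alice FAIL
2025-01-10T08:00:02Z 203.0.113.7 bob FAIL
2025-01-10T08:00:03Z 203.0.113.7 carol FAIL
2025-01-10T08:00:04Z 203.0.113.7 dave FAIL
2025-01-10T08:00:05Z 203.0.113.7 erin FAIL
2025-01-10T08:00:06Z 203.0.113.7 frank SUCCESS
2025-01-10T08:01:00Z 198.51.100.9 alice FAIL
2025-01-10T08:01:01Z 198.51.100.9 alice FAIL
2025-01-10T08:01:02Z 198.51.100.9 alice FAIL
2025-01-10T08:01:03Z 198.51.100.9 alice FAIL
2025-01-10T08:01:04Z 198.51.100.9 alice FAIL
2025-01-10T08:01:05Z 198.51.100.9 alice FAIL
2025-01-10T08:02:00Z 192.0.2.5 grace FAIL
2025-01-10T08:02:10Z 192.0.2.5 grace SUCCESS
"""


def parse_log(text):
    """Split each non-empty line into (timestamp, source, user, result)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, result = line.split()
            events.append((ts, src, user, result))
    return events


def detect_password_spray(events, min_accounts=5, max_attempts_per_account=2):
    """Flag sources that fail against >= min_accounts distinct users while
    never exceeding max_attempts_per_account on any one of them (the spray
    signature). A source hammering one account is brute force, not spray.
    Returns {source: {"accounts": n, "failures": n, "successes": [users]}}."""
    fails = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(list)
    for _ts, src, user, result in events:
        if result == "FAIL":
            fails[src][user] += 1
        elif result == "SUCCESS":
            successes[src].append(user)  # a success after a spray is the priority alert
    findings = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_attempts_per_account:
            findings[src] = {
                "accounts": len(per_user),
                "failures": sum(per_user.values()),
                "successes": successes.get(src, []),
            }
    return findings
```

In the sample, only 203.0.113.7 is flagged, and its later success against `frank` is what an analyst would chase first; 198.51.100.9 (six failures on one account) and 192.0.2.5 (one typo, then success) are left alone.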
New TorNet backdoor
Talos also discovered a new campaign that is particularly active in Poland and Germany. The attackers use sophisticated phishing techniques and distribute several payloads, including Agent Tesla, Snake Keylogger and the new, previously undocumented TorNet backdoor. Distribution is handled by the PureCrypter malware, which relies on a scheduled Windows task configured to run even when the machine is on low battery, so the infection completes regardless. The campaign also connects the victim's Windows machine to the Tor network, using TorNet for covert C2 communication and to avoid detection.
The attackers use further methods to avoid detection: they temporarily disconnect the Windows system from the network before executing their payload and re-establish the connection afterwards. According to Cisco Talos, this suggests the campaign is trying to evade detection by cloud-based security tools.