Rising Threats

Attacks continue to skyrocket. While this is a claim that we have said in past reports, the trend only continues.

In the second quarter of 2022, CSPs using Allot Secure blocked malicious sites over 3.4 billion times. This is a increase from the previous quarter’s 2.33 billion blocks.

There were 45% more blocking events in the second quarter of 2022, compared to the previous quarter, and a whopping 6.8x increase from the same period last year (Q2 2021).

In the past few months, we’ve seen attacks targeting home and business routers, mobile devices, a rise in banking trojans, and gaming scams.

Allot is dedicated to protecting CSPs and their customers from all types of attacks including malware, ransomware, phishing, trojans, and more. This Q2 2022 Cyber Threat Report shows how European communication service providers that partner with Allot Secure were able to block all types of cyber threats and keep their consumer subscribers safe all year long.

This report covers April through June 2022. Our previous report covered January through March 2022.

Key takeaways

Threats are on the rise

  • CSPs running Allot Secure blocked 6.8x more blocks in Q2 2022 than the same period in 2021.
  • In Q2 2022, CSPs running Allot Secure blocked malicious URLs 3.4 billion times and viruses 2.7 million times.
  • Specific threats ebb and flow, but the trend is clearly increasing.

Changing threat landscape

  • Preblocks/URLs blocked increased by almost 1.5x (3.4 billion in Q2 2022 vs 499 million in Q2 2021).
  • Virus blocks skyrocketed – increasing by more than 5x (2.7 million in Q2 2022 vs 196,000 in Q2 2021)
  • Compared to Q2 2021, there was a rise in many threat types including adware, bitcoin trojans, malware, ransomware, and spyware. Notably, there was a slight decline in hacking. But users should not get complacent – Q2 2022 still saw over 111 million hacking blocks.

Your router is the front door for both home and business attacks

  • Your router is a potential attack vector and is the front door for many kinds of attacks
  • Home and small business routers were a major attack vector over the past several years. One major vulnerability was running amok for several years without anyone knowing it, until ZuoRAT was discovered in late June.
  • Once a vulnerability impacts your network through your home or business router, your entire network is at risk.

Main consumer messages

  • Allot NetworkSecure blocked cyber threats from harming subscribers 3.4 billion times in Q2 2022, compared to 2.3 billion times in Q1 2022.
  • Viruses increased more than 5x between Q2 2022 and the previous year. However, while it is popular to speak of all cyber threats as “viruses” and frequently solutions that block them are referred to as “anti-virus”, viruses make up only 0.08% of total blocks.
  • Major threats, representing hundreds of millions of blocks, also include phishing, hacking, malware, ransomware, and bitcoin trojans.

A comparative perspective

While it is easy to get distracted by minor fluctuations month over month, it is important to look at the big picture and identify key patterns.

Wow! Blocks skyrocketed when comparing Q2 2021 to Q2 2022. CSPs running Allot Secure blocked 582% more blocks in Q2 (April to June) 2022 than the same period in 2021.

Total blocks by quarter

While specific threats may ebb and flow, it is clear that the overall threat landscape continues to increase. As demonstrated in this report, however, while certain cyberattacks may spike and then fall, they are cyclical, and, when looked at over time, on a very clear uptick.

Pre-blocks by category

“Pre-blocks” is the name of the category assigned to the blocks that occur before a customer loads a malicious website. Pre-blocks have remained relatively stable over the past year.

Adware remains the most common threat.

Adware

Adware (in millions)

But it is, by far, not the only threat.

Malicious downloads, spyware, hacking, phishing, bitcoin trojans, and more remain threats. While their absolute numbers are lower than adware, they can cause more potential damage.

Pre-blocks

By zooming in to the other blocked categories we find the following:

Cryptothreat blocks

Cryptothreats have been increasing since April.  Cybercriminals know that the price of cryptocurrency is low, as more people with limited experience with crypto are joining the market as they see the low price as a chance to get into it.

Cybercriminals take advantage of these “newcomers” by copying crypto pool pages, using cryptocurrency as bait (free prizes, giveaways…), or developing crypto mining malware.

People may think that because cryptocurrency prices are down, cybercriminals don’t see it as an opportunity but the opposite is true.

It is expected that this category will continue to rise for the rest of the year.

Allot blocked 3.4 billion connections to malicious websites in the second quarter of the year

Download blocks by category

Allot Secure detects malicious files and blocks them from being downloaded before they pose any danger to the user.

Download blocks are the blocks performed when a user attempts (intentionally or not) to download a malicious file.

Q2 2022 saw a significant decline in adware and trojan blocks. While they remain the largest blocks, there was a notable decline. Nevertheless, despite this decline, more viruses were identified in Q2 2022 than in the same period last year.

Of course, these trends are cyclical, and this does not mean we are out of the woods. It is plausible that there will be an increase before the end of the year.

We again see that adware and trojans are the most blocked categories. This is usually because one threat feeds the other. Once a trojan infects a user’s device it usually tries to download additional malware -- frequently adware.  Adware then shows ads that often lead the victim to download a trojan or another infected file.

Top viruses

Far less common were other types of threats. After a major spike in Q1 2022, we see a decline in banker trojans. Spyware also saw a decline from the previous quarter, though it is more prominent than in 2021.

Banker trojans

Even if we see a decrease in trojan bankers, those blocks are still relevant in the “URLs blocked.” The blocks come from different campaigns to spread these viruses.

Download blocks

If the cybercriminals launch a campaign during April and May, we will the the “damage” in the URLs blocked the following month as, if they manage to infect a device (that is not using the operator network and is using WiFi instead), we will be able to still block the virus by blocking the communication with the C&C server. This will be shown in the following months after the campaigns.

Later in this report, you can find different banking trojans that were part of cybercriminals' campaigns.

While other threat types were less common, some are far more dangerous. According to the IBM 2022 Cost of a Data Breach Report, the average cost of a ransomware attack — not including the cost of the ransom – was $4.54 million and they make up 11% of all data breaches. So, while ransomware attacks are far less common than other types of attacks, they are more dangerous and avoiding even a single ransomware attack saves millions.

In Q2 2022, Allot Secure protected European Internet users from downloading viruses 2.7 million times

Notable Attacks

Infected routers

In July 2022, the media reported that customers of a UK mobile operator were hit by a new exploit hijacking mobile routers and then spewing out cyber-attacks. The result? A compromised network and large data bill.

The operator sent out an email claiming that, since July 4, there has been a “spate of cyber-attacks” that have exploited flaws in “older firmware versions of several popular routers.”

ZuoRAT – Router’s rodent

On June 29, 2022, Black Lotus Labs, the threat intelligence arm of Lumen Technologies, revealed the existence of the ZuoRAT threat. The code appears to be a heavily modified version of the code behind the Mirai botnet. The source code for Mirai was leaked in 2016.

ZuoRAT is a multi-stage Remote Access Trojan (RAT) developed for small office/home office (SOHO) routers leveraging known vulnerabilities which allows the threat actor to compromise routers, gathering credentials, configuration data, browsing behavior, and hijacking DNS and HTTP internet traffic. In the next stage, enabled by a port scan of the adjacent network, the attacker would pivot to Windows workstations loading another RAT that masquerades as a legitimate application.

According to security researchers, the threat may have remained undetected for two years. Compromised routers were also used to further hide malicious activity.

The attacks started in October 2020 and targeted known vulnerabilities in routers from ASUS, Cisco, DrayTek, and NETGEAR. Attackers were then able to identify more devices on the network and move laterally (east-west) to attack additional devices within the network.

Roaring Mantis

The mobile threat campaign known as Roaming Mantis has been linked to a new wave of compromises directed against French mobile phone users, months after it expanded into Europe.

It all starts with a phishing SMS, a technique known as smishing, enticing users with package delivery-themed messages containing rogue links, that, when clicked, proceed to download the malicious APK file. It tricks Android users into downloading malware, while Apple users see a phishing page, designed to gain Apple login credentials.

According to Securelist, “The campaign in France and Germany was so active that it came to the attention of the German police and French media.”

Banking trojans

Cybersecurity researchers uncovered a new attempt to disseminate banking trojans on the Google Play Store. These droppers are hard to detect and very effective for distributing malware.

According to researchers from Trend Micro researchers, malicious software called DawDropper impersonates trusted apps to gain access to victims’ mobile devices.

DawDropper is used to distribute banking trojans such as Octo, Hydra (discussed below), Ermac, and TeaBot.

Without being part of this campaign, the Cerberus Banking Trojan has become more frequent - reaching a total of 1,264,306 blocks during June and July 2022,alone.

It also saw unique C&C URLs increase with the appearance of 33 different new related C&Cs during June and July. This gives us the hint of a new campaign (due to the appearance of these new C&C) successfully protected.

Cerberus banking trojan

This trojan can harm a device in many ways:

  • Download and install other malware.
  • Use a subscriber’s computer for click fraud.
  • Record a subscriber’s keystrokes and visited sites.
  • Send a user’s information – including usernames and browsing history – to a remote malicious hacker.
  • Give remote malicious hackers access to PC/terminal.
  • Turn random web page text into hyperlinks.
  • Popup fake updates for any device.
  • Send fake messages of infection in the terminal.

As a banker trojan, Cerberus is known for stealing personal information and banking credentials. It is also a “dropper” that contains additional malicious apps within its payload.

Hydra banking trojan

“Hydra” is a banking trojan, whose purpose is to steal banking credentials from the victim, targeting Android users of crypto apps and pin apps of Huawei and Samsung phones. The trojan uses URLs as a  command & control URL, which provides the malware with new instructions or updates to improve its capabilities.

Once the malware is infecting the device, Hydra can:

  • Collect logging credentials from apps (such as cryptocurrency apps).
  • Modify the screen lock PIN and lock the device.
  • Steal cookies and banking credentials.
  • Control the internet connection of the infected device without the victim’s consent and even perform calls without user intervention.
  • Send bulk SMS text messages to all the subscriber’s contacts.
  • Use TeamViewer to see & do commerce actions on the infected devices.

The subscribers got infected by downloading an app named “Document Manager” which, after being installed, requires permission to download further applications from unknown sources.

Allot Secure blocked over 5.2 million blocks of the Hydra banker trojan.

Alienbot

AlienBot (also known as Alien) is a mobile banking malware targeting Android users. The AlienBot banker trojan steals credentials associated with financial accounts. It is distributed using a dropper spread via the Google Play store. Users download purportedly safe applications, but they are infected with this malware.

Allot Secure blocked over 500,000 instances of the Alienbot malware.

Threat Glossary

Term Definition
Phishing A technique to try to obtain sensitive data, through a false solicitation in email or a website. In a phishing attack, the perpetrator poses as a legitimate business or person.
Virus A computer program that can copy itself and infect a computer without permission or knowledge of the user.
Bitcoin trojan A type of trojan that acts as a specialized mining program and uses the computer's resources to generate units of a cryptocurrency
Trojan A computer program that seems to have a useful function, but also has a hidden and potentially malicious function that evades security systems.
Hacker An unauthorized user who attempts to or gains access to an information system
Malicious download Malicious downloads are the download of malicious software, either because the software was disguised as a legitimate application or it was downloaded without the user’s knowledge. Malicious downloads can also host Command & Control (C&C) servers of malware.
Malware A program that is inserted into a system, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.
Ransomware Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access.
Root privileges This refers to a malicious user accessing data using the root user. A root user is a user authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Banker trojan A banker trojan is a piece of malware that attempts to steal credentials from a financial institution's clients or gain access to their financial information
Spyware Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge.

#BeCyberSmart with Allot

While short-term analysis can provide early warning for new and emerging threats, it is critical to explore long-term trends. There will always be peaks and valleys in any threat landscape, and it is important to be vigilant and ready for any threat that may appear. However, comprehensive understanding requires examining the long-term trends, as well as how the threats behave in the wild.

It’s clear that the threat landscape continues to expand. Yes, this is something we’ve written in the past and it’s likely something you will read in future reports. But it’s true. The threat landscape continues to grow, and attackers get more sophisticated with innovative attack methods, while we add more and more connected devices to both our home and business networks.

So, what’s the takeaway? Stay vigilant and stay protected.

Consumers and small businesses cannot be expected to be CISOs. Rather, they expect security to be provided by their trusted partners – their Internet and mobile service providers.

At the same time, Communication Service Providers can differentiate in a crowded market, reduce churn, and increase revenue, by offering comprehensive network-based 360° security to their subscribers.

By using a service such as Allot Secure, CSPs can keep their subscribers protected from the changing threat landscape, ensure that subscribers are protected from the latest threats, and ensure that all of their devices across their home, business, and mobile network are protected – not simply on endpoints where an app happens to be installed – while also protecting them anywhere they are, even if they are  on someone else’s network.