Rapid7 Q2 Threat Report: Cryptomining Malware on the Rise

Rapid7 has published its quarterly threat report, covering the new attacks evolving in cyberspace alongside the security event detections it observed over the quarter. The report highlights growing attacker interest in financial data, customer information and other sensitive information.

Looking at the SOC data, network access threats and advanced malware were among the top 5 alerts in April, while in June brute-force attacks against local accounts were the top threat event. The rise in brute-force activity is linked to SamSam ransomware and to a new RDP exploit that many attackers attempted during that period.

The usernames and passwords captured on the honeypot formed an uncommon compilation: rather than default credentials, the list looks as though it was generated with some specific algorithm. “Stg1159$ QZAwxs008!@# Password3 Password Passw0rd P@ssw0rd1 P@ssw0rd masquerade KKmold#1013 hello AsDf1574 Administrator administrator administrador admin Aa123456 20220”
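As an added illustration (not part of the report or this post), the following script shows how a defender might spot the brute-force pattern described above in authentication logs: it counts failed logins per source address and notes how many of the attempted usernames match the account names seen on the honeypot. The log lines are constructed sshd-style samples, and the threshold of four failures is an assumed tuning value.

```python
import re
from collections import defaultdict

# Account names taken from the honeypot list quoted above (lower-cased for matching)
HONEYPOT_USERNAMES = {"administrator", "administrador", "admin"}

# Constructed sample log lines in sshd format; not real data from the report
SAMPLE_LOG = """\
Jun 12 10:01:02 host sshd[211]: Failed password for invalid user administrador from 203.0.113.7 port 4412 ssh2
Jun 12 10:01:03 host sshd[212]: Failed password for invalid user admin from 203.0.113.7 port 4413 ssh2
Jun 12 10:01:05 host sshd[213]: Failed password for Administrator from 203.0.113.7 port 4414 ssh2
Jun 12 10:01:07 host sshd[214]: Failed password for root from 203.0.113.7 port 4415 ssh2
Jun 12 10:01:09 host sshd[215]: Failed password for invalid user admin from 203.0.113.7 port 4416 ssh2
Jun 12 10:02:30 host sshd[230]: Failed password for alice from 198.51.100.9 port 5200 ssh2
Jun 12 10:02:40 host sshd[231]: Accepted password for alice from 198.51.100.9 port 5201 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER"
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def analyse(log_text, threshold=4):
    """Group failed logins by source IP and flag sources at or above the threshold.

    Returns a dict keyed by flagged IP with the number of attempts, the distinct
    usernames tried, and how many of those usernames appear in HONEYPOT_USERNAMES.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            per_ip[ip].append(user)

    flagged = {}
    for ip, users in per_ip.items():
        if len(users) >= threshold:
            distinct = set(users)
            flagged[ip] = {
                "attempts": len(users),
                "users": sorted(distinct),
                "honeypot_names": sum(1 for u in distinct if u.lower() in HONEYPOT_USERNAMES),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures, users={info['users']}, "
              f"honeypot-list names={info['honeypot_names']}")
```

A single source cycling through several administrator-style names in seconds is the signal to alert on; the one-off failure from the second address stays below the threshold.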

The report also notes the rise of cryptomining activity this quarter: in the past the most common attack was to install a spam botnet on compromised servers or to run a C&C program, but in modern attacks cybercriminals exploit vulnerabilities to install cryptominers.

You can find the Rapid7 Q2 report here: https://www.rapid7.com/globalassets/_pdfs/research/rapid7-threat-report-2018-q2.pdf