Construction was among the top five business sectors targeted by cyberattacks in the second quarter of 2018, according to the latest “threat report” released earlier this month by eSentire, the largest pure-play managed detection and response service provider.
Based on intelligence gathered from more than 2,000 proprietary network and host-based detection sensors distributed globally in multiple industries, eSentire estimates that the number of attacks on Microsoft Internet Information Services (IIS) jumped to 1.7 million in the second quarter, from 2,000 in the first quarter. Most sources targeting IIS web servers originated from China-based IP addresses: according to Shodan, the global search engine for Internet-connected devices, there are 3.5 million IIS web servers exposed (with 1 million in China). The compromised servers largely originated from the Tencent and Alibaba sites.
eSentire observed IIS and WebLogic attacks originating from servers hosting Apache, RDP, SQL, IIS, and HTTP API services. Most of the records included known potential vulnerabilities based on server software version. Vulnerability records for attacking servers showed a steady increase. The majority of this growth appeared to come from Apache HTTP Servers, version 2.4.23. In the same period, records reporting vulnerabilities in IIS 7.5 and HTTP Server 2.4.10 appeared to diminish.
Four million potentially hostile events resulted in 57,000 alerts having been sent from eSentire’s SOC (Security Operations Center) between April 1 and June 30, 2018. Normalizing by sensor count, the top five affected industries were Biotechnology, Accounting Services, Real Estate, Marketing, and Construction. Regardless of industry, most attackers are probably looking to drive ad revenue or adopt compromised servers into their attack infrastructure, the report suggests.
The reason attacks continue, posits the report, is because most organizations have internal systems they hesitate to update for fear it will change or break something. These systems are sometimes accidentally exposed to background internet radiation which includes a firehose of exploits. Or, they are unaware that a patch is necessary or underestimate the gravity of failing to patch. This is an easily rectifiable problem that nevertheless lingers for many businesses.
There also was an increase, in general, in phishing attacks that used shipping invoice lures, despite an overall decline in the use of DocuSign—which facilities the exchanges of contracts and signed documents—as lures. Construction, Education, and Marketing experienced the largest amount of confirmed phishing attacks, with DocuSign dominating the lures observed; likely, these industries make frequent use of DocuSign in handling digital invoices and quotes due to remotely based business relationships and employees.
Construction was vulnerable to phishing attacks that used DocuSign as their primary lure. Image: eSentire
Real Estate experienced high volumes of D-Link home router exploit attempts. Marketing was subjected to a high volume of D-Link exploit attempts and a sizable degree of malicious PowerShell activity. And Construction experienced a large amount of Drupalgeddon2 attacks (the name given to an extremely critical vulnerability Drupal maintainers patched in late March).
PowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators, and power-users can rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes. PowerShell commands let you manage computers from the command line.
In Q2 2018, the eSentire detection surface revealed that an obfuscated PowerShell realized an increase of 50% in commands, partly due to Emotet, a sophisticated malware.
Emotet, a four-year-old banking trojan, continues to evolve and emerge; antivirus solutions detected it, on average, only 22% of the time in the quarter. Emotet remains a popular choice for threat actors and was the most frequently observed malware due to numerous version updates and feature additions since it was first reported in 2014. Obfuscated malicious PowerShell commands increased 50% in Q2 2018.
Nearly half (49%) of Emotet samples included “invoice,” “payment,” or “account” in their file names. For Emotet’s competitor, Hancitor, fax documents were a popular lure (25%).
To protect against Emotet and to mitigate worming capabilities, Server Message Block Protocol (SMB) communications between systems in a network should be restricted via group policy settings or in the configuration of host-based Intrusion Prevention Systems (HIPS).
Malware, which is intended to damage or disable computers and systems, breaks down into four threat levels: malicious, suspicious, benign, and ambiguous (like false positives). Construction ranked fourth—behind Healthcare, Real Estate, and Marketing—for malware events (20 per sensor), and ranked second (after Accounting Services) for reputational blocks (about 5.25 alerts per sensor), which occur when known bad Internet Protocols (IPs) are detected trying to establish connections with monitored clients. Accounting Services and Construction are known to have large threat surfaces.
Some IPs only attempted an IIS or WebLogic exploit, while other IPs attempted both. The IPs attempting IIS and WebLogic persisted throughout the quarter, said eSentire, but those tended to rise with the emergence of other potential campaigns, indicating some threat actors may have an array of botnets in different configurations.
Related Stories
Geothermal Technology | Jul 29, 2024
Rochester, Minn., plans extensive geothermal network
The city of Rochester, Minn., home of the famed Mayo Clinic, is going big on geothermal networks. The city is constructing Thermal Energy Networks (TENs) that consist of ambient pipe loops connecting multiple buildings and delivering thermal heating and cooling energy via water-source heat pumps.
Smart Buildings | Jul 25, 2024
A Swiss startup devises an intelligent photovoltaic façade that tracks and moves with the sun
Zurich Soft Robotics says Solskin can reduce building energy consumption by up to 80% while producing up to 40% more electricity than comparable façade systems.
Codes and Standards | Jul 25, 2024
GSA and DOE select technologies to evaluate for commercial building decarbonization
The General Services Administration and the U.S. Department of Energy have selected 17 innovative building technologies to evaluate in real-world settings throughout GSA’s real estate portfolio.
Great Solutions | Jul 23, 2024
41 Great Solutions for architects, engineers, and contractors
AI ChatBots, ambient computing, floating MRIs, low-carbon cement, sunshine on demand, next-generation top-down construction. These and 35 other innovations make up our 2024 Great Solutions Report, which highlights fresh ideas and innovations from leading architecture, engineering, and construction firms.
Smart Buildings | Jul 1, 2024
GSA to invest $80 million on smart building technologies at federal properties
The U.S. General Services Administration (GSA) will invest $80 million from the Inflation Reduction Act (IRA) into smart building technologies within 560 federal buildings. GSA intends to enhance operations through granular controls, expand available reporting with more advanced metering sources, and optimize the operator experience.
Building Technology | Jun 18, 2024
Could ‘smart’ building facades heat and cool buildings?
A promising research project looks at the possibilities for thermoelectric systems to thermally condition buildings, writes Mahsa Farid Mohajer, Sustainable Building Analyst with Stantec.
Concrete Technology | Jun 17, 2024
MIT researchers are working on a way to use concrete as an electric battery
Researchers at MIT have developed a concrete mixture that can store electrical energy. The researchers say the mixture of water, cement, and carbon black could be used for building foundations and street paving.
Contractors | Jun 4, 2024
Contractors expect to spend more time on prefabrication, according to FMI study
Get ready for a surge in prefabrication activity by contractors. FMI, the consulting and investment banking firm, recently polled contractors about how much time they were spending, in craft labor hours, on prefabrication for construction projects. More than 250 contractors participated in the survey, and the average response to that question was 18%. More revealing, however, was the participants’ anticipation that craft hours dedicated to prefab would essentially double, to 34%, within the next five years.
MFPRO+ New Projects | May 29, 2024
Two San Francisco multifamily high rises install onsite water recycling systems
Two high-rise apartment buildings in San Francisco have installed onsite water recycling systems that will reuse a total of 3.9 million gallons of wastewater annually. The recycled water will be used for toilet flushing, cooling towers, and landscape irrigation to significantly reduce water usage in both buildings.
HVAC | May 28, 2024
Department of Energy unveils resources for deploying heat pumps in commercial buildings
To accelerate adoption of heat pump technology in commercial buildings, the U.S. Department of Energy is offering resources and guidance for stakeholders. DOE aims to help commercial building owners and operators reduce greenhouse gas emissions and operating costs by increasing the adoption of existing and emerging heat pump technologies.