Construction was among the top five business sectors targeted by cyberattacks in the second quarter of 2018, according to the latest “threat report” released earlier this month by eSentire, the largest pure-play managed detection and response service provider.
Based on intelligence gathered from more than 2,000 proprietary network and host-based detection sensors distributed globally in multiple industries, eSentire estimates that the number of attacks on Microsoft Internet Information Services (IIS) jumped to 1.7 million in the second quarter, from 2,000 in the first quarter. Most sources targeting IIS web servers originated from China-based IP addresses: according to Shodan, the global search engine for Internet-connected devices, there are 3.5 million IIS web servers exposed (with 1 million in China). The compromised servers largely originated from the Tencent and Alibaba sites.
eSentire observed IIS and WebLogic attacks originating from servers hosting Apache, RDP, SQL, IIS, and HTTP API services. Most of the records included known potential vulnerabilities based on server software version. Vulnerability records for attacking servers showed a steady increase. The majority of this growth appeared to come from Apache HTTP Servers, version 2.4.23. In the same period, records reporting vulnerabilities in IIS 7.5 and HTTP Server 2.4.10 appeared to diminish.
Four million potentially hostile events resulted in 57,000 alerts being sent from eSentire’s SOC (Security Operations Center) between April 1 and June 30, 2018. Normalizing by sensor count, the top five affected industries were Biotechnology, Accounting Services, Real Estate, Marketing, and Construction. Regardless of industry, most attackers are probably looking to drive ad revenue or adopt compromised servers into their attack infrastructure, the report suggests.
The reason attacks continue, posits the report, is that most organizations have internal systems they hesitate to update for fear it will change or break something. These systems are sometimes accidentally exposed to background internet radiation, which includes a firehose of exploits. Or the organizations are unaware that a patch is necessary, or underestimate the gravity of failing to patch. This is an easily rectifiable problem that nevertheless lingers for many businesses.
There also was an increase, in general, in phishing attacks that used shipping invoice lures, despite an overall decline in the use of DocuSign, which facilitates the exchange of contracts and signed documents, as a lure. Construction, Education, and Marketing experienced the largest number of confirmed phishing attacks, with DocuSign dominating the lures observed; likely, these industries make frequent use of DocuSign in handling digital invoices and quotes due to remotely based business relationships and employees.
Construction was vulnerable to phishing attacks that used DocuSign as their primary lure. Image: eSentire
Real Estate experienced high volumes of D-Link home router exploit attempts. Marketing was subjected to a high volume of D-Link exploit attempts and a sizable degree of malicious PowerShell activity. And Construction experienced a large amount of Drupalgeddon2 attacks (the name given to an extremely critical vulnerability Drupal maintainers patched in late March).
PowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators and power users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes. PowerShell commands let you manage computers from the command line.
In Q2 2018, the eSentire detection surface revealed a 50% increase in obfuscated PowerShell commands, partly due to Emotet, a sophisticated malware.
Emotet, a four-year-old banking trojan, continues to evolve and emerge; antivirus solutions detected it, on average, only 22% of the time in the quarter. Emotet remains a popular choice for threat actors and was the most frequently observed malware due to numerous version updates and feature additions since it was first reported in 2014. Obfuscated malicious PowerShell commands increased 50% in Q2 2018.
Nearly half (49%) of Emotet samples included “invoice,” “payment,” or “account” in their file names. For Emotet’s competitor, Hancitor, fax documents were a popular lure (25%).
To protect against Emotet and to mitigate worming capabilities, Server Message Block Protocol (SMB) communications between systems in a network should be restricted via group policy settings or in the configuration of host-based Intrusion Prevention Systems (HIPS).
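One way to apply the SMB restriction described above on Windows workstations, using the built-in Windows Defender Firewall cmdlets. This is an added example, not taken from the eSentire report; the subnet `10.20.0.0/16` and the rule name are constructed assumptions standing in for your own workstation ranges.

```powershell
# Added example: restrict workstation-to-workstation SMB (TCP 445) with
# Windows Defender Firewall. Run in an elevated session.
# Assumption (constructed): workstations live in 10.20.0.0/16, while file
# servers and management hosts sit outside that range and must stay reachable.
$PeerSubnets = @('10.20.0.0/16')                           # hypothetical workstation ranges
$RuleName    = 'Block inbound SMB from peer workstations'  # hypothetical rule name

# 1. Audit: list enabled inbound allow rules that currently cover TCP 445,
#    with the remote addresses each one accepts.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and $port.LocalPort -contains '445') {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
    } | Format-Table -AutoSize

# 2. Enforce: block rules take precedence over allow rules in Windows
#    Firewall, so SMB from the peer ranges is dropped while hosts outside
#    those ranges are still governed by the existing allow rules.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $PeerSubnets `
        -Action Block -Profile Domain, Private | Out-Null
}

# 3. Verify: show the rule and the addresses it applies to.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Review the audit output before enforcing, since any workstation that legitimately shares files or printers with its peers will lose that access. The same rule can be distributed through Group Policy rather than created host by host.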
Malware, which is intended to damage or disable computers and systems, breaks down into four threat levels: malicious, suspicious, benign, and ambiguous (like false positives). Construction ranked fourth (behind Healthcare, Real Estate, and Marketing) for malware events (20 per sensor), and ranked second (after Accounting Services) for reputational blocks (about 5.25 alerts per sensor), which occur when known bad Internet Protocol (IP) addresses are detected trying to establish connections with monitored clients. Accounting Services and Construction are known to have large threat surfaces.
Some IPs only attempted an IIS or WebLogic exploit, while other IPs attempted both. The IPs attempting IIS and WebLogic persisted throughout the quarter, said eSentire, but those tended to rise with the emergence of other potential campaigns, indicating some threat actors may have an array of botnets in different configurations.