Construction was among the top five business sectors targeted by cyberattacks in the second quarter of 2018, according to the latest “threat report” released earlier this month by eSentire, the largest pure-play managed detection and response service provider.
Based on intelligence gathered from more than 2,000 proprietary network and host-based detection sensors distributed globally in multiple industries, eSentire estimates that the number of attacks on Microsoft Internet Information Services (IIS) jumped to 1.7 million in the second quarter, from 2,000 in the first quarter. Most sources targeting IIS web servers originated from China-based IP addresses: according to Shodan, the global search engine for Internet-connected devices, there are 3.5 million IIS web servers exposed (with 1 million in China). The compromised servers largely originated from the Tencent and Alibaba sites.
eSentire observed IIS and WebLogic attacks originating from servers hosting Apache, RDP, SQL, IIS, and HTTP API services. Most of the records included known potential vulnerabilities based on server software version. Vulnerability records for attacking servers showed a steady increase. The majority of this growth appeared to come from Apache HTTP Servers, version 2.4.23. In the same period, records reporting vulnerabilities in IIS 7.5 and HTTP Server 2.4.10 appeared to diminish.
Four million potentially hostile events resulted in 57,000 alerts having been sent from eSentire’s SOC (Security Operations Center) between April 1 and June 30, 2018. Normalizing by sensor count, the top five affected industries were Biotechnology, Accounting Services, Real Estate, Marketing, and Construction. Regardless of industry, most attackers are probably looking to drive ad revenue or adopt compromised servers into their attack infrastructure, the report suggests.
The reason attacks continue, posits the report, is because most organizations have internal systems they hesitate to update for fear it will change or break something. These systems are sometimes accidentally exposed to background internet radiation which includes a firehose of exploits. Or, they are unaware that a patch is necessary or underestimate the gravity of failing to patch. This is an easily rectifiable problem that nevertheless lingers for many businesses.
There also was an increase, in general, in phishing attacks that used shipping invoice lures, despite an overall decline in the use of DocuSign—which facilities the exchanges of contracts and signed documents—as lures. Construction, Education, and Marketing experienced the largest amount of confirmed phishing attacks, with DocuSign dominating the lures observed; likely, these industries make frequent use of DocuSign in handling digital invoices and quotes due to remotely based business relationships and employees.
Construction was vulnerable to phishing attacks that used DocuSign as their primary lure. Image: eSentire
Real Estate experienced high volumes of D-Link home router exploit attempts. Marketing was subjected to a high volume of D-Link exploit attempts and a sizable degree of malicious PowerShell activity. And Construction experienced a large amount of Drupalgeddon2 attacks (the name given to an extremely critical vulnerability Drupal maintainers patched in late March).
PowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators, and power-users can rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes. PowerShell commands let you manage computers from the command line.
In Q2 2018, the eSentire detection surface revealed that an obfuscated PowerShell realized an increase of 50% in commands, partly due to Emotet, a sophisticated malware.
Emotet, a four-year-old banking trojan, continues to evolve and emerge; antivirus solutions detected it, on average, only 22% of the time in the quarter. Emotet remains a popular choice for threat actors and was the most frequently observed malware due to numerous version updates and feature additions since it was first reported in 2014. Obfuscated malicious PowerShell commands increased 50% in Q2 2018.
Nearly half (49%) of Emotet samples included “invoice,” “payment,” or “account” in their file names. For Emotet’s competitor, Hancitor, fax documents were a popular lure (25%).
To protect against Emotet and to mitigate worming capabilities, Server Message Block Protocol (SMB) communications between systems in a network should be restricted via group policy settings or in the configuration of host-based Intrusion Prevention Systems (HIPS).
Malware, which is intended to damage or disable computers and systems, breaks down into four threat levels: malicious, suspicious, benign, and ambiguous (like false positives). Construction ranked fourth—behind Healthcare, Real Estate, and Marketing—for malware events (20 per sensor), and ranked second (after Accounting Services) for reputational blocks (about 5.25 alerts per sensor), which occur when known bad Internet Protocols (IPs) are detected trying to establish connections with monitored clients. Accounting Services and Construction are known to have large threat surfaces.
Some IPs only attempted an IIS or WebLogic exploit, while other IPs attempted both. The IPs attempting IIS and WebLogic persisted throughout the quarter, said eSentire, but those tended to rise with the emergence of other potential campaigns, indicating some threat actors may have an array of botnets in different configurations.
Related Stories
| Jul 10, 2013
World's best new skyscrapers [slideshow]
The Bow in Calgary and CCTV Headquarters in Beijing are among the world's best new high-rise projects, according to the Council on Tall Buildings and Urban Habitat.
High-rise Construction | Jul 9, 2013
5 innovations in high-rise building design
KONE's carbon-fiber hoisting technology and the Broad Group's prefab construction process are among the breakthroughs named 2013 Innovation Award winners by the Council on Tall Buildings and Urban Habitat.
Sponsored | | Jun 30, 2013
Get your 'Early Bird' entry in for BD+C 30th Annual Reconstruction Awards
The deadline is for BD+C's 30th Annual Reconstruction Awards is July 19, but if you get me a draft of your entry by July 12 (earlier if possible, please!), we'll read it and give you feedback and suggestions that could help you win. We'll give you enough time to rework your entry in time to meet the deadline. We do this "Early Bird" service to help you put together the best possible entry - one that will answer any questions our distinguished jury members may come up with. However, we must emphasize that the BD+C Reconstruction Awards program is a juried competition, so there are no guarantees you'll win. We're just trying to improve your odds. Building Design+Construction is the only publication in its field to recognize the importance of reconstruction in all its forms - historic preservation, adaptive reuse, renovation, fitouts, and reconstruction with addition. And we've been doing it for 30 years. Incidentally, reconstruction accounts for 30-35% of all revenue for AEC firms, so it's a key component of the US/Canada design and construction industry. Send your draft entry to: rcassidy@sgcmail.com. And good luck!
| Jun 28, 2013
Calculating the ROI of building enclosure commissioning
A researcher at Lawrence Berkeley National Laboratory calls building enclosure commissioning “the single-most cost-effective strategy for reducing energy, costs, and greenhouse gas emissions in buildings today.”
| Jun 28, 2013
A brief history of windows in America
Historic window experts from Hoffmann Architects look back at the origin of windows in the U.S.
| Jun 28, 2013
Building owners cite BIM/VDC as 'most exciting trend' in facilities management, says Mortenson report
A recent survey of more than 60 building owners and facility management professionals by Mortenson Construction shows that BIM/VDC is top of mind among owner professionals.
| Jun 27, 2013
Thermal, solar control designs can impact cooling loads by 200%, heating loads by 30%
Underestimating thermal bridging can greatly undermine a building’s performance contributing to heating load variances of up to 30% and cooling load variances of up to 200%, says the MMM Group.
| Jun 20, 2013
Virtual meetings enhance design of University at Buffalo Medical School
HOK designers in New York, St. Louis and Atlanta are using virtual meetings with their University at Buffalo (UB) client team to improve the design process for UB’s new School of Medicine and Biomedical Sciences on the Buffalo Niagara Medical Campus.
| Jun 14, 2013
Purdue, industry partners test light steel framing for seismic safety
A partnership of leading earthquake engineering researchers from top U.S. and Canadian universities and design professionals from the steel industry have begun the final phase of a three-year project to increase the seismic safety of buildings that use lightweight cold-formed steel for their primary beams and columns.
| Jun 11, 2013
Finnish elevator technology could facilitate supertall building design
KONE Corporation has announced a new elevator technology that could make it possible for supertall buildings to reach new heights by eliminating several problems of existing elevator technology. The firm's new UltraRope hoisting system uses a rope with a carbon-fiber core and high-friction coating, rather than conventional steel rope.