In January and February, the NRD Cyber Security CyberSOC team observed that the main threat categories remained the same, but the number of alerts increased significantly compared to the previous months, while the number of incidents escalated as potential threats was slightly lower. The difference is explained by an increase in background noise: reconnaissance activity (passive and active scanning) and initial access attempts (mainly phishing).
Many of the cases shared between the project partners concerned the latter, phishing. A large number of companies have been compromised and/or impersonated and are sending malicious emails. This month the majority of these carried links or attachments that attempt to download malware; far fewer imitated login pages to phish for credentials. The 'Mokėjimas' (payment) subject theme alone is too broad for detection and would produce too many false positives, yet we have seen several such events over an extended period, each flagged by protection software as a different malware family. Combining the theme with additional rule logic (at a minimum checking the TLD of the sender address, ideally also checking whether there has been previous correspondence with the sender domain) can therefore yield a good detection rule.
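The combination described above, written out as a scoring rule, is shown below as an added example; it is not the CyberSOC's own rule or a MISP export. The subject keywords, the expected-TLD set, the scoring weights, the "known correspondent" list and the sample messages are all assumptions constructed for the example, and none of the addresses are real indicators.

```python
"""
Payment-theme phishing rule: subject theme + sender TLD + correspondence history.
Added example; the domains, history list and scoring weights are assumptions.
"""
import re
import unicodedata
from dataclasses import dataclass

# Subject keywords, compared after diacritic stripping so "Mokėjimas" and
# "Mokejimas" both match; "banko pavedim" covers the bank-transfer subject.
THEME_KEYWORDS = ("mokejimas", "banko pavedim")
# TLDs a Lithuanian organisation expects payment mail from (assumption).
EXPECTED_TLDS = {".lt"}
ALERT_THRESHOLD = 3


@dataclass
class Email:
    sender: str
    subject: str
    has_attachment: bool = False
    has_link: bool = False


@dataclass
class Verdict:
    alert: bool
    score: int
    reasons: list


def normalize(text: str) -> str:
    """Lowercase and drop combining marks (ė -> e, ą -> a, š -> s)."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def sender_domain(addr: str) -> str:
    """Domain part of 'Name <user@domain>' or 'user@domain', lowercased."""
    match = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return match.group(1).lower() if match else ""


def tld(domain: str) -> str:
    """Last label of the domain with a leading dot, e.g. 'firma.pl' -> '.pl'."""
    return "." + domain.rsplit(".", 1)[-1] if "." in domain else ""


def evaluate(email: Email, known_domains: set, expected_tlds=EXPECTED_TLDS,
             threshold: int = ALERT_THRESHOLD) -> Verdict:
    """Score one message: the theme is required, the other signals add weight."""
    subject = normalize(email.subject)
    if not any(keyword in subject for keyword in THEME_KEYWORDS):
        return Verdict(False, 0, ["no payment theme in subject"])
    score, reasons = 1, ["payment theme in subject"]
    domain = sender_domain(email.sender)
    if not domain:
        score += 2
        reasons.append("sender address has no parsable domain")
    elif domain in known_domains:
        reasons.append(f"prior correspondence with {domain}")
    else:
        score += 1
        reasons.append(f"no prior correspondence with {domain}")
        if tld(domain) not in expected_tlds:
            score += 2
            reasons.append(f"unexpected sender TLD {tld(domain)}")
    if email.has_attachment or email.has_link:
        score += 1
        reasons.append("message carries an attachment or link")
    return Verdict(score >= threshold, score, reasons)


def alerting_subjects(emails, known_domains) -> list:
    """Subjects of the messages that cross the alert threshold."""
    return [m.subject for m in emails if evaluate(m, known_domains).alert]


# Constructed sample traffic; none of these addresses are real indicators.
KNOWN_DOMAINS = {"tiekejas-pavyzdys.lt"}
SAMPLE_EMAILS = [
    Email("Buhalterija <saskaitos@tiekejas-pavyzdys.lt>", "Mokėjimas", has_attachment=True),
    Email("billing@firma-pavyzdys.pl", "Mokejimas", has_attachment=True),
    Email("info@nauja-imone-pavyzdys.lt", "Elektroninis Pranešimas Apie Banko Pavedimą", has_link=True),
    Email("it-support@pavyzdys.com", "[Action Required]: Your webmail password is set to expire today", has_link=True),
]

if __name__ == "__main__":
    for message in SAMPLE_EMAILS:
        verdict = evaluate(message, KNOWN_DOMAINS)
        flag = "ALERT" if verdict.alert else "ok   "
        print(f"{flag} {verdict.score} {message.subject!r}: {'; '.join(verdict.reasons)}")
```

With these weights a payment-themed message from an unexpected TLD alerts on its own, a first contact from a domestic domain alerts only if it also carries an attachment or link, and a known correspondent never crosses the threshold. That last point is the trade-off to keep in mind: the senders in the table below appear to be BEC victims, so a compromised known partner would score only 2 here. The rule is meant to cut the noise the theme alone produces, and the gateway's malware verdict remains the primary signal for that case.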
Sample IOCs shared between NRD Cyber Security and Vilnius City Municipality Administration in February:
| Email subject | Malware type detected | Sender TLD* |
|---|---|---|
| Mokejimas | Malware: MSIL/Formbook.KAH!MTB, MSIL/AgentTesla.AMCE!MTB, MSIL/SuspMsilInArcEmail.AA | .lt, .pl, .it, .gr |
| RE: RE: RE: KËRKESË PËR FATURË PROFORMA PËR PAGESËN TUAJ TË MENJHERSHME TË SOT! !! !!! (Albanian: "request for a proforma invoice for your immediate payment today") | MSIL/Spynoon.DVAA!MTB | .com |
| Elektroninis Pranešimas Apie Banko Pavedimą (Lithuanian: "electronic notification of a bank transfer") | MSIL/Remcos.RPL!MTB | .lt |
| Quote//PO#10240003 | | .com |
| [Action Required]: Your webmail password is set to expire today | | .com |
* Specific domains and sender addresses are not included because all of the domains appear to be victims of Business Email Compromise. The information is available to SOCshare project partners and community members in MISP for detection and correlation; in line with the project values, it was determined that publishing it would cause more harm to the already affected organisations than benefit to the public.
Part-funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect the views and opinions of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.