Cybersecurity Trends from BI.ZONE
According to the most modest estimates, in 2017, global damage from cyber attacks amounted to a trillion dollars, according to the BI.ZONE annual survey for 2017-2018. It is almost impossible to assess the actual damage, since 80% of companies hide cases of hacking and leaks. Experts predict that if nothing is done, in a few years the damage will increase to $ 8 trillion.
In the Binary District, we made a brief retelling of a BI.ZONE study on the new challenges of the digital world. We chose the main trends in the field of cybercrime and interesting facts from the research that caught our attention: how quickly the cybercrime world learns about vulnerabilities in MS Office, what the problem of the Internet of things is and why building protection of its infrastructure does not guarantee the complete security of the company.
Cyber attacks are in the top 3 global risks: they bring $ 1 trillion of damage - more than terrorism and man-made disasters (data from the World Economic Forum)
Every year the number of data leaks continues to grow. Literally the other day, the largest dump in history was posted on the network: a collection of data from many leaks appeared in the archive: 2.7 billion accounts, over 1.1 billion of which are unique combinations of email addresses and passwords.
Typically, attackers resell stolen data in the shadow segments of the Internet or use them to organize new attacks. Most often, criminals steal personal data (about 67% of cases), as well as financial information and credentials. In 2017, only 18% of the causes of leaks were accidental, the rest being an external or internal attacker.
Large corporations with thousands of employees most often become victims of leaks - and they suffer a huge loss from cyber attacks. For example, in the United States, an average data leakage costs the company $ 7.4 million. However, the damage from leaks can be not only direct, but also indirect. For example, in July 2017, hackers penetrated the internal network of the HBO television company and pumped 1.5 TB of data, including the unreleased series of some TV series and the script to the not yet released Game of Thrones series. The attackers demanded a $ 6 million ransom from HBO. The company did not pay, but it still suffered reputational damage.
In some cases, attackers do not steal data for immediate monetization, but for the development of future attacks. So, in June 2017, the source code of Windows 10 leaked - the archive, which is part of the Shared Source Kit and includes files with source texts of device drivers, was downloaded by unknown persons to the BetaArchive website. Such large leaks lead to the emergence of new waves of exploits that exploit previously unknown vulnerabilities in the OS code.
The damage from leaks grows with the number of these leaks; they affect more and more people and companies. Failure to comply with the requirements for the protection of personal data can threaten not only fines, but also a blow to reputation, financial losses, customer outflow, and spending on analyzing the state of the infrastructure and strengthening its protection. It is much better to limit the last two steps - it is much cheaper.
Attacks on the financial sector are the most difficult and most frequent: according to BI.ZONE, every second attack is made on it. So, recently BI.ZONE analyzed in detail in her blog the attack of the Buhtrap group against Russian banks, which became known on December 19, 2018. Phishing mailing contained the executable file “md5: faf833a1456e1bb85117d95c23892368” , which took various names: “Reconciliation for December.exe”, “Doc-you wednesday.exe”, “Documents 19.12.exe”, “Closing documents wedu.exe”.
If you recall the previous attacks, then, for example, in Russia, the Carbanak group in 2017 suffered 200 banks. 11 of them could not resist hacking, which brought the attackers more than $ 16 million.
An interesting feature of Carbanak is the tactic of using the infrastructure of other organizations to send malware. In some cases, phishing emails were opened by employees directly responsible for cybersecurity.
The main method of initial penetration is Spear Phishing - specially prepared letters, taking into account the particularities of a company or an industry sector. The same Carbanak usually sends phishing emails from addresses that contain words related to banking: equipment companies (Wincor-Nixdorf), payment systems (Visa, MasterCard, Western Union), etc.
Hackers follow cybersecurity news and quickly rework fresh exploits for use in attacks. According to BI.ZONE, since the release of the new exploit for MS Office until its use in the Carbanak mailing list, it takes less than a day (!).
In 2017-2018, the number of Supply Chain attacks increased by 200%. This strategy is based on the fact that attackers are trying to gain access to the infrastructure of the target organization not directly, but bypassing - by introducing malicious code into the programs of the least protected participants in the supply chain.
Most often, the ultimate goal of such attacks is the banking sector, the largest piece in this hacker cake.
Supply Chain attacks are dangerous because they are extremely difficult, and sometimes simply impossible to track and prevent. Instead of attacking the infrastructure of one well-protected organization, criminals gain access to the infrastructure of many companies using compromised software from a weakly protected vendor.
The attack on the supply chain begins with the infection of a popular program. For example, in the case of the NotPetya cryptographer, distribution began after infection with MEDoc, a tax reporting program. As a result of the compromise of the MEDoc update servers, the attackers managed to inject a backdoor into the program code, through which the NotPetya executable file was then loaded. The consequences were sad: the damage to one company could reach more than $ 300 million, and the global damage is estimated at $ 1.2 billion. The EternalBlue exploit, because of which the cryptographer spread much faster, played a role in this.
One of the more notable trends in 2017-2018 was the sharp increase in the number of attacks on devices connected to the Internet of things.
The market for IoT devices is no longer a niche: there are currently more than 8.4 billion devices in the world, and according to forecasts, by 2020 their total number will reach 30 billion.
Low security of IoT devices leads to the fact that they are easily compromised and used to create botnets for organizing DDoS attacks. Also, smart devices are often a weak link in an organization's network, thanks to which attackers can penetrate the company's internal network.
The main causes of vulnerabilities IoT devices:
Of the popular IoT botnets, you can remember JenX, who gained fame in February 2018. The botnet consists mainly of infected Huawei devices and devices using RealTek controllers. JenX offers its services in organizing DDoS-attacks for a very modest price - for $ 20 you can order an attack with a capacity of about 300 Gbit / s.
The sphere of cybercrime is developing rapidly. The ability to quickly earn big money and excitement pushes intruders to improve their skills in order to constantly check the strength of the software and infrastructure of companies, finding new loopholes. The methods of protection that worked yesterday will become obsolete tomorrow.
Together with BI.ZONE, we launch two offline courses on information security: "Web Application Security" and "Investigating Cyber Attacks for Business . " Course speakers are leading cybersecurity experts, specializing in penetration testing and computer forensics, and teachers of relevant courses at MEPhI. The program of courses is based on real fresh incidents. Classes will be held at the Digital October site on February 16-17.
In the Binary District, we made a brief retelling of a BI.ZONE study on the new challenges of the digital world. We chose the main trends in the field of cybercrime and interesting facts from the research that caught our attention: how quickly the cybercrime world learns about vulnerabilities in MS Office, what the problem of the Internet of things is and why building protection of its infrastructure does not guarantee the complete security of the company.
Cyber attacks are in the top 3 global risks: they bring $ 1 trillion of damage - more than terrorism and man-made disasters (data from the World Economic Forum)
Data leakage
Every year the number of data leaks continues to grow. Literally the other day, the largest dump in history was posted on the network: a collection of data from many leaks appeared in the archive: 2.7 billion accounts, over 1.1 billion of which are unique combinations of email addresses and passwords.
Typically, attackers resell stolen data in the shadow segments of the Internet or use them to organize new attacks. Most often, criminals steal personal data (about 67% of cases), as well as financial information and credentials. In 2017, only 18% of the causes of leaks were accidental, the rest being an external or internal attacker.
Large corporations with thousands of employees most often become victims of leaks - and they suffer a huge loss from cyber attacks. For example, in the United States, an average data leakage costs the company $ 7.4 million. However, the damage from leaks can be not only direct, but also indirect. For example, in July 2017, hackers penetrated the internal network of the HBO television company and pumped 1.5 TB of data, including the unreleased series of some TV series and the script to the not yet released Game of Thrones series. The attackers demanded a $ 6 million ransom from HBO. The company did not pay, but it still suffered reputational damage.
In some cases, attackers do not steal data for immediate monetization, but for the development of future attacks. So, in June 2017, the source code of Windows 10 leaked - the archive, which is part of the Shared Source Kit and includes files with source texts of device drivers, was downloaded by unknown persons to the BetaArchive website. Such large leaks lead to the emergence of new waves of exploits that exploit previously unknown vulnerabilities in the OS code.
The damage from leaks grows with the number of these leaks; they affect more and more people and companies. Failure to comply with the requirements for the protection of personal data can threaten not only fines, but also a blow to reputation, financial losses, customer outflow, and spending on analyzing the state of the infrastructure and strengthening its protection. It is much better to limit the last two steps - it is much cheaper.
Attacks on the banking sector
Attacks on the financial sector are the most difficult and most frequent: according to BI.ZONE, every second attack is made on it. So, recently BI.ZONE analyzed in detail in her blog the attack of the Buhtrap group against Russian banks, which became known on December 19, 2018. Phishing mailing contained the executable file “md5: faf833a1456e1bb85117d95c23892368” , which took various names: “Reconciliation for December.exe”, “Doc-you wednesday.exe”, “Documents 19.12.exe”, “Closing documents wedu.exe”.
If you recall the previous attacks, then, for example, in Russia, the Carbanak group in 2017 suffered 200 banks. 11 of them could not resist hacking, which brought the attackers more than $ 16 million.
An interesting feature of Carbanak is the tactic of using the infrastructure of other organizations to send malware. In some cases, phishing emails were opened by employees directly responsible for cybersecurity.
The main method of initial penetration is Spear Phishing - specially prepared letters, taking into account the particularities of a company or an industry sector. The same Carbanak usually sends phishing emails from addresses that contain words related to banking: equipment companies (Wincor-Nixdorf), payment systems (Visa, MasterCard, Western Union), etc.
Hackers follow cybersecurity news and quickly rework fresh exploits for use in attacks. According to BI.ZONE, since the release of the new exploit for MS Office until its use in the Carbanak mailing list, it takes less than a day (!).
Supply Chain Attacks
In 2017-2018, the number of Supply Chain attacks increased by 200%. This strategy is based on the fact that attackers are trying to gain access to the infrastructure of the target organization not directly, but bypassing - by introducing malicious code into the programs of the least protected participants in the supply chain.
Most often, the ultimate goal of such attacks is the banking sector, the largest piece in this hacker cake.
Supply Chain attacks are dangerous because they are extremely difficult, and sometimes simply impossible to track and prevent. Instead of attacking the infrastructure of one well-protected organization, criminals gain access to the infrastructure of many companies using compromised software from a weakly protected vendor.
The attack on the supply chain begins with the infection of a popular program. For example, in the case of the NotPetya cryptographer, distribution began after infection with MEDoc, a tax reporting program. As a result of the compromise of the MEDoc update servers, the attackers managed to inject a backdoor into the program code, through which the NotPetya executable file was then loaded. The consequences were sad: the damage to one company could reach more than $ 300 million, and the global damage is estimated at $ 1.2 billion. The EternalBlue exploit, because of which the cryptographer spread much faster, played a role in this.
IoT botnets
One of the more notable trends in 2017-2018 was the sharp increase in the number of attacks on devices connected to the Internet of things.
The market for IoT devices is no longer a niche: there are currently more than 8.4 billion devices in the world, and according to forecasts, by 2020 their total number will reach 30 billion.
Low security of IoT devices leads to the fact that they are easily compromised and used to create botnets for organizing DDoS attacks. Also, smart devices are often a weak link in an organization's network, thanks to which attackers can penetrate the company's internal network.
The main causes of vulnerabilities IoT devices:
- most users don't change default passwords,
- updates do not come out, or they are difficult to install,
- There are no uniform standards and safety requirements.
Of the popular IoT botnets, you can remember JenX, who gained fame in February 2018. The botnet consists mainly of infected Huawei devices and devices using RealTek controllers. JenX offers its services in organizing DDoS-attacks for a very modest price - for $ 20 you can order an attack with a capacity of about 300 Gbit / s.
The sphere of cybercrime is developing rapidly. The ability to quickly earn big money and excitement pushes intruders to improve their skills in order to constantly check the strength of the software and infrastructure of companies, finding new loopholes. The methods of protection that worked yesterday will become obsolete tomorrow.
Together with BI.ZONE, we launch two offline courses on information security: "Web Application Security" and "Investigating Cyber Attacks for Business . " Course speakers are leading cybersecurity experts, specializing in penetration testing and computer forensics, and teachers of relevant courses at MEPhI. The program of courses is based on real fresh incidents. Classes will be held at the Digital October site on February 16-17.
Source: https://habr.com/ru/post/437878/