Cybersecurity Trends from BI.ZONE
According to the most modest estimates, in 2017, global damage from cyber attacks amounted to a trillion dollars, according to the BI.ZONE annual survey for 2017-2018. It is almost impossible to assess the real damage, since 80% of companies hide cases of hacking and leaks. Experts predict that if nothing is done, in a few years the damage will increase to $ 8 trillion.
In the Binary District, we made a brief retelling of the BI.ZONE study on the new challenges of the digital world. We chose the main trends in the field of cybercrime and interesting facts from the research that caught our attention: how quickly the cybercrime world learns about vulnerabilities in MS Office, what the problem of the Internet of things is and why building protection of its infrastructure does not guarantee the complete security of the company.
Cyber attacks - in the top 3 global risks: they bring $ 1 trillion of damage - more than terrorism and man-made disasters (data from the World Economic Forum)
Every year the number of data leaks continues to grow. Literally the other day, the largest dump in history was posted on the network : the archive contained a collection of data from many leaks: 2.7 billion accounts, over 1.1 billion of which are unique combinations of email addresses and passwords.
Typically, attackers resell stolen data in the shadow segments of the Internet or use them to organize new attacks. Most often, criminals steal personal data (about 67% of cases), as well as financial information and credentials. In 2017, only 18% of the causes of leaks were accidental, the rest being an external or internal attacker.
Large corporations with thousands of employees most often become victims of leaks - and they suffer a huge loss from cyber attacks. For example, in the United States, an average data leakage costs the company $ 7.4 million. However, the damage from leaks can be not only direct, but also indirect. For example, in July 2017, hackers infiltrated the internal network of the HBO television company and pumped 1.5 TB of data, including the unreleased series of some TV series and the script for the not yet released Game of Thrones series. The attackers demanded a ransom of $ 6 million from HBO. The company did not pay, but still suffered reputational damage.
In some cases, attackers steal data not for immediate monetization, but for the development of future attacks. So, in June 2017, the source code of Windows 10 leaked - the archive, which is part of the Shared Source Kit and includes files with source codes of device drivers, was downloaded by unknown persons to the BetaArchive website. Such large leaks lead to the emergence of new waves of exploits that exploit previously unknown vulnerabilities in the OS code.
The damage from leaks grows with the number of leaks, they affect more and more people and companies. Failure to comply with the requirements for the protection of personal data can threaten not only fines, but also a blow to reputation, financial losses, customer outflow, and spending on analyzing the state of the infrastructure and strengthening its protection. It is much better to limit the last two steps - it is much cheaper.
Attacks on the financial sector are the most difficult and most frequent: according to BI.ZONE, every second attack is made on it. So, recently BI.ZONE analyzed in detail in her blog the attack of the Buhtrap group on Russian banks, which became known on December 19, 2018. Phishing mailing contained the executable file “md5: faf833a1456e1bb85117d95c23892368” , which took various names: “Reconciliation for December.exe”, “Doc-you wednesday.exe”, “Documents 19.12.exe”, “Closing documents wedu.exe”.
If you remember the previous attacks, then, for example, in Russia, the Carbanak group in 2017 was subjected to 200 banks. 11 of them could not resist hacking, which brought the attackers more than $ 16 million.
An interesting feature of Carbanak is the tactic of using the infrastructure of other organizations to send malware. In some cases, phishing emails were opened by employees who are directly responsible for cybersecurity.
The main method of initial penetration is Spear Phishing - specially prepared letters, taking into account the particularities of a company or an industry sector. The same Carbanak usually sends phishing emails from addresses that contain words related to banking: the names of companies producing equipment (Wincor-Nixdorf), payment systems (Visa, MasterCard, Western Union), etc.
Hackers follow cybersecurity news and quickly rework fresh exploits for use in attacks. According to BI.ZONE, since the release of the new exploit for MS Office until its use in the Carbanak mailing list, it takes less than a day (!).
In 2017-2018, the number of Supply Chain attacks increased by 200%. This strategy is based on the fact that attackers are trying to gain access to the infrastructure of the target organization not directly, but bypassing - by introducing malicious code into the programs of the least protected participants in the supply chain.
Most often, the ultimate goal of such attacks is the banking sector, the largest piece in this hacker cake.
Supply Chain attacks are dangerous because they are extremely difficult, and sometimes simply impossible to track and prevent. Instead of attacking the infrastructure of one well-protected organization, criminals gain access to the infrastructure of many companies that use compromised software from a weakly protected vendor.
The attack on the supply chain begins with the infection of a popular program. For example, in the case of the NotPetya cryptographer, distribution began after infection with MEDoc, a tax reporting program. As a result of the compromise of the MEDoc update servers, the attackers managed to inject a backdoor into the program code, through which the NotPetya executable file was then loaded. The consequences were sad: the damage to one company could reach more than $ 300 million, and global damage is estimated at $ 1.2 billion. The EternalBlue exploit played a role in this, because of which the cryptographer spread much faster.
One of the more notable trends in 2017-2018 was a sharp increase in the number of attacks on devices connected to the Internet of things.
The market for IoT devices is no longer a niche: there are currently more than 8.4 billion devices in the world, and according to forecasts, by 2020 their total number will reach 30 billion.
Low security of IoT devices leads to the fact that they can easily be compromised. and use to create botnets for organizing DDoS attacks. Also, smart devices are often a weak link in the organization's network, through which attackers can penetrate the company's internal network.
The main causes of vulnerabilities IoT devices:
Of the popular IoT botnets, you can remember JenX, who gained fame in February 2018. The botnet consists mainly of infected Huawei devices and devices using RealTek controllers. JenX offers its services in the organization of DDoS-attacks for a very modest price - for $ 20 you can order an attack with a capacity of about 300 Gbit / s.
The sphere of cybercrime is developing rapidly. The ability to quickly earn big money and excitement pushes intruders to improve their skills in order to constantly check the strength of the software and infrastructure of companies, finding new loopholes. The protection methods that worked yesterday will be obsolete tomorrow.
Together with BI.ZONE, we launch two offline courses on information security: “Web application security” and"Investigating cyber attacks for business . " Course speakers are leading cybersecurity experts, specializing in penetration testing and computer forensics, and instructors of relevant courses at the National Research Nuclear University MEPhI. The program of courses is based on real fresh incidents. Classes will be held at the Digital October site on February 16-17.
In the Binary District, we made a brief retelling of the BI.ZONE study on the new challenges of the digital world. We chose the main trends in the field of cybercrime and interesting facts from the research that caught our attention: how quickly the cybercrime world learns about vulnerabilities in MS Office, what the problem of the Internet of things is and why building protection of its infrastructure does not guarantee the complete security of the company.
Cyber attacks - in the top 3 global risks: they bring $ 1 trillion of damage - more than terrorism and man-made disasters (data from the World Economic Forum)
Data leakage
Every year the number of data leaks continues to grow. Literally the other day, the largest dump in history was posted on the network : the archive contained a collection of data from many leaks: 2.7 billion accounts, over 1.1 billion of which are unique combinations of email addresses and passwords.
Typically, attackers resell stolen data in the shadow segments of the Internet or use them to organize new attacks. Most often, criminals steal personal data (about 67% of cases), as well as financial information and credentials. In 2017, only 18% of the causes of leaks were accidental, the rest being an external or internal attacker.
Large corporations with thousands of employees most often become victims of leaks - and they suffer a huge loss from cyber attacks. For example, in the United States, an average data leakage costs the company $ 7.4 million. However, the damage from leaks can be not only direct, but also indirect. For example, in July 2017, hackers infiltrated the internal network of the HBO television company and pumped 1.5 TB of data, including the unreleased series of some TV series and the script for the not yet released Game of Thrones series. The attackers demanded a ransom of $ 6 million from HBO. The company did not pay, but still suffered reputational damage.
In some cases, attackers steal data not for immediate monetization, but for the development of future attacks. So, in June 2017, the source code of Windows 10 leaked - the archive, which is part of the Shared Source Kit and includes files with source codes of device drivers, was downloaded by unknown persons to the BetaArchive website. Such large leaks lead to the emergence of new waves of exploits that exploit previously unknown vulnerabilities in the OS code.
The damage from leaks grows with the number of leaks, they affect more and more people and companies. Failure to comply with the requirements for the protection of personal data can threaten not only fines, but also a blow to reputation, financial losses, customer outflow, and spending on analyzing the state of the infrastructure and strengthening its protection. It is much better to limit the last two steps - it is much cheaper.
Attacks on the banking sector
Attacks on the financial sector are the most difficult and most frequent: according to BI.ZONE, every second attack is made on it. So, recently BI.ZONE analyzed in detail in her blog the attack of the Buhtrap group on Russian banks, which became known on December 19, 2018. Phishing mailing contained the executable file “md5: faf833a1456e1bb85117d95c23892368” , which took various names: “Reconciliation for December.exe”, “Doc-you wednesday.exe”, “Documents 19.12.exe”, “Closing documents wedu.exe”.
If you remember the previous attacks, then, for example, in Russia, the Carbanak group in 2017 was subjected to 200 banks. 11 of them could not resist hacking, which brought the attackers more than $ 16 million.
An interesting feature of Carbanak is the tactic of using the infrastructure of other organizations to send malware. In some cases, phishing emails were opened by employees who are directly responsible for cybersecurity.
The main method of initial penetration is Spear Phishing - specially prepared letters, taking into account the particularities of a company or an industry sector. The same Carbanak usually sends phishing emails from addresses that contain words related to banking: the names of companies producing equipment (Wincor-Nixdorf), payment systems (Visa, MasterCard, Western Union), etc.
Hackers follow cybersecurity news and quickly rework fresh exploits for use in attacks. According to BI.ZONE, since the release of the new exploit for MS Office until its use in the Carbanak mailing list, it takes less than a day (!).
Supply Chain Attacks
In 2017-2018, the number of Supply Chain attacks increased by 200%. This strategy is based on the fact that attackers are trying to gain access to the infrastructure of the target organization not directly, but bypassing - by introducing malicious code into the programs of the least protected participants in the supply chain.
Most often, the ultimate goal of such attacks is the banking sector, the largest piece in this hacker cake.
Supply Chain attacks are dangerous because they are extremely difficult, and sometimes simply impossible to track and prevent. Instead of attacking the infrastructure of one well-protected organization, criminals gain access to the infrastructure of many companies that use compromised software from a weakly protected vendor.
The attack on the supply chain begins with the infection of a popular program. For example, in the case of the NotPetya cryptographer, distribution began after infection with MEDoc, a tax reporting program. As a result of the compromise of the MEDoc update servers, the attackers managed to inject a backdoor into the program code, through which the NotPetya executable file was then loaded. The consequences were sad: the damage to one company could reach more than $ 300 million, and global damage is estimated at $ 1.2 billion. The EternalBlue exploit played a role in this, because of which the cryptographer spread much faster.
IoT botnets
One of the more notable trends in 2017-2018 was a sharp increase in the number of attacks on devices connected to the Internet of things.
The market for IoT devices is no longer a niche: there are currently more than 8.4 billion devices in the world, and according to forecasts, by 2020 their total number will reach 30 billion.
Low security of IoT devices leads to the fact that they can easily be compromised. and use to create botnets for organizing DDoS attacks. Also, smart devices are often a weak link in the organization's network, through which attackers can penetrate the company's internal network.
The main causes of vulnerabilities IoT devices:
- most users don't change default passwords,
- updates do not come out, or they are difficult to install,
- There are no uniform standards and safety requirements.
Of the popular IoT botnets, you can remember JenX, who gained fame in February 2018. The botnet consists mainly of infected Huawei devices and devices using RealTek controllers. JenX offers its services in the organization of DDoS-attacks for a very modest price - for $ 20 you can order an attack with a capacity of about 300 Gbit / s.
The sphere of cybercrime is developing rapidly. The ability to quickly earn big money and excitement pushes intruders to improve their skills in order to constantly check the strength of the software and infrastructure of companies, finding new loopholes. The protection methods that worked yesterday will be obsolete tomorrow.
Together with BI.ZONE, we launch two offline courses on information security: “Web application security” and"Investigating cyber attacks for business . " Course speakers are leading cybersecurity experts, specializing in penetration testing and computer forensics, and instructors of relevant courses at the National Research Nuclear University MEPhI. The program of courses is based on real fresh incidents. Classes will be held at the Digital October site on February 16-17.