2023/04/11 16:47:45

Cyber attack models


Main article: Cyberattacks

Classification of cyber attack models

In February 2017, TAdviser and Sec-Consult compiled the following classification of cyber attack models.

Crime as a Service

Main article: Crime-as-a-Service

Network infrastructure

Data Link Protocol Vulnerabilities

Security issues at Layer 2 of the OSI model. Attack model:

  • 802.1Q and ISL tagging attacks
  • ARP spoofing
  • Wireless encryption cracking
  • DHCP starvation (address pool exhaustion)
  • Double-encapsulated 802.1Q / nested VLAN attack (VLAN hopping)
  • MAC flooding (CAM table overflow)
  • STP manipulation

Network and Transport Protocol Layer Vulnerabilities

Security issues at Layers 3, 4 and 5 of the OSI model. Attack model:

  • BGP manipulation
  • EIGRP manipulation
  • IGRP manipulation
  • OSPF manipulation
  • Packet sniffing and traffic analysis
  • RIP manipulation
  • TCP/IP sequence number prediction
  • SYN flooding

Firewall Issues

Security issues arising from firewall configuration. Attack model:

  • Bypassing firewall rules
  • Insufficient packet filtering

Remediation Level

Server Patch Level

Known software vulnerabilities are exploited even though a patch for them is already available.

Attack model:

  • Exploiting known application vulnerabilities

Server Configuration

Server Configuration/General

This class covers configuration errors, common to all types of server software, that attackers can exploit.

Attack model:

  • Using default accounts and credentials
  • Enumerating user accounts
  • Insecure logging practices
  • Incorrect access permissions
  • Using unprotected functionality
  • Gathering internal information
  • Guessing passwords
  • Reading unencrypted sensitive data

Standard Software and Proprietary Applications

Authentication issues

The web application does not sufficiently authenticate access to its resources.

Attack model:

Authorization issues

An unauthenticated or low-privileged user can access resources that are, or should be, protected.

Attack model:

  • Access to protected functionality
  • Access to protected resources

Business Logic Problems

An attacker can violate the application's business rules.

Attack model:

  • Depends on the application

Disclosure

An attacker can collect information about the application's internal data or the server environment.

Attack model:

  • Collecting information from code comments
  • Collecting information from system and error messages
  • Reading old, backup and unreferenced files

Facilitating client-side attacks (browser attacks)

This class of vulnerabilities is specific to web applications; it covers attacks that target the user's web browser.

Attack model:

  • Cross-Site Request Forgery (CSRF/XSRF)
  • HTML injection / Cross-Site Scripting (XSS)
  • HTTP response splitting / header injection
  • Frame spoofing
  • Session fixation

Interpreter Injection/Input Validation Issues

The application passes user-supplied parameters to a database, to operating system APIs or to other interpreters without properly validating the data.

Attack model:

  • File system access
  • Code injection
  • Command injection
  • Format string injection
  • IMAP/SMTP injection
  • LDAP injection
  • ORM injection
  • Buffer overflow
  • Path traversal
  • SQL injection
  • SSI injection
  • XML injection
  • XPath injection
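As an added example (not part of the TAdviser/Sec-Consult classification), the following Python script shows two items from this list in working code: SQL injection, with a login query built by string formatting beside its parameterized equivalent, run against a constructed in-memory SQLite table; and path traversal, with a canonicalization check that rejects any requested path that escapes a base directory. The table contents, the payloads and the base directory /srv/app/files are constructed for the demonstration.

```python
import os
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for an application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string formatting, so user input becomes SQL syntax."""
    sql = "SELECT role FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    """Same query with bound parameters: the driver sends input as data, never as SQL."""
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def injection_demo():
    """Run legitimate and injected logins against both implementations."""
    conn = make_db()
    # Tautology in the password field: ... AND password = '' OR '1'='1'
    # AND binds tighter than OR, so the WHERE clause is true for every row
    # and the first row (alice, admin) comes back.
    tautology = "' OR '1'='1"
    # Comment-out in the user name: ... WHERE name = 'alice' --' AND password = '...'
    # Everything after -- is an SQL comment, so the password check disappears.
    comment_out = "alice' --"
    return {
        "vuln_legit": login_vulnerable(conn, "bob", "hunter2"),
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology),
        "vuln_comment": login_vulnerable(conn, comment_out, "wrong"),
        "safe_legit": login_parameterized(conn, "bob", "hunter2"),
        "safe_tautology": login_parameterized(conn, "nobody", tautology),
        "safe_comment": login_parameterized(conn, comment_out, "wrong"),
    }


def safe_path(base_dir, user_path):
    """Path traversal check for the "file system access" item: resolve the requested
    path (collapsing .. and symlinks) and refuse anything outside the base directory."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path traversal attempt rejected: %r" % user_path)
    return target


if __name__ == "__main__":
    for key, value in injection_demo().items():
        print("%-16s %s" % (key, value))
    print(safe_path("/srv/app/files", "reports/q1.txt"))
    try:
        safe_path("/srv/app/files", "../../etc/passwd")
    except ValueError as err:
        print(err)
```

The parameterized version returns no row for either payload because the quote characters never reach the SQL parser; the same principle (pass data through the interpreter's own binding mechanism rather than into its syntax) is the fix for the LDAP, XPath, command and ORM injection items as well.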

State/Session Management Issues

State or session variables are initialized or used incorrectly.

Attack model:

  • Enumerating session IDs
  • Exploiting session state issues

Insecure handling of trusted data

An attacker can manipulate data the application trusts, including its internal data.

Attack model:

  • Manipulating the application's internal data about the client
  • Reading the application's internal data or sensitive client data

Unnecessary and insecure functionality

The application exposes inherently insecure functionality.

Attack model:

  • Using sample applications
  • Arbitrary file download

Insecure algorithms

The use of insecure algorithms allows protected data to be compromised.

Attack model:

  • Breaking the encryption
  • Using a weak random number generator
  • Using weak/insecure encryption algorithms
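The "enumerating session IDs" item in the session management class above and the "weak random number generator" item here are the same defect seen from two sides. The following added Python example (not code from the page or from any product it mentions) models a server that seeds Python's non-cryptographic random module with the login timestamp, shows how an attacker who knows a login time to within a minute recovers the seed and enumerates every ID the server could have issued in that window, and contrasts it with an ID drawn from the secrets module. The seeding scheme, timestamps and window are constructed assumptions.

```python
import random
import secrets


def weak_session_id(seed):
    """Session ID from Python's Mersenne Twister seeded with an integer such as
    int(time.time()): the whole ID is determined by that one guessable value."""
    rng = random.Random(seed)
    return "%016x" % rng.getrandbits(64)


def strong_session_id():
    """Session ID from the OS CSPRNG: 128 bits of entropy and no seed to recover."""
    return secrets.token_hex(16)


def recover_seed(observed_id, approx_time, window=60):
    """Attacker step 1: given one ID (e.g. the attacker's own session) and the second
    it was issued to within +/- window, replay the generator for each candidate seed
    until the output matches. A hit confirms the seeding scheme and the exact seed."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if weak_session_id(seed) == observed_id:
            return seed
    return None


def enumerate_candidate_ids(start_time, end_time):
    """Attacker step 2: enumerate every ID the server could have issued in a time
    range. A victim who logged in during that range holds one of these IDs, so the
    attacker can try each against the application and hijack the session without
    ever intercepting it."""
    return [weak_session_id(t) for t in range(start_time, end_time + 1)]


def demo():
    attacker_login = 1700000000  # constructed: the attacker logs in at this Unix second
    victim_login = 1700000500    # constructed: victim login, known to the attacker to +/- 60 s
    attacker_id = weak_session_id(attacker_login)
    victim_id = weak_session_id(victim_login)
    seed = recover_seed(attacker_id, attacker_login + 30)
    candidates = enumerate_candidate_ids(victim_login - 60, victim_login + 60)
    return {
        "recovered_seed": seed,
        "scheme_confirmed": seed == attacker_login,
        "victim_in_candidates": victim_id in candidates,
        "candidate_count": len(candidates),
        "strong_id": strong_session_id(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A 121-entry candidate list is trivial to try against a login endpoint; the strong ID has no such list because no input to the generator is observable or guessable. Compare session tokens with secrets.compare_digest rather than == so that a timing difference does not leak partial matches.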

Denial of Service Vulnerability

An attacker can take the service down.

Attack model:

  • Exploiting unbounded resource allocation
  • Locking out user accounts

Ransomware (encryptors)

Acoustic attacks

Chronicle

2023: Positive Technologies unveils 10 popular attack techniques and a list of preventative measures for them

On April 10, 2023, Positive Technologies published a study on detecting and preventing attacks that use the most popular MITRE ATT&CK techniques. The company's experts had used the techniques presented during penetration tests of Russian organizations in 2022. The proposed list of preventive measures covers 29% of the information protection requirements set out in Order No. 17 of the FSTEC of Russia of 11.02.2013 "On Approval of the Requirements for the Protection of Information Not Constituting a State Secret Contained in State Information Systems".

The study identified the ten attack techniques most often used by Positive Technologies pentesters.

The experts selected ways to detect these techniques and proposed a list of preventive measures. They named the main event sources whose analysis helps identify the use of a given technique by an attacker:

  • OS event logs, including security audit and logon events;
  • network traffic;
  • application event logs;
  • event logs on the domain controller.

"For example, consider the technique related to insecure storage of credentials (Unsecured Credentials). It was used in attacks on 79% of the organizations studied," said Anton Kutepov, head of information security community development at Positive Technologies. "To minimize an attacker's chances of success, we recommend regularly searching for files containing passwords and training users to store confidential information competently. In addition, access to shared resources needs to be segregated so that only certain employees can use certain folders. Among other things, a corporate rule should be established that prohibits storing passwords in files."

To prevent and detect attacks in time, it is necessary to implement a security event monitoring system (SIEM), filter network traffic with firewalls at different levels (WAF, NGFW) and analyze network traffic with NTA products. It is also worth acquiring endpoint detection and response tools (EDR and XDR solutions).
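The credential-file search Kutepov recommends, as an added example (not Positive Technologies' tooling): a Python script that walks a directory tree such as a mounted file share, matches lines that look like stored passwords, API keys or private keys, and reports them with the secret value masked so the report itself does not become another unsecured credential store. The patterns, extension list and sample file tree are constructed for the demonstration.

```python
import os
import re
import tempfile

# Patterns that typically mark stored credentials in text files. Constructed for this
# example; tune them to the naming conventions of the environment being checked.
CRED_PATTERNS = [
    ("password", re.compile(r"(?i)(?:password|passwd|pwd|pass)\s*[:=]\s*(\S+)")),
    ("api-key/token", re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*(\S+)")),
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
]
TEXT_EXT = {".txt", ".ini", ".cfg", ".conf", ".env", ".xml", ".yml", ".yaml",
            ".json", ".ps1", ".sh", ".bat", ".key", ".pem", ".md"}


def redact(line, pattern):
    """Mask the captured secret value; patterns without a capture group are kept as is."""
    if pattern.groups:
        return pattern.sub(lambda m: m.group(0).replace(m.group(1), "***"), line)
    return line


def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory (e.g. a mounted file share) and report lines that look like
    stored credentials as (relative path, line number, kind, redacted line)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.splitext(fn)[1].lower() not in TEXT_EXT:
                continue
            try:
                if os.path.getsize(path) > max_bytes:  # skip logs, dumps, binaries
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for kind, pat in CRED_PATTERNS:
                            if pat.search(line):
                                rel = os.path.relpath(path, root).replace(os.sep, "/")
                                hits.append((rel, lineno, kind, redact(line, pat).strip()))
                                break
            except OSError:
                continue  # unreadable file: permissions, vanished, etc.
    return hits


def build_sample_tree():
    """Constructed share layout for the demo; returns the temp directory path."""
    root = tempfile.mkdtemp(prefix="share-")
    samples = {
        "it/passwords.txt": "router admin\npassword: Summer2022!\n",
        "deploy/app.env": "DB_HOST=db01\nDB_PASSWORD=s3cr3t-value\n",
        "keys/backup.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
        "notes/todo.txt": "rotate certificates next week\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print("%s:%d [%s] %s" % hit)
```

Run it against each share with the same access the broadest user group has: a finding that a low-privileged account can read is exactly what the pentesters' Unsecured Credentials technique exploits, and it is also the input for the access segregation Kutepov describes.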

"Based on the D3FEND matrix, we identified the security capabilities needed to prevent, detect and respond to attacks that use ten techniques from the MITRE ATT&CK matrix. These ten techniques were not chosen by chance: in combination with other methods, they helped our specialists achieve their goals during penetration testing," said Yana Yurakova, analyst at the information security department of Positive Technologies. "In addition, we compared the regulator's requirements with the preventive measures proposed by the information security community, and it turned out that they cover 33 of the 113 requirements of FSTEC of Russia Order No. 17. We can conclude that if you comply with the regulator's instructions not just formally, not only on paper, the company's level of security will increase noticeably."

2021: Hackers began infecting software at the source code stage

On November 1, 2021, researchers at the University of Cambridge published details of an attack (known as Trojan Source) that hides Unicode bidirectional control characters in source-code comments and string literals so that the code a human reviewer sees differs from the code the compiler or interpreter executes, allowing malicious logic to be inserted into legitimate software.
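An added example (not from the page or the Cambridge authors) of the check a code review pipeline can run against this class of attack: it flags the Unicode bidirectional control characters the technique relies on, renders them visibly for the reviewer, and executes a constructed Python snippet in which those characters make what looks like a comment part of a string literal, so a comparison that appears to reject the value "user" actually accepts it. The sample function and file names are constructed for the demonstration.

```python
import os
import tempfile

# Unicode bidirectional control characters (names per the Unicode standard).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(source):
    """Return (line, column, name) for every bidi control in a source text.
    Ordinary code has no reason to contain these outside of localized string data,
    so any hit inside a comment or string literal deserves manual review."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch]))
    return findings


def make_visible(line):
    """Replace the invisible controls with <NAME> tags so the logical order is visible."""
    return "".join("<%s>" % BIDI_CONTROLS[c] if c in BIDI_CONTROLS else c for c in line)


def scan_files(paths):
    """Scan files on disk; returns {path: findings} for files with at least one hit."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_bidi_controls(fh.read())
        if hits:
            report[path] = hits
    return report


# Constructed sample in the style of the technique. A bidi-aware editor renders the
# second line roughly as   if access_level != 'user': // check if admin
# but the parser sees a string literal that runs through the "comment" text, so
# access_level == 'user' never equals it and the function returns True for 'user'.
SAMPLE = (
    "def is_admin(access_level):\n"
    "    if access_level != 'user\u202e \u2066// check if admin\u2069 \u2066':\n"
    "        return True\n"
    "    return False\n"
)


def demo():
    """Write the sample beside a clean file, scan both, and execute the sample to show
    the hidden logic change."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "auth.py")
        good = os.path.join(tmp, "util.py")
        with open(bad, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        with open(good, "w", encoding="utf-8") as fh:
            fh.write("def helper():\n    return 1\n")
        report = scan_files([bad, good])
    namespace = {}
    exec(SAMPLE, namespace)  # the sample is constructed above, not untrusted input
    return {
        "flagged": sorted(os.path.basename(p) for p in report),
        "hidden_admin": namespace["is_admin"]("user"),
        "visible_line": make_visible(SAMPLE.splitlines()[1]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The scan belongs in pre-commit hooks and CI alongside the usual linters; a finding should block the merge until a human has looked at the visible rendering.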

2020

Kaspersky Lab named the most popular methods of penetration into corporate IT systems

In mid-September 2021, Kaspersky Lab named the most popular methods of penetrating corporate IT systems. In 2020, attackers most often resorted to brute-force attacks: this method accounted for 32% of incidents, versus 13% a year earlier.

Kaspersky Lab attributes the popularity of brute force among attackers to the mass transition of companies to remote work during the pandemic and the more frequent use of the Remote Desktop Protocol (RDP). Attacks that begin with password guessing are in theory easy to detect, but in practice only a small fraction of them are stopped before damage is done, the experts say.
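Detecting such password guessing at the log level, as an added example rather than Kaspersky's own tooling: a sliding-window detector over constructed sshd-style authentication log lines that alerts when a source address accumulates a threshold of failed logons within two minutes and marks the address as compromised if a successful logon follows the alert. The log lines, addresses (RFC 5737 documentation ranges), threshold and window are constructed assumptions; for RDP the equivalent input is Windows Security event 4625 (failed logon) followed by 4624 (successful logon) from the same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window detector over auth log lines.

    Returns {"alerts": {ip: first_alert_time}, "compromised": [ip, ...]}: an IP is
    alerted once `threshold` failed logons fall inside `window`, and listed as
    compromised when a successful logon from it follows that alert."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    alerts = {}
    compromised = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            ip = m["ip"]
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.pop(0)
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = ts
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in alerts and m["ip"] not in compromised:
            compromised.append(m["ip"])
    return {"alerts": alerts, "compromised": compromised}


# Constructed sample: a burst of guesses from 203.0.113.5 ending in a successful
# root logon, and two unrelated failures from 198.51.100.7 eight minutes apart.
SAMPLE_LOG = [
    "2020-09-14T10:00:00 sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2",
    "2020-09-14T10:00:07 sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2",
    "2020-09-14T10:00:15 sshd[4243]: Failed password for root from 203.0.113.5 port 51024 ssh2",
    "2020-09-14T10:00:21 sshd[4243]: Failed password for root from 203.0.113.5 port 51025 ssh2",
    "2020-09-14T10:00:30 sshd[4244]: Failed password for root from 203.0.113.5 port 51026 ssh2",
    "2020-09-14T10:00:38 sshd[4244]: Failed password for root from 203.0.113.5 port 51027 ssh2",
    "2020-09-14T10:01:00 sshd[4245]: Accepted password for root from 203.0.113.5 port 51028 ssh2",
    "2020-09-14T10:03:00 sshd[4250]: Failed password for bob from 198.51.100.7 port 40000 ssh2",
    "2020-09-14T10:11:00 sshd[4251]: Failed password for bob from 198.51.100.7 port 40001 ssh2",
    "2020-09-14T10:15:00 sshd[4252]: Accepted password for bob from 198.51.100.7 port 40002 ssh2",
]


if __name__ == "__main__":
    result = detect_bruteforce(SAMPLE_LOG)
    for ip, when in result["alerts"].items():
        print("brute force from %s, alert at %s" % (ip, when))
    print("successful logon after alert:", result["compromised"])
```

The alert fires on the fifth failure at 10:00:30, a minute before the successful logon; the gap between "alerted" and "compromised" is the window in which blocking the source address or forcing MFA would have stopped the intrusion, which is the gap the Kaspersky experts say is rarely used in practice.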

Kaspersky Lab named the most popular methods of penetration into corporate IT systems in 2020

According to the Kaspersky Global Emergency Response Team, the second most common method of penetrating company systems is the exploitation of vulnerabilities; such incidents accounted for 31.5% at the end of 2020. In the vast majority of cases, attackers exploited long-known but unpatched vulnerabilities in corporate devices, such as CVE-2019-11510, CVE-2018-8453 and CVE-2017-0144, the study says.

More than half of all attacks were detected within hours (18%) or days (55%). Some lasted on average about 90 days.

The overwhelming majority of money thefts and data leaks occurred in the CIS countries (67% and 57% of all such requests worldwide). Ransomware attacks accounted for 22% of incidents in the region.

To minimize the likelihood of penetration into the corporate infrastructure, Kaspersky Lab recommends applying a strong password policy together with multi-factor authentication and identity and access management tools, regularly monitoring vendor update announcements, scanning the network for vulnerabilities and installing patches in a timely manner, and regularly training employees to maintain a high level of cybersecurity awareness.[1]

CISA spoke about implemented methods of hacker attacks in various industries

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a report detailing the results of risk and vulnerability assessments conducted across industries during fiscal year 2020. This became known on July 12, 2021.

The document details the potential attack vectors an attacker can use to compromise an organization's systems, based on the vulnerabilities identified over the past year. Both the CISA analysis and the accompanying infographic, which includes the success rate for each tactic and technique, are mapped to the MITRE ATT&CK knowledge base.

Infographic: CISA

According to the experts, attackers most often gained initial access using phishing links (49% of cases), followed by exploitation of public-facing applications (11.8%) and phishing attachments (9.8%). For execution, PowerShell was used in 24.4% of cases, followed by the legitimate Windows Management Instrumentation tool (13%) and the command and scripting interpreter (12.2%).

Valid accounts were used for privilege escalation in 37.5% of cases, followed by exploitation of privilege escalation vulnerabilities (21.9%) and access token manipulation (15.6%). For lateral movement, attackers mainly used pass-the-hash (29.8%), followed by the Remote Desktop Protocol (25%) and exploitation of remote services (11.9%).[2]

Review of key tools for cyber attacks: Crypto miners dominate

On January 21, 2020, Check Point Research published its Cyber Security Report 2020. The report highlights the main tools cybercriminals use to attack organizations around the world and gives security professionals and company executives the information they need to protect their organizations from current cyberattacks and fifth-generation threats.

The 2020 Security Report reveals the main malware trends and techniques that Check Point researchers observed in 2019:

  • Cryptominers still dominate the malware landscape. Although cryptomining decreased significantly in 2019 (due to the fall in cryptocurrency prices and the shutdown of the Coinhive mining service in March), 38% of companies worldwide were hit by cryptominers. Cybercriminals use cryptominers because the risk is low and the return is high. Nevertheless, according to a Check Point Software Technologies survey in the first half of 2019, companies in Russia feared cryptominers least of all: only 7%.

  • Botnets are growing. 28% of organizations worldwide were attacked by botnets, 50% more than in 2018. Emotet was the most common bot malware, mainly due to its versatility and its ability to distribute other malware and spam. Other botnet activities, such as sextortion (email-based fraud that exploits the victim's sex life) and DDoS attacks, also rose sharply in 2019.

  • Targeted ransomware hits harder. The number of targeted attacks on organizations is relatively small, but they can cause significant damage; the 2019 attacks on US city administrations are an example. Attackers carefully select victims for extortion in order to maximize their income.

  • Attacks on mobile devices are declining. In 2019, 27% of organizations faced cyberattacks on mobile devices, compared with 33% in 2018. Organizations are aware of the threat and are protecting employees' mobile devices more carefully. According to a Check Point Software Technologies survey in the first half of 2019, in Russia only 16% of IT professionals install or intend to use dedicated software to protect mobile devices. More than half (52%) of respondents consider banning the use of personal smartphones for work to be the best protection.

  • Magecart attacks have become an epidemic. Such attacks inject malicious code into online store websites to steal customers' payment data. In 2019 they hit hundreds of sites on all platforms, affecting large, medium and small businesses ranging from hotel chains to online retailers.

  • Cloud attacks are growing. As of January 2020, more than 90% of enterprises use cloud services, and 67% of security professionals complain about a lack of visibility into their cloud infrastructure, security and compliance. The scale of cloud attacks and breaches continued to grow in 2019. Misconfiguration of cloud resources is still the main cause of cloud attacks, but attacks targeting cloud service providers directly have also increased.

Chart: the main categories of cyberattacks in the EMEA region

"In 2019 we saw a broad threat landscape. We live in an era of a cyber arms race, and the number and sophistication of attacks will keep growing. Even if an organization is equipped with the most comprehensive and modern security products, the risk of being hacked remains; it cannot be eliminated completely. Organizations need to develop a proactive plan to get ahead of cybercriminals and prevent potential attacks. Detecting and automatically blocking an attack early can prevent damage. The Check Point 2020 Security Report discusses the main trends organizations should pay attention to and how they can prevail using key methods."

The Check Point 2020 Security Report is based on data from ThreatCloud intelligence, an anti-cybercrime network that provides threat and attack trend data from a global network of threat sensors; on Check Point research over the past 12 months; and on a survey of IT professionals and senior managers assessing their preparedness for threats.

2019

Fileless attacks increased 265% in the first half of the year

On August 30, 2019, it became known that Trend Micro Incorporated, a cybersecurity solutions vendor, had published its summary report for the first half of 2019. It notes a surge in fileless attacks designed to hide malicious activity: the number of detected threats of this kind increased 265 percent compared with the first half of 2018.

The 2019 results thus support numerous forecasts Trend Micro made in 2018, namely that attackers now work smarter and focus on the enterprises and environments that give them the greatest return on their efforts.

"Sophistication and cunning: this is how modern cyber threats can be characterized. Enterprise technologies and IT infrastructures are becoming more connected and more 'smart'. Attackers carry out deliberate, targeted, insidious attacks that covertly exploit people, processes and technologies. From a business perspective, digital transformation and the move to cloud technologies continue to gain popularity, which expands the corporate attack surface. To navigate these changes, companies need a technology partner that can combine human expertise with advanced security technologies to better detect, correlate, respond to and remediate threats," says Mikhail Kondrashin, CTO of Trend Micro in Russia.

Along with the growth in fileless threats in the first half of the year, attacks that bypass traditional security filters are becoming more frequent: they run in system memory, persist in the registry or abuse legitimate tools. Exploit kits have also returned: their number increased 136 percent compared with the first half of 2018.

Cryptocurrency-mining malware retained its status as the most frequently detected threat in the first half of 2019, and attackers increasingly used it against servers and cloud environments. Confirming another forecast, the number of routers involved in possible inbound attacks jumped 64% compared with the first half of 2018, and more and more Mirai variants are scanning for exposed devices.

In addition, the number of digital extortion schemes grew 319% since the second half of 2018, in line with earlier forecasts. Business email compromise (BEC) remains the main threat: the number of such detections grew 52% over the past six months. The number of ransomware-related files, emails and URLs also rose 77% over the same period.

Trend Micro detected and blocked 1.8 billion ransomware threats worldwide from January 2016 to June 2019. Russia accounts for 4.15% of all ransomware infections in the Eastern Europe region; Ukraine for 0.92% (0.14% globally). In Central Asia, Kazakhstan accounts for 0.04% (0.02% globally); in Western Asia, Azerbaijan for 0.10% (0.04% globally) and Georgia for 0.02% (0.01% globally).

Russia is among the top 10 countries in which mobile ransomware is recorded: up to 4.2% of the total across countries (February 2019) and up to 785 blocks (March 2019).

In total, Trend Micro products blocked more than 26.8 billion threats in the first half of 2019, 6 billion more than in the same period of the previous year. Notably, 91% of them reached corporate networks by email. Countering these advanced threats requires deep, intelligent protection that can correlate data across gateways, networks, servers and endpoints to identify and stop attacks.

Ransomware replaced by more targeted types of attacks

On May 23, 2019, Fortinet released the results of its quarterly Global Threat Landscape Report.

According to the company, the research shows that cybercriminals continue to refine their attack methods, including using purpose-built ransomware and custom code for targeted attacks, as well as living-off-the-land (LoTL) techniques and shared infrastructure to expand their capabilities.

The main conclusions of the study:

  • Pre-compromise activity by criminals is three times higher during the working week, while post-compromise traffic is less differentiated in this respect.
  • Some threats use a single shared infrastructure more often than unique or dedicated infrastructure. An example of the technologies cybercriminals have recently paid special attention to are web platforms that make it easier for users and enterprises to build websites.
  • Ransomware has not disappeared, but has become more targeted, aimed at wealthier victims.
  • Attackers are increasingly using dual-use tools, or tools already installed on target systems, to carry out attacks.

The study, which aimed to find out whether attackers split their attacks into separate stages carried out on different days of the week, showed that cybercriminals always strive to maximize the opportunities that arise. Comparing web filtering volumes for the pre-compromise and post-compromise phases of the cyber kill chain on weekdays and weekends showed that pre-compromise activity is three times higher during the working week, while post-compromise traffic is less differentiated in this respect. This is mainly because pre-compromise activity usually requires a victim to do something, for example follow a link in a phishing email, whereas command-and-control (C2) traffic has no such requirement and can be observed at any time. Cybercriminals understand this and try to maximize their opportunities during the working week, when users are most often online.

The degree to which different threats share infrastructure reveals a number of important trends. Some threats use a single shared infrastructure more often than unique or dedicated infrastructure. Almost 60% of threats shared at least one domain, which indicates that most botnets use already established infrastructure. The IcedID Trojan is an example of this "why buy or build when you can borrow" approach. In addition, when threats share infrastructure, they tend to do so at the same stage of the kill chain; situations in which a threat uses a domain for reconnaissance and vulnerability scanning and then sends C2 traffic through the same domain are quite rare. This suggests that infrastructure plays a specific role in malicious campaigns. Understanding which threats share infrastructure, and at which points in the attack chain, allows organizations to anticipate how malware or botnets may develop and change in the future.

Attackers tend to move from one opportunity to the next in clusters, targeting the most successfully exploited vulnerabilities and the technologies currently on the rise in order to take advantage quickly. As of May 2019, an example of the technologies cybercriminals pay special attention to are web platforms that make it easier for users and enterprises to build websites. These platforms, together with third-party plugins, remain a common target. All this confirms the need to install security updates immediately, and also requires organizations to fully understand the constantly evolving threat landscape if they want to stay a step ahead of attackers.

In general, more targeted types of attack have replaced the previously widespread ransomware, but this does not mean ransomware has disappeared; rather, it has become more targeted, aimed at wealthier victims. An example is LockerGoga, used in a targeted multi-stage attack. In functional complexity it differs little from similar ransomware, but whereas most such tools use some level of obfuscation to hide from antivirus products, analysis of this program found no significant obfuscation. This points to the targeted nature of the attack and suggests that its authors knew the intended victims would not be looking for this particular malicious code. Another example is Anatova. Like most ransomware, Anatova's main goal is to encrypt as many files as possible on the victim's system, except for files that could affect the stability of the infected system. In addition, it avoids machines that look like malware analysis systems or honeypots. Both of these ransomware families show that security leaders must continue to install updates promptly and back up data to protect against conventional ransomware, but countering targeted threats and unique attack methods requires more specialized protection.

Since attackers use the same business models as their victims to maximize the effect of their activities, attack methods often continue to develop even after a successful debut. To this end, attackers increasingly use dual-use tools, or tools already installed on target systems, to carry out attacks. This tactic, dubbed "living off the land" (LoTL), lets them disguise their activity as perfectly innocent processes, making it hard to detect. These tools also greatly amplify the impact of an attack. Unfortunately, attackers can use a variety of legitimate tools to achieve their goals while staying out of sight. To defend properly against such attacks, organizations should restrict access to sanctioned administration tools and log their use across their environments.

To improve an organization's ability not only to defend adequately against threats but also to prepare for the evolution and automation of future attacks, intelligent tools for proactive threat analysis that are available across the distributed network are needed. The knowledge gained helps identify trends, assess how the various methods aimed at the digital attack surface are evolving, and set cyber hygiene priorities based on what attackers are actually targeting. The value of this analysis, and the ability to act on it, is greatly reduced without security devices that can apply the resulting data in real time. Only a large-scale, integrated and automated platform approach to security can provide fast, large-scale protection for the entire network environment, from the Internet of Things and the edge to the network core and multi-cloud infrastructure.

"Unfortunately, we continue to see that the cybercriminal community takes into account national strategies and methodologies, as well as the technical features of the devices and network technologies its attacks target. Organizations should revise their strategies to better protect themselves from cyber risks and learn to manage them more effectively. One of the first important steps is to treat cybersecurity as a science and the core of its infrastructure with maximum scrupulousness, which in turn requires high speed and network connectivity of cyberspace for effective protection. Using a platform approach to security, micro- and macro-segmentation, machine learning and automation as the building blocks of artificial intelligence opens up huge opportunities to counter cybercriminals effectively."

Phil Quade, Chief Information Security Officer, Fortinet

Cybercriminals resort to increasingly sophisticated attack methods, including via IoT devices

Fortinet, a developer of integrated and automated cybersecurity solutions, released the results of its Global Threat Landscape Report for the fourth quarter of 2018 on March 7, 2019.

"The modern era is characterized by the convergence of the digital and physical spaces. Although, from the point of view of our digital economy, this convergence promises unimaginable benefits and advantages, unfortunately it also carries very real cybersecurity risks. Cybercriminals are closely watching developments and building modern tools to exploit vulnerabilities, targeting this emerging digital convergence. The fundamental aspects of cybersecurity, including the ideas of visibility, automation and agile segmentation, are of particular importance and are a critical factor for prosperity in our digital future. Only in this way will we be able to protect ourselves from the malicious activities of attackers."

According to the published data, cybercriminals resort to increasingly sophisticated attack methods, for example carrying out attacks through Internet of Things devices, which are overwhelmingly unprotected, or adapting open-source malware into new threats. Among the main findings of the study:

Fortinet Threat Landscape Index

Vulnerability Index Record Values

According to the Fortinet Threat Landscape Index, cybercriminals continued to work tirelessly even on holidays. After a dramatic start, the Exploit Index's gains stalled in the second half of the quarter. Despite the fact that the overall activity of cyber intruders has slightly decreased, the number of vulnerabilities per company (exploits per firm) has increased by 10%, and the number of recorded special vulnerabilities has increased by 5%. At the same time, botnets become more complex, and they are now more difficult to detect. The time of infection with botnet increased by 15%, to about 12 days per company. Since cybercriminals use automation and machine-based training to spread attacks, security departments need to use the same tools to counter such modern and sophisticated attack methods.

Q4 2018 Cyber Attacks in Numbers

Tracking tracking systems

The convergence of physical things and aspects of cybersecurity leads to the expansion of the attack surface, that is, leads to an increase in the number of attacked objects. Six of the twelve most common vulnerabilities were related to the Internet of Things, and four of the six most common vulnerabilities targeted IP surveillance cameras. Access to these devices allows cybercriminals to monitor privacy, plan illegal activities on a physical site, or access network systems to launch DDoS attacks or ransom attacks. It is important to understand that attacks can be carried out even through the devices that we use to control and ensure security.

Tools Open to All

Malicious open source tools are very useful for the community of information security professionals: with their help, specialists can test protection, researchers can study various threats, and workshop hosts can use real-world examples from practice. The source codes of such tools are published on numerous sites, for example, on GitHub. Since these codes are available to everyone, attackers can also use them for their illegal actions. In particular, they can adapt and modernize these malicious tools to implement threats, to a large extent to create the so-called ransomware, that is, malware for the purpose of extorting ransom. An example of where such malicious code was used to carry out attacks is the Mirai IoT botnet. Since its introduction in 2016, the number of different variants of this botnet has continued to grow steadily. For cybercriminals, innovation offers incredible opportunities.

The heyday of steganography

Advances in steganography allow you to breathe life into old types of attacks. Steganography is usually not used in the most common attacks, but last quarter the top list of the most active botnets was headed by Vawtrak. This indicates that attackers are taking a closer look at this type of attack. In addition, during the quarter, researchers found malware samples using steganography to hide malicious code directly in memes that spread across social networks. During the attack after trying to contact the command server, the code searches for images in the corresponding Twitter feed, downloads them and then searches for hidden commands in them for further distribution. This hidden approach shows that attackers continue to experiment with various options for developing their malicious code.

Distribution through adware

Free software products with embedded advertising are still not just annoying but a real threat. Globally, adware is the most common method of malware infection in most regions: it accounts for more than a quarter of all infections in North America and Oceania, and almost a quarter in Europe. Since adware is very common in mobile app stores, this type of attack is a serious threat especially for unsuspecting mobile users.

Operational Technology Monitoring

Due to the ongoing convergence of information technology (IT) and operational technology (OT), relative changes in the spread and frequency of attacks on these environments were noted in this period. Unfortunately, in most cases both the spread and the frequency of attacks have increased. In particular, the return of the destructive Shamoon malware in a wave of attacks in December indicates that such attacks can be repeated with even greater force. A cyber attack targeting an OT system, or even simply network-connected devices such as valves, sensors or switches, can have devastating physical consequences for critical infrastructure and services and for the environment, or even threaten human lives.

The threat data presented in the study for the past quarter once again confirms many of the trends that were predicted by the global research firm FortiGuard Labs.

To stay ahead of intruders, organizations need to transform their security strategies as part of their overall digital transformation work. They need a security platform that covers the entire network environment, from IoT devices to cloud infrastructure, and that integrates all security elements in order to minimize today's threats and protect the expanding attack surface. This approach allows organizations to share threat information quickly and appropriately, shorten the detection window, and provide automated means of neutralizing today's threats.

269% increase in malicious web attacks

On February 26, 2019, it was reported that Trend Micro Incorporated had presented its annual review of the cyber attacks that companies around the world faced in 2018. The 2018 threat landscape was a mix of old threats that resumed activity (phishing, ransomware) and newly emerged ones (covert cryptocurrency mining, attacks on vulnerabilities in IoT devices, hardware vulnerabilities in processors).

Mikhail Kondrashin, CTO of Trend Micro in Russia and CIS: "Every couple of years, the threat landscape changes radically, so even the most modern approaches to protection rapidly lose their effectiveness. Modern enterprises need to approach security issues as flexibly as possible and regularly revise their previous decisions. Our 2018 Threat Report is a tool for shaping the right vectors for information security development in today's enterprise."

2018 began with the discovery of the Meltdown and Spectre hardware vulnerabilities in processors. The patches, promptly released in January 2018, could not fix the vulnerabilities and in some cases caused user complaints about "blue screens of death." By the end of 2018 it had still not been possible to eliminate the vulnerabilities completely.

2018 was also remembered for the entry into force of the European General Data Protection Regulation (GDPR). Regulators have already fined the first violators: a video surveillance system in Austria, 5,280 euros for violations in the storage and processing of information; a social network in Germany, 9.2 million euros for storing passwords in unencrypted form; a hospital in Portugal, 400 thousand euros for serious violations related to medical data.

The main cyber threat of the year was phishing. Compared with 2017, the number of attacks using malicious web addresses (access to which was blocked) increased by 269%. In addition, the number of blocked attempts by users with a unique IP address to visit a phishing site increased by 82%.

In total, in 2018 Trend Micro solutions blocked malicious URLs 6,876,981 times in Russia, 1,442,481 times in Ukraine and 71,147 times in Kazakhstan. In addition, 2,922,144 cases of infected software were recorded in Russia, 1,353,474 in Ukraine and 75,002 in Kazakhstan.

Attackers continue to carry out business email compromise (BEC). Using social engineering, a familiar visual design and a plausible context for the message, attackers manage to bypass security systems and deceive the user. In 2018, the number of such attacks increased by 28%.

Fileless malware is another attacker tool whose activity was recorded in 2018. This method increases the chance of remaining undetected during an attack and, accordingly, of reaching the goal. By the end of 2018, over 140 thousand such attacks had been recorded.

Attackers also targeted the office applications used in companies. Among the vulnerabilities uncovered in 2018, 60% were classified as "medium" severity, up 3% from 2017, while the share of critical vulnerabilities decreased from 25% (2017) to 18% (2018).

For example, the largest number of vulnerabilities was recorded in Foxit, a solution for working with PDF files: 257. It was followed by the PDF software of Adobe with 239, Microsoft with 124, Apple with 66 and Google with 4.

The wave of ransomware has subsided: Trend Micro analysts noted a sharp 91% drop in its activity. However, the WannaCry ransomware held its position and remained one of the main threats: in 2018, more than 600 thousand cyber attacks involving it were detected.

In 2018, covert cryptocurrency mining reached a new peak: more than 1 million cases were recorded, an increase of 237% over the year. The variety of attacks grew throughout the year: advertising platforms, pop-up ads, malicious browser extensions, etc.

2017

Hackers could use subtitles to hack millions of devices

Check Point announced in May 2017 the discovery of a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By creating malicious subtitles, hackers can gain control of any devices on which these media players are installed. These include mobile devices, PCs and Smart TVs.

"The process of producing subtitles is complex, using more than 25 different formats, each with unique features and capabilities. A fragmented ecosystem, along with limited security, implies the presence of many vulnerabilities, which makes it an extremely attractive target for attackers," says Omri Herscovici, team leader of vulnerability researchers at Check Point Software Technologies. "We found that malicious subtitles can be created and delivered to millions of devices automatically, bypassing security systems. As a result, hackers gain full control over infected devices and the data they contain."

A team of Check Point researchers discovered vulnerabilities in four of the most popular media players, VLC, Kodi, Popcorn Time and Stremio, and reported them in accordance with its disclosure guidelines. By exploiting the vulnerabilities in these platforms, attackers can seize control of the devices on which they are installed.

Subtitles for movies and TV shows are created by many authors and uploaded to shared online repositories such as OpenSubtitles.org, where they are indexed and ranked. Check Point researchers found that, by manipulating the ranking algorithm, an attacker can get malicious subtitles downloaded automatically by the media player, gaining full control over the entire subtitle delivery chain without any user involvement.

All four vendors have fixed the vulnerabilities in their platforms. Stremio and VLC have also released new software versions that include these changes. "To protect themselves and minimize the risk of possible attacks, users must make sure they update their media players to the latest versions," Herscovici concluded.

Java Malware Campaigns

In April 2017, Zscaler experts noted a sharp increase in the number of malicious Java-based remote administration tools (jRAT).[3]

The scheme is relatively simple: using all kinds of tricks (primarily social engineering), attackers get users to open attachments to their emails; these attachments contain malicious JAR files. The emails usually look like messages from tax authorities or like orders for goods or services. Once on the machine, the malicious JAR file downloads a VBS script that scans the system for firewalls and antivirus products. When the scan is complete, the JAR file is written to the Temp folder and launched.


The main malware has a modular structure in which individual modules are responsible for individual tasks, for example connections to the command-and-control server. The URL of the server from which it can download additional malicious modules is hard-coded in the malware. Interestingly, the same server, located in the .ru domain zone, had been seen in the past distributing the Loki malware. As of April 21, it was inactive. Malicious components are mostly downloaded from file-sharing services such as Dropbox.

Zscaler experts noted that the jRAT malware they intercepted has a number of atypical features. The malware file is encrypted three times and the program code is heavily obfuscated. All this is done to prevent automatic detection by antivirus products and to hinder manual or automated analysis. In addition, the author of the malware even took the operating system architecture into account: both 32-bit and 64-bit DLLs are supplied with the JAR files.

"Attackers continue to improve their tools. The more money the malware can bring, at least theoretically, the more effort its authors will put into ensuring its secrecy and preventing analysis," says Ksenia Shilak, Sales Director of SEC-Consult Rus. "The surest way for users to protect themselves is not to open any attachments that raise even minimal suspicion, and not to run Java on a computer unnecessarily."

2016

Fortinet study

Cybercriminals take control of devices
  • IoT devices are extremely attractive to cybercriminals around the world. Attackers build their own "armies" of devices. The low cost of organizing attacks, their very high speed and enormous scale are the foundations of the ecosystem of modern cybercrime.[4]
  • In Q4 2016, the industry was shaken by the Altaba (formerly Yahoo) data breach and the DDoS attack on Dyn. In the middle of the quarter, the record figures set by both attacks were not only surpassed but doubled.
  • Internet of Things (IoT) devices infected by the Mirai botnet initiated a record number of DDoS attacks. After the release of the Mirai source code, botnet activity increased 25-fold within a week. By the end of the year, activity had increased 125-fold.
  • A study of IoT-related exploit activity across several device categories found that home routers and printers were the most vulnerable, but DVR/NVR devices quickly overtook routers: the number of affected devices in this category increased by more than 6 orders of magnitude.
  • Malware affecting mobile devices has also become significant. Although this type of malware accounts for only 1.7 percent of the total, one in five organizations that reported malware attacks encountered its mobile version. Almost all exploits were developed for Android. Attacks using mobile malware differed significantly by region: 36 percent of attacks targeted organizations in Africa, 23 percent in Asia, 16 percent in North America and only 8 percent in Europe. These figures should be taken into account when working with trusted devices in modern corporate networks.

Prevalence of large-scale automated attacks
  • The relationship between the number and prevalence of exploits indicates increasing automation of attacks and falling prices for the malware and distribution tools available on the dark web. Organizing attacks is easier and cheaper than ever.
  • First place in the list of identified exploits posing a significant danger was taken by SQL Slammer, which mainly affects educational institutions.
  • The second most common exploit is an attempt to attack Microsoft's Remote Desktop Protocol (RDP) by brute-force password guessing. The exploit issues 200 RDP requests every 10 seconds, which explains its significant activity in the networks of global organizations.
  • Third place in the list of the most common exploits was taken by a signature tied to a memory corruption vulnerability in the Windows file manager. The vulnerability covered by this signature allows an attacker to remotely execute arbitrary code inside vulnerable applications using a crafted JPG file.
  • The highest volume and prevalence rates were demonstrated by the H-Worm and ZeroAccess botnet families. With both botnets, cybercriminals take control of infected systems and steal data or engage in advertising fraud and bitcoin mining. The largest number of attack attempts using these two botnet families was recorded in the technology and public sectors.
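The RDP brute-force exploit above is described by its rate, 200 requests every 10 seconds, which is exactly the kind of signal a defender can alert on without any knowledge of the tool. The following is an added example written for this article, not Fortinet's own detection logic: a sliding-window counter over constructed connection-log lines (the timestamps and addresses are invented) that reports sources whose RDP connection count within any 10-second window reaches a threshold, while an administrator's occasional logins stay below it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_PORT = 3389


def parse_line(line):
    """Parse 'ISO-timestamp src_ip dst_port' into (datetime, ip, port); None for junk lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], int(parts[2])
    except ValueError:
        return None


def find_rdp_bursts(lines, threshold=200, window_seconds=10):
    """Return {src_ip: peak_count} for every source whose number of RDP connections
    inside some sliding window of window_seconds reaches threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)
    events = sorted(ev for ev in map(parse_line, lines) if ev is not None)
    for ts, ip, port in events:
        if port != RDP_PORT:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # evict timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def build_sample_log():
    """Constructed sample (hypothetical addresses): one scanner sending 200 RDP requests
    within 10 seconds, one administrator logging in three times a minute apart, one HTTPS
    connection that must be ignored, and one malformed line."""
    base = datetime(2016, 12, 1, 10, 0, 0)
    lines = []
    for i in range(200):                       # 200 requests, one every 50 ms
        ts = base + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 {RDP_PORT}")
    for i in range(3):                         # admin: 10:00, 10:01, 10:02
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 198.51.100.5 {RDP_PORT}")
    lines.append(f"{base.isoformat()} 198.51.100.9 443")
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for ip, n in find_rdp_bursts(build_sample_log()).items():
        print(f"RDP burst from {ip}: {n} connections in a 10 s window")
```

The window is applied per source address, so the count cannot be diluted by legitimate traffic from other hosts, and the threshold and window are parameters because a real deployment would tune them to the observed baseline rather than to the figure quoted in one report.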

Ransomware continues to spread
  • Ransomware is noteworthy regardless of the industry it targets. Most likely, this effective attack technique will continue to develop under the "ransomware as a service" (RaaS) model, which lets would-be criminals without the necessary skills download the tools and put them to use immediately.
  • 36% of organizations recorded botnet activity associated with ransomware. The TorrentLocker Trojan was the most active, with Locky in third place.
  • Malware from two families, Nemucod and Agent, has become widespread: 81.4 percent of the malware samples collected belong to these two families. The Nemucod family is known to be associated with ransomware.
  • Ransomware was identified in all regions and industries, but it is most widely used against healthcare institutions. This is a very alarming trend: patient data, which is stored longer and is more sensitive than other types of data, is at risk, with potentially serious consequences.

Trend Micro Study

The Rise of Corporate Mail Fraud

On March 1, 2017, Trend Micro Incorporated released its 2016 Annual Global Cybersecurity Report, 2016 Security Roundup: A Record Year for Enterprise Threats.

The main conclusions of the study:

  • Growth in business email compromise: alongside ransomware, business email fraud also proved profitable for cybercriminals, with companies' financial losses from such attacks worldwide reaching $140 thousand in 2016. This type of fraud shows how effective social engineering is in attacks on enterprises.
  • Variety of vulnerabilities: in 2016, Trend Micro and the Zero Day Initiative (ZDI) discovered a record number of vulnerabilities, most of them in Adobe Acrobat Reader DC and Advantech's WebAccess solution. Both applications are widely used in organizations, including in SCADA systems.
  • The Angler exploit kit lost ground: after the arrest of 50 cybercriminals, the Angler exploit kit began to fade until it finally ceased to exist. Although it did not take long for new exploit kits to take its place, by the end of 2016 the number of vulnerabilities included in exploit kits had decreased by 71%.
  • Banking Trojans and ATM malware: cybercriminals continue to use ATM malware, skimming and banking Trojans. However, in recent years attacks have become more diverse and allow attackers to obtain personal information and user credentials that can be used to penetrate the corporate network.
  • Mirai botnet attack: in October 2016, hackers used poorly protected IoT devices for a DDoS attack involving ~100,000 devices. As a result, sites such as Twitter, Reddit and Spotify were unavailable for several hours.
  • Yahoo user data breach: the company suffered a major leak in August 2013, with ~1 billion user accounts compromised. The incident became known three months after another leak, in September 2016, which affected a further 500 million accounts.
  • The growth of ransomware: see the Ransomware article for details.

Trend Micro forecast for 2017

On December 8, 2016, it became known that, according to Trend Micro Incorporated's forecasts, the scope and depth of attacks will increase in 2017, as will the variety of attackers' tactics.

Trend Micro Incorporated published its information security forecast, The Next Tier - 8 Security Predictions for 2017.[5]

Raimund Genes, CTO of Trend Micro: "Next year will take the cybersecurity industry to new frontiers. In 2016, the threat landscape allowed cybercriminals to significantly increase the variety of attack methods and types of attacked targets. In our opinion, large changes in companies around the world will be caused by the need to comply with the requirements of the General Data Protection Regulation (GDPR). In addition, we predict the emergence of new methods of attacks on large corporations, the expansion of online extortion tactics that will affect an increasing variety of devices, as well as the use of cyber propaganda methods to manipulate public opinion."

In 2016, the number of vulnerabilities in Apple devices increased significantly: fifty were disclosed over the year. By comparison, the figure was 135 for Adobe products and 76 for Microsoft products. This noticeable shift toward Apple will continue to intensify.

The Internet of Things (IoT) and Industrial Internet of Things (IIoT) will play an increasingly significant role in carrying out targeted attacks in 2017.

Such attacks will be highly profitable because of the ubiquity of connected devices and the ability to exploit the vulnerabilities they contain and to use unprotected corporate systems to disrupt companies' business processes, as happened with the Mirai malware. The increasing use of mobile devices to monitor control systems in production and infrastructure, coupled with the large number of vulnerabilities found in these systems, will pose a real threat to organizations.

Business Email Compromise (BEC) and Business Process Compromise (BPC) will continue to spread, representing a simple and effective form of corporate online extortion. BEC, for example, can bring attackers $140 thousand, and only requires convincing the victim to transfer corporate funds to the fraudsters' account. By comparison, compromising a financial transaction system, although it requires much more effort, can bring attackers far more: up to $81 million.

Ed Cabrera, Chief Cybersecurity Officer, Trend Micro: "We see cybercriminals continue to adapt to the ever-changing technological landscape. If in 2016 there was a significant increase in the number of new ransomware, now it has noticeably decreased, so hackers will look for new ways to use existing varieties of such programs. Similarly, innovation in the Internet of Things field allows hackers to find other targets for attacks, and changes in software push them to look for new vulnerabilities."

Forecasts for 2017:

  • Growth in the number of new ransomware families will slow to about 25%, but their impact will spread to Internet of Things devices, PoS terminals and ATMs.
  • Vendors will not be able to protect IoT and Industrial IoT devices from DoS and other types of attacks in time.
  • More new vulnerabilities will be discovered in Apple and Adobe products and added to exploit kits.
  • With 46% of the global population having Internet access, the role of cyber propaganda aimed at influencing public opinion will grow.
  • The attack on Bangladesh's central bank in early 2016 proves that business process compromise allows attackers to make significant profits. At the same time, business email compromise will remain an effective method of illegal enrichment at the expense of unsuspecting employees.
  • The entry into force of the General Data Protection Regulation (GDPR) will cause changes in regulations and administrative procedures, which in turn will have a serious impact on organizations' costs and require them to completely revise their data processing to meet the new requirements.
  • New targeted attack methods will aim to evade modern detection technologies and attack companies in various fields.

Notes

  1. Kaspersky Finds Patch Management Combined With Robust Password Policies Reduces The Risk Of Cyberattacks To Businesses By Up To 60%
  2. CISA talked about successful methods of hacker attacks
  3. Increase in jRAT Campaigns
  4. The Fortinet global threat study report presents data collected by FortiGuard Labs in Q4 2016. Data was collected on a global, regional, sectoral and organizational scale. The focus was on three interconnected types of threats: application exploits, malicious software and botnets.
  5. The Next Tier - 8 Security Predictions for 2017.