Last year, Trend Micro security solutions detected and blocked 52 billion cyberattacks carried out in a variety of ways, from primitive ransomware to sophisticated BEC campaigns. We have prepared the report 2019 Annual Security Roundup: The Sprawling Reach of Complex Threats, which details how the cyber threat landscape has changed. This post presents the most significant figures showing how cybercriminals and their methods have evolved.
The main conclusion of the study is that financially motivated cybercriminals cooperate and compete with each other every day to extract the most from their victims. Threats are growing in both number and diversity, since investment in cloud platforms and the migration of corporate infrastructure to the cloud have significantly expanded the attack surface of the modern enterprise. Among the main cybercrime tools we recorded in 2019 are:
- phishing and BEC;
- exploitation of critical vulnerabilities;
- supply chain attacks;
- mobile threats.
In 2019, ransomware remained among the leading cyber threats. The number of incidents detected with this type of malware increased by 10% compared to 2018. The main targets of extortion campaigns were:
- healthcare, where more than 700 organizations were hit;
- government bodies: in the United States alone, at least 110 state and municipal institutions fell victim to ransomware;
- educational institutions.
Russia continues to lead Eastern Europe in the number of ransomware detections, accounting for 4.15% of all ransomware detections worldwide.
Notably, despite the increase in the number of attacks, 57% fewer new ransomware families were recorded. The likely reason is that operators of malicious campaigns concentrated on identifying the most accessible targets, those most likely to pay a ransom, rather than on building new tools.
The drive to make ransomware more effective has led to collaboration among cybercriminals. For example, the Sodinokibi ransomware was used in a coordinated attack on 22 local government entities in Texas, for which the attackers demanded a combined ransom of 2.5 million US dollars.
This series of attacks relied on a newer cybercriminal business model, Access-as-a-Service, in which some attackers sell or lease access to companies' network infrastructure to others. Offerings priced from 3 to 20 thousand US dollars ranged up to full access to servers and corporate VPNs.
Phishing and BEC
The number of phishing attacks recorded in 2019 fell compared to 2018, both in attempts to access phishing URLs and in the number of client systems that fell victim to fraud.
Reported phishing incidents, 2018-2019. Source: Trend Micro.
Despite the overall decline, targeted campaigns against Office 365 users more than doubled, increasing by 101%.
Among the most notable phishing techniques of 2019 were:
- abuse of the SingleFile browser extension to produce faithful copies of legitimate login pages for various services;
- theft of one-time passwords (OTP) via a fake bank page;
- hijacking of Google search results to redirect victims to a phishing page;
- use of "404 Not Found" error pages to host fake login forms.
In 2019, cybercriminals concentrated on the most profitable targets, as confirmed by the growing number of business email compromise (BEC) attacks.
By the number of detected web threats, Russia ranks fourth in the world with 3.9% of the global total, behind the USA, China and Brazil. Ukraine accounts for 1.3% and Kazakhstan for less than 0.5%.
Distribution of targeted job positions in BEC attacks. Source: Trend Micro.
The most common targets of BEC attacks are finance executives, accounting departments and professors.
Exploitation of critical vulnerabilities
Vulnerabilities in operating systems and services have been and remain a serious source of problems. In 2019, the Trend Micro Zero Day Initiative (ZDI) disclosed a large number of vulnerabilities. Although fewer issues were identified overall, the number of critical vulnerabilities rose by 171% compared to 2018.
Number of vulnerabilities of each severity level identified through the Trend Micro Zero Day Initiative. Source: Trend Micro.
Severity reflects how likely a vulnerability is to be actively used by cybercriminals as an attack vector.
No discussion of vulnerabilities can ignore the Internet of Things, whose weaknesses continue to be actively exploited to build botnets. According to our data, the number of brute-force login attempts against IoT devices grew by 180% over the year.
Supply Chain Attacks
Rather than breaking into well-protected banks, attackers prefer to obtain payment card data from more accessible places, for example by attacking service providers for online marketplaces, online stores and other services that accept online payments.
Through attacks on such suppliers, the Magecart and FIN6 groups injected payment-skimming code into many sites: Magecart compromised 227 sites and FIN6 more than 3 thousand.
Another popular target was the compromise of development tools and widely used libraries.
In June, a misconfiguration of the Docker Engine – Community API was found that allowed attackers to compromise containers and deploy AESDDoS, a Linux malware family that takes control of a server and makes it part of a botnet.
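The Engine API misconfiguration in question is an API listener exposed on a TCP port without TLS or client certificates, which lets anyone who can reach the port create containers on the host. The Python script below is an added example, not code from Trend Micro or the Docker project: it audits a daemon.json for that pattern. Both configurations it checks are constructed for illustration, and the address 10.0.0.5 and the certificate paths are placeholders.

```python
"""Audit a Docker daemon configuration (daemon.json) for an Engine API
listener exposed without authentication.

Added example; the configuration snippets below are constructed, not
taken from any real host.
"""
import json
from typing import List
from urllib.parse import urlparse

# Bind addresses that expose the listener on every interface.
ANY_INTERFACE = {"", "0.0.0.0", "::"}


def audit_docker_hosts(daemon_json: str) -> List[str]:
    """Return a finding for every weak TCP listener in the "hosts" list.

    The daemon.json keys used here are real Docker options: "hosts" lists
    the sockets the daemon listens on, "tls" enables TLS on TCP listeners,
    and "tlsverify" additionally requires a client certificate signed by
    "tlscacert". A tcp:// listener with neither option accepts any request,
    container creation included, from anyone who can reach the port.
    """
    cfg = json.loads(daemon_json)
    findings: List[str] = []
    tls_on = bool(cfg.get("tls", False)) or bool(cfg.get("tlsverify", False))
    verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are guarded by file permissions
        bind = url.hostname or ""
        if not tls_on:
            findings.append(f"{host}: Engine API served over plain TCP with no authentication")
        elif not verify:
            findings.append(f"{host}: TLS enabled but tlsverify is off, so any client is accepted")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but CA, cert or key path is missing")
        if bind in ANY_INTERFACE:
            findings.append(f"{host}: bound to all interfaces")
    return findings


# Constructed sample: the vulnerable pattern, the API on port 2375 open to the world.
WEAK_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed sample: remote API kept, but only on an internal address (placeholder),
# over TLS, and only for clients presenting a certificate signed by our CA.
HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_docker_hosts(cfg) or ["no findings"])
```

The weak configuration yields two findings (unauthenticated TCP, bound to all interfaces); the hardened one yields none. Note that the script only reads the configuration: a daemon started with `-H tcp://...` on the command line rather than via daemon.json would need the process arguments checked as well.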
In the same month, CVE-2019-11246 in the Kubernetes command-line tool kubectl became known; it allowed an attacker to use a malicious container to create or replace files on the host where kubectl was run.
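kubectl cp works by running tar inside the container and unpacking the resulting stream on the client, so a container that returns entries with ".." components, absolute paths or links pointing outside the destination can write wherever the kubectl user can. The following is an added Python example of the validation a client should apply before extracting such a stream; it is not kubectl's own (Go) code. The archive members, the cron.d path and the destination directory are constructed for illustration.

```python
"""Client-side validation of a tar stream received from an untrusted container,
the class of check whose absence was CVE-2019-11246 in kubectl cp.

Added example in Python, not kubectl's own code. Archive contents and the
destination directory are constructed for illustration.
"""
import io
import os
import posixpath
import tarfile
import tempfile
from typing import List, Tuple


def escapes(dest: str, member_path: str) -> bool:
    """True if dest/member_path resolves to a location outside dest."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member_path))
    return os.path.commonpath([dest_real, target]) != dest_real


def unsafe_members(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Names of members that would write outside dest or plant a link pointing outside it."""
    bad: List[str] = []
    for m in tar.getmembers():
        if m.name.startswith("/") or escapes(dest, m.name):
            bad.append(m.name)
        elif m.issym():
            # A symlink target is relative to the link's own directory.
            target = m.linkname if m.linkname.startswith("/") else posixpath.join(
                posixpath.dirname(m.name), m.linkname)
            if m.linkname.startswith("/") or escapes(dest, target):
                bad.append(m.name)
        elif m.islnk():
            # A hard-link target is relative to the archive root.
            if m.linkname.startswith("/") or escapes(dest, m.linkname):
                bad.append(m.name)
    return bad


def scan_tar_bytes(data: bytes, dest: str) -> List[str]:
    """Report offending members without touching the filesystem."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return unsafe_members(tar, dest)


def safe_extract(data: bytes, dest: str) -> List[str]:
    """Extract only if every member stays inside dest; otherwise refuse the whole archive."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing archive, members escape {dest}: {bad}")
        # Python 3.12+ ships an equivalent check as the 'data' extraction filter.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **extra)
        return [m.name for m in tar.getmembers()]


def build_tar(members: List[Tuple[str, str, bytes]]) -> bytes:
    """Build an archive from (name, kind, payload); kind is 'file' or 'symlink'
    (payload is the link target for symlinks). Like a hostile tar binary, this
    writes member names verbatim, '..' components included."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name=name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload.decode()
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed: what a hostile container could hand back to the client.
MALICIOUS_TAR = build_tar([
    ("app/config.yaml", "file", b"debug: false\n"),
    ("../../etc/cron.d/evil", "file", b"* * * * * root /tmp/payload\n"),
    ("shadow_link", "symlink", b"/etc/shadow"),
    ("app/up", "symlink", b"../../../etc/passwd"),
])

# Constructed: the same copy with only the legitimate entries.
BENIGN_TAR = build_tar([
    ("app/config.yaml", "file", b"debug: false\n"),
    ("app/link", "symlink", b"config.yaml"),
])

if __name__ == "__main__":
    dest = tempfile.mkdtemp(prefix="cp-dest-")
    print("unsafe:", scan_tar_bytes(MALICIOUS_TAR, dest))
    print("extracted:", safe_extract(BENIGN_TAR, dest))
```

The archive is rejected as a whole rather than member by member, because a partial extraction would leave the client guessing which files were written. Relative symlinks are resolved against the link's own directory before the containment check, which is what catches `app/up`.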
Mobile threats
According to the study, Russia is among the top 15 countries by the number of detected malicious mobile applications, with 1.1% of global mobile malware detections.
In total, Trend Micro recorded almost 60 million mobile malware detections in 2019, with the count almost halving in the second half of the year.
One of the largest mobile threats detected in 2019 involved several malicious Android apps that were downloaded a million times. The apps posed as assorted camera filters for the smartphone and, once installed, connected to malicious command-and-control servers. Analysis of the samples showed that their malicious nature is hard to detect: one of the apps, for example, hid itself from the application list after installation. Uninstalling it thus became almost impossible, since users could not even see that the program was present, let alone remove it.
Protection against today's attacks requires integrated solutions that combine protection of gateways, networks, servers and endpoints. A company can raise its level of IT security with countermeasures such as:
- segmentation of the network infrastructure, regular backups and continuous monitoring of network activity;
- regular installation of OS and application updates to protect against exploitation of known vulnerabilities;
- virtual patching, especially for operating systems no longer supported by their vendors;
- multifactor authentication and access policies, with separate administrator accounts, for tools such as remote desktop access, PowerShell and developer tools.