
In Q1 2016, 227,000 malware samples were identified daily.





PandaLabs, the anti-virus laboratory of Panda Security, has outlined in its quarterly report the main cyber security events of the first three months of 2016, together with statistics on malicious programs and cyber attacks for the period.



Malware creation continues to break all records, reaching 20 million new samples identified by PandaLabs during the first quarter (an average of 227,000 samples per day).


More and more companies are falling into the ransomware trap. In this report you will learn all the news related to these attacks (including attacks on Linux, on Mac, and even on web pages). We will show how you can save several hundred million euros, and we analyze the cyber attacks on hospitals that have occurred over the past few months.



Critical infrastructures are highly sensitive areas that cyber criminals focus on. One of the biggest recent attacks occurred in Ukraine, where, in the middle of winter, hackers were able to remotely cut off the power supply to about 200,000 people for several hours.



Attacks continue to grow in another direction: smartphones. In addition, with the Internet of Things, we saw attacks on objects that seem unlikely targets, such as a doorbell.



Quarter in numbers


We started this year with more than 20 million new malware samples detected and neutralized by PandaLabs, the anti-virus laboratory of Panda Security (an average of 227,000 samples daily). This is slightly more than in the first quarter of 2015, when approximately 225,000 samples were found daily.



Of all the samples, Trojans remain the most damaging type of malware and have held the "lead" for many years. Note that the number of attacks using ransomware, which also falls into the Trojan category, has increased significantly.



The data below shows the distribution of malware created in the first quarter of 2016 by type of threat:





Trojans are the most common type of malware, accounting for 66.81% of all samples created in the first quarter, which is higher than the previous year. In second place are viruses (15.98%), followed by worms (11.01%), potentially unwanted programs (4.22%), and spyware and adware (1.98%).



Thanks to data provided by Collective Intelligence, we can analyze infections caused by malware all over the world. Most infections are also caused by Trojans (65.89%). Let's see how infections are distributed by type of threat:





Taking into account the growth of ransomware infections, Trojans again occupy first place. They remain the most popular tool for cyber-criminal attacks because they let attackers make money in a way that is both simple and low-risk. Potentially unwanted programs (PUPs) ranked second with a quarter of infections, ahead of spyware and adware (4.01%), worms (3.03%) and viruses (1.95%). Aggressive distribution techniques bundle PUPs with completely legitimate programs, which achieves high installation rates on users' computers.



The overall share of computers affected, 33.32%, is slightly higher than last year because of the increase in attacks using ransomware and PUPs. It should be noted that this percentage counts only "encounters" with malware; it does not mean that the computers were ultimately infected.

China remains the leader among the most infected countries in the world (51.35% of computers), followed by Turkey (48.02%) and Taiwan (41.24%).



The 10 countries with the highest infection rates:





Asia and Latin America are the regions with the highest infection rates. Other countries with an infection rate above the world average: Uruguay (33.98%), Chile (33.88%), Colombia (33.54%) and Spain (33.05%).



Looking at the least infected countries, we see that almost all of them are in Europe. As always, the Scandinavian countries occupy the entire "podium": Sweden leads with 19.80%, followed closely by Norway (20.23%) and Finland (20.45%).



The 10 countries with the lowest infection rates:





Other countries whose infection rate is below the world average but which did not make the top ten: Australia (26.79%), France (27.20%), Portugal (27.47%), Austria (28.69%), Canada (30.30%), United States (30.84%), Hungary (31.32%), Italy (32.48%), Venezuela (32.89%) and Costa Rica (33.01%).



A look at the quarter


Reviewing everything that happened over the past few months, we decided to introduce a new subsection devoted solely to ransomware. Yes, we have covered these attacks in previous reports, but since their prevalence continues to grow (especially in the corporate sector), we decided to give them a section of their own.



Ransomware


The profitability of these attacks can be judged by how they have spread across platforms: in addition to the usual attacks on Windows, we saw new and improved Linux.Encoder variants targeting the penguin operating system. Even Apple was not spared: a ransomware called KeRanger infected Apple users. Nor are these attacks limited to encrypting user files on computers; they have also begun to target websites, encrypting their contents.



In particular, we observed cases where hackers broke into sites built with WordPress, encrypted the files, and replaced the index.php or index.html page with a message demanding a ransom to restore the site. They even included a chat for contacting the hackers directly to "process" the payment.





Techniques keep improving, and in some cases they become even more aggressive, as with Petya: instead of encrypting documents, the threat attacks the computer's MBR directly, leaving the machine unusable until the ransom is paid.



Abuse of PowerShell, which is installed by default in Windows 10, has also increased (as we predicted in the PandaLabs annual report for 2015); it is increasingly used in attacks to evade detection by the security solutions installed on the victim's PC.



Attacks on companies are becoming more sophisticated. Recently we have witnessed attacks in which, after compromising a company server, the attackers work to infect as many PCs on the corporate network as possible with ransomware, since more infected machines means more ransom money.



In recent months the spread of ransomware has increased, and we have even seen attacks on high-profile sites (The New York Times, BBC, MSN, AOL, etc.) used to infect their visitors.



The websites themselves are not hacked: the attacks work through the advertisements displayed on them, which are controlled by cyber criminals and redirect to a server hosting an exploit kit (Angler, among others) in order to infect users who have not updated all their applications.



According to a survey conducted by the Cloud Security Alliance, some companies are willing to pay up to a million dollars to recover their data. Although this may seem an exaggeration, bear in mind that some attacks not only encrypt corporate information but also exfiltrate a copy of it, so that even when backups exist, companies are pressured to pay to prevent publication of the stolen information.



In January, The Economic Times in India reported that three large banks and a pharmaceutical company had been the victims of a ransomware attack.





The attack began by compromising IT managers at the various companies, after which the PCs of other employees were infected; the ransom was 1 Bitcoin for each infected PC. The total ransom reached several million dollars.

One business sector that is deliberately targeted by such attacks is hospitals. In recent months we have seen a manifold increase in attacks on them. Below we describe the most shocking cases.



The Hollywood Presbyterian Medical Center in Los Angeles (USA) declared a "state of emergency" after an attack left its employees without access to email, patient medical records and other systems. As a result, some patients did not receive treatment, and some were sent to other hospitals.



The ransom demanded was $3.7 million. The hospital's management negotiated with the hackers and paid $17,000 to recover the encrypted files. MedStar Health was forced to shut down some of its systems at its hospitals in Baltimore (USA) because of a similar attack.



Methodist Hospital in Henderson (Kentucky, USA) also became a victim. In this case too, $17,000 was paid (although some sources reported that the ransom demanded was much higher).



Prime Healthcare Management, Inc. also fell victim to cyber criminals, who attacked two of its hospitals (Chino Valley Medical Center and Desert Valley Hospital). In this case, however, the company did not pay the ransom.



Hospitals in the United States were not the only ones affected; we saw similar cases in Europe. Deutsche Welle reported that several German hospitals were hit by ransomware (for example, Lukas Hospital in Neuss and Klinikum Arnsberg in North Rhine-Westphalia). None of them paid a ransom.



Cybercrime


Neiman Marcus reported that approximately 5,200 customer accounts had been compromised. Apparently the company itself was not breached: the attackers took credentials stolen from other companies and tested which of them also worked on this online store. This is a reminder of the importance of two-factor authentication.



The hotel chain Rosen Hotel & Resort was the victim of an attack lasting from September 2014 to February 2016. It warned its customers that if they had used a bank card at any of the chain's properties during that period, their data could have been stolen by hackers.





A Chilean hacktivist group stole 304,189 records from CONADI, the government agency for the development of indigenous peoples. The hackers published the database along with a report exposing weak security, and demanded the resignation of the President of Chile.



The US carrier Verizon also fell victim to an attack in which data belonging to 1.5 million of its customers were stolen. According to Brian Krebs, who uncovered the incident, cyber criminals offered the stolen information for about $100,000 (and also sold it in portions for $10,000).



A new vulnerability in OS X could give attackers full access to the system by bypassing System Integrity Protection (SIP), first introduced in "El Capitan".



When we talk about phishing, we usually think of the typical emails that imitate messages from our bank and try to trick us into handing over our login credentials. However, there are more complex and ambitious attacks, such as the one suffered by Mattel, the maker of Barbie and Hot Wheels.





A senior executive received a message, apparently from the newly appointed chief executive, requesting a transfer of three million dollars to an account in China. After the payment was made (to the surprise of the chief executive, who had sent no such request), Mattel contacted the US authorities and its bank, but it was too late: the money had already been transferred.



However, they were lucky: it was a public holiday in China, so there was enough time to alert the Chinese authorities. They froze the account and Mattel managed to get its money back.



This type of attack has become very popular. Hackers impersonate the head of a company and request money transfers from "their" employees. To make the deception more believable, they use the information the company publishes on social networks.



The 21st Century Oncology Holdings clinic in Florida (USA), which specializes in cancer treatment, warned 2.2 million of its patients and staff in March that their personal data may have been stolen.





The attack took place in October 2015, but the FBI asked that the information not be disclosed while the investigation was ongoing. The hackers were able to steal personal data (name, social security number, diagnosis, treatment, health insurance data, bank card details, etc.).



Many people remember the famous "police virus", the predecessor of modern ransomware, which posed as local law enforcement and demanded payment of a 100 euro fine. One of these cyber gangs was caught by the Spanish police, and in the first quarter its members were convicted. The gang consisted of 12 people. The leader of the gang, Alexander Krasnokutsky, was sentenced to 6 years, his deputy Dmitro Kovalchuk received three years, and the brothers Sergey and Ivan Barkov received two years each. The remaining members of the gang received 6 months in prison.



If Flash is the number one browser plugin for infecting new victims (more holes and more attacks), then Java is next in line in second place. But here we have good news: Oracle, the developer of Java, has announced that it is discontinuing the plugin.



The next, and final, version of the plugin will be released in September of this year. Major browser makers are dropping support for such plugins because of a variety of problems (mostly security-related); some have already done so, and others have scheduled it.



The FBI was able to identify 1,500 people selling child pornography.



Last year the FBI seized the servers of Playpen, a dark-web site launched in August 2014 that allowed users to upload and download such images. The site had grown to 225,000 registered users. For two weeks the FBI, among other things, ran the site on its own servers and used its own tools to determine the IP addresses of visitors.



On an ordinary website it is quite easy to determine a visitor's IP address, but on the dark web this is much harder. In fact, Playpen visitors were compromised through vulnerabilities in certain dark-web browsers. Once it had access to a computer that had visited the site, the tool collected the required information (IP address, MAC address, operating system version, user name, etc.).



Speaking of hacking by law enforcement agencies, in Germany the Ministry of the Interior authorized the use of Trojans to access the computers and smartphones of suspects. The Trojan was developed by the police themselves and gives them access to the communications on these devices.



Mobile threats


Turning to phone vulnerabilities: we saw flaws affecting these devices from several angles: the manufacturer's pre-installed software, the device's processor, the operating system...



SNAP is the name given to a vulnerability in LG G3 phones. The problem stems from a flaw in LG's Smart Notice notification app that allows arbitrary JavaScript to be executed.



The BugSec researchers who discovered this vulnerability reported it to LG, which quickly released an update to fix the issue.



Metaphor is the name NorthBit gave to a vulnerability that allows an Android device to be compromised within just 10 seconds of visiting a website containing a malicious media file.



Many techies know the name Snapdragon, arguably the best-known Qualcomm processor, used in more than 1 billion devices (mostly mobile). Colleagues at Trend Micro discovered two vulnerabilities in these processors that allow an attacker to gain root access to the device. Google has released an update that fixes the problem.



Apple has been the main character of the past three months. First, the company's head, Tim Cook, published an open letter on user privacy after the FBI asked the company to provide a backdoor for accessing iPhone devices in national security cases. It all started with the San Bernardino attack, when the FBI seized an iPhone belonging to one of the terrorists and wanted to access its messages. Many technology companies supported Cook's letter (Facebook, Google, Microsoft, Twitter, LinkedIn and others). In the end, the FBI was able to unlock the device with the help of third-party specialists.



Internet of things


As we have seen in previous reports, the Internet of Things is highly likely to fall victim to attacks. Some manufacturers are aware of this problem. General Motors has introduced a new reward program for hackers who find vulnerabilities in its vehicles. This is normal practice among technology companies (Microsoft, Google, Facebook and others have run similar programs for several years), but it is something new for traditional companies such as automakers. It is encouraging that General Motors has taken such an initiative.



The Japanese automaker Nissan disabled the app that lets owners of Nissan LEAF electric cars control the heating and air conditioning system.





A researcher from Australia had found that he could control these functions on any Nissan LEAF simply by knowing its VIN.



Gradually we are bringing new "smart" devices into our homes. Ring makes a doorbell with a camera, a motion sensor and built-in Wi-Fi. Pen Test Partners, studying one of these devices, found that with access to the device's setup button it was possible to obtain the credentials of the Wi-Fi network it was connected to. The manufacturer responded quickly by releasing new firmware that fixes the problem.



Cyberwar


Russian researchers working on Industrial Control Systems and Supervisory Control and Data Acquisition (ICS/SCADA) security have published a list of industrial equipment that ships with the same default passwords, in order to push manufacturers to implement more effective security controls. The list, already dubbed "SCADAPass", contains the default credentials of more than 100 products from manufacturers such as Allen-Bradley, Schneider Electric and Siemens.



These products are used primarily in critical infrastructures. At the end of 2015, a cyber attack was carried out on the power supply infrastructure in Ukraine, and approximately 225,000 residents of some regions of Ukraine were left without electricity (in the middle of winter!) as a result. The attack has been linked to a group of Russian cyber criminals known as "Sandworm".



The US Department of Defense launched a bug bounty program called "Hack the Pentagon": hackers are offered rewards for finding vulnerabilities in web applications and networks related to the Pentagon.





Anyone can be a victim of information theft, including terrorist groups like ISIL. A defector walked off with a flash drive containing information on 22,000 ISIL members (before joining ISIL, candidates must fill out a form with all this information).



Three groups of Latin American hackers were able to break into servers belonging to the Bolivian army, then downloaded and published emails. They gained access easily via an old security hole in the VMware Zimbra service that the army's security staff had never patched.

In March, the South Korean intelligence service admitted that it had been the victim of an attack in which the mobile phones of 40 of the country's security officials were compromised, and accused North Korea of the attack. A few days later, the North Korean government denied any involvement.



Conclusion


As you can see, the year has begun quite intensely. We will closely monitor the development of ransomware, because we will have to live with it for a long time. In addition, we should pay close attention to the Internet of Things and the numerous security issues surrounding these devices.

Source: https://habr.com/ru/post/283000/


