
Results of cyber activity in Q1 2017



PandaLabs, Panda Security's anti-malware laboratory, analyzed some of the trends in the billion-dollar cybercrime industry and presented the key figures in its quarterly report for the first quarter of 2017.

The first quarter of 2017 showed some of the consequences of a world that is increasingly dependent on the Internet, through which devices and processes in the physical world are controlled. Many of those devices are unprotected.
The number of cyber attacks occurring daily is growing markedly, and the attacks are becoming more complex than before. Because they evolve continuously, defenders now have to stay one step ahead of them. Based on the statistics gathered in the first months of the year, three main factors behind successful attacks were identified:

- More sophisticated threats, new attack vectors, and more attacks.
- More complex IT environments with a huge number of devices, systems and connections.
- Traditional antivirus evolves along the same path as the attacks, but not at the same speed.

If one trend had to be singled out, it is that attacks are becoming more targeted, or "made to order" for the chosen victim. Attackers now interact with the victim's network and its protection systems in real time, adapting to them in order to achieve their goals.

In the first months of the year the Internet of Things (IoT) delivered a small surprise when a smart TV was hit by ransomware: an LG TV running Android was among the first victims. Separately, a researcher demonstrated that smart TVs can be compromised remotely through DTT (digital terrestrial television) broadcast signals.



Attack analysis


In our reports, as in the reports of other security vendors, we usually see roughly the same kind of threat statistics: the number of new threats in a given period, the types of threats, and so on. Although these numbers are interesting and make for bright news headlines, at PandaLabs we asked ourselves what we could show to assess the real risk of infection that users face at home and at work. We need data of real value.

To obtain it, we focused on incidents that any user could face. First, we decided not to count threats detected by signatures (their number can reach hundreds of millions), since this is known malware against which every user with a basic antivirus is protected to some degree. We also decided not to count heuristic detections, which can catch previously unknown threats.

The reason is that professional attackers test their "creations" against antivirus products, which include both signature and heuristic detection, to make sure they pass unnoticed. In other words, we can discard these numbers as if users were always protected and there was never a real risk of infection. But if we are not talking about what we detect, what data can we provide on this question?

Panda Security has always been committed to protecting its customers, and so several years ago our laboratory created a new layer of protection, which we decided to add to all of our products. It comes into play only when the other layers of protection have not helped.

That is, everything this layer of defense stops is a completely new attack. With this system we count not only attacks that use malware, but also fileless attacks and attacks that abuse legitimate software and utilities, which are seen increasingly often in corporate environments.

This extra layer makes it possible to show excellent detection rates in tests whose methodology mimics real-world attacks. In the AV-Comparatives tests for the first quarter of 2017 we showed a 100% detection rate in two rounds of the Real-World Protection Test, and in the Malware Protection Test we showed the best result, with 99.89% detection and only one false positive.

Of all the devices protected by Panda solutions, 2.25% experienced attacks with completely unknown threats.

Broken down by type of customer, the share of such devices is 2.19% among home users and 2.45% among companies. This may seem illogical, since companies have far more sophisticated protection systems than home PCs, but companies also face far more professional attacks: they hold much more valuable information than home PCs.

Among our corporate customers there are those who use traditional solutions and those who have already chosen the EDR solution (Adaptive Defense), which goes beyond antivirus and offers additional capabilities: advanced protection layers, real-time monitoring and classification of every process on servers and workstations in the enterprise network, expert analysis, and so on.

One would expect the number of attacks that get past all of Adaptive Defense's protection layers to be much lower than with traditional technologies. It sounds logical, but is that really the case?

It is: 2.83% of devices protected by traditional solutions faced attacks with unknown threats, while among devices protected by our next-generation solution the figure is only 0.83%.

Turning to the geography of such unknown attacks, we calculated the percentage of attacked devices for each country. The higher the percentage, the higher the likelihood of being attacked with unknown threats in that country:



Asia and Latin America are the regions with the highest infection rates.
Russia in this "rating" took 11th place with a rate of 3.58%.
Below you can see the top ten countries with the lowest level of infection:



Other countries whose infection rate is below the world average but which did not make the top ten: Canada (1.12%), Latvia (1.19%), Germany (1.20%), Spain (1.27%), United Kingdom (1.29%), Australia (1.30%) and Slovakia (1.31%).

The evolution of threats


Are we living through a cyber-threat revolution? It seems so. Malware is becoming more and more sophisticated, and attack techniques are constantly being refined. Targets are no longer chosen at random: attacks are increasingly targeted and coordinated, combining several infection vectors.

Nor should the attackers' motive be forgotten: they are no longer after glory, but are driven almost entirely by financial gain.



Hacker attacks are turning into professional crime. In the last months of 2016 we analyzed the specialization of black-hat hackers, both in the development of services such as Ransomware as a Service (RaaS) and in the creation of businesses that sell DDoS attacks (for example, vDOS).

Last year this "industry" reached an income of 1 billion US dollars:



A look at the quarter


Ransomware

Ransomware attacks are still on the rise, and the trend will continue as long as victims keep paying the ransom. By some estimates, cybercriminal groups specializing in ransomware earned $1 billion in 2016. The problem is global, and many countries are therefore improving their legislation to combat this type of crime more effectively. California, for example, has made deploying ransomware a crime.

However, new laws are not enough to hold back the constant attacks and the creation of new ransomware families. One such family (Spora) began spreading at the beginning of the year, mainly in Russia.

The frequency of attacks on companies keeps growing. Alongside the well-known ransomware families (Locky, Cerber, etc.), there are now more personalized attacks tailored to their victims. One of them was detected by PandaLabs in Q1: ransomware with its own graphical interface (WYSIWYE, "What You See Is What You Encrypt"), which let the attacker choose which folders to encrypt and which computers on the network to attack, enable a self-delete function, specify the e-mail address the victim should contact to pay the ransom, and so on:



One of the most popular and relatively simple ways of penetrating a corporate network is a brute-force attack on the RDP protocol (Windows Remote Desktop). Attackers scan the Internet for computers with this service enabled and, having found a potential victim, run a password-guessing attack against it until they hit valid credentials. Once inside the system, they are free to do whatever they want.

In Q1 2017 we saw a number of attacks by Russian hackers. All of them followed a similar pattern: after gaining access to a PC via RDP, the attackers installed bitcoin-mining software to generate additional income, and then either encrypted files or locked the PC. They did not always use malware: in one of the analyzed cases they locked the computer with the commercial application "Desktop Lock Express 2":
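The pattern described above (a burst of failed RDP logons from one address followed by a successful logon from the same address) can be detected from the Windows Security log. The following Python script is an added example and is not part of the original report or of any Panda product; it runs over a constructed list of events shaped like Windows event IDs 4625 (failed logon) and 4624 (successful logon) and flags the source addresses that exceed a failure threshold inside a time window, noting whether a success followed. The sample events, the threshold and the window are assumptions.

```python
"""Detect RDP password guessing followed by a successful logon.

Added example: the events below are constructed to resemble Windows Security
log fields (event IDs 4625/4624, LogonType, TargetUserName, IpAddress); they
are not real telemetry. Threshold and window are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# LogonType 10 is RemoteInteractive (classic RDP). With Network Level
# Authentication enabled, a failed RDP attempt is recorded as LogonType 3
# (Network), because CredSSP rejects the password before a session exists,
# so both types must be considered when hunting for RDP guessing.
RDP_LOGON_TYPES = {3, 10}

SAMPLE_EVENTS = [
    # Attacker at 203.0.113.7 tries common account names a few seconds apart ...
    {"time": "2017-03-01T02:14:01", "id": 4625, "logon_type": 3,  "user": "Administrator", "ip": "203.0.113.7"},
    {"time": "2017-03-01T02:14:05", "id": 4625, "logon_type": 3,  "user": "admin",         "ip": "203.0.113.7"},
    {"time": "2017-03-01T02:14:09", "id": 4625, "logon_type": 10, "user": "user",          "ip": "203.0.113.7"},
    {"time": "2017-03-01T02:14:13", "id": 4625, "logon_type": 10, "user": "backup",        "ip": "203.0.113.7"},
    {"time": "2017-03-01T02:14:17", "id": 4625, "logon_type": 10, "user": "test",          "ip": "203.0.113.7"},
    {"time": "2017-03-01T02:14:21", "id": 4625, "logon_type": 10, "user": "Administrator", "ip": "203.0.113.7"},
    # ... and finally gets in.
    {"time": "2017-03-01T02:14:30", "id": 4624, "logon_type": 10, "user": "Administrator", "ip": "203.0.113.7"},
    # An employee mistypes a password twice, then logs in: below threshold.
    {"time": "2017-03-01T09:00:10", "id": 4625, "logon_type": 10, "user": "jsmith", "ip": "198.51.100.20"},
    {"time": "2017-03-01T09:00:40", "id": 4625, "logon_type": 10, "user": "jsmith", "ip": "198.51.100.20"},
    {"time": "2017-03-01T09:01:05", "id": 4624, "logon_type": 10, "user": "jsmith", "ip": "198.51.100.20"},
    # A console logon failure (LogonType 2) is not RDP and is ignored.
    {"time": "2017-03-01T09:30:00", "id": 4625, "logon_type": 2,  "user": "jsmith", "ip": "-"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that produced at least `threshold` failed
    RDP-style logons within `window`. Each alert records the total number of
    failures from that IP, the account names tried, and the account of the
    first successful logon from that IP after the burst (None if none)."""
    recent = defaultdict(deque)      # ip -> timestamps of failures inside the window
    total_failures = defaultdict(int)
    tried_users = defaultdict(set)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["ip"]
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625:
            total_failures[ip] += 1
            tried_users[ip].add(ev["user"].lower())
            q = recent[ip]
            q.append(t)
            while t - q[0] > window:      # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(ip, {"ip": ip, "success_user": None})
        elif ev["id"] == 4624 and ip in alerts and alerts[ip]["success_user"] is None:
            # A success from an address already flagged means the guessing worked.
            alerts[ip]["success_user"] = ev["user"]
    for ip, alert in alerts.items():
        alert["failures"] = total_failures[ip]
        alert["users"] = sorted(tried_users[ip])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        status = f"SUCCESS as {alert['success_user']}" if alert["success_user"] else "no success seen"
        print(f"{alert['ip']}: {alert['failures']} failed RDP logons, "
              f"accounts tried {alert['users']}, {status}")
```

The success-after-burst signal is the one worth paging on: it means the guessing worked and that no account lockout policy stopped it. The usual hardening is to keep port 3389 off the Internet (VPN or a gateway in front), require NLA, and set a lockout policy; with NLA on, remember to include LogonType 3 in the query, as above, or the failed attempts will not be counted.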



We also witnessed a particularly cunning piece of ransomware known as Popcorn Time. Its novelty lies in a nasty distribution method: victims are pushed into working with the criminals to infect new users. Alongside the demand to pay 1 bitcoin (roughly 800 euros) to restore access to the encrypted files, it offers free recovery if the victim spreads the ransomware to his contacts.

The immediate consequence of a ransomware attack is obvious: you lose access to your files. But there have been cases that go well beyond that, as the guests of a hotel in Austria can confirm. The criminals managed to remotely lock all of the hotel's electronic key readers, so that guests could not get into their rooms. This affected 180 guests in the first week of the season. The hotel management decided to pay a ransom of 1,500 euros to regain control of its systems.

Cybercrime

Cybercrime is becoming ever more professional, which means there are highly specialized groups for each job: writing malware and exploits, distributing them, stealing information, laundering money, and so on. A good example is the RDPatcher attack detected by PandaLabs. Its goal is to prepare the victim's PC for "rental" on the dark web. After breaking into the PC, the attackers build a complete profile of it, collecting every kind of data: hardware, installed software, security solutions, connection speed, visited sites, etc. All of this is then put up for sale on the black market, and the machine is connected to a botnet.

The ingenuity of cybercriminals seems to have no end. In one case discovered by PandaLabs, we saw attackers evade detection by using "goodware" to carry out their attack. After logging on to the computer, they left themselves a backdoor through the Sticky Keys accessibility feature, so that no malware needed to be installed to get back into the system.
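The Sticky Keys backdoor works by making Windows run a shell when the accessibility helper sethc.exe (which Windows launches from the logon screen when Shift is pressed five times) is invoked: either sethc.exe is overwritten with cmd.exe, or cmd.exe is registered as its "Debugger" under Image File Execution Options (IFEO). The following Python script is an added example, not part of the original report or of a Panda product; it shows the two checks a defender would run on a suspect host: parsing a `reg export` of the IFEO key for debuggers attached to accessibility binaries, and comparing the hashes of those binaries with the hashes of the shells they are usually replaced with. The registry export text and the file contents are constructed stand-ins, and the list of accessibility binaries covered is an assumption.

```python
"""Hunt for the Sticky Keys / accessibility-binary backdoor.

Added example. SAMPLE_REG_EXPORT and SAMPLE_FILES are constructed stand-ins for
the output of `reg export` on the IFEO key and for files in System32; they are
not taken from a real host.
"""
import hashlib
import re

# Accessibility helpers Windows can run from the logon screen (assumed list).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
# Binaries an attacker typically swaps in or registers as the "Debugger".
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "taskmgr.exe"}
IFEO_MARKER = "\\image file execution options\\"

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Notepad++\\notepad++.exe\" -notepadStyleCmdline -z"
"""

# Constructed file contents: sethc.exe has been overwritten with cmd.exe.
SAMPLE_FILES = {
    "cmd.exe": b"MZ-cmd-constructed",
    "powershell.exe": b"MZ-powershell-constructed",
    "sethc.exe": b"MZ-cmd-constructed",
    "utilman.exe": b"MZ-utilman-constructed",
    "osk.exe": b"MZ-osk-constructed",
}


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: [key] headers and
    "name"="string" values. Returns {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line.partition('"=')
            if raw.startswith('"') and raw.endswith('"'):
                # .reg escapes backslashes and quotes with a backslash.
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
            keys[current][name[1:]] = raw
    return keys


def find_ifeo_hijacks(reg_text):
    """Report every IFEO subkey with a Debugger value. Entries for accessibility
    binaries are the backdoor; others (e.g. a Notepad replacement) are legitimate
    uses of the same mechanism but still worth a look."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        pos = key.lower().find(IFEO_MARKER)
        if pos == -1 or "Debugger" not in values:
            continue
        binary = key[pos + len(IFEO_MARKER):].lower()
        findings.append({
            "binary": binary,
            "debugger": values["Debugger"],
            "accessibility": binary in ACCESSIBILITY_BINARIES,
        })
    return findings


def find_replaced_binaries(files):
    """Return accessibility binaries whose SHA-256 equals that of a shell,
    i.e. files that were overwritten with cmd.exe or similar."""
    digest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    shell_hashes = {digest[s] for s in SHELL_BINARIES if s in digest}
    return sorted(name for name in ACCESSIBILITY_BINARIES
                  if name in digest and digest[name] in shell_hashes)


if __name__ == "__main__":
    for hit in find_ifeo_hijacks(SAMPLE_REG_EXPORT):
        tag = "BACKDOOR" if hit["accessibility"] else "review"
        print(f"[{tag}] IFEO debugger on {hit['binary']}: {hit['debugger']}")
    for name in find_replaced_binaries(SAMPLE_FILES):
        print(f"[BACKDOOR] {name} has the same hash as a shell binary")
```

On a live host the registry text comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and the file contents from %SystemRoot%\System32. The hash comparison against shells catches the crude swap; comparing against known-good hashes (or running `sfc /verifyonly`) catches any replacement. Requiring NLA for RDP also blunts the trick, since an unauthenticated remote client never reaches the Windows logon screen where pressing Shift five times would launch sethc.exe.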

DDoS attacks also deserve a mention. The second half of 2016 saw several high-profile attacks of this kind, and this quarter we saw even more of them, although they were less intense. At the beginning of the year, for example, Lloyds customers had trouble accessing their accounts as a result of a DDoS attack.

In January, Italian police broke up a cyber-espionage group called EyePyramid, run by two relatives, that hacked government agencies, professional firms, entrepreneurs and politicians. They accessed their victims' confidential information by installing malware on their PCs, and stole financial data and details of national and municipal security systems.

Among the victims were former Italian Prime Ministers Matteo Renzi and Mario Monti, President of the European Central Bank Mario Draghi, as well as regional leaders, economists, businessmen and police commissioners.

Hijacking social-network accounts has become commonplace. One of the most striking cases of Q1 occurred in January, when an official New York Times Twitter account was hacked. Once control was regained, the posts published by the hackers were removed:



An example of one of the tweets published on the hacked account. It claims that Russia is going to launch an attack against the United States:



The group responsible is known for hacking the accounts of other companies, such as Netflix and Marvel.



Data theft also deserves a special place in recent months. Sanrio, the owner of "Hello Kitty", had the personal data of 3.3 million customers stolen, including names, dates of birth, password-recovery security questions, and so on.

We analyzed some ironic cases, such as that of the Israeli company Cellebrite, which sells tools for hacking phones (or rather, for extracting data from them) and itself suffered a breach in which 900GB of customer data, databases and technical information about the company's products were stolen.

Even Apple came under attack at the beginning of the year. A group of cybercriminals calling itself "Turkish Crime Family" tried to blackmail the company, demanding a ransom and threatening to remotely wipe the iPhone, iPad and Mac devices of 250 million users. The group claimed to hold valid user credentials; Apple denied that it had been breached and suggested the data could have come from third-party sites or from password reuse. Naturally, the technology giant did not give in to the extortion attempt.



Mobile devices

Although the amount of new malware created for mobile devices is still far smaller than that created for PCs, the trends are much the same.

Ransomware, for example, is a model that transfers perfectly to mobile devices and guarantees attackers excellent results. A new Android threat known as "Charger" steals contacts and SMS messages before locking the device, threatening to sell some of your information on the black market every 30 minutes unless the ransom (0.2 bitcoin) is paid.

Internet of Things (IoT)

For some time now, many buildings have been fitted with smart meters to record electricity consumption. Apart from the possible impact of such meters on the electricity bill (some consumer associations have already reported possible fraud involving them), their widespread use may carry other, less well-known security risks.

As researcher Netanel Rubin explained at the last Chaos Communication Congress in Hamburg (Germany), smart meters are dangerous in several respects. First, since all electricity consumption data for a home or office is recorded and sent to the utility, an attacker who controls the device can read that information and use it for malicious purposes. It would be very useful for a burglar, for example, to know at what time of day a house or office is empty. He could also remotely learn which devices are in the building, because each electrical appliance leaves its own unique "fingerprint" on the power grid.

Another common device is the smart TV. Some run Android as their operating system, which besides its advantages has its drawbacks, as shown by American software developer Darren Cauthon when he posted on Twitter that his family's TV had been hit by an attack. According to Cauthon, it happened after a family member installed (apparently from a third-party site) an app for watching movies online.

His LG TV was made in 2014 and ran Google TV, a special Android build for smart TVs. After the TV was infected, the malware demanded $500 for the screen unlock code. The demand was presented as a notice from the US Department of Justice.



There are, however, far more dangerous attacks that show what to expect in the future. In February, at a European Broadcasting Union cybersecurity seminar, security consultant Rafael Scheel demonstrated an exploit that let him take control of a smart TV without physical access to it, delivering the attack over a DTT (digital terrestrial television) signal.

Robots and personal assistants

The "Fourth Industrial Revolution" is on its way. A recent World Economic Forum report gave some current statistics and a forecast for 2020: in developed countries, 7.1 million jobs will disappear over that period and only 2.1 million will be created. In other words, 5 million jobs will be lost.

Another recent report, by the Organisation for Economic Co-operation and Development (OECD), identified Spain, Austria and Germany as the countries that will be most affected by the robot revolution. In these countries 12% of workers will be replaced by robots, while in the remaining OECD member countries the average replacement rate will be 9%.



Based on these figures, the European Parliament has drawn up a set of rules to regulate relations between robots, citizens and businesses.

The proposed legislation is now being discussed in the European Commission, which will take the final decision on the limits of introducing robots into society. The aim is to minimize the possible negative effects.

In February, Google Home assistants across the US woke up unexpectedly when a voice in a Super Bowl commercial (the final of the US National Football League) said the magic words "OK, Google". The ability of Google Home to listen to people's conversations, patiently waiting for a voice command, makes it an ideal eavesdropping device. These assistant capabilities, combined with the storage of audio recordings, can even be used in criminal investigations: for example, police in a US town asked Amazon for data from an Amazon Echo because it might hold information useful to a crime investigation.

Cyber war

Now more than ever, cyber attacks and politics are intertwined. In the wake of last year's US elections we have seen a flood of accusations against Russia. Before leaving office, Barack Obama accused Russia of carrying out cyber attacks that damaged Hillary Clinton's campaign to the benefit of Donald Trump. As a result, 35 Russian diplomats were expelled from the United States.

This story has had an effect on other countries. France, for example, abandoned e-voting for citizens living abroad because of the very high risk of cyber attacks. The Netherlands went even further and announced that ballots would be counted by hand on election night and the results reported by telephone to avoid the risk of possible cyber attacks. The announcement came after security experts warned of potential vulnerabilities in the software used at polling stations.

In February, the Netherlands put a proposal to NATO to create an international cyber-defense alliance to counter the growing threat of cyber attacks. Such an alliance would need full capabilities for defense, law enforcement and response to attacks.

In March, German Chancellor Angela Merkel said that protecting Germany's infrastructure from cyber attacks is one of her top security priorities. Shortly afterwards it emerged that the German armed forces had formed their own cyber command to strengthen the country's online defenses. The new command starts with 260 staff, but in theory this number will grow to 14,500 by 2021.

But if one event in the world of cyber war and cyber espionage had to be singled out, it would be the CIA/WikiLeaks affair. On March 7, WikiLeaks began publishing a series of documents called "Vault 7" containing technical details and descriptions of the tools the CIA uses to hack smartphones, computers and even smart TVs.

WikiLeaks continues to publish documents in a dedicated section of its website. They cover a huge number of tools and techniques. The documents leave no doubt that the CIA has an extensive arsenal of cyber-espionage tools at its disposal and can therefore spy on almost anyone. It is also true that the CIA has now completely lost control over these tools.

The good news is that this knowledge can be used to strengthen your own defenses against such attacks. The bad news is that any other attacker can use the published information for their own malicious ends, having studied the tactics the CIA developed to violate the privacy of ordinary citizens.



Conclusion


WikiLeaks will continue to publish Vault 7 material, and we will analyze the new "findings" in our next reports.

We should keep a close eye on the evolution of the Internet of Things, because these devices leave much to be desired from a security point of view.

Ransomware attacks will continue to lead in terms of numbers, and this will remain so as long as a substantial share of victims are willing to pay the ransom and law enforcement is unable to trace bitcoin transactions.

We will continue to monitor attacks on enterprises, and in particular how cybercriminals increasingly use (and abuse) legitimate, non-malicious software to penetrate corporate networks and steal information while remaining unnoticed by protection systems.

Source: https://habr.com/ru/post/328324/

