
In the second quarter, a 40% increase in the number of attacked devices was recorded.
From the point of view of information security, the second quarter of 2017 was one of the worst in history. Without exaggeration, the WannaCry attack in May and the GoldenEye / Petya attack in June stood apart from everything else: almost every country in the world and a huge number of companies suffered from them, and some of those companies are still rebuilding their systems. According to various estimates, the total damage from these attacks ranged from 1 to 4 billion dollars.



These attacks are closely related to cyber wars and the efforts of various countries to wage them. Both attacks exploited a vulnerability discovered by the NSA, which was stolen by a group of hackers called Shadow Brokers and published in April. There is a body of evidence that points to North Korea as the source of the WannaCry attack, while, according to many experts, the GoldenEye / Petya attack was aimed at disrupting companies and institutions in Ukraine the day before their Constitution Day, and they suggest that Russia was behind it.


So far, we cannot officially say that a global cyber war is already underway, but in one way or another attacks such as WannaCry or Petya affect each of us. Against the background of the noise about these two notable attacks, other attacks quietly pass without proper attention. Yet these are not merely serious attacks but perhaps even more dangerous incidents. Daring attempts to influence elections in countries such as France and the United States, using cyber-espionage tactics in favor of candidates whose political views coincide with the goals of the attackers (as was the case with Trump in the United States and Le Pen in France), are examples of the hidden wars that are carried out in cyberspace and can significantly affect events in the world.



Meanwhile, ordinary citizens daily face numerous cyber crimes, as a result of which attackers make huge profits at the expense of their victims.



Quarter in numbers



In our reports, as well as in those published by other developers of security solutions, we always provide similar statistics on malware: how many new threats appeared in the reporting period, what types of threats, etc. Although these numbers are interesting and can make a bright news headline, this year we at PandaLabs decided to go further and present data that is more meaningful and has real value.



To calculate the statistics presented below, we decided not to count all the threats that are detected by signatures (their number can reach hundreds of millions), since this is known malware, against which every user with a basic antivirus is protected to some extent. We also decided not to include heuristic detections, which can catch previously unknown threats.



The reason is that professional hackers test their "creations" against antivirus products to make sure they go unnoticed, and those antivirus products include both signature and heuristic detection. In other words, we can discard these numbers, as if users were always protected by them and there was never a real risk of infection.



We will consider only data on new threats that are not detected by signatures or heuristics: malware-free attacks, fileless attacks and other attacks carried out with legitimate system tools, which is becoming an increasingly common practice in corporate environments, as we saw with GoldenEye / Petya in June.



But how will we measure what we cannot detect?



The fact is that we can detect and stop such attacks even if they have never been seen before by signatures or heuristics. To do this, we use a set of proprietary technologies that form what we call "Contextual Intelligence", which allows us to identify malicious behaviors and build improved cyber-defense mechanisms against known and unknown threats.



This level of Contextual Intelligence has helped us achieve outstanding levels of detection in tests that simulate real-world attacks. In the AV-Comparatives tests in the first half of 2017, Panda Security showed the best results in the Real-World Protection Test, receiving the highest "Advanced+" award with Panda Free Antivirus, the simplest solution in our range of information security products.



Next, we analyzed the data obtained about the attacks. Of all the machines protected by Panda Security solutions, 3.44% were attacked by unknown threats, up almost 40% from the previous quarter. Broken down by type of client, the share of such machines among home users and small enterprises was about 3.81%, while among medium and large enterprises it was about 2.28%.



Home users have far fewer defenses, with the result that they are more prone to attacks. Many attacks that were successfully implemented at home were easily prevented in corporate networks before they could have any impact.

Among our corporate clients are those who use traditional solutions, as well as those who have chosen our EDR solution (Adaptive Defense), which goes far beyond antivirus and offers additional features that significantly extend the levels of protection: it classifies threats, monitors in real time all processes running on servers and workstations, provides expert analysis, etc. As a result, the number of attacks able to overcome all levels of protection in the Adaptive Defense EDR solution is much lower than the corresponding number for traditional security technologies alone.



2.67% of devices protected by traditional solutions faced unknown threats, while among devices protected with Adaptive Defense the figure was only 1.21%, which shows higher levels of attack prevention over time.



How are these attacks distributed geographically? We calculated the percentage of attacked machines in each country. The higher the percentage, the higher the likelihood of being attacked with unknown threats in the respective country.

This quarter was clearly marked by two major attacks. The first, WannaCry, happened in May and swept through corporate networks in every corner of the planet.

WannaCry is one of the biggest attacks in history. Although there were attacks in the past whose number of victims or speed of spread were higher (for example, Blaster or SQL Slammer), the damage caused by those attacks remained in the shadow of their rapid spread. In the case of WannaCry, we are talking about ransomware with worm functionality, which means that once a network was infected, encryption could not be avoided. Consider that we are talking about more than 230,000 affected computers, while the damage ranged from 1 to 4 billion US dollars. That works out to an average of 4,300 to over 17,000 dollars of damage per computer. Therefore, it can be said with confidence that this was the most destructive attack in history.



For a detailed analysis of what happened and the necessary recommendations, you can watch the webinar about the WannaCry attack conducted by the Technical Director of PandaLabs, Luis Corrons.



The second serious attack of the quarter was GoldenEye / Petya, a kind of aftershock following the WannaCry earthquake. Although the majority of its victims were concentrated in one region (especially Ukraine), companies from more than 60 countries of the world suffered from it.



This carefully planned attack was carried out through accounting software called MeDoc, which is very popular in Ukraine. The attackers compromised the program's update server, so any computer with MeDoc installed could be infected automatically when installing updates.



This attack was complex and very dangerous. Not only were files encrypted, but also the master boot record, in cases where the logged-in user had administrator rights. At first it seemed to be the same kind of ransomware as WannaCry, but after a thorough analysis of this threat we saw that the authors of the attack had no intention of allowing the recovery of encrypted data.



It seems obvious that in the case of GoldenEye / Petya we are dealing with a targeted attack, designed to disrupt the operation of computers in companies and institutions in Ukraine. But as with weapons of mass destruction, collateral damage is inevitable. Once GoldenEye / Petya has penetrated a corporate network, it spreads using a wide range of effective techniques. Foreign companies with offices in Ukraine were also infected.



A few days after the attack, the Ukrainian government openly accused Russia of carrying it out.



In the presentation that you can see here, PandaLabs reviews the key points of this attack and its authors.



Ransomware



WannaCry and GoldenEye / Petya drew all the public attention, but there was plenty of other ransomware. The web hosting company Nayana was attacked in South Korea, where ransomware encrypted data on 153 Linux servers.



The attackers demanded a ransom of $1.62 million. The company negotiated with the criminals and reduced this figure to $1 million, paying it in three installments.



Cyber war



The two major attacks of 2017 gave rise to suspicions that the governments of certain countries could be behind them (North Korea in the case of WannaCry and Russia in the case of GoldenEye / Petya). But these are only two cases in a sea of more or less mysterious wars taking place in cyberspace.



The main players in this game of cyber wars are the usual suspects: the United States, Russia, the DPRK... but surprisingly, China has dropped off this list in the last few months, because it was not involved in any of these scandals. The only explanation for this may be the cyber security agreement signed between the United States and China in 2015, although it is possible that they are continuing their attacks and these simply have not yet been revealed.



The United States is clearly concerned about attacks on US companies and institutions. Samuel Liles, Executive Director of the Cyber Division at the Department of Homeland Security (DHS), testified before the Senate Intelligence Committee that hacker attacks backed by the Russian government targeted systems related to the presidential election in more than 21 states.



The Congressional Intelligence Committee held hearings to discuss the implications of the Russian hacker attacks on the 2016 presidential election. Jeh Johnson, the former Secretary of the Department of Homeland Security in the Obama administration, reminded the committee that Russian President Vladimir Putin ordered an attack in order to influence the outcome of the US presidential election. He also stated that with these attacks the hackers were not able to falsify the election results.



In June, the US government issued a warning accusing the DPRK government of a series of cyber attacks conducted since 2009, and cautioning that new strikes could follow in the future. The warning, which came from the Department of Homeland Security and the FBI, concerned the Hidden Cobra group of hackers who, among other things, attacked the media, aerospace and financial industries, as well as critical infrastructure in the United States and other countries of the world.

The name "Hidden Cobra" is not as well known, but this group is also known as "Lazarus Group" and was linked to attacks such as the hacking of Sony in 2014.

Analyzing all the data and evidence on the activities of Hidden Cobra / Lazarus Group, the trail leads straight to WannaCry itself, passing through attacks on financial institutions such as the attack on the Central Bank of Bangladesh.



During the Gartner Security & Risk Management Summit, held in Washington in June, former CIA director John Brennan said that the alleged alliance between the Russian government and the cyber criminals who stole Yahoo accounts was just the tip of the iceberg, and that future cyber attacks by governments will use this formula and become more frequent.



In the same speech, he declared that the Russian special services are, in fact, not constrained by law, while in the USA it is the opposite. Some may find these statements strange, because everyone knows (thanks to WikiLeaks) that for many years the CIA has hacked into the routers of home, corporate and public Wi-Fi networks to carry out covert surveillance.



In our last report, we talked about how France abandoned electronic voting for citizens living abroad due to an "excessively high" risk of cyber attacks. It turned out that there was at least one cyber attack: just a couple of days before the election, private information was published, and Emmanuel Macron's campaign quickly issued a press release stating that they had been hacked.



More recent research has linked the hack to the "Fancy Bear" group, allegedly backed by the Russian government.



According to the Financial Times, attempts were made to break into the email accounts of members of the British Parliament using brute-force methods. Hackers sponsored by a foreign power are also suspected in this attack.

This whirlwind of intrigue and international conflict has also affected technology companies. Russia's FSB asked CISCO, SAP and IBM for the source code of their security solutions in order to check for possible backdoors. A few days later, the US government banned all federal agencies from using Kaspersky solutions because of its closeness to the Russian government and the FSB.



Cyber crime



According to the 2016 Internet Crime Report published by IC3 (the Internet Crime Complaint Center, part of the FBI), losses from cyber crime increased by 24% and exceeded $1.3 billion.



We must bear in mind that this number only counts the damage reported to IC3, which estimates that this is only about 15% of the real total loss. This means that in 2016, in the USA alone, the total damage could have amounted to about 9 billion US dollars.

The most sought-after exploits are those used to launch zero-day attacks, which by definition are not known to the software vendor and which allow hackers to compromise computers even if their software is fully updated. In April, a vulnerability was discovered that affected various versions of Microsoft Word, and we know that it had been used by hackers since at least January. In the same month, Microsoft published the corresponding update to protect Office users.



Medical records of at least 7,000 patients were compromised by a security breach at the Bronx Lebanon Hospital Center in New York.



There were also security incidents in which no attacker was directly involved. In those cases, as a result of a technical error or simple negligence, data that should have been carefully protected was in fact available to anyone who wanted to access it. This happened at the Automobile Association (AA), which in April left 13 GB of data "out in the open", among which more than 100,000 email addresses could be found associated with credit card information.



A similar incident occurred in the United States on an even larger scale. Marketing companies hired by the US Republican Party left publicly accessible data on 198 million voters (out of just over 200 million voters in the United States). This data, which was available for a couple of days, contained detailed information about each voter: name, date of birth, address, etc.



In China, an illegal trade in Apple customer data ended with the arrest of 22 people. All indications point to insiders, as some of the detainees worked for companies subcontracted by Apple and had access to the data that was later sold.



InterContinental Hotels Group (IHG) reported that it had fallen victim to data theft affecting its customers. Although in February the company reported that about ten hotels had suffered from the attack, it has now become aware of POS terminal infections in more than 1000 of its establishments. In a statement, the company confirmed that cards used for payment between September 29 and December 29, 2016 were affected. The company also explained that it had no information about unauthorized access to payment information after December 29, but that there was no confirmation of the complete eradication of the malware until March 2017. Among the affected hotel chains owned by this group were Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels and Crowne Plaza.

The OneLogin service, which offers users single sign-on to all their cloud platforms for more convenient and secure operation, was, ironically, also hacked. The company said in its blog that it had been attacked and that hackers had managed to penetrate its data center in the United States, gaining access to databases and leaving user information, applications and passwords exposed.



Mobile devices



Starting June 1, Google offers higher rewards to those who find the most serious (previously undiscovered) security vulnerabilities in its products. The top reward has increased from 50,000 to 200,000 dollars, and the second from 30,000 to 150,000.



A vulnerability (CVE-2017-6975) in the firmware of Broadcom HardMAC Wi-Fi SoC chips, which manifests itself when reconnecting to a Wi-Fi network, forced Apple to release an iOS update (10.3.1).



However, this vulnerability affects not only the iPhone and iPad but also other mobile devices (for example, Samsung or Google Nexus), which received a new security update in April to fix this issue.



Internet of things



We feel very comfortable living in an interconnected world. But the resulting convenience is only one side of the coin.



The other side is associated with various dangers, such as the WannaCry attack, which had a far more serious impact precisely because of how developed the Internet and network technologies are.



Smart cities, with extremely high levels of connectivity and a million devices connected to the Network, are a good example of technology entering our daily lives. Worldwide, cities are becoming "smarter", and it is predicted that by 2020 over 50 billion devices will be connected to the Internet. This will significantly increase security risks that could adversely affect the operation of urban infrastructure, traffic lights or municipal water supply systems. In June, WannaCry infected 55 traffic-light and speed cameras in Australia after a subcontractor connected an infected computer to the network on which they were located. After this incident, the police were forced to cancel 8,000 fines that had been issued.



On April 7 at 23:30, 156 emergency sirens sounded simultaneously in Dallas (Texas, USA). The authorities were able to turn them off only 40 minutes later, by taking the entire emergency warning system offline. Investigators still do not know who was behind the attack that caused this incident.



Recently, a new vulnerability affecting Mazda cars appeared. However, unlike other cases we have seen in the past, in order to hack the car's system you need to insert a "flash drive" while the engine is running in a certain mode.



Conclusion



The Shadow Brokers hacker group plans to continue publishing materials stolen from the NSA, so the cyber arms race will only intensify. In this regard, home and corporate users will need to take additional security measures.



The greatest risk of infection is among home users and small businesses. The countries most at risk from unknown threats include El Salvador, Brazil, Bangladesh, Honduras, Russia and Venezuela.



WannaCry and Petya have shown us that governments around the world may not be shy about pushing the button when they consider it necessary to launch cyber attacks. Anyone who uses the Internet and a device connected to it can end up falling victim to global cyber warfare. Therefore, we urge all nations of the world to look for ways to conclude an international treaty (a kind of Geneva Convention) to limit the ability of states to carry out cyber attacks.



Ransomware attacks are still on the rise, and the only explanation is that victims are still paying the ransom. Otherwise, attacks of this kind would have died out. It depends on all of us whether we can put an end to this madness: on the one hand, we must reliably protect ourselves from threats so as not to become a victim, and on the other hand, we must always have a backup copy of our data so that we never have to pay the ransom.



The most popular exploits for launching so-called zero-day attacks are vulnerabilities that are not yet known to software vendors. Insider attacks also pose a huge risk to home and corporate users, as do attacks on POS terminals.

The constant increase in the number of Internet connections, from mobile devices to all types of Internet of Things devices, raises the number of attacks to levels we have never encountered in the past.



This trend will continue, as soon tens of billions of devices will be connected to the Internet, and this number will only grow.



Recommendations

Traditional security solutions are still effective in protecting against most malware, but they are not able to fend off attacks that use non-malicious tools and other advanced techniques.

We must use security solutions that match the level of the threats we face. EDR solutions (Endpoint Detection & Response, i.e. detection of and response to attacks on endpoint devices) such as Adaptive Defense are the only solutions able to provide all the tools needed to protect against new threats and complex attacks.



The most important thing when defending against attacks is having all the necessary information: what happened, when, how, whether data was stolen, etc. The security solution used should provide all this data both in real time and afterwards, so that a thorough analysis of incidents can be performed. This is especially important for compliance with personal data protection legislation.

There should also be an action plan in case of an attack. Sooner or later any of us can become the victim of an attack, so a clear plan of action can significantly minimize the damage.



Many government agencies, private companies and public organizations in different countries of the world have already adopted the strategy we propose, making Adaptive Defense the best-selling security solution in the history of Panda Security. Large corporations in various sectors of the economy (finance, IT, defense, energy, etc.) protect their systems with Adaptive Defense.

Source: https://habr.com/ru/post/334608/