Fortinet, a world leader in advanced cyber-security, has presented the results of its latest global IT threat study. The study shows how cybercriminals are building an "army of things," a serious security threat, and highlights the ever-changing and increasingly sophisticated methods of attack.
Infrastructure trends and their relation to risks
Detecting and stopping explosions, botnets and malware is becoming increasingly difficult due to the development of network infrastructure. The data shows that SSL encrypted traffic remained at around 50% and accounted for about half of all traffic generated by businesses. It is worth noting the increasing use of HTTPS protocol. While it provides privacy protection, it makes it difficult to detect threats that may be hidden in encrypted messages. Often, SSL traffic is not controlled due to the enormous costs associated with decrypting, controlling and reencrypting it. This forces IT professionals to balance security and performance.
In terms of applications used in enterprises, their average number of applications running in the cloud has increased to 63, which is about one third of their total number. This trend has significant
Security implications due to reduced visibility of data stored by cloud-based applications and limited insight into how the data is used and who accesses it. However, the use of social media, audio and video streaming and P2P applications has not increased rapidly.
The "Army of Things" being built in the digital half-world
Internet of Things (IoT) devices are greedy bites for cybercriminals around the world. They build their own "armies of things" that allow them to replicate attacks in a cheap and incredibly fast way and on a massive scale. This is the basis for the operation of modern cybercriminals. The IoT devices taken over by the Mirai botnet carried out DDoS attacks on a record scale. The release of the Mirai source code increased botnet activity by 25 times a week and by the end of the year by 125 times.
At the top of the threat list were blasters using several categories of IoT devices and looking for vulnerabilities in the security of home routers and printers. For some time, the top of this list were also DVRs and NVRs, whose use to carry out attacks has increased by as much as 6 times.
The number of attacks on mobile devices is increasing
More than before, malware for mobile devices has become a problem. While it accounts for only 1.7% of the total volume of malware, as many as 20% of enterprises admit that they have dealt with it - almost always on Android. In these cases there are significant regional differences: 36% of the attacks were directed against companies from Africa, 23% from Asia, 16% from North America and only 8% from Europe. This data is now used to identify trusted devices in enterprise networks.
Automated attacks on a massive scale have become widespread
The relationship between the number of blasts and their prevalence suggests increasing automation of attacks and lower costs of malware and tools distributed in darknet. It's cheaper and easier to carry out attacks than ever before.
SQL Slammer topped the list of detected explosives that pose a serious or critical threat, mainly to educational institutions. The second most common was an explosive indicating attacks using a forceful algorithm against Microsoft Remote Desktop Protocol (RDP). This explosion initiated 200 RDP requests every ten seconds, which explains the large number of such cases detected in companies worldwide. The third place was a signature associated with memory corruption in Windows File Manager, which allows the criminal to remotely execute any code in a given application using a .jpg file.
The most popular botnets were H-Worm and ZeroAccess. Both allow criminals to control the systems to suck the data, are used in what is known as "click fraud" (fraudulent or false clicks on a sponsored link or other form of advertising for profit) and to dig up bitcoins. Attempts to attack with these two botnets have been made most often in the technology and public sectors.
The ransomware is not going away
The popularity of this extremely cost-effective attack method will grow as RaaS (ransomware as a service) is becoming increasingly available, allowing even untrained criminals to download the right tools and use them against the victim. According to the results of the survey, 36% of companies detected botnet activity related to ransomware. The winner was TorrentLocker.
Two families of malware Nemucod and Agent also had their five minutes, 81.4% of the malware samples detected. The Nemucod family is commonly associated with ransomware, which is present in all regions and sectors, especially in the healthcare sector.
There are novelties, but older explorers are doing well
As many as 86% of companies have experienced attempted attacks using vulnerabilities older than ten years. Nearly 40% of them had to deal with explosions using even older, commonly known threats.
On average, there were 10.7 unique application exploitations per company. Approximately 9 out of 10 companies detected explosions posing a serious or critical threat. In general, Africa, the Middle East and Latin America had more and varied incidents in each threat category compared to the average number of blasting operations, malware and botnet families detected in companies in different regions of the world. These differences were particularly evident in the case of botnets.
