The Second Quarter of 2017 Was One of the Worst in the History of Cyber Attacks
From an information security standpoint, the second quarter of 2017 was one of the most dreadful in history. Without exaggeration, the WannaCry attack in May and the GoldenEye/Petya attack in June were in a league of their own: almost every country in the world and a huge number of companies suffered from them, and some of those companies are still restoring their systems to this day. According to various estimates, the total damage from these attacks amounted to between 1 and 4 billion dollars.
These attacks are connected with cyber wars and the efforts of various countries in this field. Both attacks exploited a vulnerability discovered by the NSA, which was stolen by a hacker group called the Shadow Brokers and published in April. GoldenEye/Petya was aimed at disrupting the work of companies and institutions in Ukraine on the day before its Constitution Day, and Russia is assumed to be behind the attack.
While we cannot officially say that a global cyber war is already under way, attacks like WannaCry or Petya affect each of us in one way or another. Against the background noise of these two notable attacks, other attacks quietly pass without due attention. Yet these are not merely serious attacks but possibly even more dangerous incidents. Brazen attempts to influence elections in countries such as France and the US, using cyber espionage tactics in favor of candidates whose political views coincide with the goals of the attackers (as was the case with Trump in the US and Le Pen in France), are vivid examples of the hidden wars being waged in cyberspace that can significantly affect world events.
Meanwhile, ordinary citizens face numerous cyber crimes every day, from which the perpetrators make huge profits at their victims’ expense.
Quarter in figures
In our reports, as in those published by other security vendors, we always provide similar statistics on malicious programs: how many new threats appeared in the reporting period, what types of threats, and so on. Although these figures are interesting and can make a vivid news headline, this year we at PandaLabs decided to go further and present data that carry new meaning and real value.
To calculate the statistics presented below, we decided not to count all the threats detected by signatures (their number may reach hundreds of millions), because this is known malware, against which every user with a basic antivirus is protected to some extent. We also decided not to include heuristic detections, which are capable of catching previously unknown threats.
This is because professional hackers test their “creations” against antivirus software, at a minimum, to check that they remain undetected, and those antiviruses include signature and heuristic detection. In other words, we can discard these figures, as if users were always protected and there was never a real risk of infection.
We will only consider data on new threats that are not detectable by signatures or heuristics: malware attacks, fileless attacks, and other attacks carried out using legitimate system tools, a practice that is becoming more common in corporate environments, as we saw with GoldenEye/Petya in June.
But how can we measure what we cannot detect?
The fact is that we can detect and stop such attacks even if they have never been seen before by signatures or heuristics. To do this, we use a set of our own technologies that form what we call “Context Intelligence”, which allows us to identify malicious behavior patterns and build improved mechanisms for protection against known and unknown threats.
This level of Context Intelligence has helped us achieve outstanding detection levels in tests simulating real-world attacks. In the AV-Comparatives tests in the first half of 2017, Panda Security showed the best results in the Real-World Protection Test, receiving the highest “Advanced+” award with Panda Free Antivirus, the simplest solution in our information security product line.
Next, we analyzed the data we received about the attacks. Of all the machines protected by Panda Security solutions, 3.44% were attacked by unknown threats, almost 40% more than in the previous quarter. Broken down by client type, the figure was about 3.81% among home users and small businesses, and about 2.28% among medium and large enterprises.
Home users have much less protection and are therefore more susceptible to attacks. Many attacks that succeeded at home were easily stopped in corporate networks before they could have any impact.
Among our corporate clients there are those who use traditional solutions as well as those who chose our EDR solution, Adaptive Defense, which goes far beyond antivirus and offers additional functions that significantly extend the levels of protection: classifying threats, monitoring in real time every process running on servers and workstations, providing expert analysis, and so on. As a result, the number of attacks able to overcome all the protection levels of the Adaptive Defense EDR solution is much lower than the corresponding number for traditional security technologies alone.
2.67% of devices protected by traditional solutions encountered unknown threats, while among devices protected with Adaptive Defense the figure was only 1.21%, which shows a higher level of attack prevention over time.
How are these attacks distributed geographically? We calculated the percentage of machines attacked in each country. The higher the percentage, the higher the probability of being attacked by unknown threats in the country concerned.
[Chart: most attacked countries]
[Chart: the attacked countries (second ranking)]
This quarter was clearly marked by two main attacks. The first, WannaCry, struck in May and swept through corporate networks in every corner of the planet.
WannaCry is one of the biggest attacks in history. Although there have been attacks in the past with a greater number of victims or a faster rate of spread (for example, Blaster or SQL Slammer), the damage they caused remained in the shadow of their rapid propagation. In the case of WannaCry, we are talking about ransomware with worm functionality, which means that no infected network could escape encryption.
Note that we are talking about more than 230,000 affected computers, with damage ranging from 1 to 4 billion US dollars. That works out to average damage of 4,300 to over 17,000 dollars per computer. We can therefore say with confidence that this was the most destructive attack in history.
For a detailed analysis of what happened and the recommendations you need, see the webinar about the WannaCry attack presented by PandaLabs Technical Director Luis Corrons.
The second serious attack of the quarter was GoldenEye/Petya, a kind of aftershock following the WannaCry earthquake. Although most of its victims were concentrated in one region (especially Ukraine), companies from more than 60 countries suffered from it.
The carefully planned attack was carried out through an accounting program called M.E.Doc, which is very popular in Ukraine. The attackers compromised the program’s update server, so any computer with M.E.Doc installed could be infected automatically when installing updates.
This attack was complex and very dangerous. It encrypted not only files but also the master boot record in cases where the logged-in user had administrative rights. At first it looked like ransomware in the style of WannaCry, but after a thorough analysis of the threat we saw that its authors had no intention of allowing the encrypted data to be recovered.
It seems obvious that with GoldenEye/Petya we are facing a targeted attack designed to disrupt the operation of computers in companies and institutions in Ukraine. But as with weapons of mass destruction, collateral damage is inevitable. Once GoldenEye/Petya penetrates a corporate network, it spreads using a wide range of effective techniques, and foreign companies with offices in Ukraine were also infected.
A few days after the attack, the Ukrainian government openly accused Russia of carrying it out.
In the presentation, which you can see here, PandaLabs analyzed the key moments of this attack and its authors.
WannaCry and GoldenEye/Petya diverted all public attention, but there was plenty of other ransomware. The web hosting provider Nayana in South Korea was attacked, and ransomware encrypted the data on 153 of its Linux servers.
The attackers demanded a ransom of $1.62 million. The company negotiated with the criminals and brought the figure down to 1 million dollars, which it paid in three installments.
The two major attacks of 2017 raised suspicions that the governments of certain countries could be behind them (the DPRK in the case of WannaCry and Russia in the case of GoldenEye/Petya). But these are only two cases in a sea of more or less mysterious wars taking place in cyberspace.
The main players in this game of cyber war are the usual suspects, the USA and Russia, but surprisingly China has somehow dropped off this list in the last few months and was not involved in any of these scandals. The only explanation may be the cyber security agreement signed between the US and China in 2015, although it is possible that China continues its attacks and they simply have not yet been identified.
The US is clearly concerned about attacks on US companies and institutions. Samuel Lyles, Executive Director of the Cyber Division at the Department of Homeland Security (DHS), testified before the US Senate Intelligence Committee that hacker attacks supported by the Russian government targeted systems connected with the presidential election in more than 21 states.
The Intelligence Committee of the US Congress held hearings to discuss the consequences of Russian attackers’ attacks on the 2016 presidential election. Jeh Johnson, former Secretary of Homeland Security in the Obama administration, recalled that Russian President Vladimir Putin had ordered an attack to influence the outcome of the presidential election in the United States. He also argued that the hackers could not have falsified the election results by means of these attacks.
In June, the US government issued a warning accusing the DPRK government of a series of cyber attacks carried out since 2009 and cautioning that new attacks could follow in the future. The warning from the Department of Homeland Security and the FBI concerned a hacker group, “Hidden Cobra”, which among other things attacked the media, aerospace and financial industries, as well as critical infrastructure in the US and other countries.
The name “Hidden Cobra” is not very well known, but this group is also known as the “Lazarus Group”, and it has been associated with attacks such as the Sony hack in 2014.
Analyzing all the data and clues about the activities of Hidden Cobra / Lazarus Group leads straight to WannaCry itself, by way of attacks on financial institutions such as the attack on the Central Bank of Bangladesh.
At the Gartner Security & Risk Management Summit in Washington in June, former CIA director John Brennan said that the alleged alliance between the Russian government and the cyber criminals who stole Yahoo accounts is just the tip of the iceberg, and that future government cyber attacks will use this formula and become more frequent.
In the same speech, he said that the Russian special services are, in fact, not constrained by law, while in the United States the opposite is true. Some may find these statements strange, because everybody knows (thanks to WikiLeaks) that for many years the CIA has hacked the routers of home, corporate and public Wi-Fi networks for secret surveillance.
In our last report, we described how France declined to use electronic voting for citizens living abroad because of the “excessively high” risk of cyber attacks. It turned out that there was at least one cyber attack: just a couple of days before the election, private information was published, and Emmanuel Macron’s campaign quickly issued a press release stating that it had been hacked.
More recent studies have linked the hack to the “Fancy Bear” group, allegedly supported by the Russian government.
According to the Financial Times, attempts were made to break into the email accounts of members of the British Parliament using brute-force methods. Hackers sponsored by a foreign power are also suspected in this attack.
This vortex of tricks and international conflicts has also affected technology companies. Russia’s FSB requested from Cisco, SAP, and IBM the source code of their security solutions in order to check for possible backdoors. A few days later, the US government prohibited all federal agencies from using Kaspersky’s solutions because of the company’s proximity to the Russian government and the FSB.
According to the 2016 Internet Crime Report published by the IC3 (the Internet Crime Complaint Center, part of the US FBI), losses from cyber crime increased by 24% and exceeded $1.3 billion.
Keep in mind that this number only takes into account the damage reported to the IC3, which estimates that this is only about 15% of actual total losses. Hence, in the US alone, the total damage in 2016 could amount to about 9 billion US dollars.
The most popular exploits are used to launch “zero-day” attacks, which by definition exploit vulnerabilities unknown to the software vendor and which allow hackers to compromise computers even if their software is up to date. In April, a vulnerability affecting different versions of Microsoft Word was discovered, and we know that hackers had been using it since at least January. That same April, Microsoft published an update to protect Office users.
The medical records of at least 7,000 patients were compromised as a result of a security breach at the Bronx Lebanon Hospital Center in New York.
There were other security incidents in which attackers played no direct part. In those cases, as a result of a technical error or simple carelessness, data that should have been well protected became available to anyone who wanted to access it. This happened at the Automobile Association (AA), which in April left 13 GB of data “open” for several days, including over 100,000 e-mail addresses linked to credit card information.
A similar case occurred in the US on an even larger scale. Marketing companies hired by the US Republican Party left the data of 198 million voters publicly accessible (there are a little more than 200 million voters in the US). The data, which were available for a couple of days, contained detailed information about each voter: name, date of birth, address, and so on.
In China, illegal trade in the data of Apple customers ended with the arrest of 22 people. All signs point to insiders, as some of the detainees worked for Apple subcontractors and had access to the data that was later sold.
InterContinental Hotels Group (IHG) reported that it had fallen victim to a theft of data affecting its customers. Although in February the company reported that about ten hotels had been harmed by the attack, it has now become known that POS terminals in more than 1,000 of its establishments were infected. In its statement, the company confirmed problems with cards used for payment between September 29 and December 29, 2016. The company also explained that it had no information about unauthorized access to payment information after December 29, but there was no confirmation that the malware had been completely eradicated until March 2017. The affected hotel chains owned by the group include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels and Crowne Plaza.
OneLogin, a service that offers users single sign-on to all their cloud platforms for more convenient and secure operation, was itself, ironically, hacked. The company said on its blog that it had been attacked: hackers managed to infiltrate its US data center, accessing databases and exposing user information, applications and passwords.
Beginning June 1, Google began offering higher rewards to those who find the most serious (previously undetected) security vulnerabilities in its products. The top reward increased from 50,000 to 200,000 dollars and the second from 30,000 to 150,000.
A vulnerability (CVE-2017-6975) in the firmware of Broadcom Wi-Fi HardMAC SoC chips, which manifests itself when reconnecting to a Wi-Fi network, forced Apple to release an iOS update (10.3.1).
However, this vulnerability affects not only the iPhone and iPad but also other mobile devices (for example, Samsung or Google Nexus), which received a new security update in April to address the problem.
Internet of things
We have become very comfortable living in an interconnected world. But the conveniences we gain are only one side of the coin.
The other side is connected with various dangers, for example the WannaCry attack, whose impact was far more serious because of how developed the Internet and network technologies have become.
Smart cities, with hyper-high levels of network connectivity and a million networked devices, are a clear example of technology entering our daily lives. Throughout the world, cities are becoming ever “smarter”, and it is projected that by 2020 more than 50 billion devices will be connected to the Internet. This will significantly increase security risks that could negatively affect the operation of urban infrastructure, traffic lights or city water supply systems. In June, WannaCry infected 55 traffic-light and speed cameras in Australia after a subcontractor connected an infected computer to the network they were on. After this incident, the police were forced to cancel 8,000 issued fines.
On April 7 at 23:30, 156 emergency sirens sounded simultaneously in Dallas (Texas, USA). The authorities managed to turn them off only 40 minutes later, after the entire emergency notification system was taken offline. Investigators still do not know who was behind the attack that led to this incident.
Recently, a new vulnerability affecting Mazda cars appeared. However, unlike the other car hacking cases we have seen in the past, exploiting it requires inserting a “flash drive” while the engine is running in a certain mode.
The “Shadow Brokers” hacker group plans to continue publishing materials stolen from the NSA, so the cyber arms race will only intensify. In this regard, home and corporate users will need to take additional security measures.
The greatest risk of infection is faced by home users and small businesses. Among the countries most at risk from unknown threats are El Salvador, Brazil, Bangladesh, Honduras, Russia, and Venezuela.
WannaCry and Petya showed us that governments around the world may not hesitate to “press the button” when they deem it necessary to launch a cyber attack. Everyone who uses the Internet and a device connected to it can eventually become a victim of a global cyber war. We therefore urge all the world’s states to look for ways to conclude an international treaty (a kind of analog of the Geneva Convention) to limit the ability of states to carry out cyber attacks.
Ransomware attacks are still on the rise, and the only explanation is that victims are still paying the ransom; otherwise, attacks of this kind would have died out. It is up to all of us to put an end to this insanity: on the one hand, we must protect ourselves reliably from threats so as not to become victims, and on the other hand, always keep a backup of our data so that we never have to pay a ransom.
The most popular exploits for launching so-called “zero-day” attacks target vulnerabilities not yet known to software vendors. Insider attacks also pose a huge risk to home and corporate users, as do attacks on POS terminals.
The constant growth in the number of Internet connections, from mobile devices to all kinds of Internet-connected things, significantly raises the number of attacks to levels we have never encountered before.
This trend will continue. Soon tens of billions of devices will be connected to the Internet, and that number will only grow.
Traditional security solutions are still effective in protecting against most malware, but they cannot counter attacks that use non-malicious tools and other advanced techniques.
We need to use security solutions that match the level of the threats we face. EDR solutions (Endpoint Detection & Response: detecting attacks on endpoints and responding to them) such as Adaptive Defense are the only solutions that can provide all the tools needed to protect against new threats and complex attacks.
Many government agencies, private companies, and public organizations around the world have already relied on the strategy we propose, making Adaptive Defense the best-selling security solution in the history of Panda Security. Large corporations in various sectors of the economy (finance, IT, defense, energy, etc.) protect their systems with the help of Adaptive Defense.