Positive Technologies experts have analysed network activity of large companies (with over 1000 employees) in the key economic areas of Eastern European countries [1]. Advanced network traffic analysis revealed suspicious activity in 97 percent of companies, and malware activity in 81 percent of companies.
The main evidence of potential compromise was suspicious activity in the company's network traffic (97 percent of companies). In 64 percent of cases this was traffic hiding: VPN tunneling, connections to the Tor anonymity network, or proxying. In one in every three companies there were traces of scans of the internal network, which could mean that attackers are gathering intelligence inside the infrastructure. This includes network scans, multiple failed attempts to connect to hosts, and traces of reconnaissance of active network sessions on a specific host or across the entire domain.
"Traffic hiding is risky, because when the employees connect to Tor, set up proxy servers, and set up VPNs to bypass website blocking, the hackers can use the same technologies to communicate with command and control servers," says Evgeny Gnedin, Head of Information Security Analytics at Positive Technologies. "The attackers can use that to control the malware and trigger a payload attack."
This concern is backed by the findings: in 81 percent of companies, advanced network traffic analysis detected malware activity, such as miners (55 percent of the total number of infected companies), adware (28 percent), and spyware (24 percent). Around half (47 percent) of companies were plagued with several different types of malware.
The Positive Technologies specialists believe that the non-compliance with information security policies found in 94 percent of companies directly degrades security, effectively opening the door for attackers. In 81 percent of companies, sensitive data is transmitted in cleartext, allowing a potential attacker to search the traffic for logins and passwords moving between corporate resources. 67 percent of companies use remote access software, such as RAdmin, TeamViewer, and Ammyy Admin. Once inside the infrastructure, an attacker can use these tools to move laterally across the network while remaining undetected by security tools.
Employees at 44 percent of companies use the BitTorrent protocol to transfer data, for instance to download movies. The experts point out that, in addition to placing extra load on the communication link and reducing its throughput, this increases the risk of malware infection. For example, torrents were used to distribute STOP ransomware, and the APT37 group weaponised a YouTube video downloader app with the KARAE backdoor and distributed it on torrent websites.
The vast majority of threats (92 percent) were detected inside the perimeter. The experts believe this emphasises that internal network monitoring, to ensure timely detection and response, is just as important as preventing attacks on the perimeter. This includes network traffic analysis, which can help detect attackers in the early stages of an attack.
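As an added illustration (not the study's tooling or the logic of PT Network Attack Discovery), the Python sketch below applies the indicator classes the report names (traffic hiding, internal scanning via repeated failed connections, cleartext credentials, remote-admin tools) to constructed flow records; the port numbers, the 10.0.0.0/8 internal range and the scan threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values, not from the report: the internal range, common Tor relay
# and proxy ports, default ports of two remote-admin tools, scan threshold.
# A real deployment would match Tor against a relay list, not ports alone.
INTERNAL_NET = ip_network("10.0.0.0/8")
TOR_PORTS = {9001, 9030}
PROXY_PORTS = {1080, 3128, 8080}
REMOTE_ADMIN_PORTS = {5938: "TeamViewer", 4899: "RAdmin"}
SCAN_THRESHOLD = 5  # distinct failed internal targets from one source

# Constructed flow records: source, destination, port, outcome, payload excerpt.
FLOWS = [
    {"src": "10.0.1.5", "dst": "10.0.2.%d" % i, "dport": 445, "ok": False, "payload": ""}
    for i in range(1, 8)  # one host probing seven SMB targets, all refused
] + [
    {"src": "10.0.1.9", "dst": "203.0.113.7", "dport": 9001, "ok": True, "payload": ""},
    {"src": "10.0.1.9", "dst": "10.0.5.20", "dport": 5938, "ok": True, "payload": ""},
    {"src": "10.0.1.12", "dst": "10.0.3.3", "dport": 80, "ok": True,
     "payload": "GET /admin HTTP/1.1\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n"},
    {"src": "10.0.1.12", "dst": "10.0.3.4", "dport": 21, "ok": True,
     "payload": "USER bob\r\nPASS s3cret\r\n"},
    {"src": "10.0.1.30", "dst": "10.0.3.5", "dport": 443, "ok": True, "payload": ""},
]

def is_internal(addr):
    return ip_address(addr) in INTERNAL_NET

def analyse(flows):
    """Return {indicator: sorted findings} for the indicator classes in the report."""
    failed_targets = defaultdict(set)
    findings = defaultdict(set)
    for f in flows:
        src, dst, port, p = f["src"], f["dst"], f["dport"], f["payload"]
        if not f["ok"] and is_internal(dst):          # candidate scan traffic
            failed_targets[src].add((dst, port))
        if not is_internal(dst) and port in TOR_PORTS | PROXY_PORTS:
            findings["traffic_hiding"].add((src, dst, port))
        if port in REMOTE_ADMIN_PORTS:
            findings["remote_admin"].add((src, REMOTE_ADMIN_PORTS[port]))
        if "Authorization: Basic" in p or "\nPASS " in p:  # HTTP Basic / FTP login
            findings["cleartext_credentials"].add((src, dst, port))
    for src, targets in failed_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings["internal_scan"].add((src, len(targets)))
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for indicator, hits in analyse(FLOWS).items():
        print(indicator, hits)
```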
[1] The study was carried out in 2019 as part of PT Network Attack Discovery pilot projects.