The experts at Positive Technologies have released their cybersecurity threatscape findings for the third quarter of 2019. The main trends highlighted in the report include an increase in the number of unique cyber incidents, a large amount of activity by APT groups engaged in targeted attacks, and data theft appearing as an attack motive twice as often as direct financial gain.
Criminals pick their targets
The top trend experts identified is that targeted attacks continue to outnumber mass attacks. Targeted attacks accounted for 65 percent of the total in Q3, compared to 59 percent in Q2. The most common targets for attackers are governments, industry, finance, science, and education.
In Q3, the share of cyberattacks aimed at data theft grew to 61 percent of all attacks on organizations and 64 percent of all attacks on individuals (compared to 58% and 55%, respectively, in the second quarter). The share of attacks with direct financial motivation was 31 percent.
One out of five attacks was directed against individuals. Almost half (47%) of all data stolen from individuals consisted of credentials (usernames and passwords). In attacks on organizations, personal data made up 25 percent of all stolen information.
Changing attack methods
Positive Technologies noted a reduction in cryptocurrency miner attacks, to just 3 percent of attacks against organizations and 2 percent of attacks against individuals. This may be due to the gradual transition by attackers to malware with multifunction capabilities. One example is the Clipsa Trojan, which can stealthily mine cryptocurrency, steal passwords, tamper with addresses of cryptocurrency wallets, and launch brute-force attacks against WordPress sites.
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, said: “Social engineering remains as popular as ever among attackers, and actually almost doubled in use between Q2 and Q3 - from 37 percent to 69 percent. Cybercriminals steal millions by forging messages and sending phishing emails. They present themselves as belonging to a trusted company and send an invoice with their own bank account number. This has generated some major returns for criminals targeting large organizations. For example, Cabarrus County, North Carolina received an email stating that the account number of the county's construction contractor had changed and - not realizing that the message was a fake - the county transferred $2.5 million to an account belonging to cybercriminals instead of the contractor.
“Malware infections are increasing as well. Three quarters of attacks on organizations, and almost two thirds of attacks on individuals, involved malware infections. While infection of corporate infrastructure usually starts with a phishing email, infection of individuals tends to involve compromised websites, as was the case in 35 percent of attacks on individuals.”
Organized cyber crime
During the quarter, the PT Expert Security Center (PT ESC) regularly detected attacks by APT group TA505. The group's arsenal includes Dridex (a banking Trojan), Cryptomix (ransomware signed with certificates issued to dummy legal entities), ServHelper and FlawedAmmyy (remote administration Trojans), as well as Upxxec (a plugin able to detect and disable a large range of antivirus software). The PT ESC also detected attacks by APT groups such as RTM, Cobalt, Bronze Union, APT-C-35, KONNI, and Gamaredon.
Positive Technologies also found in late summer that Emotet, one of the world's largest botnets, resumed operations after a lull of several months. The botnet's operators offer malware as a service (MaaS): by providing access to Emotet-infected computers, they enable other cybercriminals to infect victims with yet more malware, such as Trickbot and Ryuk.
In the researchers' opinion, the majority of cyberattacks are not made public due to the reputational risks they present. Positive Technologies experts regularly publish their own statistics and research to draw the attention of companies and ordinary individuals who care about the state of information security to the key motives and methods of cyberattacks, and to highlight the main trends in the changing cyberthreat landscape.