Positive Technologies Research: UK faces a third of global cyber incidents

US is top, with Russia second, in list of countries experiencing the most cyber incidents

Forty-one percent of cyber incidents occurred in the U.S.; the number of ransom trojans is set to grow because of "ransomware as a service" offerings; and DDoS attack capacity is rising because of vulnerabilities in smart devices. These observations and forecasts are explained in detail in new Positive Technologies research on the latest cyberthreats, based on Q1 2017 data.

The most attacked country in Q1 was the U.S. (41% of all attacks), followed by Russia (10%) and Great Britain (7%). In total, at least 26 countries across the world suffered cyberattacks. A large share of attacks targeted state institutions (20%), which may reflect the heightened political climate, both external and internal, in many countries. One in every nine attacks was aimed at social networks, search engines, e-commerce, and other online services (11%). Finance fared slightly better, with 9% of all incidents traced back to banks. These top three sectors are followed by education (8%), healthcare and services (7% each), industry (5%), and the military (3%).

Positive Technologies security experts reviewed every incident from two angles: what was attacked and how it was attacked. By target, most attacks were aimed at corporate IT infrastructure (40% of all attacks). Attackers were primarily after sensitive information (such as personal data and bank card holder data) that can be sold on the black market. However, the experts note that cybercriminals appear to be losing interest in personal data, which has driven its price down, most likely because the market is glutted. In the UK, Lloyds Banking Group experienced a DDoS attack in which the attackers demanded 100 bitcoins (about $90,000 at the time of the attack) to stop the onslaught.

The second most common type of attack targets web applications (33%), which offer attackers numerous opportunities, from obtaining sensitive information to penetrating a company intranet. Most web attacks exploited vulnerable components (outdated libraries and CMS platforms), although some exploited vulnerabilities in the web applications themselves.

The number of attacks on POS terminals also increased significantly (3% of all attacks): almost six times higher than in Q1 2016, and already equal to 63% of all attacks of this type recorded in 2016. Attackers used remote administration tools and trojans.

Among the most commonly used attack methods, malware deserves mention first. Experts at Positive Technologies have seen a significant rise in the popularity of "ransomware as a service": malware authors increasingly do not attack organizations directly but instead sell their trojans to criminal groups. Under this model the malware developers are paid for each trojan they create, and rather than spending time carrying out attacks themselves, they leave the 'grunt' work to the criminals who buy the trojan, freeing the developers to work on their next creation.

As for DDoS attacks, their capacity increased significantly in Q1 2017 as more and more IoT devices were recruited into botnets. For example, the new malware ELF_IMEIJ.A, detected in March 2017, targeted IP cameras, video surveillance systems, and AVTech network recording devices. In addition, more than 185,000 vulnerable IP cameras were discovered that could also become part of a new botnet.

"Attackers do not observe weekends or holidays, and our experience tells us the number of attacks will increase by the end of the year. While implementing an attack, they frequently use known vulnerabilities and similar methods. Therefore, it is important to detect and fix vulnerabilities without delay and improve the protection systems implemented, introducing effective solutions used for intrusion detection and prevention. It is also critical to support and develop centers that counter cyberthreats in all spheres. This approach ensures prompt exchange of information about cyber incidents and quite often helps to avoid significant losses," comments Olga Zinenko, an analyst at Positive Technologies.