Kaspersky Lab’s Threat Review for 2016: servers for sale, global botnets and a strong focus on mobile
In 2016, the world’s biggest cyberthreats were related to money, information and a desire to disrupt
In 2016, the world’s biggest cyberthreats were related to money, information and a desire to disrupt. They included the underground trade of tens of thousands of compromised server credentials, hijacked ATM systems, ransomware and mobile banking malware – as well as targeted cyberespionage attacks and the hacking and dumping of sensitive data. These trends, their impact and the supporting data are covered in the annual Kaspersky Security BulletinReviewandStatisticsreports, published today.
In 2016 Kaspersky Lab research also discovered the extent to which companies struggle to quickly spot a security incident: 28.7% said it took them several days to discover such an event, while 19% admitted it took weeks or more. For a small but significant minority of 7.1%, it took months. Among those that struggled most, eventual discovery often came about through an external or internal security audit, or an alert from a third party, such as a client or a customer. Further details on how a delay in detection impacts business recovery costs can be found in the Executive Summary of the review.
Other things we learned in 2016:
That the underground economy is bigger and more sophisticated than ever: just look at xDedic – the shady marketplace for more than 70,000 hacked server credentials that allowed anyone to buy access to a hacked server, for example one located in an EU country’s government network, for as little as $6.
That the biggest financial heist did not involve a stock exchange as expected: instead it used SWIFT-enabled transfers to steal $100 million
That critical infrastructure is worryingly vulnerable on many fronts: as revealed at the end of 2015 and into 2016 by the BlackEnergy cyberattack on the Ukrainian energy sector that included disabling the power grid, wiping data and launching a DDoS attack. In 2016 Kaspersky Lab experts investigated industrial control threats and discovered thousands of hosts around the world exposed to the Internet, with 91.1% carrying vulnerabilities that can be exploited remotely.
That a targeted attack can have no pattern: shown by the ProjectSauron APT, an advanced, modular cyberespionage group that customized its tools for each target, reducing their value as Indicators of Compromise (IoCs) for any other victim.
That the online release of vast volumes of data can directly influence what people think and believe: as evidenced by the ShadowBrokers and other personal and political data dumps.
That a camera or DVD player could become part of a global Internet-of-things cyber-army: as the year ends it is clear that the Mirai-powered botnet attacks are only the beginning.
“The number and range of cyberattacks and their victims seen in 2016 has put the subject of better detection at the top of the business agenda. Detection is now a complex process that requires security intelligence, a deep knowledge of the threat landscape, and the skills to apply that expertise to each individual organization. Our analysis of cyberthreats over the years has revealed both patterns and unique approaches. This accumulated understanding underpins our active defense tools, as we believe protection technologies should be powered by security intelligence. It also sits at the heart of our growing number of partnerships and collaborations. We use the past to prepare for the future, so that we can continue to protect our customers from undetected threats, before they do any harm,” said David Emm, Principal Security Researcher, Kaspersky Lab.
The notable statistics for the year include:
36% of online banking attacks now target Android devices, up from just 8% in 2015.
262 million URLs were recognized as malicious by Kaspersky Lab products, and there were 758 million malicious online attacks launched across the world – with one in three (29%) originating in the US and 17% in the Netherlands.
Eight new families of Point-of-Sale and ATM malware appeared – a rise of 20% on 2015.
Attackers made use of the Google Play Store to distribute Android malware, with infected apps downloaded hundreds of thousands of times.
The Kaspersky Security Bulletin for 2016 comprises the following documents:
Kaspersky Lab researchers monitoring the various clusters of the long standing, Russian-speaking threat actor, Turla (also known as Snake or Uroburos) have discovered that the most recent evolution of its KopiLuwak malware is delivered to victims using code nearly identical to that used just a month earlier by the Zebrocy operation