Kaspersky Security Bulletin 2015: Threats evolved as predicted

As the year wraps up, Kaspersky Lab released its reports on the overall status of global cybersecurity.

As the year wraps up, Kaspersky Lab released its reports on the overall status of global cybersecurity. Meet “Kaspersky Security Bulletin 2015. Evolution of cyber threats in the corporate sector”.

Corporate-related figures

  • In 2015, one or more malware attacks were blocked on 58% of corporate computers, a rise of 3 percentage points from the previous year.
  • 29% of computers – i.e. almost every third business-owned computer – were subjected to one or more web-based attacks.
  • Malware exploiting vulnerabilities in office applications was used 3 times more often than in attacks against home users.
  • File antivirus detection was triggered on 41% of corporate computers (objects were detected on the computers themselves or on removable media connected to them: flash drives, memory cards, telephones, external hard drives, or network disks).

APTs and future

The defining feature of 2015 was APT-type attacks targeted against businesses. This was predicted last year, and the prediction proved correct. Whereas previous APTs were launched (or sponsored) by nation states, this year targeted attacks and campaigns were observed hitting financial organizations such as banks, funds and exchange-related companies, including cryptocurrency exchanges. Clearly, criminal APT operators were mostly interested in financial gain (see our reports on Carbanak and Grabit, for instance).

This does not mean, however, that data-gathering and cyberespionage campaigns have faded into the background. They are still there, too.

For 2016, APTs are predicted to transform into something else: according to Kaspersky Lab’s GReAT team, APTs will be replaced by deeper, embedded attacks that are harder to detect and trace back to the perpetrators, as cybercriminals will gladly drop both the “advanced” and “persistent” elements for the sake of overall stealth. Furthermore, the “APT theater” will grow as more and more “commercially motivated” players (including hackers-for-hire) arrive. These will prefer repurposing off-the-shelf malware to minimize their initial investments.

Tools o’thievery

Securelist’s new report also provides a lot of statistical insight into corporate-oriented attacks of 2015. For instance, more than half of the web-based attacks were executed via malicious URLs (i.e. infected websites), while the Top 10 of web-based malicious programs consists almost exclusively of objects used in drive-by attacks.

Local threats are topped by a rather vague definition – DangerousObject.Multi.Generic. In fact, this is an umbrella verdict for various malicious programs that were detected with the help of cloud technologies.

Cloud technologies come into play when the antivirus databases do not yet contain signatures or heuristics to detect a malicious program, but the company’s cloud antivirus database already includes information about the object. When a client company cannot send statistics to the cloud, Kaspersky Private Security Network is used instead, so that network computers still receive protection from the cloud.

Attacked in a different manner

Summing up, Securelist points out the following peculiarities of attacks on corporate users:

  • exploits for vulnerabilities found in office applications are used three times more often than in attacks on home users;
  • use of malicious files signed with valid digital certificates;
  • use of legitimate programs in attacks, allowing the attackers to go undetected for longer.

A rapid growth in the number of corporate user computers attacked by encryptor programs (i.e. ransomware) was also observed this year. In 2015, Kaspersky Lab solutions detected ransomware on more than 50,000 computers in corporate networks, double the figure for 2014. The emergence of Linux encryption malware is intriguing and troubling at the same time.

A detailed report is available at this link. It also covers yet another widespread problem – attacks on PoS terminals. But this topic will be covered separately next week.

Stay tuned.