DOCSLIB.ORG

Attack Landscape H2 2019

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Attack Landscape H2 2019 ATTACK LANDSCAPE H2 2019 2019 wrapped up with high-impact ransomware attacks on enterprises, as well as continued high rates of attack traffic throughout our global network of honeypots. Honeypot traffic was driven by action aimed at the SMB and Telnet protocols, indicating continued attacker interest in the Eternal Blue vulnerability as well as plenty of infected IoT devices. The end of the year also served as the end of the decade, prompting a look back at where we’ve come since 2010. In this report, we cover the attack traffic seen by our global network of honeypots over the last six months of 2019, as well as malware seen by our customer endpoints throughout the year. We also take a trip down memory lane, revisiting cyber security highlights of the decade. Attack Landscape H2 2019 2 HONEYPOT ATTACK TRAFFIC: WHO’S AFTER WHO? In the first half of 2019, we documented1 a jump in cyber attack traffic to our global network of honeypots from millions of hits to 2.9 billion. In the second half of the year, this frenetic pace of attack traffic continued but at a slightly reduced rate, with 2.8 billion hits to our servers. DDoS attacks drove this deluge, accounting for two thirds of the traffic. Total Global Honeypot Attacks Per Period H1 2019 H2 2019 2900 M 2800 M Our honeypots are decoy servers set up in countries around the world to gauge trends and patterns in the global cyber attack landscape. Because honeypots are decoys not otherwise meant for real world use, an incoming connection registered by a honeypot is either the result of a mistyped IP address, which is rather uncommon, or of the service being found during an attacker’s scans of the network or the internet. 99.9% of traffic to our honeypots is automated traffic coming from bots, H2 2018 malware and other tools. Attacks may come from any sort of infected connected device – a traditional computer, smartwatch or even IoT H2 2017 813 M 546 M toothbrush can be a source. H1 2018 H1 2017 231 M 246 M 1 https://blog.f-secure.com/attack-landscape-h1-2019-iot-smb-traffic-abound/ Attack Landscape H2 2019 3 The country whose IP space played host to the greatest number of attacks was the US, followed by China and Russia. Germany, a regular to the top 10 list, dropped off the list to number 12 with 43 million attacks, while attacks from Ukraine’s IP space were enough to replace Germany in the number four spot. Top Source Countries H2 2019 Top Source Countries H1 2019 USA Top targeted port: 23 556 M China 702 M China Top targeted port: 1433 430 M United States 479 M Russia 22 335 M Russia 381 M Ukraine 445 121 M Germany 155 M Philippines 445 91 M Philippines 129 M United Kingdom 23 80 M Ukraine 92 M Singapore 445 78 M Netherlands 56 M Hong Kong 445 65 M Brazil 52 M France 23 55 M Armenia 45 M Netherlands 22 46 M India 44 M The list of source countries must be taken with a grain of salt, as attackers can route their attacks through proxies in other countries to avoid identification by authorities. In addition, we do not mean to imply that this activity is predominantly nation-state behavior. The majority of these attacks are instigated by cyber criminals who are carrying out DDoS attacks and sending malware for financial gain. Attack Landscape H2 2019 4 Top Destination Countries H2 2019 Top Destination Countries H1 2019 United Ukraine 357 M States 296 M China 239 M Austria 294 M Austria 230 M Ukraine 276 M United United States 190 M Kingdom 185 M Netherlands 185 M Netherlands 160 M Poland 161 M Italy 159 M United Kingdom 136 M Nigeria 119 M Italy 136 M Poland 109 M Hungary 107 M Czechia 104 M Bulgaria 89 M Ireland 94 M Ukraine was the top attack destination, followed by China, Austria and the US. The top aggressors hitting the Ukraine were the United States, the Ukraine itself, and Russia. In the number two spot, the top countries hitting China were China itself, the United States and France, while Austria was hit by China, Russia and the United States. Attacks hitting the United States came from primarily the US, followed by Russia and China. Attack Landscape H2 2019 5 PORTS AND PROTOCOLS Top TCP Ports Targeted H2 2019 SMB port 445 took the position as most-targeted port over the period, indicating that, as in the first half of the year, attackers are still keen to use SMB worms and exploits 445 - SMB 526 M such as Eternal Blue. For example, Trickbot, one of the top spam payloads we observed 23 - Telnet 523 M hitting endpoint devices, leverages Eternal Blue as a means of spreading. There were 526 22 - SSH 490 M million hits on SMB this period, slightly less than the previous period’s 556 million. 1433 - MSSQL 165 M 23145 8.3 M Top sources of SMB traffic 80 - HTTP 3.9 M 20 - FTP 3.3 M 3306 - MySQL 2.6 M 25 - SMTP 1.5 M 3389 - RDP 0.7 M Russia Top TCP Ports Targeted H1 2019 38 M 23 - Telnet 760 M 445 - SMB 556 M China 22 - SSH 456 M 81 M 1433 - MSSQL 260 M 3306 - MySQL 7.4 M Vietnam Venezuela 80 - HTTP 3.8 M 37 M 7547 - CWMP 2.3 M 41 M 25 - SMTP 1.7 M Philippines 20 - FTP 0.6 M 85 M 1 -agent 0.6 M Attack Landscape H2 2019 6 Telnet was a close second with 523 million hits. While that’s a reduction Malware found in honeypots from a high of 760 million in H1 of 2019, it’s a continued indicator that attacks on an ever-growing pool of IoT devices are still going strong. The ease with which attackers can acquire tools such as Mirai, which enable high-volume, low-sophistication attacks, continues to result in the Other:Malware-gen [Trj] compromise of large numbers of these poorly secured devices. Trojan.Linux.Mirai.K!c Backdoor.Linux.asqp Top sources of Telnet hits HEUR:Backdoor.Linux.Mirai.b UK Backdoor.Linux.Mirai.wan 19 M France HEUR:Backdoor.Linux.Mirai.ba 16 M Bulgaria United States 247 M 17 M Armenia Trojan.Linux.Mirai 26 M Most of the malicious traffic we see today is generated by Linux-based malware like Mirai. Attack Landscape H2 2019 7 SSH on port 22 followed with 490 million hits. SSH enables secure remote SQL-related attacks, which represent database attacks common in data breaches access and is commonly associated with full administrative access, as well as as well as attempts to spread cryptocurrency miners, remote access backdoors and IoT devices. Attacks against SSH represent attempts to brute force credentials, ransomware, followed, with China the overwhelming source of attacks on MSSQL. which are too often vendor default credentials of applications and devices. Russia, as usual, played host to the source of most of these attacks. Top Sources of SSH hits Top 10 Passwords used in honeypots admin taZz@23495859 vizxv 12345 default password Russia 263 M 1001chin ttnet Netherlands 29 M sh root Ireland 36 M Germany 29 M A great way to see what attackers are interested in is to check out the list of passwords they use. The everpresent “admin” is predictably in first place. The number two password of the period, “vizxv,” is a default for Dahua DVRs, and two other passwords on the list, “1001chin” and “taZz@23495859” represent the factory defaults for other Bulgaria 14 M embedded devices such as routers. Brute forcing factory default usernames and passwords of IoT devices continues to be an effective method for recruiting these devices into botnets that can be used in DDoS attacks. Attack Landscape H2 2019 8 THE YEAR IN MALWARE When it comes to malware, we turn to our customer endpoints to see what’s happening in the wild. In 2019, we identified four main infection vectors for the malware samples we have observed, most of which are ransomware variants. The most popular delivery method by far was via email and spam, which accounted for 43%. Nearly a quarter were second stage/followup payloads or were delivered manually through brute force or RDP attacks. We also saw delivery through exploit kits and malvertising as well as software cracks, fake installers, and bundled applications. Malware distribution methods 24% 43% Manually Installed / Email/Spam Second Stage Payload 10% Software Cracks / 10% Fake Installers / Exploit Kits / Bundled Applications Malvertising Attack Landscape H2 2019 9 With spam being the delivery method preferred by attackers, we saw three main types Spam payloads of malicious attachments, the most common being PDF attachments. ZIP files were also quite common. Malicious Word and Excel macro documents were also steady throughout the year, mainly serving as downloaders for malicious binaries such as emotet 18.69% Emotet, one of the most prevalent threats of the year. lokibot 12.34% remcos 8.32% Spam attachment file types agenttesla 7.76% Other trickbot 6.26% IMG/ISO 9% 2% azorult 5.23% Excel macro documents PDF formbook 5.23% 34% 7% ursnif 5.14% HTM/HTML hawkaye 4.95% 10% troldesh 4.67% nanocore 4.3% gandcrab 3.83% Word macro documents ZIP 21% 17% Emotet was observed in about 19% of first stage payloads. We also noticed a new trend in ISO and IMG files containing malicious executables. While low Like Emotet, Trickbot is delivered through malicious macro documents and has in volume, the trend was consistent throughout the year, probably because of its effectiveness infostealing capabilities.
Load more

Recommended publications
  • Ransom Where?
    Ransom where? Holding data hostage with ransomware May 2019 Author With the evolution of digitization and increased interconnectivity, the cyberthreat landscape has transformed from merely a security and privacy concern to a danger much more insidious by nature — ransomware. Ransomware is a type of malware that is designed to encrypt, Imani Barnes Analyst 646.572.3930 destroy or shut down networks in exchange [email protected] for a paid ransom. Through the deployment of ransomware, cybercriminals are no longer just seeking to steal credit card information and other sensitive personally identifiable information (PII). Instead, they have upped their games to manipulate organizations into paying large sums of money in exchange for the safe release of their data and control of their systems. While there are some business sectors in which the presence of this cyberexposure is overt, cybercriminals are broadening their scopes of potential victims to include targets of opportunity1 across a multitude of industries. This paper will provide insight into how ransomware evolved as a cyberextortion instrument, identify notorious strains and explain how companies can protect themselves. 1 WIRED. “Meet LockerGoga, the Ransomware Crippling Industrial Firms” March 25, 2019; https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/. 2 Ransom where? | May 2019 A brief history of ransomware The first signs of ransomware appeared in 1989 in the healthcare industry. An attacker used infected floppy disks to encrypt computer files, claiming that the user was in “breach of a licensing agreement,”2 and demanded $189 for a decryption key. While the attempt to extort was unsuccessful, this attack became commonly known as PC Cyborg and set the archetype in motion for future attacks.
    [Show full text]
  • Monthly Threat Report November 2020
    NTT Ltd. Global Threat Intelligence Center Monthly Threat Report November 2020 hello.global.ntt report | GTIC Monthly Threat Report: November 2020 Contents Feature article: Security in the app economy 03 Spotlight article: The Trickbot takedown 07 Spotlight article: Snapshot of threats to retail 08 About NTT Ltd.’s Global Threat Intelligence Center 09 2 | © Copyright NTT Ltd. hello.global.ntt report | GTIC Monthly Threat Report: November 2020 Security in the app economy Lead Analyst: Zach Jones, Sr. Director of Detection Research, WhiteHat Security, US It used to be simple; a retailer Attack vectors and security spending when organizations are trying to enable was a retailer and a bank was are misaligned customer access in our ‘there’s an app for that’ world. The problem is that a bank. Initially, the role of According to our 2020 NTT Ltd. represents a pipeline where benign and Global Threat Intelligence Report, 33% software in non-technology malicious traffic alike enter networks of observed attacks globally were sectors stayed behind the straight through firewalls and DMZs. The application-specific and 22% of attacks protocol was never designed for secure scenes, supporting the core were web-application based. This means application delivery so building HTTP competencies of that industry, a total of 55% of attacks detected globally applications is prone to error. Threat like inventory management occurred at the application layer. for retailers and account actors will continue to abuse these virtual According to Gartner Group, the 2020 front doors and windows. They are easy management for banks. Security Market Segment spend is to access and are often the weakest link This is no longer the case.
    [Show full text]
  • CYBER ATTACK TRENDS Mid Year Report 2021 CONTENTS
    CYBER ATTACK TRENDS Mid Year Report 2021 CONTENTS 04 EXECUTIVE SUMMARY 07 TRIPLE EXTORTION RANSOMWARE—THE THIRD-PARTY THREAT 11 SOLARWINDS AND WILDFIRES 15 THE FALL OF AN EMPIRE—EMOTET’S FALL AND SUCCESSORS 19 MOBILE ARENA DEVELOPMENTS 2 22 COBALT STRIKE STANDARDIZATION 26 CYBER ATTACK CATEGORIES BY REGION 28 GLOBAL THREAT INDEX MAP 29 TOP MALICIOUS FILE TYPES—WEB VS. EMAIL CHECK POINT SOFTWARE MID-YEAR REPORT 2021 31 GLOBAL MALWARE STATISTICS 31 TOP MALWARE FAMILIES 34 Top Cryptomining Malware 36 Top Mobile Malware 38 Top Botnets 40 Top Infostealers Malware 42 Top Banking Trojans 44 HIGH PROFILE GLOBAL VULNERABILITIES 3 47 MAJOR CYBER BREACHES (H1 2021) 53 H2 2021: WHAT TO EXPECT AND WHAT TO DO 56 PREVENTING MEGA CYBER ATTACKS 60 CONCLUSION CHECK POINT SOFTWARE MID-YEAR REPORT 2021 EXECUTIVE SUMMARY CHECK POINT SOFTWARE’S MID-YEAR SECURITY REPORT REVEALS A 29% INCREASE IN CYBERATTACKS AGAINST ORGANIZATIONS GLOBALLY ‘Cyber Attack Trends: 2021 Mid-Year Report’ uncovers how cybercriminals have continued to exploit the Covid-19 pandemic and highlights a dramatic global 93% increase in the number of ransomware attacks • EMEA: organizations experienced a 36% increase in cyber-attacks since the beginning of the year, with 777 weekly attacks per organization • USA: 17% increase in cyber-attacks since the beginning of the year, with 443 weekly attacks per organization • APAC: 13% increase in cyber-attacks on organizations since the beginning of the year, with 1338 weekly attacks per organization In the first six months of 2021, the global rollout of COVID-19 vaccines gave hope that we will be able to live without restrictions at some point—but for a majority of organizations internationally, a return to pre-pandemic ‘norms’ is still some way off.
    [Show full text]
  • Internet Security Threat Report Volume 24 | February 2019
    ISTRInternet Security Threat Report Volume 24 | February 2019 THE DOCUMENT IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENT. THE INFORMATION CONTAINED IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. INFORMATION OBTAINED FROM THIRD PARTY SOURCES IS BELIEVED TO BE RELIABLE, BUT IS IN NO WAY GUARANTEED. SECURITY PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT (“CONTROLLED ITEMS”) ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER FOR YOU TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT SUCH CONTROLLED ITEMS. TABLE OF CONTENTS 1 2 3 BIG NUMBERS YEAR-IN-REVIEW FACTS AND FIGURES METHODOLOGY Formjacking Messaging Cryptojacking Malware Ransomware Mobile Living off the land Web attacks and supply chain attacks Targeted attacks Targeted attacks IoT Cloud Underground economy IoT Election interference MALICIOUS
    [Show full text]
  • Security Now! #664 - 05-22-18 Spectreng Revealed
    Security Now! #664 - 05-22-18 SpectreNG Revealed This week on Security Now! This week we examine the recent flaws discovered in the secure Signal messaging app for desktops, the rise in DNS router hijacking, another seriously flawed consumer router family, Microsoft Spectre patches for Win10's April 2018 feature update, the threat of voice assistant spoofing attacks, the evolving security of HTTP, still more new trouble with GPON routers, Facebook's Android app mistake, BMW's 14 security flaws and some fun miscellany. Then we examine the news of the next-generation of Spectre processor speculation flaws and what they mean for us. Our Picture of the Week Security News Update your Signal Desktop Apps for Windows & Linux A few weeks ago, Argentinian security researchers discovered a severe vulnerability in the Signal messaging app for Windows and Linux desktops that allows remote attackers to execute malicious code on recipient systems simply by sending a message—without requiring any user interaction. The vulnerability was accidentally discovered while researchers–amond them Juliano Rizzo–were chatting on Signal messenger and one of them shared a link of a vulnerable site with an XSS payload in its URL. However, the XSS payload unexpectedly got executed on the Signal desktop app!! (Juliano Rizzo was on the beach when the BEAST and CRIME attacks occurred to him.) After analyzing the scope of this issue by testing multiple XSS payloads, they found that the vulnerability resides in the function responsible for handling shared links, allowing attackers to inject user-defined HTML/JavaScript code via iFrame, image, video and audio tags.
    [Show full text]
  • Global Security Report End Year 2020 Executive Summary
    Global Security Report End Year 2020 Executive Summary The Zix | AppRiver Global Security Report for 2020 highlights the threats and trends Zix | AppRiver Security analysts saw throughout the year. In 2020, analysts saw attackers shift their tactics to take advantage of the unprecedented situation the world faced due to the Covid-19 pandemic. These attacks: • Aimed to take advantage of uncertainty surrounding the pandemic and the shift to “work from home” throughout much of the year. • Leveraged other world events, like the contentious US election, to distribute their attacks. • Multiplied "living off the land” attacks across many new and otherwise legitimate services. • Continued shift from high volume email blasts to a much more focused and customized attack style. • Posed impersonation attacks as internal executive communications and were persistent throughout 2020. In this report, we will take a deep dive into many of the threats and trends we saw in email security as well as discuss examples of prevalent attacks and explore potential impacts. Introduction Threat actors have always leveraged both local and world events to help spread their attacks. Never more so than in 2020. Early in the year, as the global pandemic came to fruition, attackers began launching spam, phishing and malware attacks utilizing interest in the pandemic. It wasn’t long before they had begun crafting attacks centered around the surge in remote work. Later in the year they took advantage of the contentious US Election cycle to distribute attacks. In 2020, Attackers continued to embrace the use of more targeted attacks versus the large volume email blasts we have seen in the past.
    [Show full text]
  • 2015 Threat Report Provides a Comprehensive Overview of the Cyber Threat Landscape Facing Both Companies and Individuals
    THREAT REPORT 2015 AT A GLANCE 2015 HIGHLIGHTS A few of the major events in 2015 concerning security issues. 08 07/15: Hacking Team 07/15: Bugs prompt 02/15: Europol joint breached, data Ford, Range Rover, 08/15: Google patches op takes down Ramnit released online Prius, Chrysler recalls Android Stagefright botnet flaw 09/15: XcodeGhost 07/15: Android 07/15: FBI Darkode tainted apps prompts Stagefright flaw 08/15: Amazon, ENFORCEMENT bazaar shutdown ATTACKS AppStore cleanup VULNERABILITY reported SECURITYPRODUCT Chrome drop Flash ads TOP MALWARE BREACHING THE MEET THE DUKES FAMILIES WALLED GARDEN The Dukes are a well- 12 18 resourced, highly 20 Njw0rm was the most In late 2015, the Apple App prominent new malware family in 2015. Store saw a string of incidents where dedicated and organized developers had used compromised tools cyberespionage group believed to be to unwittingly create apps with malicious working for the Russian Federation since behavior. The apps were able to bypass at least 2008 to collect intelligence in Njw0rm Apple’s review procedures to gain entry support of foreign and security policy decision-making. Angler into the store, and from there into an ordinary user’s iOS device. Gamarue THE CHAIN OF THE CHAIN OF Dorkbot COMPROMISE COMPROMISE: 23 The Stages 28 The Chain of Compromise Nuclear is a user-centric model that illustrates Kilim how cyber attacks combine different Ippedo techniques and resources to compromise Dridex devices and networks. It is defined by 4 main phases: Inception, Intrusion, WormLink Infection, and Invasion. INCEPTION Redirectors wreak havoc on US, Europe (p.28) INTRUSION AnglerEK dominates Flash (p.29) INFECTION The rise of rypto-ransomware (p.31) THREATS BY REGION Europe was particularly affected by the Angler exploit kit.
    [Show full text]
  • Government Hacking What Is It and When Should It Be Used?
    Government Hacking What is it and when should it be used? Encryption is a critical component of our day-to-day lives. For much of the world, basic aspects of life rely on encryption to function. Power systems, transport, financial markets, and baby monitors1 are more trustworthy because of encryption. Encryption protects our most vulnerable data from criminals and terrorists, but it can also hide criminal content from governments. Government hacking is one of the approaches national security and law enforcement agencies use to obtain access to otherwise encrypted information (e.g. the FBI hired a hacking company to unlock the iPhone at the center of the San Bernardino case2). It complements their other efforts to obtain exceptional access3 by asking or requiring tech companies to have the technical ability to decrypt users’ content when it is needed for law enforcement purposes. The Internet Society believes strong encryption is vital to the health of the Internet and is deeply concerned about any policy or action that might put that in jeopardy — regardless of its motivation. Government hacking poses a risk of collateral damage to both the Internet and its users, and as such should only ever be considered as a tool of last resort. Government hacking defined We define ‘government hacking’ as government entities (e.g. national security or law enforcement agencies or private actors on their behalf) exploiting vulnerabilities in systems, software, or hardware to gain access to information that is otherwise encrypted, or inaccessible. Dangers of government hacking Exploiting vulnerabilities of any kind, whether for law enforcement purposes, security testing, or any other purpose, should not be taken lightly.
    [Show full text]
  • Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE of CONTENTS 2016 Internet Security Threat Report 2
    Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE OF CONTENTS 2016 Internet Security Threat Report 2 CONTENTS 4 Introduction 21 Tech Support Scams Go Nuclear, 39 Infographic: A New Zero-Day Vulnerability Spreading Ransomware Discovered Every Week in 2015 5 Executive Summary 22 Malvertising 39 Infographic: A New Zero-Day Vulnerability Discovered Every Week in 2015 8 BIG NUMBERS 23 Cybersecurity Challenges For Website Owners 40 Spear Phishing 10 MOBILE DEVICES & THE 23 Put Your Money Where Your Mouse Is 43 Active Attack Groups in 2015 INTERNET OF THINGS 23 Websites Are Still Vulnerable to Attacks 44 Infographic: Attackers Target Both Large and Small Businesses 10 Smartphones Leading to Malware and Data Breaches and Mobile Devices 23 Moving to Stronger Authentication 45 Profiting from High-Level Corporate Attacks and the Butterfly Effect 10 One Phone Per Person 24 Accelerating to Always-On Encryption 45 Cybersecurity, Cybersabotage, and Coping 11 Cross-Over Threats 24 Reinforced Reassurance with Black Swan Events 11 Android Attacks Become More Stealthy 25 Websites Need to Become Harder to 46 Cybersabotage and 12 How Malicious Video Messages Could Attack the Threat of “Hybrid Warfare” Lead to Stagefright and Stagefright 2.0 25 SSL/TLS and The 46 Small Business and the Dirty Linen Attack Industry’s Response 13 Android Users under Fire with Phishing 47 Industrial Control Systems and Ransomware 25 The Evolution of Encryption Vulnerable to Attacks 13 Apple iOS Users Now More at Risk than 25 Strength in Numbers 47 Obscurity is No Defense
    [Show full text]
  • Internet of Things Botnet Detection Approaches: Analysis and Recommendations for Future Research
    applied sciences Systematic Review Internet of Things Botnet Detection Approaches: Analysis and Recommendations for Future Research Majda Wazzan 1,*, Daniyal Algazzawi 2 , Omaima Bamasaq 1, Aiiad Albeshri 1 and Li Cheng 3 1 Computer Science Department, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia; [email protected] (O.B.); [email protected] (A.A.) 2 Information Systems Department, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia; [email protected] 3 Xinjiang Technical Institute of Physics & Chemistry Chinese Academy of Sciences, Urumqi 830011, China; [email protected] * Correspondence: [email protected] Abstract: Internet of Things (IoT) is promising technology that brings tremendous benefits if used optimally. At the same time, it has resulted in an increase in cybersecurity risks due to the lack of security for IoT devices. IoT botnets, for instance, have become a critical threat; however, systematic and comprehensive studies analyzing the importance of botnet detection methods are limited in the IoT environment. Thus, this study aimed to identify, assess and provide a thoroughly review of experimental works on the research relevant to the detection of IoT botnets. To accomplish this goal, a systematic literature review (SLR), an effective method, was applied for gathering and critically reviewing research papers. This work employed three research questions on the detection methods used to detect IoT botnets, the botnet phases and the different malicious activity scenarios. The authors analyzed the nominated research and the key methods related to them. The detection Citation: Wazzan, M.; Algazzawi, D.; methods have been classified based on the techniques used, and the authors investigated the botnet Bamasaq, O.; Albeshri, A.; Cheng, L.
    [Show full text]
  • Threat Landscape Report
    QUARTERLY Threat Landscape Report Q3 2020 NUSPIRE.COM THIS REPORT IS SOURCED FROM 90 BILLION TRAFFIC LOGS INGESTED FROM NUSPIRE CLIENT SITES AND ASSOCIATED WITH THOUSANDS OF DEVICES AROUND THE GLOBE. Nuspire Threat Report | Q2Q3 | 2020 Contents Introduction 4 Summary of Findings 6 Methodology and Overview 7 Quarter in Review 8 Malware 9 Botnets 15 Exploits 20 The New Normal 28 Conclusion and Recommendations 31 About Nuspire 33 3 | Contents Nuspire Threat Report | Q3 | 2020 Introduction In Q2 2020, Nuspire observed the increasing lengths threat actors were going to in order to capitalize on the pandemic and resulting crisis. New attack vectors were created; including VPN usage, home network security issues, personal device usage for business purposes and auditability of network traffic. In Q3 2020, we’ve observed threat actors become even more ruthless. Shifting focus from home networks to overburdened public entities including the education sector and the Election Assistance Commission (EAC). Many school districts were forced into 100% virtual or hybrid learning models by the pandemic. Attackers have waged ransomware attacks at learning institutions who not only have the financial resources to pay ransoms but feel a sense of urgency to do so in order to avoid disruptions during the school year. Meanwhile, the U.S. Elections have provided lures for phishers to attack. Nuspire witnessed Q3 attempts to guide victims to fake voter registration pages to harvest information while spoofing the Election Assistance Commission (EAC). Like these examples, cybercriminals taking advantage of prominent media themes are expected. We anticipate our Q4 2020 Threat Report 4 | Introduction Nuspire Threat Report | Q3 | 2020 to find campaigns leveraging more of the United report each quarter is a great step to gain that States Presidential election as well.
    [Show full text]
  • APT and Cybercriminal Targeting of HCS June 9, 2020 Agenda
    APT and Cybercriminal Targeting of HCS June 9, 2020 Agenda • Executive Summary Slides Key: • APT Group Objectives Non-Technical: managerial, strategic • APT Groups Targeting Health Sector and high-level (general audience) • Activity Timeline Technical: Tactical / IOCs; requiring • TTPs in-depth knowledge (sysadmins, IRT) • Malware • Vulnerabilities • Recommendations and Mitigations TLP: WHITE, ID#202006091030 2 Executive Summary • APT groups steal data, disrupt operations, and destroy infrastructure. Unlike most cybercriminals, APT attackers pursue their objectives over longer periods of time. They adapt to cyber defenses and frequently retarget the same victim. • Common HPH targets include: • Healthcare Biotechnology Medical devices • Pharmaceuticals Healthcare information technology • Scientific research • HPH organizations who have been victim of APT attacks have suffered: • Reputational harm Disruption to operations • Financial losses PII/PHI and proprietary data theft • HC3 recommends several mitigations and controls to counter APT threats. TLP: WHITE, ID#202006091030 3 APT Group Objectives • Motivations of APT Groups which target the health sector include: • Competitive advantage • Theft of proprietary data/intellectual capital such as technology, manufacturing processes, partnership agreements, business plans, pricing documents, test results, scientific research, communications, and contact lists to unfairly advance economically. • Intelligence gathering • Groups target individuals and connected associates to further social engineering
    [Show full text]