Cyber targets of 2019 as trends for 2020: hackers have changed focus


Every year we record an increase in the number of cyber incidents: hackers come up with new tools or modify existing ones. What was 2019 like? At first glance, no surprises: the volume of incidents grew by as much as 30% and exceeded 1.1 million cases. But if you dig deeper, it becomes obvious that, in the pursuit of "easy" money, the attackers have shifted their focus to new targets. Overall, there were more external attacks: their share grew to 58% (54% a year earlier). At the same time, the share of complex attacks increased significantly: 55% of the events were detected using advanced, intelligent detection tools (in 2018, such incidents were 28%). Basic security tools are powerless in such situations. Below we describe what dangers companies faced in the past year and what to expect in the near future.

A little bit about methodology: how and what did we consider


All statistics presented here relate to our customers, more than 100 organizations from different industries: public sector, finance, oil and gas, energy, telecom, retail. All of them belong to the large enterprise and enterprise segments, have 1000 or more employees on average, and provide services in different regions of the country.

Our first priority is protection, which means detecting the attacker's actions on the approaches, before they penetrate the infrastructure. This, of course, limits us in determining the attacker's goals: direct gain, collecting sensitive information, gaining a foothold in the infrastructure for later resale of access, hacktivism ... To make a balanced analysis of what is happening, we used a combined technique that relies on the characteristics of the attack.

When detecting incidents at an early stage (before the attackers actually gain a foothold and develop the attack inside the infrastructure), we took into account the attack techniques and methods, the functionality of the malware, attribution and data about the hacker group, etc.

Sometimes, while onboarding new customers, we detected attacks that were already in the lateral-movement phase. In such cases we took into account, for the compromised hosts: their territorial distribution, their functionality, the possibility of achieving one of the goals listed above, and the dynamics and direction of the cybercriminal's movement.

If, during incident investigations for clients not using Solar JSOC services, attacks were detected at their final stage, then the actual damage data became the key criterion for determining the attack vector.

From the statistics, we excluded so-called simple attacks that did not lead to real information security incidents: botnet activity, network scanning, unsuccessful exploitation of vulnerabilities, and password guessing.

What exactly did we encounter in 2019?

Control is more expensive than money


Direct theft of funds is no longer in trend. In 2019, the number of such attacks decreased by 15%, although before that the indicator had been growing steadily from year to year. Not least, this indicates an increase in the level of security in the credit and financial sector. Fast and direct monetization of an attack is becoming increasingly difficult, and cybercriminals are switching to more accessible targets.

The number of attacks aimed at gaining control over the infrastructure increased by 40%. More than 16% of attacks targeted critical information infrastructure (KII) facilities, and their goal was the industrial control system segment or other closed segments. This is due to the low level of cyber hygiene in such segments and the frequent mixing of corporate and technological networks. During monitoring, in 95% of organizations we found at least two points where open and closed segments were mixed.

The trend is alarming because, once they have penetrated the perimeter, attackers can examine the company's internal processes in detail. There are many ways they can then use these points of presence: from industrial espionage to selling the access on the darknet or direct blackmail.
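One way to look for the "mixing points" between open and closed segments described above is to review network flow records for connections that cross the corporate/technological boundary. The following is an added example, not code from the report or from Solar JSOC; the subnets, the documented jump-host exception and the flow records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed segment layout (constructed): one corporate range and one
# technological (ICS) range. Everything else is treated as external.
TECHNOLOGICAL = [ipaddress.ip_network("192.168.100.0/24")]

# Documented, approved crossings (constructed): e.g. a hardened jump host.
# Anything else that crosses into the closed segment is a mixing point.
ALLOWED_CROSSINGS = {("10.10.5.5", "192.168.100.10")}

# Constructed flow records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.10.1.20", "192.168.100.15", 502),   # workstation -> PLC (Modbus)
    ("10.10.1.20", "192.168.100.15", 445),   # same pair, SMB
    ("10.10.5.5", "192.168.100.10", 3389),   # approved jump host, RDP
    ("10.10.2.7", "10.10.3.8", 443),         # corporate-internal, fine
    ("203.0.113.9", "192.168.100.10", 22),   # external -> closed segment
]


def segment_of(ip: str) -> str:
    """Classify an address as 'closed' (technological) or 'open'."""
    addr = ipaddress.ip_address(ip)
    return "closed" if any(addr in net for net in TECHNOLOGICAL) else "open"


def find_mixing_points(flows):
    """Return {(src, dst): {ports}} for every undocumented flow that
    crosses between an open segment and the closed segment."""
    mixing = defaultdict(set)
    for src, dst, port in flows:
        crosses = segment_of(src) != segment_of(dst)
        if crosses and (src, dst) not in ALLOWED_CROSSINGS:
            mixing[(src, dst)].add(port)
    return dict(mixing)


def closed_hosts_reached(flows):
    """Sorted list of closed-segment hosts touched by undocumented flows."""
    return sorted({dst for (_, dst) in find_mixing_points(flows)
                   if segment_of(dst) == "closed"})


if __name__ == "__main__":
    for (src, dst), ports in sorted(find_mixing_points(FLOWS).items()):
        print(f"mixing point: {src} -> {dst} ports={sorted(ports)}")
    print("closed hosts reached:", closed_hosts_reached(FLOWS))
```

In practice the flow records come from a NetFlow/IPFIX collector or firewall logs, and the approved-crossings list should be derived from the documented network design so the report highlights only what the design does not foresee.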

External incidents


Figure: Types of External Attacks
Malware in a new way


When choosing tools for breaking into infrastructure, hackers are conservative and prefer malware delivered to the user's machine via infected attachments or phishing links in emails. In 2019, this method was used in more than 70% of cases.

Overall, attacks using malware are growing steadily, by 11% over the past year. At the same time, the malicious software itself is becoming more complex: every fifth malware sample delivered to the user's machine by phishing mailings has built-in sandbox-evasion tools.

Malware development trends


  • RTM: C&C over TOR.
  • 2019: Troldesh.
  • 2019 stealers: Pony, Loki, Hawkeye; packed with VBInJect (VBCrypt).
  • DDE (Microsoft Dynamic Data Exchange) in Microsoft Office documents.
  • Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802.
  • Emotet distributed via WordPress sites (examples: http://*.sk/isotope/fa9n-ilztc-raiydwlsg/ , http://*.com/wp-content/uploads/hwqu-5dj22r-chrsl/ ).
  • 2019 Windows vulnerabilities BlueKeep and DejaBlue (RDP); in the wild; Eternal Blue; 2018.


Attacks on web applications also show steady growth: their share increased by 13% over the year. The reason is simple: more and more companies and state organizations launch their own Internet portals but do not pay enough attention to the security of such resources. As a result, every third website has a critical vulnerability that allows an attacker to gain privileged access to the server (a web shell).

Admin password: when simplicity is worse than theft


Relatively simple credentials for web resource admin panels and RDP terminal servers also play into the hands of cybercriminals. According to our data, if you use a weak administrator password and expose these services to the Internet, it will take less than 5 hours before they are infected with malware. Most often it will be a miner, ransomware or a relatively simple virus, for example, Monero Miner, Miner Xmig, Watchbog, Dbg Bot or Scarab.

Woe from Wit


DDoS attacks demonstrate significant technological progress. In 2019, attackers were 40% more likely to use IoT botnets to conduct DDoS. As is well known, IoT devices are poorly protected and easily compromised, which makes DDoS attacks cheaper and more accessible. Given the constant increase in the number of such gadgets, we may face a new surge in this threat in the near future.

Dangers inside


Despite the growth of external attacks, internal incidents remain a serious threat. The number of leaks of confidential information continues to grow: they account for more than half of internal incidents, and in the coming years this indicator is likely to grow. At the same time, the number of incidents related to violations of Internet access policy has decreased significantly. This indirectly shows the development of technology: many customers have migrated from old firewalls and proxies to more advanced systems.

Figure: Types of Internal Attacks
Sweeten the pill


There are also positive changes: companies have begun to put more effort into protecting the perimeter. If in 2018 more than 260 thousand Russian servers were vulnerable to EternalBlue, then in 2019 their number decreased to 49.7 thousand. Moreover, the pace of closing vulnerabilities in Russia is significantly higher than the world average: Russian servers account for less than 5% of the vulnerable servers in the world. However, approximately 40% of the servers that are still vulnerable are owned by large commercial or government companies.
