Attacks on udalenka (remote work)


In recent days, Russian news media have been full of reports that experts have noted a rise in cyberattacks as people move to udalenka (remote work). As the saying goes, one man's war is another man's gain. Various information security companies also agree that the nature of attacks in 2020 has changed. Let's look at how the number of hacker attacks has grown since people began working from home en masse, which types of attacks on virtual servers and personal computers have risen to the top, and how to protect yourself from them.

Hacker Attack Statistics


Over the past couple of weeks, the number of hacker attacks has grown from several hundred to 5 thousand per day. Specialists warn that websites whose domain names contain the words corona or covid, as well as files whose names mention coronavirus, are potentially dangerous. And not only those.

Back in November 2019, Kaspersky Lab predicted that so-called complex threats and targeted attacks (Advanced Persistent Threats, APT) would gain momentum in the coming year: leaks of biometric data, the use of AI to profile victims and create information fakes (deepfakes), and targeted extortion. As for the latter, it was suggested that attackers would move away from distributing universal ransomware programs and concentrate on carefully selecting victims who would be willing to pay a lot to recover their data.

However, the pandemic sets its own rules, and in the report of the same Kaspersky Lab we see that in April, for example, the top of the threat list is headed by an Intrusion attack using a universal ransomware program aimed at computers running Windows. It attempts to exploit vulnerabilities in SMB (Server Message Block), an application-layer network protocol that runs over TCP ports 139 and 445 and is used to provide shared access to files and printers, as well as remote access to services.

Successful exploitation of these vulnerabilities can result in remote code execution on the attacked computers, which lets an attacker download the ransomware and spread it to other vulnerable nodes on the network.


Top threats from Kaspersky Lab in April 2020

In second place is the Bruteforce attack, which involves guessing a password or encryption key for RDP (Remote Desktop Protocol), Microsoft's proprietary protocol that gives the user a graphical interface for connecting to another computer over the network. RDP is widely used by both system administrators and ordinary users to remotely control servers and other computers.

The graph below shows the total number of the company's antivirus detections of threats from the list in April. There is a clear increase compared with the end of March and the beginning of April. All statistics can be viewed here.



Incidentally, the other day Kaspersky Lab discovered a modified version of the Android Trojan Ginp, which demands a fee to show people nearby who are infected with the SARS-CoV-2 virus.

The World Health Organization recorded a sharp fivefold increase in cyberattacks. The attacks targeted both the organization's staff and the general public.

Compared to the first quarter of last year, the intensity of DDoS attacks doubled in the same period of this year. In the largest DDoS attack of 2020, junk traffic with an intensity of 406 Gbit/s poured into the victim's channels, whereas the peak attack in the first quarter of 2019 was 224 Gbit/s. A total of 51 attacks with intensities above 50 Gbit/s were recorded, and the average intensity was 5 Gbit/s versus 4.3 Gbit/s last year (CNews, citing data from the company Link11).

The share of multi-vector attacks has increased from 47% to 64%; 66% of all multi-vector attacks consisted of two or three vectors used simultaneously. There were even 19 cases in which attackers used 10 or more vectors! In 2019 there were no such attacks. The most commonly used methods are DNS reflection, CLDAP, NTP, and WS-Discovery (ibid.).

The number of attacks launched from cloud-based botnets has increased: in the first quarter of 2020 about 47% of DDoS attacks came from such botnets, compared to 31% the previous year (ibid.).

In recent days, Sberbank has seen an increase in DDoS attacks on its systems; since the beginning of the year there have already been 26 of them. The bank, however, says it is operating normally.

After children switched to distance learning, the number of cyberattacks on educational institutions quadrupled in April. Most often, attacks on the information systems of schools and universities aim to steal students' personal data and contact information for later use in social engineering. Pranksters who exploit vulnerabilities in online learning platforms are also "popular", invading chats and conferences and disrupting the learning process (according to Infosecurity, a Softline company).

On the darknet, the number of offers to sell access to the servers of large companies worldwide increased 30-fold: a year ago only three were offered, but in the first quarter of 2020 there were 88! In a third of cases these are companies with an average annual income of $23 billion to $45 billion, and the organizations' infrastructure has up to 6,000 computers. On illegal platforms only certain "entry points" to the companies' internal infrastructure are sold. Most often these are compromised credentials of a user or local administrator (RIA Novosti, citing data from Positive Technologies' research center Positive Research).

The most common types of attacks on VPS and PCs in the first 4 months of 2020


Spam and phishing attacks. In emails, attackers exploit the theme of the epidemic to get users to perform the required actions (for example, open an attachment) that start the execution of malicious code. As a result, hackers gain access to remote desktops and compromised machines, the ability to monitor the recipient's actions, the possibility of any further compromise up to encryption of the company's servers, and the other opportunities that social engineering offers attackers.

Such emails can be:

  • "Recommendations for protection against coronavirus." 
  • Appeals allegedly from the World Health Organization to download an important information document, send donations or contribute to vaccine development (WHO even issued a warning about this).


Phishing mailings allegedly from Pharmacy.ru

Attacks on remote desktops. A vulnerability, BlueKeep (CVE-2019-0708), allows an attacker to gain full control of a Windows computer through Remote Desktop. Over the past three weeks, the number of network nodes reachable via RDP has grown by 9% to more than 112 thousand. Now over 10% of such resources are vulnerable to BlueKeep (ibid.).

DDoS attacks on VPNs. With the growth in remote employees, the use of VPNs, which involve access from many different points, has increased sharply. This allows DDoS organizers to overload networks and cause serious disruption to all processes. It is important to apply proactive DDoS protection technologies, whose purpose is to prevent infection of the user's system and to eliminate potential conflicts and threats before they occur, rather than to search for already known malware.

Attacks on network applications and APIs. Applications and services are vulnerable to Layer 7 attacks, which target web application logic. Their main purpose is to exhaust the web server's resources with "heavy" requests, computationally intensive processing functions, or memory.


CERT-GIB



Summarizing the experts' recommendations from the first part of the article, we can single out the following general tips for ensuring information security in quarantine. Some of them have long seemed obvious to many, but a reminder will not hurt.

Check the company on whose behalf the email arrived. Does the company have social network accounts or any mention on the Internet? Fraudsters can use open information about the company from official sources, so if you still have doubts, ask the company to confirm that it sent the email.

Check that the data in the sender field and in the automatic signature match. Oddly enough, scammers quite often make a mistake already here.

Look at the extension of attached files. Do not open executable files.
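The three checks just listed (sender company, sender field versus signature, attachment extension), as an added Python example that is not from the original article; the message, its addresses and the keyword list are constructed for illustration:

```python
# Added example (not from the article): the three checks above applied to a raw email.
import re
from email import message_from_string, policy
from email.utils import parseaddr

SUSPICIOUS_WORDS = ("corona", "covid")  # domain keywords the article warns about
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".msi", ".hta"}
def _domain(addr) -> str:
    """Lower-cased domain of an address like 'Name <user@host>'; '' if none."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def triage_message(raw: str) -> list:
    """Return findings for a raw RFC 822 message; an empty list means nothing found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if reply_dom != from_dom:  # sender field vs. where replies really go
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    body = msg.get_body(preferencelist=("plain",))  # sender field vs. the signature
    text = body.get_content() if body else ""
    for dom in sorted(set(re.findall(r"@([\w.-]+\.\w+)", text))):
        if dom.lower() != from_dom:
            findings.append(f"signature mentions {dom}, sender is {from_dom}")
    for dom in sorted({from_dom, reply_dom}):  # pandemic-themed domains
        if any(w in dom for w in SUSPICIOUS_WORDS):
            findings.append(f"pandemic keyword in domain {dom}")
    for part in msg.iter_attachments():  # executables are never opened
        name = (part.get_filename() or "").lower()
        if "." in name and name[name.rfind("."):] in EXECUTABLE_EXT:
            findings.append(f"executable attachment {name}")
    return findings

# Constructed sample message; the .test domains are illustrative.
SAMPLE = """From: Support <info@apteka-example.test>
Reply-To: <help@covid-help-example.test>
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please open the attached recommendations.
Support team, support@covid-help-example.test
--B
Content-Type: application/octet-stream; name="recommendations.exe"
Content-Disposition: attachment; filename="recommendations.exe"

MZ
--B--
"""
```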

Install a reliable security solution for your mail server. It should be regularly updated and use current databases.

Use corporate laptops for remote employees. Install on them the corporate antivirus required for the software to work, and provide two-factor authentication, disk encryption, a proper level of event logging, and timely automatic updates of all systems.

Install state-of-the-art antivirus protection on the VPS. For example, we offer our customers a lightweight Kaspersky antivirus agent for virtual environments, which provides multi-level network protection against external and internal network attacks, application and device control, and automatic protection against exploits, and has built-in self-protection.

Configure remote access through a dedicated gateway: for RDP connections, Remote Desktop Gateway (RDG); for VPN, a VPN gateway. Do not connect remotely directly to the workstation.

Use two-factor authentication for VPN access.

Back up key data.

Install DDoS protection on the VPS. Cloud providers offer different terms. Our protection, for example, reliably withstands 1500 Gbit/s; traffic analysis runs 24/7, and you pay only for the traffic you actually need.

Review employees' access rights, and perform network segmentation and separation of access rights.

Use port knocking, a server network-protection method that makes a port "invisible" to the outside world and visible only to those who know a predefined sequence of data packets that opens the port (for example, SSH).
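How such a knock sequence is evaluated on the server side, as an added example that is not from the article or from any particular knock daemon; the sequence, addresses and traffic are assumed values:

```python
# Added example (not from the article): a minimal port-knocking state machine of the kind a
# knock daemon implements; a real daemon would add a firewall rule once a source completes it.
from dataclasses import dataclass, field

@dataclass
class KnockTracker:
    sequence: tuple           # secret knock, e.g. (7000, 8000, 9000), hit in order
    window: float = 10.0      # seconds allowed from the first knock to the last
    progress: dict = field(default_factory=dict)  # src -> (next index, first-knock time)

    def observe(self, src: str, port: int, ts: float) -> bool:
        """Feed one inbound SYN (source, destination port, time); True when src completes the knock."""
        idx, start = self.progress.get(src, (0, ts))
        if idx and ts - start > self.window:   # too slow: the sequence starts over
            idx, start = 0, ts
        if port != self.sequence[idx]:         # any wrong port resets, so a full port
            self.progress.pop(src, None)       # sweep cannot stumble through the sequence
            return False
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            return True                        # here the daemon would open the protected port
        self.progress[src] = (idx, start)
        return False

def sources_that_knocked(events, sequence=(7000, 8000, 9000), window=10.0):
    """Replay (src, port, ts) events and return the sources that completed the knock."""
    tracker = KnockTracker(sequence, window)
    return [src for src, port, ts in events if tracker.observe(src, port, ts)]

# Constructed traffic: a legitimate client, a port scanner, and a client that knocks too slowly.
EVENTS = [
    ("198.51.100.7", 7000, 0.0), ("198.51.100.7", 8000, 0.5), ("198.51.100.7", 9000, 1.0),
    ("203.0.113.9", 7000, 2.0), ("203.0.113.9", 7001, 2.1),
    ("203.0.113.9", 8000, 2.2), ("203.0.113.9", 9000, 2.3),
    ("192.0.2.5", 7000, 0.0), ("192.0.2.5", 8000, 4.0), ("192.0.2.5", 9000, 12.0),
]

if __name__ == "__main__":
    print(sources_that_knocked(EVENTS))  # ['198.51.100.7']
```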

Restrict the installation of third-party applications, especially online platforms and collaboration messengers, to prevent possible leaks of confidential information.

Check all services and equipment used for remote access for updated firmware and security patches.
 
Provide training on the basics of digital security before employees switch to remote work.

IT risk insurance, of course, will not help recover data, but it will help cover the damage from hacked computers. True, in Russia this is still a new type of product for insurance companies, so there are literally only a handful of offers. RUVDS offers its customers two insurance options: a general policy for all, or special terms for individual insurance, discussed individually in each unique case.

Separately, we note problems with 1C when working remotely. Deploying boxed 1C for remote employees is expensive, unsafe, and often simply useless. Accountants unaccustomed to this way of working will forget to synchronize data; errors in working with the system will require remote involvement of the company's system administrator or the software vendor's representative (for a fee); and there is a risk of the database leaking to competitors. The way out: renting remote VPS servers with 1C.

How to monitor your services for typical vulnerabilities


All monitoring scenarios aim to accumulate the data needed for the fastest and most effective investigation of an incident. What is important to do first?

Monitor access to file storage and use a SIEM. Ideally, set up auditing of the lists of files that remote employees are not allowed to access; at a minimum, set up logging of storage accesses and file operations.


Illustration from the site styletele.com.

Log the external addresses of users connecting for remote work. Use geolocation of users for this with the help of appropriate services (after making sure they are safe).

Identify domain and non-domain workstations with a remote connection.

Monitor administrators' connections and configuration changes to critical infrastructure services. Detect duplicate remote logins and track failed connection attempts.

And in general: take such actions in advance that will help increase the accuracy of identifying illegitimate connections among the mass of requests generated on the network during total remote access.
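The failed-attempt and duplicate-login checks described above, run over constructed gateway log lines (an added example, not from the article; the log format, users and addresses are invented for illustration):

```python
# Added example (not from the article): the two detections above run over constructed
# gateway log lines. The log format, users and addresses are invented for the example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+) result=(OK|FAIL)$")

def parse(lines):
    """Yield (timestamp, service, user, source address, result) for each well-formed line."""
    for ln in lines:
        m = LINE.match(ln.strip())
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), *m.groups()[1:])

def analyse(lines, fail_threshold=5, fail_window=timedelta(minutes=5), session=timedelta(hours=8)):
    """Return findings: failure bursts per source, successes from such sources, duplicate logins."""
    findings, flagged = [], set()
    fails = defaultdict(list)    # src -> recent failure timestamps
    logins = defaultdict(list)   # user -> [(ts, src)] of successful logins
    for ts, svc, user, src, result in parse(lines):
        if result == "FAIL":
            fails[src] = [t for t in fails[src] if ts - t <= fail_window] + [ts]
            if len(fails[src]) >= fail_threshold and src not in flagged:
                flagged.add(src)
                findings.append(f"brute force: {len(fails[src])} failures from {src} on {svc}")
            continue
        if src in flagged:       # a success right after a burst of failures is the worst case
            findings.append(f"success after failures: {user} from {src} on {svc}")
        for prev_ts, prev_src in logins[user]:  # same user active from two external addresses
            if prev_src != src and ts - prev_ts <= session:
                findings.append(f"duplicate login: {user} from {src} while active from {prev_src}")
                break
        logins[user].append((ts, src))
    return findings

# Constructed log: one legitimate RDP login, a password-guessing burst that then succeeds, a VPN login.
LOG = """\
2020-04-20T09:00:01Z rdp-gw user=ivanov src=198.51.100.7 result=OK
2020-04-20T09:01:10Z rdp-gw user=administrator src=203.0.113.9 result=FAIL
2020-04-20T09:01:11Z rdp-gw user=administrator src=203.0.113.9 result=FAIL
2020-04-20T09:01:12Z rdp-gw user=admin src=203.0.113.9 result=FAIL
2020-04-20T09:01:13Z rdp-gw user=admin src=203.0.113.9 result=FAIL
2020-04-20T09:01:14Z rdp-gw user=ivanov src=203.0.113.9 result=FAIL
2020-04-20T09:01:20Z rdp-gw user=ivanov src=203.0.113.9 result=OK
2020-04-20T10:30:00Z vpn-gw user=petrova src=192.0.2.5 result=OK
""".splitlines()
```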

We hope the material was useful to you. As always, we welcome constructive comments on the article. Stay home and keep yourself and your business safe!

