Kaspersky Lab’s Threat Review For 2016: Servers For Sale, Global Botnets And A Strong Focus On Mobile

Evolving threat landscape reveals a growing need for security intelligence

In 2016, the world’s biggest cyber-threats were related to money, information and a desire to disrupt. They included the underground trade of tens of thousands of compromised server credentials, hijacked ATM systems, ransomware and mobile banking malware – as well as targeted cyber-espionage attacks and the hacking and dumping of sensitive data. These trends, their impact and the supporting data are covered in the annual Kaspersky Security Bulletin Review and Statistics reports, published today.

In 2016, Kaspersky Lab research also discovered the extent to which companies struggle to quickly spot a security incident: 28.7 per cent said it took them several days to discover such an event, while 19 per cent admitted it took weeks or more. For a small but significant minority of 7.1 per cent, it took months. Among those that struggled most, eventual discovery often came about through an external or internal security audit, or an alert from a third party, such as a client or a customer. Further details on how a delay in detection impacts business recovery costs can be found in the Executive Summary of the review.

Other things we learned in 2016:

1. That the underground economy is bigger and more sophisticated than ever: just look at xDedic– the shady marketplace for more than 70,000 hacked server credentials that allowed anyone to buy access to a hacked server, for example, one located in an EU country’s government network, for as little as $6;
2. That the biggest financial heist did not involve a stock exchange as expected: instead it used SWIFT-enabled transfers to steal $100 million;
3. That critical infrastructure is worryingly vulnerable on many fronts: as revealed at the end of 2015 and into 2016 by the BlackEnergy cyber-attack on the Ukrainian energy sector that included disabling the power grid, wiping data and launching a DDoS attack. In 2016, Kaspersky Lab experts investigated industrial control threats and discovered thousands of hosts around the world exposed to the Internet, with 1 per cent carrying vulnerabilities that can be exploited remotely;
4. That a targeted attack can have no pattern: shown by the ProjectSauron APT, an advanced modular cyber-espionage group that customised its tools for each target, reducing their value as Indicators of Compromise (IoCs) for any other victim;
5. That the online release of vast volumes of data can directly influence what people think and believe: as evidenced by the ShadowBrokers and other personal and political data dumps;
6. That a camera or DVD player could become part of a global Internet-of-things cyber-army: as the year ends it is clear that the Mirai-powered botnet attacks are only the beginning.

“The number and range of cyber-attacks and their victims seen in 2016 has put the subject of better detection at the top of the business agenda. Detection is now a complex process that requires security intelligence, a deep knowledge of the threat landscape and the skills to apply that expertise to each individual organisation. Our analysis of cyber-threats over the years has revealed both patterns and unique approaches. This accumulated understanding underpins our active defense tools, as we believe protection technologies should be powered by security intelligence.  It also sits at the heart of our growing number of partnerships and collaborations. We use the past to prepare for the future, so that we can continue to protect our customers from undetected threats, before they do any harm,” said David Emm, Principal Security Researcher, Kaspersky Lab.

An overview of intelligence-based security protection can be found here.

The notable statistics for the year include:

• 36 per cent of online banking attacks now target Android devices, up from just eight per cent in 2015.
• 262 million URLs were recognised as malicious by Kaspersky Lab products, and there were 758 million malicious online attacks launched across the world – with one in three (29 per cent) originating in the US and 17 per cent in the Netherlands.
• Eight new families of Point-of-Sale and ATM malware appeared – a rise of 20 per cent on 2015.
• Attackers made use of the Google Play Store to distribute Android malware, with infected apps downloaded hundreds of thousands of times.

The Kaspersky Security Bulletin for 2016 comprises the following documents:

Threat Predictions 2017 available here.

Story of the Year: The Ransomware Revolution available here. It also includes advice on how to stay safe and why not to pay the ransom.

Review of the Year: Executive Summary, available on Securelist.

Review of the Year: Full Report, available here.

Statistics, available here.