Cybersecurity Insights-1

October 23, 2019 | Mina Hao

Executive Summary

It has been 31 years since China sent its first email to the world on September 14, 1987, an event that triggered the development of the Internet in the country. From the Consumer Internet and the Industrial Internet to the Internet of Things, the Internet has steadily changed the way we communicate and do business, reshaped the economic form of the country and repeatedly expanded the boundaries of people's lives. At the same time, the number of netizens in China reached 802 million, with an Internet penetration rate of 57.7% [1] (as of June 2018). The Internet has in fact become a necessity in the country's economy and in people's lives, and the importance of cybersecurity has become correspondingly more apparent.

With the growing importance of cybersecurity, security incidents have been receiving more and more attention. Five categories of incidents have drawn the most attention: vulnerabilities, malware, DDoS, data breaches, and the Internet of Things. Our monitoring data shows that the peak of security incidents in the first half of 2018 was in March, and the main category of incidents in that month was DDoS.

The key incidents were that GitHub suffered a traffic attack, with the peak reaching 1.35 Tbps; and five days later, a DDoS attack hit a service provider in the United States, setting a new peak record of 1.7 Tbps. In the second half of 2018, various categories of security incidents were on the rise, and this time, the main incidents were data breaches and malware.

The data breaches affecting users of websites such as Facebook and AcFun, the discovery of new ransomware samples, the release of decryption tools for known ransomware, and new algorithms found in samples are all closely tied to people's daily lives. Because networks are interconnected, more people are realizing the importance of cybersecurity.

Security providers are also picking up the pace. In 2018, the RSA Conference theme was "Now Matters"; for 2019, "Better". Joint defense and the elimination of silos have become the consensus in the industry, with the focus on laying a solid foundation, moving from passive to active defense, and improving the effectiveness of implementation and the timeliness of response. "Know yourself and your enemy, and you will never be defeated." Axonius became the RSA Innovation Sandbox champion in 2019 because it provides a more effective and meticulous capability for "knowing yourself".

Its platform improves asset visibility within a given scope and continuously evaluates and eliminates asset vulnerabilities. Threat intelligence, the most important component of "knowing your enemy", has gradually become the core back-end capability of security providers; data and defense capabilities are delivered by embedding that threat intelligence into all security products and operating systems.

In 2018, 15% of the malicious IPs we monitored used a variety of attack methods. Moreover, as time goes by and as the attack chain deepens or the profit target changes, the sources of attack switch attack methods. For example, there is a 50% chance that a source initiating Web attacks will attempt more complicated exploits in the future, and a considerable share of the controlled source IPs participating in DDoS attacks were also engaged in cryptomining.

The sources of attack and the targets of attack are mainly in China and in the United States. As can be seen, the distribution of sources and targets of attack corresponds to the economic development and the development of the computer industry of the regions. Moreover, we continued to analyze sources of attack which, in the past, we had observed engaging in multiple malicious practices, i.e., the so-called "repeat offenders" or recidivists. In the 2018 H1 Cybersecurity Insights, we pointed out that 25% of the "repeat offender" sources of attack were responsible for 40% of the attack incidents [2].

Over the course of 2018, the monitored sources of attack increased from 27 million in the first half of the year to about 43 million. Recidivists accounted for 17% of them, and the alerts attributed to "repeat offenders" accounted for 35% of the total; both percentages were lower than in the first half of the year. However, recidivists are increasingly active, which to a certain extent illustrates the repeated reuse of attack resources. At the same time, 39% of the "repeat offenders" were under the control of botnets, which exposes how long security hardening has been neglected for this portion of public network resources.
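The "repeat offender" figures above come from correlating alerts by source across attack categories. The following is an added example of how a SOC analyst could compute the same kind of statistics (share of sources that are recidivists, the share of alerts they generate, and the rate at which sources seen in one category later appear in another). It is not NSFOCUS code; the alert records, the category labels and the `min_categories` threshold are constructed assumptions.

```python
"""Repeat-offender (recidivist) analysis over attack alerts.

Added example, not code from the report. Each alert is a (source IP, category)
pair in chronological order; the IPs are documentation ranges and the
categories are invented for illustration.
"""
from collections import defaultdict

# Constructed sample alerts, oldest first. Not real monitoring data.
SAMPLE_ALERTS = [
    ("198.51.100.7", "web_attack"),
    ("198.51.100.7", "exploit"),      # same source escalates to an exploit
    ("198.51.100.7", "ddos"),
    ("203.0.113.21", "ddos"),
    ("203.0.113.21", "mining"),       # DDoS bot that also mines
    ("203.0.113.21", "ddos"),
    ("192.0.2.44", "scan"),
    ("192.0.2.45", "scan"),
    ("192.0.2.46", "web_attack"),     # single-category source, never escalates
    ("192.0.2.47", "ddos"),
]


def categories_by_source(alerts):
    """Map each source IP to the set of distinct attack categories it was seen in."""
    cats = defaultdict(set)
    for src, cat in alerts:
        cats[src].add(cat)
    return cats


def repeat_offenders(alerts, min_categories=2):
    """Sources observed in at least `min_categories` distinct categories (assumed threshold)."""
    return {src for src, cats in categories_by_source(alerts).items()
            if len(cats) >= min_categories}


def recidivist_stats(alerts, min_categories=2):
    """Return (share of all sources that are recidivists,
               share of all alerts produced by those recidivists)."""
    sources = {src for src, _ in alerts}
    offenders = repeat_offenders(alerts, min_categories)
    offender_alerts = sum(1 for src, _ in alerts if src in offenders)
    return len(offenders) / len(sources), offender_alerts / len(alerts)


def escalation_rate(alerts, from_cat, to_cat):
    """Fraction of sources first seen doing `from_cat` that were later seen doing `to_cat`.

    Relies on the alert list being in chronological order.
    """
    first_seen = {}      # source -> index of its first `from_cat` alert
    escalated = set()
    for i, (src, cat) in enumerate(alerts):
        if cat == from_cat and src not in first_seen:
            first_seen[src] = i
        elif cat == to_cat and src in first_seen:
            escalated.add(src)
    if not first_seen:
        return 0.0
    return len(escalated) / len(first_seen)


def top_offenders(alerts, n=3):
    """Recidivists ranked by alert volume, most active first."""
    offenders = repeat_offenders(alerts)
    volume = defaultdict(int)
    for src, _ in alerts:
        if src in offenders:
            volume[src] += 1
    return sorted(volume.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    src_share, alert_share = recidivist_stats(SAMPLE_ALERTS)
    print(f"recidivist sources: {src_share:.0%} of sources, {alert_share:.0%} of alerts")
    print(f"web_attack -> exploit escalation: {escalation_rate(SAMPLE_ALERTS, 'web_attack', 'exploit'):.0%}")
    print("most active recidivists:", top_offenders(SAMPLE_ALERTS))
```

Run on real data, the alert list would come from a SIEM export ordered by timestamp; the `min_categories` threshold decides how aggressively a source is labelled a recidivist, and the escalation rate is only meaningful if the input is genuinely chronological.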

In the areas of vulnerability announcements and exploits, the number of CVEs published on the official NVD website was 15,800 in 2018, of which 4,096 were high-risk vulnerabilities. Vulnerabilities in devices have increased significantly, and attacks targeting device vulnerabilities are also increasing year over year. "EternalBlue" was exploited by a large amount of malware and has gradually become one of the most heavily used vulnerabilities.

In the area of Web attacks, more than 85% of the attacks targeting Web servers are still conventional attacks; however, exploits against Web service software have been increasing year over year. Among Web vulnerabilities, deserialization vulnerabilities are particularly popular with attackers because they are simple to exploit and can be triggered remotely. The interval from the disclosure of a vulnerability to the appearance of a working attack has shrunk to hours, which poses a greater challenge to the conventional defend-and-upgrade strategy.
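Deserialization bugs are "simple" for the attacker because the deserializer itself does the work: any object it is willing to reconstruct becomes reachable from the wire. The following is an added example, not code from the report, showing the defensive counterpart in Python: a `pickle.Unpickler` subclass that refuses to resolve any global by default, with an explicit allowlist for the few types an application actually needs, beside a JSON path that has no object-reconstruction capability at all. The `ALLOWED_GLOBALS` contents and the sample payloads are constructed assumptions.

```python
"""Hardened deserialization: deny-by-default unpickling and a JSON alternative.

Added example, not code from the report. Demonstrates the mitigation for
deserialization vulnerabilities (restricting which classes may be rebuilt).
"""
import collections
import io
import json
import pickle

# Assumed allowlist: only the (module, name) pairs the application really needs.
# Anything else, including innocuous-looking stdlib classes, is rejected.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves explicitly allowlisted globals."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Every global reference the payload tries to resolve goes through here;
        # refusing it means no arbitrary class or callable can be instantiated.
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_loads(data: bytes):
    """Deserialize with the restricted unpickler (raises on forbidden globals)."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_accepted(data: bytes) -> bool:
    """True if the payload only uses primitives or allowlisted globals."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# JSON path: the format can express only dicts, lists, strings, numbers,
# booleans and null, so there is nothing to allowlist.
def to_json(obj) -> bytes:
    return json.dumps(obj).encode()


def from_json(data: bytes):
    return json.loads(data.decode())


# Constructed sample payloads (serialized locally, not captured traffic).
PRIMITIVE_PAYLOAD = pickle.dumps({"user": "alice", "roles": ["reader"], "n": 3})
ALLOWED_CLASS_PAYLOAD = pickle.dumps(collections.OrderedDict(a=1))
FORBIDDEN_CLASS_PAYLOAD = pickle.dumps(collections.deque([1, 2]))  # deque not allowlisted


if __name__ == "__main__":
    print("primitives accepted:", is_accepted(PRIMITIVE_PAYLOAD))
    print("allowlisted class accepted:", is_accepted(ALLOWED_CLASS_PAYLOAD))
    print("non-allowlisted class accepted:", is_accepted(FORBIDDEN_CLASS_PAYLOAD))
    print("json round trip:", from_json(to_json({"user": "alice", "n": 3})))
```

The allowlist is the whole mitigation: a plain `pickle.loads` on untrusted input resolves whatever the payload names, which is why the report's observation about remote exploitability holds. Where the data model permits it, the JSON functions are the simpler fix, because the format cannot name classes at all.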

The scale of DDoS attacks continues to increase, and DDoS as a service is growing rapidly. DDoS reflection attacks have slowed down, while the combination of multiple attack methods deserves attention. Cryptomining malware is still growing; although slightly affected by the devaluation of cryptocurrencies, its overall prevalence is second only to backdoor programs in the malware ranking. There is a huge variety of worms, and some have been active for years: most worm families were first discovered more than five years ago. Of the 39 most active worm categories monitored over the whole of 2018, those discovered more than five years ago accounted for over 60%. Trojan activity has declined slightly, while bootkits are still emerging.

Since 2015, bootkits have infected millions of computers and undergone several rounds of updates, and new variants continue to emerge. Judging from honeypot captures and botnet tracking, the largest numbers of malicious Internet of Things samples belonged to the Mirai and Gafgyt families. Unconventional Internet of Things devices are mainly exploited for DDoS attacks. In October 2018, there were still 26,000 Internet of Things devices controlled by Coinhive, the vast majority of them MikroTik routers, with Brazil the hardest hit. The difficulty of upgrading and patching Internet of Things devices is a huge challenge to the security of the Internet of Things.

To be continued.

[1] http://www.cac.gov.cn/2018-08/20/c_1123296882.htm

[2] https://nsfocusglobal.com/2018-h1-cybersecurity-insights