NTT Security has released its Global Threat Intelligence Center (GTIC) quarterly threat intelligence report for Q2 2017. The report makes for very interesting reading especially compared to the quarterly reports from other security vendors. The surprise in this report is that NTT Security has seen a 24% increase in attacks on customers over the quarter. It has also seen a 34% increase in attacks on manufacturers. The full report can be downloaded here (registration required).
According to Jon Heimerl, Manager, Threat Intelligence Communication Team, NTT Security: “Our Global Threat Intelligence Centers are constantly monitoring cyber activities on a global scale and providing us with great insight as to which industries cybercriminals are targeting, why they’re targeting these areas, and how they may do so moving forward. This latest GTIC 2017 Q2 Threat Intelligence Report documents that hackers continue to target the manufacturing sector, which should be a red flag for CISOs across this market segment.”
Email attacks, phishing and vulnerabilities
Unsurprisingly, email leads the way when it comes to malware distribution. The report says that 67% of all malware it saw being distributed was via email. This is a trend that is being seen by all security vendors. IT departments have invested in security plug-ins for their email. Given the amount of malware getting through there are questions over their efficacy.
Another defensive mechanism is to use aggressive spam filters. The problem is that this risks catching increasing amounts of real email. This results in users complaining about ineffective email and the business units demanding the detection level be reduced.
It is not just floods of spam email that are causing problems. There has been an increase in the number of phishing attacks especially those targeting specific users. These emails contain malicious attachments that contain PowerShell commands and VBA macros. When allowed to execute they install trojans or ransomware.
Vulnerabilities continue to proliferate. Vendors are struggling to keep up with the number being reported. Worryingly, the number of previously unreported vulnerabilities that only come to light through attacks is also climbing. NTT Security says that 73% of attacks exploited software vulnerabilities.
Adobe Flash and Apache Struts worth a special mention
The Adobe Flash Player continues to be much loved by hackers. 98% of all exploited vulnerabilities relating to Adobe products are in the Flash Player. Many of these attacks are believed to be the result of hackers examining code that was stolen from Adobe a few years ago. This has allowed hackers to methodically trawl through the code to find errors that they can exploit.
The speed with which hackers can weaponise a vulnerability is shown with Apache Struts. NTT Security says it: “Detected attacks for Apache Struts, CVE-2017-5638, less than 48 hours after the initial Apache advisory, and less than 24 hours after the release of proof-of-concept (PoC) code.”
It also reports that Apache Struts became a top five attack within a week of being detected. This shows how quickly a new attack spreads across the hacker community. It also shows how hard it is for vendors to keep up with investigating and patching vulnerabilities.
Manufacturing the most targeted industry
One of the most interesting parts of this report is the focus on the most targeted industries. There are no surprises in the top five apart from the order.
- Business Services
It will be interesting to see how long it takes for healthcare to hit the number one spot. It is an easy target for many hackers due to its poor levels of security and the number of people with access to its systems. The big surprise is that manufacturing is number one. This is despite manufacturers being loath to use cloud services and to have their factories connected to the Internet.
There were three types of attack:
Reconnaissance: This accounted for 33% of the attacks on this sector. The majority of attacks used widely available scanning tools to map manufacturers' systems. Attackers were looking at what systems were being used, presumably to later match those systems with zero-day vulnerabilities.
Brute Force: Across the quarter, 22% of attacks tried to brute force their way into systems. There was a significant change in what was attacked over the period. Microsoft SQL Server was consistently targeted and NTT Security says it found thousands of public-facing MSSQL servers. It is not clear what the attackers were after, but the report highlights the January 2017 attacks on public-facing MongoDB databases. These were compromised and held for ransom. In May there was a two-week focus on HTTP and in June an extremely large spike in SSH attacks. Both of these coincided with new types of attacks appearing.
Malware: Just 9% of attacks were malware. However, 86% of these were trojans that would allow attackers to install other malware later.
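The first two categories above, reconnaissance scans and authentication brute force, are the ones a defender can spot directly in perimeter and authentication logs. The following is an added example, not code from the NTT report or from NTT Security: a small Python detector that runs over constructed sample log lines (the `CONN`/`AUTH` line format, the IP addresses and the thresholds are all assumptions made for this illustration). It flags a source that touches many distinct ports in a short window, and a source that repeatedly fails authentication against one service such as MSSQL on port 1433.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One scanner touches ten ports in ten
# seconds, one benign client touches two, one source hammers MSSQL (1433)
# with failed logins, and one user mistypes a password twice before succeeding.
SAMPLE_LOG = """\
2017-06-01T10:00:00 CONN src=203.0.113.7 dport=21
2017-06-01T10:00:01 CONN src=203.0.113.7 dport=22
2017-06-01T10:00:02 CONN src=203.0.113.7 dport=23
2017-06-01T10:00:03 CONN src=203.0.113.7 dport=80
2017-06-01T10:00:04 CONN src=203.0.113.7 dport=443
2017-06-01T10:00:05 CONN src=203.0.113.7 dport=445
2017-06-01T10:00:06 CONN src=203.0.113.7 dport=1433
2017-06-01T10:00:07 CONN src=203.0.113.7 dport=3306
2017-06-01T10:00:08 CONN src=203.0.113.7 dport=3389
2017-06-01T10:00:09 CONN src=203.0.113.7 dport=8080
2017-06-01T10:00:30 CONN src=192.0.2.5 dport=80
2017-06-01T10:00:31 CONN src=192.0.2.5 dport=443
2017-06-01T10:01:00 AUTH src=198.51.100.9 dport=1433 result=FAIL
2017-06-01T10:01:10 AUTH src=198.51.100.9 dport=1433 result=FAIL
2017-06-01T10:01:20 AUTH src=198.51.100.9 dport=1433 result=FAIL
2017-06-01T10:01:30 AUTH src=198.51.100.9 dport=1433 result=FAIL
2017-06-01T10:01:40 AUTH src=198.51.100.9 dport=1433 result=FAIL
2017-06-01T10:01:50 AUTH src=198.51.100.9 dport=1433 result=FAIL
2017-06-01T10:02:00 AUTH src=198.51.100.9 dport=1433 result=FAIL
2017-06-01T10:03:00 AUTH src=192.0.2.6 dport=22 result=FAIL
2017-06-01T10:03:05 AUTH src=192.0.2.6 dport=22 result=FAIL
2017-06-01T10:03:10 AUTH src=192.0.2.6 dport=22 result=OK
"""

# Assumed line format: "<iso-timestamp> CONN|AUTH src=<ip> dport=<port> [result=OK|FAIL]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>CONN|AUTH) src=(?P<src>[\d.]+) dport=(?P<dport>\d+)"
    r"(?: result=(?P<result>OK|FAIL))?$"
)


def parse_log(text):
    """Parse log lines into event dicts sorted by timestamp; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "kind": m["kind"],
            "src": m["src"],
            "dport": int(m["dport"]),
            "result": m["result"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_scans(events, min_ports=8, window=timedelta(seconds=60)):
    """Return {src: max distinct ports seen in any `window`} for sources reaching `min_ports`."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "CONN":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        counts = Counter()  # distinct destination ports currently inside the window
        left = 0
        for e in evs:
            counts[e["dport"]] += 1
            # Slide the left edge forward until the window fits.
            while e["ts"] - evs[left]["ts"] > window:
                old = evs[left]["dport"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged


def detect_brute_force(events, max_failures=5, window=timedelta(minutes=5)):
    """Return {(src, dport): max failures in any `window`} where failures exceed `max_failures`."""
    by_key = defaultdict(list)
    for e in events:
        if e["kind"] == "AUTH" and e["result"] == "FAIL":
            by_key[(e["src"], e["dport"])].append(e["ts"])
    flagged = {}
    for key, stamps in by_key.items():
        left = 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:
                left += 1
            n = right - left + 1
            if n > max_failures:
                flagged[key] = max(flagged.get(key, 0), n)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scan sources:", detect_scans(evs))
    print("brute-force sources:", detect_brute_force(evs))
```

Both detectors use a sliding time window rather than a flat per-day count, so a slow scan spread over hours is not confused with a fast sweep, and a user who fails twice and then logs in is not reported alongside a source that fails seven times against the same port. Thresholds and windows are the tuning knobs a SOC would adjust per environment.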
Where are the attacks coming from?
Over the past few years the locations used by attackers have changed a lot. There are many reasons for this. Among them has been the availability of resources to host command and control (C&C) servers. Globally coordinated action to take these servers down has caused attackers to move around.
France is now the country from which NTT Security detected the most attacks. 47% of the total attacks it recorded came from France. Many of these attacks were launched from systems hosted by the ISP Online SAS. However, NTT Security suggests that this may be due to attackers masking their real locations and using proxy configurations that point to Online SAS.
The Netherlands has also jumped up the list of countries into the number two spot. However, it was responsible for just 8% of recorded attacks. The disparity between it and France is marked and is the largest recorded gap between the top two countries. NTT Security only saw attacks from three IP addresses there and, unlike with France, is confident these are an accurate picture.
What does this mean?
Manufacturing is an industry that is generally risk averse. It has been slower than many industries to adopt cloud computing, preferring to keep control of its own IT assets. However, the cost of downtime to a manufacturer can be high. It is possible that many are slow to test and apply patches because they are over-cautious. This means that they are open to attack from new vulnerabilities.
This does not explain why so many systems were found to be publicly visible. With many of those systems being databases, it suggests that manufacturers have not invested in cyber security. Attackers always go after the easiest targets. This is almost certainly why manufacturing has been the number one target this quarter.
The rise of email, spam and phishing to deliver malware is in line with the findings of other security vendors. However, the 24% increase in attacks recorded by NTT Security is high. This could be down to its customer base and industries that are lacking in cyber security awareness.