Digital transformation for chiefs and owners. Volume 3. Cybersecurity. Dzhimsher Chelidze
to cybersecurity management, such as vulnerability management and upgrading software components, is also lacking in 93 percent of cases. This is despite the fact that the damage from halting business processes can be catastrophic, including damage to and destruction of equipment and man-made disasters. It is easier for companies to comply with the hackers' demands and quietly pay the ransom.
What saves us now is that it is simply unprofitable for intruders to study technological parameters and work out exactly what to change, because they can simply encrypt or steal confidential data instead. In my view, that is the key deterrent.
The general trend holds here too – attacks are becoming more complex:
– use of malicious software (71% of successful attacks);
– social engineering (about 50%);
– exploitation of software vulnerabilities (41%).
Malware itself was distributed through IT equipment (49% of cases) and e-mail (43%). Interruptions to technological and business processes occurred in 47 percent of cases, mainly because of ransomware (encryptors) and data-deletion malware (wipers). During 2022, the share of ransomware increased from 53% in the first quarter to 80% in the third. The share of wipers reached 7% (in 2021 it was 1–2%).
The growing share of vulnerability exploitation in attacks suggests that these methods are economically viable, which in itself indicates a low level of protection in industry. And it was in software and hardware products designed for industry that the most dangerous vulnerabilities were discovered and fixed in 2021.
Industrial and energy companies are aware of all the risks, but the specifics of the industry do not allow full-scale exercises that work through practical scenarios and identify unacceptable events. Therefore, cyber ranges are now emerging: virtual or augmented environments where any exercises can be conducted and the consequences assessed without the risk of breaking processes and equipment. One such example is the Standoff event organized by PT.
In general, in 2021 hackers' interest in Russia was distributed across industries as follows:
– 31% aerospace industry;
– 23% public organizations;
– 23% IT companies;
– 15% military-industrial complex;
– 8% fuel and energy complex.
As for PT statistics, in their projects from the first half of 2020 to the second half of 2021 they managed to carry out 87% of unacceptable events.
Finance
The financial sector is one of those that feel relatively well. The share of attacks on these organizations in the total number of attacks decreases from year to year. Most interestingly, there are no new groups seeking to withdraw money from banks. The reason is the maturity of the industry and the efforts of the Central Bank: regulations, investments in IT infrastructure and software, and an established exchange of information. This is understandable: if money is stolen, it is visible here and now.
Organizations are again attacked through social engineering (47%) and the use of malware (downloaders, spyware, trojans, encryptors).
Theft of confidential information and stopping key business processes (53% and 41% of cases respectively) were typical goals of attacks on banks. Theft of money accounted for 6%.
Financial institutions are now attacked with the aim of:
– obtaining a more favorable exchange rate;
– obtaining confidential information about the user and using it in other attacks by means of social engineering;
– increasing system load and causing failures in users' personal accounts.
In addition, there are still unsafe implementations of fast payment systems.
As a result, banks keep introducing new security technologies:
– tightening KYC checks (mandatory verification of the client's personal data), including developing services for checking documents (video calls with document recognition, uploading photos of documents, database checks, assessment of social activity) to understand whether a real person is behind an account;
– introducing machine learning systems to speed up, simplify and improve the retrieval of customer information and to identify and block suspicious transactions.
As a result, the number of standard web vulnerabilities is decreasing, but the number of logical vulnerabilities, on the contrary, is increasing. In many ways this is due to the development of ecosystems: the creation of ever more complex integrations, microservices, and the introduction of voice assistants and chat bots.
However, there are two negative factors that allow PT specialists to find, in every organization, vulnerabilities that let them penetrate the internal IT infrastructure. First, security patches released by software developers are often ignored by organizations' IT services and are not installed. Second, there is always the possibility of a vulnerability that is still unknown to the developers but has already been discovered by researchers working for attackers. Such vulnerabilities are called "zero-day vulnerabilities". These factors are the key to getting a hacker inside the infrastructure, so you need to learn how to spot them in time.
In total, PT specialists were able to penetrate the internal network of organizations in 86% of cases. PT researchers also gained full control over the infrastructure and carried out unacceptable events: access to bank-critical systems, treasurers' workstations, and money exchange servers. In total, PT experts managed to carry out more than 70% of unacceptable events in each financial institution.
As a result, extortionists will continue their attacks on banks. So far, these attacks are easier to execute and cumulatively bring more profit than attempts to withdraw a large sum of money from accounts. However, one of the main targets of hackers will now be bank clients who use online banking. According to the Central Bank of Russia, in 2020, 75% of adults used online banking. Therefore, hackers will continue to develop the compromise of banking applications, and social engineering techniques will remain in use.
The main method is phishing – it accounts for 60% of attacks. Hackers were happy to take out loans in other people's names, including those of foreign companies, which now need to repay these loans.
As a result, while it was previously profitable to attack companies with the aim of stealing money from accounts, the work done by the regulator and the development of protection systems have reduced the attractiveness of financial companies: attacks on them require too much competence and technical equipment. Industry, however, is the opposite. There, hackers are interested in data about clients, internal users and any information that relates to trade secrets.
Again, this leads to an increase in attacks on confidential data (from 12% to 20%). Personal data (32%), credentials (20%) and medical information (9%) are also popular.
In general, 14% of attacks were directed at private individuals, and 88% of those were carried out through social engineering. The ultimate goal in 66% of cases was credentials and personal data.
To close the chapter, I will give a few more examples of the most high-profile attacks of 2022 on organizations from the commercial sector:
– The Lapsus$ group hacked a number of large IT companies. The first to be attacked was Okta, which develops solutions for account and access management, including multi-factor authentication support. Then GPU developer Nvidia was attacked, resulting in the theft of 1 TB of data, including video card driver source code and software signing certificates. The stolen Nvidia certificates were used to distribute malware. In March, the criminals managed to hack Microsoft and Samsung, stealing the source code of some products.
– The Swiss airline company Swissport, which operates at 310 airports in 50 countries,