Chennai, NFAPost: Global Cyber Security Major K7 Computing’s, Cyber Threat Monitor Report, which provides deep and comprehensive analysis of the cyberattack landscape in India, reports that Chennai recorded the highest number of cyberattacks in the country during the Q4 2019-20 analysis.
The report analysed various cyberattacks within India during the period and found that threat actors targeted Chennai with a variety of attacks aimed at exploiting user trust and enterprise vulnerabilities.
The report has come up with a quantity called “Infection Rate” to highlight high-risk areas. The “Infection Rate” (IR) of an area is calculated as the proportion, as a percentage, of K7 users in that area who encountered at least one cyber threat event which was blocked and reported to K7 Ecosystem Threat Intelligence infrastructure. The higher the IR, the greater the proportion of users who encountered at least one cyber threat event, and therefore the higher the exposure of netizens of that area to cyber risk
The infection rate in Chennai stood at 42%, followed by Patna at 38% and Bengaluru, Hyderabad and Kolkata at 35% each.
K7 Computing’s Cyber Threat Monitor Report found that among Tier-I cities, Chennai, Bengaluru, Hyderabad and Kolkata recorded the highest rate of infections, while among the Tier-II cities, Patna registered the highest infection rate at 38% followed by Guwahati, Jammu and Bhubaneswar.
These attacks were designed to exploit user trust and scam people for financial gains. In Tier-I cities, threat actors predominantly targeted SMEs by exploiting vulnerabilities caused by the sudden shift to working from home and SMEs still being ill-equipped to handle cyberattacks. However, the report found that there was an 8% decrease in the overall rate of cyber-attacks in the country during the Q4 in comparison to the previous quarter.
Threat actors continued to exploit vulnerabilities in outdated software and operating systems in this quarter. Windows XP and Windows 7 were the most at risk as Microsoft has stopped providing updates and patches to these versions.
The report revealed that attacks by rootkits like Curveball, Remote Code Execution, phishing attacks based on Covid-19 trends, and DOS attacks were popular. Complex USB attacks also saw an increase; popular among these were crypto-mining malware.
Commenting on the report, K7 Computing founder and CEO J Kesavardhanan said SMEs and SOHOs must invest more in ensuring the safety of their IT infrastructure.
“We are seeing an increasing trend of threat actors targeting enterprises with complex viruses, Trojans, and even ransomware. On an individual level, the current risks facing users are fake apps, Covid-19 apps infected with malware, and phishing attacks. The most worrying of all is the new trend of many advanced threat actors offering malware as a service to cybercriminals,” said J Kesavardhanan, founder and CEO of K7 Computing.
Experts at K7 Labs predict that the number of Covid-19 themed attacks and complex Trojan attacks will continue to increase in the next quarter. This will be further exacerbated by the increase in threats from amateur attackers who purchase malware-related services to launch attacks at various individual and enterprise targets. To help mitigate these threats, experts at K7 Computing advise netizens to keep their systems updated with the latest patches, avoid using pirated software, install and use a reputed antivirus product, and practise proper digital hygiene.
Interestingly, the Tier-2 cities such as Patna, Guwahati, Lucknow, and Bhubaneswar weren’t any safer than Tier-1 cities. In fact, on average, they seem to be worse off. Could that be due to an awareness gap about cybersecurity? Patna experienced the highest percentile of cyberattacks during the period, identical to Chennai, and more than Hyderabad, Bengaluru, Mumbai, and Delhi.
Other Key Findings from the Study
· A high-risk read/include vulnerability, CVE-2020-1938, has been discovered in Apache Jserv Protocol (AJP) of Apache Tomcat between versions 6.x and 9.x
· CVE-2020-3142 is a newly discovered vulnerability that lets a user join a password-protected meeting without a password in Webex, the Cisco-owned video conferencing platform that caters to many of the most prominent enterprises from all over the world
· A Windows-based vulnerability that made it to the headlines is SMBGhost aka Eternal Darkness, a remotely exploitable vulnerability that is capable of exploiting a flaw found in Windows System Message Block version 3’s file-sharing protocol
· The three most prevalent Windows threats Adw.Dealply.91, Wrm.Gamarue.LNK, and Trj.ByteFence have recorded a presence of 17%, 16%, and 13% respectively
· SMB-based vulnerabilities continue to be the most exploited type by malware operators this quarter
Danger in the Internet of Things
· Modern IoT gadgets are riddled with flaws and vulnerabilities which invite threat actors to attack
· Many enterprises, irrespective of their size, are more likely to overlook IoT related security compared to other connected devices
· Popular Wi-Fi chipsets from Broadcom and Cypress have been affected by a vulnerability that allows unauthorised decryption of WPA2-encrypted traffic. It is believed that more than a billion devices could be exploited by this vulnerability
· The number of Trojan infections has increased by 14%
· Threat actors are increasingly rolling out complex Trojan-based apps that steal victims’ banking credentials
· The notorious Operation Cerberus banking Trojan was primarily seen targeting Indian banking users
· Many Potentially Unwanted Programs (PUPs) and adware were found, compared to malicious Trojans
· The frequency of adware has reduced by 9%, while PUPs and Trojans have shot up by 2% and 7% respectively
· Among the PUPs, MacKeeper topped the chart with a presence of 85% implying that most macOS users have been targeted by this infamous PUP
Two case studies the report observed recently to illustrate how adversaries are exploiting vulnerabilities and weaknesses to deploy lethal attacks.
Case Study 1: Logical Weaknesses of a WebLogic Server
The first case study as part of K7 Computing Cyber Threat Monitor Report finds that the attacker penetrated the network by exploiting a remote code execution vulnerability (CVE-2019-2725) in Oracle WebLogic Server (versions 10.3.60. and 220.127.116.11). Our analysis revealed that the system admin had skipped installing the required patch which Oracle had rolled out on 26 April 2019.
The vulnerability allows unauthenticated, remote code execution in the network, meaning that a hacker who successfully exploits the weakness would be able to control the device on the network from a remote location. The detailed attack process is as follows.
Case Study 2: The Myth of Being Secure
K7 Computing’s second cyber breach scenario, we tell you an even more scary story. Installing up-to-date security software in every system intertwined on a network comes under the basics of cybersecurity. Skipping such measures can make your network vulnerable to a myriad of cyberattacks, and so it happened in the case of the victim network we are presently discussing.
In this case, the security software repetitively detected and deleted coinmining malware, which subsequently reappeared. During the initial investigation, the report finds an unprotected internet-facing system existing on the network. The attacker compromised the system remotely and used it as a Launchpad to attempt to contaminate other protected systems on the network.
• The administrator should actively patch their OS and applications. (NB: CVE-2019-2725 is a critical bug with a high severity CVSS rating of 9.8/10 which means it must be patched ASAP).
• The administrator should not be lax in monitoring system logs and security notifications, especially about malware detected on the network.
• The administrator should not assume that the network won’t be hacked because it doesn’t hold any significant data that might interest malicious actors. Many attack tactics are automated and are not a targeted attack on a specific entity, so anyone with an unpatched vulnerability is a potential victim or collateral damage.
• Availability of off-the-shelf attack-tool packages and network enumeration tools make it essential for admins to monitor and filter data coming in and out of each system.
• The second case study reminds us of the adage: “All of us are safe or none of us are”. Having even a single unprotected system in the same network environment as the other critical systems is asking for trouble.