These things may be cool, but are they safe? – 10 minute mail

In the rush to embrace IoT devices, we shouldn’t trade in our privacy and security for the added convenience

Ours is an interconnected world. We have smart doorbells, so we can check on our smartphones who rang, smartwatches to track our children’s’ locations, and fitness trackers to see how we are doing with our physical health. The Internet of Things revolution has even swept our households with a whole range of smart home appliances ranging from smart tea kettles to smart washing machines to smart fridges.

All of this makes life easier, but it doesn’t necessarily mean that it makes our life more secure. Being able to manage most of your household from your smartphone may be convenient, but are the gadgets you choose safe? Here are some of the Internet of Things (IoT) gizmos that may, for convenience’s sake, infringe on your privacy.

Child trackers and watches

The priority of any parent is to keep their children safe. In a bid to keep track of their offspring in a steadily more digitized world, some parents opt for smartwatches with tracking capabilities, so they can see where their little ones are if they go out on a playdate, and even communicate with them if need be. But not all kid trackers are a great choice – if you want to buy an off-brand smartwatch, you should most definitely be picky about what you’re choosing.

Unfortunately, manufacturers may have gaping holes in, for example, the security of their servers … and that could inadvertently put your children at risk instead of keeping them safe. Case in point:  with one smartwatch model, researchers were able to access the location, phone number, photos, and conversations of well over 5,000 children, due to the manufacturer not securing their servers properly. By no means is that an isolated case, children’s smartwatches have raised privacy concerns before, in fact, the European Commission even ordered a recall of one such product.

Smart doorbells

These days, you needn’t even get up from your bed or couch to see who’s at the door or even to open it. Well, that’s the convenience a smart doorbell in combination with a smart lock affords you; you can just check from your smartphone. You might think that the convenience is usually worth the price, with an extra safety boon that some doorbells record all of the movement that takes place in front of them.

While everyone can appreciate the effort to keep your family and home safe, you have to do your due diligence on smart doorbells before buying one. For example, researchers have found that some smart doorbells perform unexpected tasks. One particular model uploaded snapshots every time someone moved in front of them; you’d think that was normal but, curiously, there was no way to access these snapshots or find out where they were being uploaded. It’s better to thoroughly research what you are buying so you reduce the odds of being the one that’s eventually spied upon.

Cheap smart security cameras

Keeping up with the security theme, another popular type of IoT device is the smart security camera. People tend to install them to keep track of what is happening inside and outside of their homes or small businesses. Since they are IoT devices, logically they are connected to the internet and their safety depends solely on how well the connection and the data are secured. If a cybercriminal is able to hack the device and gain remote access to it, they have a direct feed into your home, which is safe to say the worst-case scenario.

Unfortunately, cheap IP camera models aimed at protecting your family and belongings are among the most-hacked devices. And since cheap devices are manufactured in a similar manner, they share similar vulnerabilities. It isn’t just direct attacks customers should worry about, but bugs as well. One such bug in a Xiaomi device shared random images from strangers’ homes with other camera owners.

Smart home hubs

The smart home hub is at the center of your connected home devices — metaphorically speaking, we can call it the brain of the whole operation. It unifies all of the IoT devices under it – such as your security cameras, your smart doorbell, lights, and whatever other smart gadgets – and helps control them from one convenient place. And smart hubs aren’t just used to monitor and control smart homes, but they’re used to control environments in businesses as well.

By now you may have an inkling of where this is going. If a vulnerability is found and exploited it could mean that the bad actors could gain full access to devices in these monitored systems and to the sensitive data they contain. ESET IoT Research has found numerous serious vulnerabilities in three hubs, some of which would open up their systems to attack.

Final thoughts

If you are in the market for IoT devices that will make your life easier and more convenient, there are a number of rules that you should follow:

  • Before purchasing anything, always do your research. Read up on the device you’re thinking of buying, consider reading user reviews, and see if they can be trusted. Search Google for the brand name, and even the model name, together with “security vulnerability” or a similar word combination. If there were any security issues, confirm that they have been resolved and no longer affect the device.
  • Refrain from buying off-brand devices, if you cannot verify how they secure your data or where they upload it. Saving on a device may come at a heftier cost later on, such as your data being stolen.
  • Once you purchase a device, always update its firmware to the newest possible version. If a patch is released, install it immediately, since they are usually aimed at making your device more secure. If you don’t: hackers can exploit vulnerabilities to access your devices, something that you might have prevented if you had installed the patch that addresses these issues.



Amer Owaida


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

IT threat evolution Q1 2020. Statistics – 10 minute mail

These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network,

  • Kaspersky solutions blocked 726,536,269 attacks launched from online resources in 203 countries across the globe.
  • A total of 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 249,748 unique users.
  • Ransomware attacks were defeated on the computers of 178,922 unique users.
  • Our File Anti-Virus detected 164,653,290 unique malicious and potentially unwanted objects.
  • Kaspersky products for mobile devices detected:
    • 1,152,662 malicious installation packages
    • 42,115 installation packages for mobile banking trojans
    • 4339 installation packages for mobile ransomware trojans

Mobile threats

Quarter events

Q1 2020 will be remembered primarily for the coronavirus pandemic and cybercriminals’ exploitation of the topic. In particular, the creators of a new modification of the Ginp banking trojan renamed their malware Coronavirus Finder and then began offering it for €0.75 disguised as an app supposedly capable of detecting nearby people infected with COVID-19. Thus, the cybercriminals tried not only to scam users by exploiting hot topics, but to gain access to their bank card details. And, because the trojan remains on the device after stealing this data, the cybercriminals could intercept text messages containing two-factor authorization codes and use the stolen data without the victim’s knowledge.

Another interesting find this quarter was Cookiethief, a trojan designed to steal cookies from mobile browsers and the Facebook app. In the event of a successful attack, the malware provided its handler with access to the victim’s account, including the ability to perform various actions in their name, such as liking, reposting, etc. To prevent the service from spotting any abnormal activity in the hijacked profile, the trojan contains a proxy module through which the attackers issue commands.

The third piece of malware that caught our attention this reporting quarter was trojan-Dropper.AndroidOS.Shopper.a. It is designed to help cybercriminals to leave fake reviews and drive up ratings on Google Play. The attackers’ goals here are obvious: to increase the changes of their apps getting published and recommended, and to lull the vigilance of potential victims. Note that to rate apps and write reviews, the trojan uses Accessibility Services to gain full control over the other app: in this case, the official Google Play client.

Mobile threat statistics

In Q1 2020, Kaspersky’s mobile products and technologies detected 1,152,662 malicious installation packages, or 171,669 more than in the previous quarter.

Number of malicious installation packages detected, Q1 2019 – Q1 2020 (download)

Starting in Q2 2019, we have seen a steady rise in the number of mobile threats detected. Although it is too early to sound the alarm (2019 saw the lowest number of new threats in recent years), the trend is concerning.

Distribution of detected mobile apps by type

Distribution of newly detected mobile programs by type, Q1 2020 and Q4 2019 (download)

Of all the threats detected in Q1, half were unwanted adware apps (49.9%), their share having increased by 19 p.p. compared to the previous quarter. Most often, we detected members of the HiddenAd and Ewind families, with a combined slice of 40% of all detected adware threats, as well as the FakeAdBlocker family (12%).

Potentially unwanted RiskTool apps (28.24%) took second place; the share of this type of threat remained almost unchanged. The Smsreg (49% of all detected threats of this class), Agent (17%) and Dnotua (11%) families were the biggest contributors. Note that in Q1, the number of detected members of the Smsreg family increased by more than 50 percent.

In third place were Trojan-Dropper-type threats (9.72%). Although their share decreased by 7.63 p.p. against the previous quarter, droppers remain one of the most common classes of mobile threats. Ingopack emerged as Q1’s leading family with a massive 71% of all Trojan-Dropper threats, followed by Waponor (12%) and Hqwar (8%) far behind.

It is worth noting that mobile droppers are most often used for installing financial malware, although some financial threats can spread without their help. The share of these self-sufficient threats is quite substantial: in particular, the share of Trojan-Banker in Q1 increased by 2.1 p.p. to 3.65%.

Top 20 mobile malware programs

Note that this malware rankings do not include potentially dangerous or unwanted programs such as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 44.89
2 Trojan.AndroidOS.Boogr.gsh 9.09
3 DangerousObject.AndroidOS.GenericML 7.08
4 Trojan-Downloader.AndroidOS.Necro.d 4.52
5 Trojan.AndroidOS.Hiddapp.ch 2.73
6 Trojan-Downloader.AndroidOS.Helper.a 2.45
7 Trojan.AndroidOS.Handda.san 2.31
8 Trojan-Dropper.AndroidOS.Necro.z 2.30
9 Trojan.AndroidOS.Necro.a 2.19
10 Trojan-Downloader.AndroidOS.Necro.b 1.94
11 Trojan-Dropper.AndroidOS.Hqwar.gen 1.82
12 Trojan-Dropper.AndroidOS.Helper.l 1.50
13 Exploit.AndroidOS.Lotoor.be 1.46
14 Trojan-Dropper.AndroidOS.Lezok.p 1.46
15 Trojan-Banker.AndroidOS.Rotexy.e 1.43
16 Trojan-Dropper.AndroidOS.Penguin.e 1.42
17 Trojan-SMS.AndroidOS.Prizmes.a 1.39
18 Trojan.AndroidOS.Dvmap.a 1.24
19 Trojan.AndroidOS.Agent.rt 1.21
20 Trojan.AndroidOS.Vdloader.a 1.18

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products that were attacked.

First place in our Top 20 as ever went to DangerousObject.Multi.Generic (44.89%), the verdict we use for malware detected using cloud technology. They are triggered when the antivirus databases still lack the data for detecting a malicious program, but the Kaspersky Security Network cloud already contains information about the object. This is basically how the latest malware is detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.09%) and DangerousObject.AndroidOS.GenericML (7,08%) respectively. These verdicts are assigned to files that are recognized as malicious by our machine-learning systems.

In fourth (Trojan-Downloader.AndroidOS.Necro.d, 4.52%) and tenth (Trojan-Downloader.AndroidOS.Necro.b, 1.94%) places are members of the Necro family, whose main task is to download and install modules from cybercriminal servers. Eighth-placed Trojan-Dropper.AndroidOS.Necro.z (2.30%) acts in a similar way, extracting from itself only those modules that it needs. As for Trojan.AndroidOS.Necro.a, which took ninth place (2.19%), cybercriminals assigned it a different task: the trojan follows advertising links and clicks banner ads in the victim’s name.

Trojan.AndroidOS.Hiddapp.ch (2.73%) claimed fifth spot. As soon as it runs, the malware hides its icon on the list of apps and continues to operate in the background. The trojan’s payload can be other trojan programs or adware apps.

Sixth place went to Trojan-Downloader.AndroidOS.Helper.a (2.45%), which is what Trojan-Downloader.AndroidOS.Necro usually delivers. Helper.a is tasked with downloading arbitrary code from the cybercriminals’ server and running it.

The verdict Trojan.AndroidOS.Handda.san (2.31%) in seventh place is a group of diverse trojans that hide their icons, gain Device Admin rights on the device, and use packers to evade detection.

Trojan-Banker.AndroidOS.Rotexy.e (1.43%) and Trojan-Dropper.AndroidOS.Penguin.e (1.42%) warrant a special mention. The former is the only banking trojan in the top 20 this past quarter. The Rotexy family is all of six years old, and its members have the functionality to steal bank card details and intercept two-factor payment authorization messages. In turn, the first member of the Penguin dropper family was only detected last July and had gained significant popularity by Q1 2020.

Geography of mobile threats

 

Map of infection attempts by mobile malware, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile threats

Country* %**
1 Iran 39.56
2 Algeria 21.44
3 Bangladesh 18.58
4 Nigeria 15.58
5 Lebanon 15.28
6 Tunisia 14.94
7 Pakistan 13.99
8 Kuwait 13.91
9 Indonesia 13.81
10 Cuba 13.62

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky mobile products in the country.

In Q1 2020, the leader by share of attacked users was Iran (39.56%). Inhabitants of this country most frequently encountered adware apps from the Notifyer family, as well as Telegram clone apps. In second place was Algeria (21.44%), where adware apps were also distributed, but this time it was the HiddenAd and FakeAdBlocker families. Third place was taken by Bangladesh (18.58%), where half of the top 10 mobile threats consisted of adware in the HiddenAd family.

Mobile banking trojans

During the reporting period, we detected 42,115 installation packages of mobile banking trojans. This is the highest value in the past 18 months, and more than 2.5 times higher than in Q4 2019. The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Agent (42.79% of all installation packages detected), Trojan-Banker.AndroidOS.Wroba (16.61%), and Trojan-Banker.AndroidOS.Svpeng (13.66%) families.

Number of installation packages of mobile banking trojans detected by Kaspersky, Q1 2019 – Q1 2020 (download)

Top 10 mobile banking trojans

  Verdict %*
1 Trojan-Banker.AndroidOS.Rotexy.e 13.11
2 Trojan-Banker.AndroidOS.Svpeng.q 10.25
3 Trojan-Banker.AndroidOS.Asacub.snt 7.64
4 Trojan-Banker.AndroidOS.Asacub.ce 6.31
5 Trojan-Banker.AndroidOS.Agent.eq 5.70
6 Trojan-Banker.AndroidOS.Anubis.san 4.68
7 Trojan-Banker.AndroidOS.Agent.ep 3.65
8 Trojan-Banker.AndroidOS.Asacub.a 3.50
9 Trojan-Banker.AndroidOS.Asacub.ar 3.00
10 Trojan-Banker.AndroidOS.Agent.cf 2.70

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by banking threats.

First and second places in our top 10 were claimed by trojans targeted at Russian-speaking mobile users: Trojan-Banker.AndroidOS.Rotexy.e (13.11%) and Trojan-Banker.AndroidOS.Svpeng.q (10.25%).

Third, fourth, eighth, and ninth positions in the top 10 mobile banking threats went to members of the Asacub family. The cybercriminals behind this trojan stopped creating new samples, but its distribution channels were still active in Q1.

Geography of mobile banking threats, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile banking trojans

Country* %**
1 Japan 0.57
2 Spain 0.48
3 Italy 0.26
4 Bolivia 0.18
5 Russia 0.17
6 Turkey 0.13
7 Tajikistan 0.13
8 Brazil 0.11
9 Cuba 0.11
10 China 0.10

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked by mobile banking trojans as a percentage of all users of Kaspersky mobile products in the country.

In Q1 2020, Japan (0.57%) had the largest share of users attacked by mobile bankers; the vast majority of cases involved Trojan-Banker.AndroidOS.Agent.eq.

In second place came Spain (0.48%), where in more than half of all cases, we detected malware from the Trojan-Banker.AndroidOS.Cebruser family, and another quarter of detections were members of the Trojan-Banker.AndroidOS.Ginp family.

Third place belonged to Italy (0.26%), where, as in Spain, the Trojan-Banker.AndroidOS.Cebruser family was the most widespread with almost two-thirds of detections.

It is worth saying a bit more about the Cebruser family. Its creators were among the first to exploit the coronavirus topic to spread the malware.

When it runs, the trojan immediately gets down to business: it requests access to Accessibility Services to obtain Device Admin permissions, and then tries to get hold of card details.

The malware is distributed under the Malware-as-a-Service model; its set of functions is standard for such threats, but with one interesting detail — the use of a step-counter for activation so as to bypass dynamic analysis tools (sandbox). Cebruser targets the mobile apps of banks in various countries and popular non-financial apps; its main weapons are phishing windows and interception of two-factor authorization. In addition, the malware can block the screen using a ransomware tool and intercept keystrokes on the virtual keyboard.

Mobile ransomware trojans

In Q2 2020, we detected 4,339 installation packages of mobile trojan ransomware, 1,067 fewer than in the previous quarter.

Number of installation packages of mobile ransomware trojans detected by Kaspersky, Q1 2019 – Q1 2020 (download)

Top 10 mobile ransomware trojans

Verdict %*
1 Trojan-Ransom.AndroidOS.Svpeng.aj 17.08
2 Trojan-Ransom.AndroidOS.Congur.e 12.70
3 Trojan-Ransom.AndroidOS.Small.as 11.41
4 Trojan-Ransom.AndroidOS.Rkor.k 9.88
5 Trojan-Ransom.AndroidOS.Small.as 7.32
6 Trojan-Ransom.AndroidOS.Small.o 4.79
7 Trojan-Ransom.AndroidOS.Svpeng.aj 3.62
8 Trojan-Ransom.AndroidOS.Svpeng.ah 3.55
9 Trojan-Ransom.AndroidOS.Congur.e 3.32
10 Trojan-Ransom.AndroidOS.Fusob.h 3.17

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by ransomware trojans.

Over the past few quarters, the number of ransomware trojans detected has been gradually decreasing; all the same, we continue to detect quite a few infection attempts by this class of threats. The main contributors to the statistics were the Svpeng, Congur, and Small ransomware families.

Geography of mobile ransomware trojans, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile ransomware trojans:

Country* %**
1 USA 0.26
2 Kazakhstan 0.25
3 Iran 0.16
4 China 0.09
5 Saudi Arabia 0.08
6 Italy 0.03
7 Mexico 0.03
8 Canada 0.03
9 Indonesia 0.03
10 Switzerland 0.03

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked by mobile ransomware trojans as a percentage of all users of Kaspersky mobile products in the country.

The leaders by number of users attacked by mobile ransomware trojans are Syria (0.28%), the United States (0.26%) and Kazakhstan (0.25%)

Attacks on Apple macOS

In Q1 2020, we detected not only new versions of common threats, but one new backdoor family, whose first member was Backdoor.OSX.Capip.a. The malware’s operating principle is simple: it calls the C&C for a shell script, which it then downloads and executes.

Top 20 threats to macOS

Verdict %*
1 Trojan-Downloader.OSX.Shlayer.a 19.27
2 AdWare.OSX.Pirrit.j 10.34
3 AdWare.OSX.Cimpli.k 6.69
4 AdWare.OSX.Ketin.h 6.27
5 AdWare.OSX.Pirrit.aa 5.75
6 AdWare.OSX.Pirrit.o 5.74
7 AdWare.OSX.Pirrit.x 5.18
8 AdWare.OSX.Spc.a 4.56
9 AdWare.OSX.Cimpli.f 4.25
10 AdWare.OSX.Bnodlero.t 4.08
11 AdWare.OSX.Bnodlero.x 3.74
12 Hoax.OSX.SuperClean.gen 3.71
13 AdWare.OSX.Cimpli.h 3.37
14 AdWare.OSX.Pirrit.v 3.30
15 AdWare.OSX.Amc.c 2.98
16 AdWare.OSX.MacSearch.d 2.85
17 RiskTool.OSX.Spigot.a 2.84
18 AdWare.OSX.Pirrit.s 2.80
19 AdWare.OSX.Ketin.d 2.76
20 AdWare.OSX.Bnodlero.aq 2.70

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked

The top 20 threats for macOS did not undergo any major changes in Q1 2020. The adware trojan Shlayer.a (19.27%) still tops the leaderboard, followed by objects that Shlayer itself loads into the infected system, in particular, numerous adware apps from the Pirrit family.

Interestingly, the unwanted program Hoax.OSX.SuperClean.gen landed in 12th place on the list. Like other Hoax-type programs, it is distributed under the guise of a system cleanup app, and immediately after installation, scares the user with problems purportedly found in the system, such as gigabytes of trash on the hard drive.

Threat geography

Country* %**
1 Spain 7.14
2 France 6.94
3 Italy 5.94
4 Canada 5.58
5 USA 5.49
6 Russia 5.10
7 India 4.88
8 Mexico 4.78
9 Brazil 4.65
10 Belgium 4.65

* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000)
** Unique users who encountered macOS threats as a percentage of all users of Kaspersky security solutions for macOS in the country.

The leading countries, as in previous quarters, were Spain (7.14%), France (6.94%) and Italy (5.94%). The main contributors to the number of detections in these countries were the familiar Shlayer trojan and adware apps from the Pirrit family.

IoT attacks

IoT threat statistics

In Q1 2020, the share of IP addresses from which attempts were made to attack Kaspersky telnet traps increased significantly. Their share amounted to 81.1% of all IP addresses from which attacks were carried out, while SSH traps accounted for slightly less than 19%.

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2020

It was a similar situation with control sessions: attackers often controlled infected traps via telnet.

Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2020

Telnet-based attacks

 

Geography of device IP addresses where attacks at Kaspersky telnet traps originated, Q1 2020 (download)

Top 10 countries by location of devices from which attacks were carried out on Kaspersky telnet traps.

Country* %
China 13.04
Egypt 11.65
Brazil 11.33
Vietnam 7.38
Taiwan 6.18
Russia 4.38
Iran 3.96
India 3.14
Turkey 3.00
USA 2.57

 
For several quarters in a row, the leading country by number of attacking bots has been China: in Q1 2020 its share stood at 13.04%. As before, it is followed by Egypt (11.65%) and Brazil (11.33%).

SSH-based attacks

 

Geography of device IP addresses where attacks at Kaspersky SSH traps originated, Q1 2020 (download)

Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps.

Country* %
China 14.87
Vietnam 11.58
USA 7.03
Egypt 6.82
Brazil 5.79
Russia 4.66
India 4.16
Germany 3.64
Thailand 3.44
France 2.83

In Q1 2020, China (14.87%), Vietnam (11.58%) and the US (7.03%) made up the top three countries by number of unique IPs from which attacks on SSH traps originated.

Threats loaded into honeypots

Verdict %*
Trojan-Downloader.Linux.NyaDrop.b 64.35
Backdoor.Linux.Mirai.b 16.75
Backdoor.Linux.Mirai.ba 6.47
Backdoor.Linux.Gafgyt.a 4.36
Backdoor.Linux.Gafgyt.bj 1.30
Trojan-Downloader.Shell.Agent.p 0.68
Backdoor.Linux.Mirai.c 0.64
Backdoor.Linux.Hajime.b 0.46
Backdoor.Linux.Mirai.h 0.40
Backdoor.Linux.Gafgyt.av 0.35

* Share of malware type in the total amount of malware downloaded to IoT devices following a successful attack.

In Q1 2020, attackers most often downloaded the minimalistic trojan loader NyaDrop (64.35%), whose executable file does not exceed 500 KB. Threats from the Mirai family traditionally dominated: its members claimed four places in our top 10. These malicious programs will continue to rule the world of IoT threats for a long time to come, at least until the appearance of a more advanced (and publicly available) DDoS bot.

Financial threats

Financial threat statistics

In Q1 2020, Kaspersky solutions blocked attempts to launch one or several types of malware designed to steal money from bank accounts on the computers of 249,748 users.

Number of unique users attacked by financial malware, Q1 2020 (download)

Attack geography

To assess and compare the risk of being infected by banking trojans and ATM/POS malware in various countries, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks, Q1 2020 (download)

Top 10 countries by share of attacked users

Country* %**
1 Uzbekistan 10.5
2 Tajikistan 6.9
3 Turkmenistan 5.5
4 Afghanistan 5.1
5 Yemen 3.1
6 Kazakhstan 3.0
7 Guatemala 2.8
8 Syria 2.4
9 Sudan 2.1
10 Kyrgyzstan 2.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

Top 10 banking malware families

Name Verdicts %*
1 Emotet Backdoor.Win32.Emotet 21.3
2 Zbot Trojan.Win32.Zbot 20.8
3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 17.2
4 RTM Trojan-Banker.Win32.RTM 12.3
5 Nimnul Virus.Win32.Nimnul 3.6
6 Trickster Trojan.Win32.Trickster 3.6
7 Neurevt Trojan.Win32.Neurevt 3.3
8 SpyEye Trojan-Spy.Win32.SpyEye 2.3
9 Danabot Trojan-Banker.Win32.Danabot 2.0
10 Nymaim Trojan.Win32.Nymaim 1.9

** Unique users attacked by this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Quarterly highlights

Ransomware attacks on organizations, as well as on city and municipal networks, did not ease off. Given how lucrative they are for cybercriminals, there is no reason why this trend of several years should cease.

More and more ransomware is starting to supplement encryption with data theft. To date, this tactic has been adopted by distributors of ransomware families, including Maze, REvil/Sodinokibi, DoppelPaymer and JSWorm/Nemty/Nefilim. If the victim refuses to pay the ransom for decryption (because, say, the data was recovered from a backup copy), the attackers threaten to put the stolen confidential information in the public domain. Such threats are sometimes empty, but not always: the authors of several ransomware programs have set up websites that do indeed publish the data of victim organizations.

Number of new modifications

In Q1 2020, we detected five new ransomware families and 5,225 new modifications of these malware programs.

Number of new ransomware modifications detected, Q1 2019 – Q1 2020 (download)

Number of users attacked by ransomware trojans

In Q1 2020, Kaspersky products and technologies protected 178,922 users from ransomware attacks.

Number of unique users attacked by ransomware trojans, Q1 2020 (download)

Attack geography

 

Geography of attacks by ransomware trojans, Q1 2020 (download)

Top 10 countries attacked by ransomware trojans

Country* %**
1 Bangladesh 6.64
2 Uzbekistan 1.98
3 Mozambique 1.77
4 Ethiopia 1.67
5 Nepal 1.34
6 Afghanistan 1.31
7 Egypt 1.21
8 Ghana 0.83
9 Azerbaijan 0.81
10 Serbia 0.74

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware trojans

Name Verdicts %*
1 WannaCry Trojan-Ransom.Win32.Wanna 19.03
2 (generic verdict) Trojan-Ransom.Win32.Gen 16.71
3 (generic verdict) Trojan-Ransom.Win32.Phny 16.22
4 GandCrab Trojan-Ransom.Win32.GandCrypt 7.73
5 Stop Trojan-Ransom.Win32.Stop 6.62
6 (generic verdict) Trojan-Ransom.Win32.Encoder 4.28
7 (generic verdict) Trojan-Ransom.Win32.Crypren 4.15
8 PolyRansom/VirLock Virus.Win32.PolyRansom,

Trojan-Ransom.Win32.PolyRansom

2.96
9 Crysis/Dharma Trojan-Ransom.Win32.Crusis 2.02
10 (generic verdict) Trojan-Ransom.Win32.Generic 1.56

* Unique Kaspersky users attacked by the specified family of ransomware trojans as a percentage of all users attacked by ransomware trojans.

Miners

Number of new modifications

In Q1 2020, Kaspersky solutions detected 192,036 new miner modifications.

Number of new miner modifications, Q1 2020 (download)

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 518,857 unique users of Kaspersky Lab products worldwide.

Number of unique users attacked by miners, Q1 2020 (download)

Attack geography

 

Geography of miner attacks, Q1 2020 (download)

Top 10 countries attacked by miners

Country* %**
1 Afghanistan 6.72
2 Ethiopia 4.90
3 Tanzania 3.26
4 Sri Lanka 3.22
5 Uzbekistan 3.10
6 Rwanda 2.56
7 Vietnam 2.54
8 Kazakhstan 2.45
9 Mozambique 1.96
10 Pakistan 1.67

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

We already noted that Microsoft Office vulnerabilities are the most common ones. Q1 2020 was no exception: the share of exploits for these vulnerabilities grew to 74.83%. The most popular vulnerability in Microsoft Office was CVE-2017-11882, which is related to a stack overflow error in the Equation Editor component. Hard on its heels was CVE-2017-8570, which is used to embed a malicious script in an OLE object inside an Office document. Several other vulnerabilities, such as CVE-2018-0802 and CVE-2017-8759, were also popular with attackers. In the absence of security updates for Microsoft Office, these vulnerabilities are successfully exploited and the user’s system becomes infected.

In second place were exploits for vulnerabilities in Internet browsers (11.06%). In Q1, cybercriminals attacked a whole host of browsers, including Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox. What’s more, some of the vulnerabilities were used in APT attacks, such as CVE-2020-0674, which is associated with the incorrect handling of objects in memory in an outdated version of the JScript scripting engine in Internet Explorer, leading to code execution. Another example is the previously identified CVE-2019-17026, a data type mismatch vulnerability in Mozilla Firefox’s JIT compiler, which also leads to remote code execution. In the event of a successful attack, both browser exploits cause a malware infection. The researchers also detected a targeted attack against Google Chrome exploiting the RCE vulnerability CVE-2020-6418 in the JavaScript engine; in addition, the dangerous RCE vulnerability CVE-2020-0767 was detected in a component of the ChakraCore scripting engine used by Microsoft Edge. Although modern browsers have their own protection mechanisms, cybercriminals are forever finding ways around them, very often using chains of exploits to do so. Therefore, it is vital to keep the operating system and software up to date at all times.

Distribution of exploits used in attacks by type of application attacked, Q1 2020 (download)

This quarter, a wide range of critical vulnerabilities were detected in operating systems and their components.

  • CVE-2020-0601 is a vulnerability that exploits an error in the core cryptographic library of Windows, in a certificate validation algorithm that uses elliptic curves. This vulnerability enables the use of fake certificates that the system recognizes as legitimate.
  • CVE-2020-0729 is a vulnerability in processing LNK files in Windows, which allows remote code execution if the user opens a malicious shortcut.
  • CVE-2020-0688 is the result of a default configuration error in Microsoft Exchange Server, whereby the same cryptographic keys are used to sign and encrypt serialized ASP.NET ViewState data, enabling attackers to execute their own code on the server side with system rights.

Various network attacks on system services and network protocols were as popular as ever with attackers. We continue to detect attempts at exploiting vulnerabilities in the SMB protocol using EternalBlue, EternalRomance and similar sets of exploits. In Q1 2020, the new vulnerability CVE-2020-0796 (SMBGhost) was detected in the SMBv3 network protocol, leading to remote code execution, in which regard the attacker does not even need to know the username/password combination (since the error occurs before the authentication stage); however, it is present only in Windows 10. In Remote Desktop Gateway there were found two critical vulnerabilities (CVE-2020-0609 and CVE-2020-0610) enabling an unauthorized user to execute remote code in the target system. In addition, there were more frequent attempts to brute-force passwords to Remote Desktop Services and Microsoft SQL Server via the SMB protocol as well.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2020, Kaspersky solutions defeated 726,536,269 attacks launched from online resources located in 203 countries worldwide. As many as 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-based attack sources by country, Q1 2020 (download)

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Bulgaria 13.89
2 Tunisia 13.63
3 Algeria 13.15
4 Libya 12.05
5 Bangladesh 9.79
6 Greece 9.66
7 Latvia 9.64
8 Somalia 9.20
9 Philippines 9.11
10 Morocco 9.10
11 Albania 9.09
12 Taiwan, Province of China 9.04
13 Mongolia 9.02
14 Nepal 8.69
15 Indonesia 8.62
16 Egypt 8.61
17 Georgia 8.47
18 France 8.44
19 Palestine 8.34
20 Qatar 8.30

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to providing statistical data.

On average, 6.56% of Internet user’ computers worldwide experienced at least one Malware-class attack.

Geography of malicious web-based attacks, Q1 2020 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q1 2020, our File Anti-Virus registered 164,653,290 malicious and potentially unwanted objects. 

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal-computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users**
1 Afghanistan 52.20
2 Tajikistan 47.14
3 Uzbekistan 45.16
4 Ethiopia 45.06
5 Myanmar 43.14
6 Bangladesh 42.14
7 Kyrgyzstan 41.52
8 Yemen 40.88
9 China 40.67
10 Benin 40.21
11 Mongolia 39.58
12 Algeria 39.55
13 Laos 39.21
14 Burkina Faso 39.09
15 Malawi 38.42
16 Sudan 38.34
17 Rwanda 37.84
18 Iraq 37.82
19 Vietnam 37.42
20 Mauritania 37.26

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q1 2020 (download)

Overall, 19.16% of user computers globally faced at least one Malware-class local threat during Q1.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

IoT (Internet of Things) : taking the world by storm – Disposable mail news

IoT or Internet of things refers to billions of devices and machines in the world connected to the internet, sharing and collecting data.

Now, with the advancement in computing and wireless technology even something as small as a pill or as big as an aeroplane can become a part of IoT. Any device or machine that can be transformed into an IoT device is connected to the internet to communicate and transfer data and perform  functions without human involvement.

According to Gartner, a research and advisory company around 21 billion “connected things” right at this moment are working collecting data and performing tasks. They predict that by the end of 2020, the IoT market will grow 21% with 5.8 billion endpoints.

“Electricity smart metering, both residential and commercial will boost the adoption of IoT among utilities,” said Peter Middleton, senior research director at Gartner. “Physical security, where building intruder detection and indoor surveillance use cases will drive volume, will be the second-largest user of IoT endpoints in 2020.”

Be it consumer devices, smart devices, the medical sector, government, industrial sector like automobiles, productions nearly every enterprise use IoT devices in some form.

The utility of IoT devices is realized in this COVID-19 era where the ability to remote control devices and perform works is a great help. These millions of IoT endpoints are bridging the gap between the digital and physical worlds.

Mobilizing the World

The best example of IoT’s value is the ‘Medical Sector’ like Kinsa’s connected thermometer which sends the data to the company who uses it to flag possible COVID-19 outbreaks.

79 percent of healthcare providers with over $100 million revenue put IoT devices in production. Gartner also predicts a 13-percent rise in medical IoT spending for the next fiscal year.

As great are the benefits of Iot, the risks are ever-increasing. There are security risks as connecting to internet invites attack vendors that offline machines never face. Installing IoT devices are a great feat in itself with proper procurement, deployment, security, and monitoring.

But the rewards of IoT surpass the risk, they increase efficiency, provides a cutting edge technology, and most importantly the invaluable data. Ofcourse, one needs the right analytics tools and strategy that imputes building a whole analytics team and department. Experts do say, you would definitely fail in your first attempt but learn from the mistakes and get it right the next time


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

DDoS attacks in Q1 2020 – 10 minute mail

News overview

Since the beginning of 2020, due to the COVID-2019 pandemic, life has shifted almost entirely to the Web — people worldwide are now working, studying, shopping, and having fun online like never before. This is reflected in the goals of recent DDoS attacks, with the most targeted resources in Q1 being websites of medical organizations, delivery services, and gaming and educational platforms.

For instance, attackers in mid-March tried to disable the website of the US Department of Health and Human Services (HHS). The purpose of the attack was seemingly to deprive citizens of access to official data about the pandemic and measures taken against it. At the same time, unknown cyber actors spread misinformation in social networks and via text and e-mail about the introduction of a nationwide quarantine in the US. The attempt failed: the HHS website continued to function, despite the increased load.

The victim of another DDoS attack was the large Paris-based group of hospitals Assistance Publique-Hôpitaux de Paris. Cybercriminals attempted to disable the infrastructure of medical institutions. As a result, remote hospital workers were unable to use programs and corporate e-mail for some time. However, the attackers failed to paralyze the entire organization.

The food delivery services Lieferando (Germany) and Thuisbezorgd (Netherlands) found themselves in a more awkward situation. DDoS attacks on both companies meant that although they could accept orders, they could not process them and had to return customers’ money. What’s more, the cybercriminals targeting Lieferando demanded 2 BTC (a shade over US$13,000 at the time of writing) to halt the DDoS.

The German distance-learning platform Mebis was attacked on the very first remote school day. The service, which enables teachers in the federal state of Bavaria to exchange materials, homework, and tests with schoolchildren, was down for several hours.

Online games, whose popularity has soared under quarantine, were hit repeatedly. In particular, attackers flooded the servers of Battle.net and Eve Online with junk traffic, the latter facing nine straight days of bombardment. Belarusian company Wargaming also came under fire: players of World of Tanks, World of Warships, and other titles had problems with server speeds for several days. However skeptical users claimed that the problems had nothing at all to do with cybercriminals.

Australian authorities in late March reported a DDoS attack on the MyGov social services portal, but a couple of hours after the major announcement they were forced to admit they had made a mistake. It turned out that the site could not cope with the influx of perfectly genuine requests from citizens out of work as a result of the pandemic.

Besides DDoS attacks directly or indirectly related to the all-conquering coronavirus, this quarter saw a continuation of politically motivated attacks. In the second half of January, for instance, unknown cyber actors made two attempts to bring down the websites of government agencies and emergency services in Greece. Among the resources taken temporarily offline were the websites of the prime minister, several ministries, the fire service, and the police. The Turkish group Anka Neferler Tim claimed responsibility for the first attack, but the Greek authorities are not rushing to any final conclusions, especially since the perpetrators of the second attack have yet to announce themselves.

This year will see the next US presidential election, and the runup to it, as always, is accompanied by DDoS attacks. For example, a voter registration and information website was hit in early February. The attackers employed the PRSD (pseudorandom subdomain attack) technique to send numerous requests to non-existent subdomains of the site. However, the DDoS attempt failed: the resource was protected against attacks of this kind.

Financial institutions were not spared either. In February, the cryptocurrency exchanges OKEx and Bitfinex were subjected to sophisticated DDoS attacks. The first has assured that it handled the incident without detriment to users, while the second was forced offline for an hour. According to Bitfinex management, this was necessary to set up specialized protection. Whether the incidents were just similar or related is not known.

The BitMEX crypto exchange likewise announced a DDoS attack this quarter — not once but twice. Its access problems coincided with a sharp drop in the value of bitcoin, which prompted a wave of suspicion among customers. Some believe that the exchange intentionally went offline to prevent a mass sell-off. BitMEX later promised to pay compensation, but only to 156 users who had lost deals in the ETH/USD pair.

As in the previous quarter, ransomware attacks by well-known APT groups made the news. In late February, Australian financial institutions received e-mails demanding large sums in the cryptocurrency Monero. The attackers introduced themselves as the Silence group, and threatened DDoS attacks for non-payment. Earlier, e-mails with similar threats had been received by companies from Singapore, Turkey, South Africa, and other countries. The ransomers went by the various names of Cozy Bear, Fancy Bear, Anonymous, Carbanak, and Emotet in the hope that victims would google them and be scared into compliance.

Unlike these international ransomware groups, a teenager from Odessa who last year tried to DDoS a company that had refused to coooperate was caught by police in January 2020. The youngster wanted to force a Ukrainian internet service provider to hand over information about a customer. On being refused, he attempted to disable the company’s network. The attack was reported to be quite powerful.

Overall, the past quarter was fairly rich in arrests. In February, Arthur Dam was detained in the US charged with carrying out four DDoS attacks on the website of congressional candidate Bryan Caforio in 2018, taking it offline for a total of 21 hours. The prosecution noted that Dam’s wife worked for Caforio’s rival Katie Hill, who ultimately won the vote.

Another cybercriminal was detained in Krasnodar in mid-March for attacking the online store of a company in Cherepovets, Russia. Although he had carefully masked the source of the DDoS attack, cyber police managed to trace him. The individual claimed that he had simply wanted to demonstrate his skills and offer his services to the company to defend against DDoS attacks. However, the idea failed even before his arrest, since he was unable to bring down the site.

This guy is by no means the only “double agent” in the DDoS world. In New Jersey, Tucker Preston, founder of BackConnect, a DDoS mitigation firm, admitted to a similar crime. From December 2015 to February 2016, Preston hired third parties to bombard the New Jersey-based servers of an unnamed organization with junk traffic. The offense carries up to ten years in jail and a maximum fine of US$250,000.

The owners of a website allegedly used to launch custom DDoS attacks could also be forced to fork out. Video game publisher Ubisoft filed a lawsuit against the resource after a string of attacks on the servers ofTom Clancy’s Rainbow Six Siege. According to the developer, the site — which purportedly helps clients test their own security — actually specializes in DDoSing games. Ubisoft is seeking the closure of the resource and damages from the owners.

This quarter has been dominated by the coronavirus pandemic, which has shaken up many things in the world, including the DDoS market. Contrary to our forecast in the last report, in Q1 2020 we observed a significant increase in both the quantity and quality of DDoS attacks. The number of attacks doubled against the previous reporting period, and by 80% against Q1 2019. The attacks also became longer: we observed a clear rise in both the average and maximum duration. The first quarter of every year sees a certain spike in DDoS activity, but we did not expect this kind of surge.

Comparison of the total number of DDoS attacks in Q1 2020 and Q1 and Q4 2019; Q1 2019 is taken as the 100% reference value (download)

Duration of DDoS attacks in Q1 2020 and Q1 and Q4 2019; Q1 2019 is taken as the 100% reference value (download)

Against a backdrop of overall growth, the share of smart attacks remained virtually unchanged over the past year: the first quarters of 2019 and 2020 were at the same level, around 42%. This points to a rise in interest in DDoS attacks on the part of both professionals and amateurs: the number of overall attacks is growing at the same pace as the number of smart attacks, so the proportion has not changed.

Share of smart attacks in the total number of DDoS attacks in Q1 2020 and Q1 and Q4 2019 (download)

Interestingly, the number of DDoS attacks on educational and administrative web resources tripled compared to the same period in 2019. Moreover, such attacks in Q1 2020 amounted to 19% of the total number of incidents, against just 11% a year ago.

The upswing in cybercriminal interest in such resources could be linked to the spread of COVID-19, which has created more demand for distance-learning services and official sources of information. Since the start of 2020, the pandemic has affected all industries. So it is logical for it to impact the DDoS market too. Going forward, this effect may become even more pronounced.

Although it is difficult to predict anything at a time of such global instability, it can be assumed that the attacks will not decrease: many organizations are now switching to remote working, and with that the set of viable targets is increasing. If earlier the target in most cases was companies’ public resources, now key infrastructure elements, such as corporate VPN gateways or non-public web resources (mail, corporate knowledge base, etc.), may be at risk. This is opening up new niches for attack organizers, and could lead to DDoS market growth.

Statistics

Methodology

Kaspersky has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q1 2020.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

  • In Q1 2020, most C&C servers were still registered in the US (39.93%), while most bots were in Brazil.
  • In terms of the dynamics of the number of attacks overall, this quarter was very similar to the last — with peaks of more than 230 attacks on February 14 and 15 and a drop to 16 attacks on January 25.
  • DDoS attackers were most active on Mondays, and more likely to rest on Wednesdays.
  • SYN flooding is still the most popular type of attack (and even strengthened its position with 92.6% of all attacks), while ICMP attacks unexpectedly jumped ahead of all other varieties into second place.
  • Windows botnets continue to gain popularity: the share of attacks using them grew by 3 p.p. to 5.64%.

Geography of unique IP addresses used in attacks

This quarter, we decided to look at the distribution by country of botnets and their component bots. To do so, we analyzed the location of the unique IP addresses from which attacks on our honeypots were registered.

First place in the TOP 10 countries by number of bots goes to Brazil, with 12.25% of unique IP addresses. In second place, less than one percentage point behind, is China (11.51%), while third position — by a much wider margin — is taken by Egypt (7.87%). The remaining TOP 10 countries scored from 6.5% to 2.5% of the total number of bot IP addresses. The rating also featured several Asian countries (Vietnam (6.41%) in fourth; Taiwan (3.96%) in seventh; India (3.65%) in eighth), plus Iran (5.56%) in fifth place, Russia (4.65%) in sixth, and the US (3.56%) in ninth. The TOP 10 is rounded out by Turkey, the source of 2.86% of unique addresses used for attacks.

Distribution of botnets by country, Q1 2020 (download)

Curiously, this distribution only partially correlates with the attack statistics. Whereas China has long occupied top spot in the ranking by number of attacks, and Vietnam is a regular visitor to the TOP 10, the leader of the rating by number of unique IPs, Brazil, has only been in the TOP 20 once this past year, taking 20th position in Q1 2019. More often than not, it appears only in the bottom third of the TOP 30, not unlike Iran, which closes off the TOP 5 by number of bots. As for Egypt (3rd place by number of bots), it is the source of very few registered attacks, so it generally lies outside even the TOP 30.

Botnet distribution geography

If individual attack devices are mainly located in South America, Asia, and the Middle East, C&C servers, as in the previous quarter, are more often registered in the US and Europe. First place by number of C&Cs is retained by the US, where in Q1 2020 almost 40% of the total were registered (down 18.5 p.p. against the end of last year). Second place is occupied by the Netherlands (10.07%), which climbed up from eighth, and third goes to Germany (9.55%), which last quarter was nowhere to be seen in the TOP 10. As we saw above, of the TOP 3 countries by number of C&C servers, only the US hosted a significant number of bots.

Fourth position by number of C&Cs went to another European country, this time France (8.51%), climbing two rungs up the ladder. China showed the exact opposite trend, falling from third to fifth (3.99% vs 9.52% in Q4 2019). Canada (2.95%) took sixth place, up from ninth, while seventh position was shared by Russia, Romania (back in the TOP 10 after a quarterly break), and newcomer Croatia. Each of these countries scored 2.43% of the total number of C&C servers. The TOP 10 is rounded out by another newcomer, Singapore, on 2.08%.

Distribution of botnet C&C servers by country, Q1 2020 (download)

Dynamics of the number of DDoS attacks

The dynamics of the number of attacks in Q1 2020 are in many ways similar to what we saw at the end of 2019. The peak indicators did not exceed 250 attacks per day (the hottest were February 14 and 15, that is, on and just after St Valentine’s Day (242 and 232 attacks, respectively), as well as the 3rd and 10th of that same month). The calmest days of the quarter were January 25 and March 18, when the number of attacks fell short of 20 a day (recall that the quietest day of Q4 2019 saw only 8 registered attacks).

Dynamics of the number of DDoS attacks in Q1 2020 (download)

In the past quarter, the number of attacks on Mondays increased significantly — by almost 4 p.p. If in the previous reporting period this day accounted for only about 14% of attacks, it now commands close to 18%. The calmest day of the quarter was Wednesday (a fraction over 11% of attacks, down 3.7 p.p. on the previous quarter), lagging only slightly behind (by 1.5 p.p.) the previous rating’s anti-leader in terms of attack intensity, Thursday.

Distribution of DDoS attacks by day of the week, Q4 2019 and Q1 2020 (download)

Types of DDoS attacks

The past quarter has seen some noticeable changes in the distribution of DDoS attacks by type: ICMP flooding added 2 p.p. and confidently moved from last to second place (3.6% against 1.6% in the previous reporting period). Accordingly, HTTP flooding finished bottom with its lowest score since January 2019 (a mere 0.3%). UDP and TCP flooding once again swapped places. The only non-mover was the top-placed SYN flooding, whose share continued to grow and reached a record high of 92.6% for the observation period (beating the previous record of 84.6% set last quarter).

Distribution of DDoS attacks by type, Q1 2020 (download)

Windows botnets are becoming more popular. If in the last reporting period they snatched just 0.35 p.p. from their Linux cousins, this time they took a 3 p.p. slice (up from 2.6% to 5.64% of attacks). That said, they are still far being a serious competitor: 9 out of 10 attacks continue to deploy Linux botnets (94.36%).

Ratio of Windows/Linux botnet attacks, Q4 2019 and Q1 2020 (download)

Conclusion

Q1 2020 did not bring any major shocks. The TOP 10 countries by number of C&C servers welcomed two new entries (Croatia and Singapore) and saw the return of two familiar faces (Romania and Germany). Although we observed some growth in Windows botnets and ICMP floods, this did not significantly affect the overall picture. Only the distribution of attacks by day of the week changed substantially, but even that points only to a redistribution of efforts, not a quantitative shift. The rise in the number of DDoS attacks on St Valentine’s Day followed by a lull was also a predictable seasonal phenomenon.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Three Botnets Abuse Zero-Day Vulnerabilities in LILIN’s DVRs! – Disposable mail news

Not of late, LILIN recorders were found to be vulnerable. Reportedly, botnet operators were behind the zero-day vulnerabilities that were exploited in the Digital Video Recorders (DVRs ) that the vendor is well known for.

Sources mention that the exploitation of the zero-day vulnerabilities had been a continuous thing for almost half a year and the vendor was unaware. Nevertheless, they rolled out a patch in February 2020.

Digital Video Recorders are electronic devices that collect video feeds from local CCTV/IP cameras systems and store them on different mass storage devices like SD cards, USB flash drives, disk drives, etc.

DVRs are a huge deal today given they are a major element for the security cameras that are used almost everywhere in these times.

With CCTV cameras raging, attacks especially designed for them have also risen equally. Malware botnets and other hacker operations have been targeting these widely used DVRs for quite some time now.

Per sources, the non-revised and out of date firmware stands to be the reason for these devices being hacked. Especially, the DVRs with default credentials are exploited to kick off DDoS and other IoT attacks.
Sources mention that security researchers found LILIN’s DVRs too were being exploited for almost half a year, since August last year by three botnets.

The vulnerability in the “NTPUpdate”, sources mention, allows attackers to inject and control the system’s commands. Via one of the ‘hardcoded credentials’ (root/icatch99 & report/8Jg0SR8K50) the attacker stands a chance to retrieve and alter a DVR’s config file, and later control commands on the device after the File Transfer Protocol (FTP) server configuration is regularly matched.

Per sources, the first botnet behind the zero-day vulnerability was the “Chalubo botnet” with a motive of exploiting the NTPUdate of the LILIN DVRs. The other two were employed by the “FBot botnet”

Reportedly, a couple of weeks after the previous attacks of the FBot, the Moobot botnet also tried its luck and succeeded on the second zero-day vulnerability.

There is no knowing as to what the exact motive was behind hacking the LILIN DVRs. Nevertheless, there has been a history of DDoS attacks, re-routing traffic, and proxy networks.

As it happens there are, per sources, over 5,000 LILIN DVRs that exist today thus making it quite a hefty task to update all of them immediately. But it’s a relief to know that the first step has been taken. There’s not much to worry about now given LILIN has released a firmware update along with solutions for mitigation.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

DDoS attacks in Q4 2019 – 10 minute mail

News overview

In the past quarter, DDoS organizers continued to harness non-standard protocols for amplification attacks. In the wake of WS-Discovery, which we covered in the previous report, cybercriminals turned to Apple Remote Management Service (ARMS), part of the Apple Remote Desktop (ARD) application for remote administration. The first attacks using ARMS were registered back in June 2019, and by early October the protocol was being used by DDoS-as-a-service providers; such attacks have since become widespread. According to the BinaryEdge portal, at the beginning of the quarter, nearly 40,000 systems running macOS with ARMS were available online.

Q4 was also marked by the growing number of peer-to-peer (P2P) botnets. Unlike the classic sort, these are independent of C&C servers, and thus more difficult to neutralize. In Q4 2019, researchers at 360 Netlab told about two new such botnets. The first, nicknamed Roboto, attacks Linux servers through a known vulnerability in the Webmin remote administration application. Experts note that the botnet has yet to carry out a DDoS attack, although it does have the functionality. The second P2P network, Mozi, is aimed at IoT devices and distributed using the DHT protocol, which is applied in distributed networks, such as BitTorrent, to quickly set up a P2P network. Mozi’s authors seemingly borrowed part of the code from the Gafgyt malware, which was designed to create a “classic” botnet.

Gafgyt’s developers also updated their creation. Researchers from Palo Alto Networks detected a new version of the malware that attacks Huawei HG532, Realtek RTL81XX, and Zyxel P660HN-T1A routers. The new version of the bot has even learned to wipe competitors from infected devices.

While some cybercriminals are updating their arsenal, others are using already proven tools and methods. For instance, in October and November 2019, researchers observed a wave of TCP reflection attacks. This method involves sending requests to legitimate services under the guise of the victim, who is then flooded with responses, so the IP addresses of the attackers do not light up. Over the past two years, such attacks have been on the rise. In October, the betting website Eurobet fell victim to cybercriminals, followed by several other sports betting organizations. Later that same month, a flurry of TCP reflection attacks hit financial and telecommunications companies in Turkey. Also named among the targets were Amazon and SoftLayer (a subsidiary of IBM).

Q4 saw attacks on Internet service providers in South Africa continue. In late October, cybercriminals overwhelmed Echo Service Provider — which serves the local providers Afrihost, Axxess, and Webafrica — with junk traffic. Clients of these organizations experienced downtime when connecting to foreign segments of the Internet. The attack reoccurred approximately one month later, and this time the list of victims included the providers RSAWEB and Cool Ideas.

Among the DDoS attacks launched against commercial organizations, worth highlighting is the campaign in October against financial institutions in South Africa, Singapore, and Scandinavia. The attackers sent emails to the victims, threatening to disable their systems and demanding a ransom; and to prove their intent, they carried out a short demonstration DDoS attack. For added effect, they posed as the infamous APT group Fancy Bear, inviting victims to look online for information about their past exploits. When the media reported the attacks, the ransomers renamed themselves Cozy Bear.

Curiously, the media failed to mention a single large-scale DDoS attack timed to coincide with the runup to the festive period. But political incidents did get coverage. For instance, on November 11 and 12, a month before the UK general election, attackers tried to disable the campaign site of the Labour Party.

In December, media outlets in Kyrgyzstan that had reported an investigation into the expenses of the wife of a former official suffered from DDoS attacks. A total of seven organizations were temporarily taken down by the hired hands of the disgruntled party. Another news portal later joined the list of victims, but perhaps for a different reason.

The Minecraft server of the Vatican (that’s right) was bombarded with junk traffic immediately after launch, in what could be described as an ideological attack. The purpose of the server was to create a “less toxic environment” for players, but the project attracted not only peace-loving players. The Vatican is now beefing up its protection. Ubisoft too was engaged in DDoS fire-fighting. The developer adopted a complex of measures to protect the servers of its video game Rainbow Six Siege, which had been on the receiving end of regular attacks. As a result, according to the company, the number of incidents decreased by 93%.

Law enforcement agencies were conspicuous in the struggle against DDoSers. For instance, in early November, Chinese authorities announced the arrest of a group which controlled a botnet of more than 200,000 infected sites. The operation took place in 20 cities; 41 people were detained. In the second half of the same month, the US sentenced Sergey Usatyuk to 13 months’ imprisonment for running DDoS-for-hire services together with an unknown accomplice in Canada. The cybercriminals had been active from 2015 to 2017. In the first 13 months of the operation, the service was used by 386,000 clients and 3.8 million DDoS attacks were carried out.

As we predicted, Q4 saw an increase in the number of attacks relative to the previous reporting period. Although the rise in the total number of incidents was modest, smart attacks grew by a quarter, which is a fair amount. What’s more, not only the number of attacks increased, but their average duration. This was expected, since Q4 is a period of retail warfare, and we observe an increase in attacks from October to December every year.

If we compare the Q4 indicators with those for the same period last year, we see a near doubling in 2019. The end of 2018 was really very calm; we only noticed renewed growth in the attack market after a significant drop, which we wrote about in last year’s report. Back then, we correctly predicted a further rise in the number of attacks. This is clearly seen when comparing full data for 2018 and 2019.

Comparison of the number and duration of DDoS attacks in Q3 and Q4 2019, as well as Q4 2018; the Q4 figures were taken as the 100% reference value (download)

Overall, in 2019 we observed clear growth in all indicators compared to 2018. The total number of smart attacks saw particularly significant growth, as did their average duration. Last year, we forecast a rise in DDoS attacks, but did not expect such a leap.

The maximum duration of attacks also climbed, but not as significantly. In calculating the indicators, we excluded from the statistics an abnormally long attack carried out in Q3 2019, because it was an outlier case that would have unfairly distorted the annual figures.

Comparison of the number and duration of DDoS attacks in 2018 and 2019; the 2019 figures are taken as the 100% reference value (download)

Although Q4 saw an increase in the number and duration of DDoS attacks relative to the previous reporting period, we link this to the specifics of the quarter, not to a market trend. Seems like the DDoS market have re-stabilized — we see no prerequisites for either a fall or further growth. There have been no high-profile arrests or closures of specialized websites for quite some time, and the cryptocurrency market is not showing explosive growth. Nor have any serious vulnerabilities that would facilitate attacks been found recently. Looking at the trends of past years, we expect a slight decline in Q1 2020, yet will hazard a prediction that in absolute terms it will still be higher than the same period for 2019. Last year was an interesting one in the world of DDoS attacks. Let’s hope that 2020 decides to be boring.

Statistics

Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q4 2019.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

  • China again took first place in terms of number of attacks, although its share slightly decreased (58.46% against 62.97% in Q3).
  • Two newcomers entered the Top 10: Japan (straight in at number three with 4.86%) and Vietnam (0.68%), while South Africa and the Netherlands dropped out.
  • The Top 3 countries by number of targets traditionally coincides with leaders by number of attacks: China (53.07%), the US (22.01%), and Japan (6.14%).
  • The past quarter was characterized by a low number of attacks: the most active days saw just over 250 attacks, and the quietest only eight.
  • DDoS botnet activity was distributed fairly evenly throughout the quarter itself and on individual days of the week, with the safest and most dangerous days differing by just 2.5 p.p.
  • The three longest attacks lasted more than 20 days (494, 492, and 486 hours), which is almost twice as long as last quarter’s leader.
  • Among the attack types, SYN flooding (6%) still leads. The share of TCP-based attacks continued to grow and overtook UDP flooding, while ICMP flooding showed a significant increase.
  • The ratio of Windows and Linux botnets remained virtually unchanged, with the latter still responsible for the overwhelming majority (97.4%) of attacks.
  • The number of C&C servers in absolute terms more than halved. In the US, the absolute number changed slightly less, leading to a sharp increase in the country’s share in the overall picture (58.33% up from 47.55%), while the Netherlands this quarter fell from second position to the foot of the table.

Attack geography

In the past quarter, China held on to the lead in terms of number of attacks, although its share continued to decline (this time by 4.5 p.p. down to 58.46%). The US position did not change either, remaining in second place, with 17.49% of all attacks (almost the same as last quarter’s 17.37%). Third position enjoyed no such stability: Hong Kong, the previous occupier, fell two places to fifth (3.73% against 5.44%), making way for Romania (fourth place with 4.56%, up almost 3.5 p.p.) and Japan, which not only entered the Top 10 for the first time in a year, but shot straight into third place (4.86% against last quarter’s 0.2% and 18th place).

Another newcomer to the ranking is Vietnam. Having narrowly failed to reach the Top 10 in Q3 (11th place), at the end of the year the country experienced a rise of 0.13 p.p. in its share of attacks, enough to cross the threshold. South Africa flew out of the Top 10 almost as swiftly as it had flown in, swapping fourth place for 15th. Slightly less sharp, but also significant, was the drop in the share of attacks on targets in the Netherlands, relegating the country to 14th position.

There were no major changes in the rest of the Top 10, only some shuffling of places. Romania rose from sixth place to fourth with 4.56%; South Korea from eighth to seventh (0.94%), and Canada tenth to eighth (0.83%). The UK (1.01%) and Singapore (0.72%), meanwhile, fell slightly — from fifth to sixth and seventh to ninth, respectively.

Distribution of DDoS attacks by country, Q3 and Q4 2019 (download)

The geography of unique targets is traditionally similar to the distribution of the attacks themselves. The Top 3 in both cases is identical. The share of targets in China also fell against Q3, down to 53.07%; the US still accounts for around a fifth of targets (22.01%), while Japan’s share increased 20-fold to 6.14%.

The Top 5 was again rounded out by Romania and Hong Kong, but in reverse order: this time fourth place went to the latter (4.14%), and fifth to the former (1.95%). The UK (1.53%) retains sixth place in both categories. It is followed by Canada (0.93%) and Vietnam (0.84%). Propping up the Top 10 are Australia (0.82%), up from 14th place over the quarter, and Singapore (0.78%). As such, this quarter’s newcomers — Japan, Australia, and Vietnam — squeezed out the leaders by number of unique targets — South Africa, the Netherlands, and France, which occupied 14th, 12th, and 11th places this quarter, respectively.

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2019 (download)

Dynamics of the number of DDoS attacks

Q4 was even calmer than the preceding quarter. Even on the stormiest days (November 24 and December 11), the number of attacks barely exceeded 250 (recall that last year’s likewise relatively calm Q4 experienced a maximum of 457 attacks per day — almost twice as many). The total number of days that saw more than 200 attacks was also small — besides those already mentioned, October 6 and 7 and November 25 were also quite turbulent. Meanwhile, the quietest day, October 13, set a new record with only eight attacks recorded (the previous record-holder being May 25, 2018, with 13 attacks).

Curiously, this year there were no typical Q4 peaks on Black Friday and over Christmas: both periods were reasonably calm, and the attacks throughout the quarter were distributed fairly evenly.

Dynamics of the number of DDoS attacks in Q4 2019 (download)

The attack distribution by day of the week also flattened out considerably: the difference between the calmest and most dangerous day was only about 2.5 p.p. (having approached 7.7 p.p. in the previous reporting period). Attack organizers this quarter were particularly busy on Tuesdays (15.46%), and preferred to put their feet up on Thursdays (12.98%). The former first- and second-placed Monday (down 3.5 p.p.) and Sunday (up nearly 2.5 p.p.) showed the biggest change against the preceding quarter.

Distribution of DDoS attacks by day of the week, Q3 and Q4 2019 (download)

Duration and types of DDoS attacks

While the number of attacks fell, their duration rose significantly compared to the previous quarter. As such, the three longest attacks in the three-month period were ongoing for more than 20 days (494, 492, and 486 hours), while in the quarter before not a single one lasted 12 days. Nevertheless, the record for duration remains an attack carried out in Q2 2019 (506 hours, more than 21 days).

The average attack duration stayed approximately unchanged, while the share of the longest attacks (more than 140 hours) fell by a third to just 0.08%. Meanwhile, the share of the shortest attacks (up to 4 hours) also dropped in relative terms, decreasing by 2.5 p.p. to 81.86%.

But the proportion of attacks lasting 100–139 hours grew slightly (0.14%), as did attacks lasting 10–19 and 5–9 hours (5.33% and 10.19%, respectively). The two middle groups — attacks lasting 20–49 and 50–99 hours — fell insignificantly to 2.05% and 0.36%, respectively.

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2019 (download)

The share of SYN flooding this quarter amounted to 84.6%, while UDP attacks surrendered second place to TCP, but only by a whisker (5.8% of all attacks against the latter’s 5.9%). The popularity of TCP attacks thus continues to grow (recall that last quarter they moved past HTTP flooding). The bottom two places did not change, although the shares of both types in the total number of attacks increased slightly: HTTP gained 0.5 p.p. (2.2%), while ICMP added 1.1 p.p. (1.6%).

Distribution of DDoS attacks by type, Q4 2019 (download)

Linux botnets did not partake in the growth trend: this quarter their share marginally decreased to 97.4% (against 97.75% in the previous quarter). Accordingly, the share of Windows botnets grew by the same amount (0.35 p.p.) to 2.6%.

Ratio of Windows/Linux botnet attacks, Q3 and Q4 2019 (download)

Botnet distribution geography

In Q4 last year, the vast majority of botnets (58.33%) were registered in the US (up from 47.55% in the previous quarter). At the same time, the absolute number of C&C servers in the country almost halved.

The UK (14.29%) moved to runner-up spot, and China retained third (9.52%, roughly 3 p.p. higher than the quarter before). Fourth and fifth places this quarter went to Russia (3.57%) and Iran (2.38%), which climbed from 11th place. The combined share of other countries in the distribution of botnets is below 2%.

The most significant drop in the number of C&C servers was observed in the Netherlands, down from 45 to just one. In Germany and Vietnam, both in last quarter’s Top 10, no active botnets were registered this quarter.

Distribution of botnet C&C servers by country, Q4 2019 (download)

Conclusion

Q4 2019 saw stability in some areas and sharp changes in others. For instance, in the geographical distribution, Japan broke straight into the Top 3, while two of the previous quarter’s newcomers, contrary to the norm, secured a footing in the Top 10. At the same time, the geographical distribution of unique targets traditionally mirrors the distribution of the total number of attacks.

Another notable difference between Q3 and Q4 last year was the number and chronology of attacks. Thus, at the end of the year, the distribution by month, as well as by day of the week, was far more uniform. To the surprise of experts, the traditional peaks on Black Friday and over the Christmas and New Year season did not materialize. The duration of the longest attack almost doubled, coming dangerously close to the record set in Q2 2019.

Tellingly, in the last quarter of the year, the number of both attacks and C&C servers fell sharply, while the number of extra-long attacks (over 400 hours) was the highest ever recorded in the history of our observations. This is perhaps evidence of an upward trend in the number of complex and meticulously planned attacks, albeit at the expense of the total number of attacks.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

DDoS attacks in Q4 2019 – 10 minute mail

News overview

In the past quarter, DDoS organizers continued to harness non-standard protocols for amplification attacks. In the wake of WS-Discovery, which we covered in the previous report, cybercriminals turned to Apple Remote Management Service (ARMS), part of the Apple Remote Desktop (ARD) application for remote administration. The first attacks using ARMS were registered back in June 2019, and by early October the protocol was being used by DDoS-as-a-service providers; such attacks have since become widespread. According to the BinaryEdge portal, at the beginning of the quarter, nearly 40,000 systems running macOS with ARMS were available online.

Q4 was also marked by the growing number of peer-to-peer (P2P) botnets. Unlike the classic sort, these are independent of C&C servers, and thus more difficult to neutralize. In Q4 2019, researchers at 360 Netlab told about two new such botnets. The first, nicknamed Roboto, attacks Linux servers through a known vulnerability in the Webmin remote administration application. Experts note that the botnet has yet to carry out a DDoS attack, although it does have the functionality. The second P2P network, Mozi, is aimed at IoT devices and distributed using the DHT protocol, which is applied in distributed networks, such as BitTorrent, to quickly set up a P2P network. Mozi’s authors seemingly borrowed part of the code from the Gafgyt malware, which was designed to create a “classic” botnet.

Gafgyt’s developers also updated their creation. Researchers from Palo Alto Networks detected a new version of the malware that attacks Huawei HG532, Realtek RTL81XX, and Zyxel P660HN-T1A routers. The new version of the bot has even learned to wipe competitors from infected devices.

While some cybercriminals are updating their arsenal, others are using already proven tools and methods. For instance, in October and November 2019, researchers observed a wave of TCP reflection attacks. This method involves sending requests to legitimate services under the guise of the victim, who is then flooded with responses, so the IP addresses of the attackers do not light up. Over the past two years, such attacks have been on the rise. In October, the betting website Eurobet fell victim to cybercriminals, followed by several other sports betting organizations. Later that same month, a flurry of TCP reflection attacks hit financial and telecommunications companies in Turkey. Also named among the targets were Amazon and SoftLayer (a subsidiary of IBM).

Q4 saw attacks on Internet service providers in South Africa continue. In late October, cybercriminals overwhelmed Echo Service Provider — which serves the local providers Afrihost, Axxess, and Webafrica — with junk traffic. Clients of these organizations experienced downtime when connecting to foreign segments of the Internet. The attack reoccurred approximately one month later, and this time the list of victims included the providers RSAWEB and Cool Ideas.

Among the DDoS attacks launched against commercial organizations, worth highlighting is the campaign in October against financial institutions in South Africa, Singapore, and Scandinavia. The attackers sent emails to the victims, threatening to disable their systems and demanding a ransom; and to prove their intent, they carried out a short demonstration DDoS attack. For added effect, they posed as the infamous APT group Fancy Bear, inviting victims to look online for information about their past exploits. When the media reported the attacks, the ransomers renamed themselves Cozy Bear.

Curiously, the media failed to mention a single large-scale DDoS attack timed to coincide with the runup to the festive period. But political incidents did get coverage. For instance, on November 11 and 12, a month before the UK general election, attackers tried to disable the campaign site of the Labour Party.

In December, media outlets in Kyrgyzstan that had reported an investigation into the expenses of the wife of a former official suffered from DDoS attacks. A total of seven organizations were temporarily taken down by the hired hands of the disgruntled party. Another news portal later joined the list of victims, but perhaps for a different reason.

The Minecraft server of the Vatican (that’s right) was bombarded with junk traffic immediately after launch, in what could be described as an ideological attack. The purpose of the server was to create a “less toxic environment” for players, but the project attracted not only peace-loving players. The Vatican is now beefing up its protection. Ubisoft too was engaged in DDoS fire-fighting. The developer adopted a complex of measures to protect the servers of its video game Rainbow Six Siege, which had been on the receiving end of regular attacks. As a result, according to the company, the number of incidents decreased by 93%.

Law enforcement agencies were conspicuous in the struggle against DDoSers. For instance, in early November, Chinese authorities announced the arrest of a group which controlled a botnet of more than 200,000 infected sites. The operation took place in 20 cities; 41 people were detained. In the second half of the same month, the US sentenced Sergey Usatyuk to 13 months’ imprisonment for running DDoS-for-hire services together with an unknown accomplice in Canada. The cybercriminals had been active from 2015 to 2017. In the first 13 months of the operation, the service was used by 386,000 clients and 3.8 million DDoS attacks were carried out.

As we predicted, Q4 saw an increase in the number of attacks relative to the previous reporting period. Although the rise in the total number of incidents was modest (only 8%), smart attacks grew by a quarter (27%), which is a fair amount. What’s more, not only the number of attacks increased, but their average duration. This was expected, since Q4 is a period of retail warfare, and we observe an increase in attacks from October to December every year.

If we compare the Q4 indicators with those for the same period last year, we see a near doubling in 2019. The end of 2018 was really very calm; we only noticed renewed growth in the attack market after a significant drop, which we wrote about in last year’s report. Back then, we correctly predicted a further rise in the number of attacks. This is clearly seen when comparing full data for 2018 and 2019.

Comparison of the number and duration of DDoS attacks in Q3 and Q4 2019, as well as Q4 2018; the Q4 figures were taken as the 100% reference value (download)

Overall, in 2019 we observed clear growth in all indicators compared to 2018. The total number of smart attacks saw particularly significant growth (+43%), as did their average duration (+44%). Last year, we forecast a rise in DDoS attacks, but did not expect such a leap.

The maximum duration of attacks also climbed, but not as significantly. In calculating the indicators, we excluded from the statistics an abnormally long attack carried out in Q3 2019, because it was an outlier case that would have unfairly distorted the annual figures.

Comparison of the number and duration of DDoS attacks in 2018 and 2019; the 2019 figures are taken as the 100% reference value (download)

Although Q4 saw an increase in the number and duration of DDoS attacks relative to the previous reporting period, we link this to the specifics of the quarter, not to a market trend. Seems like the DDoS market have re-stabilized — we see no prerequisites for either a fall or further growth. There have been no high-profile arrests or closures of specialized websites for quite some time, and the cryptocurrency market is not showing explosive growth. Nor have any serious vulnerabilities that would facilitate attacks been found recently. Looking at the trends of past years, we expect a slight decline in Q1 2020, yet will hazard a prediction that in absolute terms it will still be higher than the same period for 2019. Last year was an interesting one in the world of DDoS attacks. Let’s hope that 2020 decides to be boring.

Statistics

Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q4 2019.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

  • China again took first place in terms of number of attacks, although its share slightly decreased (58.46% against 62.97% in Q3).
  • Two newcomers entered the Top 10: Japan (straight in at number three with 4.86%) and Vietnam (0.68%), while South Africa and the Netherlands dropped out.
  • The Top 3 countries by number of targets traditionally coincides with leaders by number of attacks: China (53.07%), the US (22.01%), and Japan (6.14%).
  • The past quarter was characterized by a low number of attacks: the most active days saw just over 250 attacks, and the quietest only eight.
  • DDoS botnet activity was distributed fairly evenly throughout the quarter itself and on individual days of the week, with the safest and most dangerous days differing by just 2.5 p.p.
  • The three longest attacks lasted more than 20 days (494, 492, and 486 hours), which is almost twice as long as last quarter’s leader.
  • Among the attack types, SYN flooding (6%) still leads. The share of TCP-based attacks continued to grow and overtook UDP flooding, while ICMP flooding showed a significant increase.
  • The ratio of Windows and Linux botnets remained virtually unchanged, with the latter still responsible for the overwhelming majority (97.4%) of attacks.
  • The number of C&C servers in absolute terms more than halved. In the US, the absolute number changed slightly less, leading to a sharp increase in the country’s share in the overall picture (58.33% up from 47.55%), while the Netherlands this quarter fell from second position to the foot of the table.

Attack geography

In the past quarter, China held on to the lead in terms of number of attacks, although its share continued to decline (this time by 4.5 p.p. down to 58.46%). The US position did not change either, remaining in second place, with 17.49% of all attacks (almost the same as last quarter’s 17.37%). Third position enjoyed no such stability: Hong Kong, the previous occupier, fell two places to fifth (3.73% against 5.44%), making way for Romania (fourth place with 4.56%, up almost 3.5 p.p.) and Japan, which not only entered the Top 10 for the first time in a year, but shot straight into third place (4.86% against last quarter’s 0.2% and 18th place).

Another newcomer to the ranking is Vietnam. Having narrowly failed to reach the Top 10 in Q3 (11th place), at the end of the year the country experienced a rise of 0.13 p.p. in its share of attacks, enough to cross the threshold. South Africa flew out of the Top 10 almost as swiftly as it had flown in, swapping fourth place for 15th. Slightly less sharp, but also significant, was the drop in the share of attacks on targets in the Netherlands, relegating the country to 14th position.

There were no major changes in the rest of the Top 10, only some shuffling of places. Romania rose from sixth place to fourth with 4.56%; South Korea from eighth to seventh (0.94%), and Canada tenth to eighth (0.83%). The UK (1.01%) and Singapore (0.72%), meanwhile, fell slightly — from fifth to sixth and seventh to ninth, respectively.

Distribution of DDoS attacks by country, Q3 and Q4 2019 (download)

The geography of unique targets is traditionally similar to the distribution of the attacks themselves. The Top 3 in both cases is identical. The share of targets in China also fell against Q3, down to 53.07%; the US still accounts for around a fifth of targets (22.01%), while Japan’s share increased 20-fold to 6.14%.

The Top 5 was again rounded out by Romania and Hong Kong, but in reverse order: this time fourth place went to the latter (4.14%), and fifth to the former (1.95%). The UK (1.53%) retains sixth place in both categories. It is followed by Canada (0.93%) and Vietnam (0.84%). Propping up the Top 10 are Australia (0.82%), up from 14th place over the quarter, and Singapore (0.78%). As such, this quarter’s newcomers — Japan, Australia, and Vietnam — squeezed out the leaders by number of unique targets — South Africa, the Netherlands, and France, which occupied 14th, 12th, and 11th places this quarter, respectively.

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2019 (download)

Dynamics of the number of DDoS attacks

Q4 was even calmer than the preceding quarter. Even on the stormiest days (November 24 and December 11), the number of attacks barely exceeded 250 (recall that last year’s likewise relatively calm Q4 experienced a maximum of 457 attacks per day — almost twice as many). The total number of days that saw more than 200 attacks was also small — besides those already mentioned, October 6 and 7 and November 25 were also quite turbulent. Meanwhile, the quietest day, October 13, set a new record with only eight attacks recorded (the previous record-holder being May 25, 2018, with 13 attacks).

Curiously, this year there were no typical Q4 peaks on Black Friday and over Christmas: both periods were reasonably calm, and the attacks throughout the quarter were distributed fairly evenly.

Dynamics of the number of DDoS attacks in Q4 2019 (download)

The attack distribution by day of the week also flattened out considerably: the difference between the calmest and most dangerous day was only about 2.5 p.p. (having approached 7.7 p.p. in the previous reporting period). Attack organizers this quarter were particularly busy on Tuesdays (15.46%), and preferred to put their feet up on Thursdays (12.98%). The former first- and second-placed Monday (down 3.5 p.p.) and Sunday (up nearly 2.5 p.p.) showed the biggest change against the preceding quarter.

Distribution of DDoS attacks by day of the week, Q3 and Q4 2019 (download)

Duration and types of DDoS attacks

While the number of attacks fell, their duration rose significantly compared to the previous quarter. As such, the three longest attacks in the three-month period were ongoing for more than 20 days (494, 492, and 486 hours), while in the quarter before not a single one lasted 12 days. Nevertheless, the record for duration remains an attack carried out in Q2 2019 (506 hours, more than 21 days).

The average attack duration stayed approximately unchanged, while the share of the longest attacks (more than 140 hours) fell by a third to just 0.08%. Meanwhile, the share of the shortest attacks (up to 4 hours) also dropped in relative terms, decreasing by 2.5 p.p. to 81.86%.

But the proportion of attacks lasting 100–139 hours grew slightly (0.14%), as did attacks lasting 10–19 and 5–9 hours (5.33% and 10.19%, respectively). The two middle groups — attacks lasting 20–49 and 50–99 hours — fell insignificantly to 2.05% and 0.36%, respectively.

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2019 (download)

The share of SYN flooding this quarter amounted to 84.6%, while UDP attacks surrendered second place to TCP, but only by a whisker (5.8% of all attacks against the latter’s 5.9%). The popularity of TCP attacks thus continues to grow (recall that last quarter they moved past HTTP flooding). The bottom two places did not change, although the shares of both types in the total number of attacks increased slightly: HTTP gained 0.5 p.p. (2.2%), while ICMP added 1.1 p.p. (1.6%).

Distribution of DDoS attacks by type, Q4 2019 (download)

Linux botnets did not partake in the growth trend: this quarter their share marginally decreased to 97.4% (against 97.75% in the previous quarter). Accordingly, the share of Windows botnets grew by the same amount (0.35 p.p.) to 2.6%.

Ratio of Windows/Linux botnet attacks, Q3 and Q4 2019 (download)

Botnet distribution geography

In Q4 last year, the vast majority of botnets (58.33%) were registered in the US (up from 47.55% in the previous quarter). At the same time, the absolute number of C&C servers in the country almost halved.

The UK (14.29%) moved to runner-up spot, and China retained third (9.52%, roughly 3 p.p. higher than the quarter before). Fourth and fifth places this quarter went to Russia (3.57%) and Iran (2.38%), which climbed from 11th place. The combined share of other countries in the distribution of botnets is below 2%.

The most significant drop in the number of C&C servers was observed in the Netherlands, down from 45 to just one. In Germany and Vietnam, both in last quarter’s Top 10, no active botnets were registered this quarter.

Distribution of botnet C&C servers by country, Q4 2019 (download)

Conclusion

Q4 2019 saw stability in some areas and sharp changes in others. For instance, in the geographical distribution, Japan broke straight into the Top 3, while two of the previous quarter’s newcomers, contrary to the norm, secured a footing in the Top 10. At the same time, the geographical distribution of unique targets traditionally mirrors the distribution of the total number of attacks.

Another notable difference between Q3 and Q4 last year was the number and chronology of attacks. Thus, at the end of the year, the distribution by month, as well as by day of the week, was far more uniform. To the surprise of experts, the traditional peaks on Black Friday and over the Christmas and New Year season did not materialize. The duration of the longest attack almost doubled, coming dangerously close to the record set in Q2 2019.

Tellingly, in the last quarter of the year, the number of both attacks and C&C servers fell sharply, while the number of extra-long attacks (over 400 hours) was the highest ever recorded in the history of our observations. This is perhaps evidence of an upward trend in the number of complex and meticulously planned attacks, albeit at the expense of the total number of attacks.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Electric scooters vulnerable to remote hacks – 10 minute mail

A helmet may not be enough to keep you safe(r) while riding an e-scooter

Electric scooters are steadily becoming a popular alternative for short commutes. Besides convenience, however, they also introduce a range of cybersecurity and privacy risks, according to a study by the University of Texas at San Antonio (UTSA).

The review – which UTSA said is “the first review of the security and privacy risks posed by e-scooters and their related software services and applications” – outlines various attacks scenarios that riders might face, as well as how to tackle the risks.

Many e-scooters rely on a combination of Bluetooth Low Energy (BLE) and the rider’s smartphone internet connection to run, as well as send data to the service provider. This opens up a number of avenues for potential attacks. For example, bad actors could eavesdrop on the data being broadcasted, which could, in turn, lead to Man-in-the-Middle (MitM) and replay attacks. Those could allow hackers to remotely inject commands and injure the rider or pedestrians. Last year, this risk was already discovered in one of Xiaomi’s scooters.

A scooter’s battery, engine, breaks, headlights and controller chip are among the key components that can be targeted during a physical attack. Attackers can then swap out key components or install “malicious modules” allowing them to remotely control the scooter or gather private information on the sly. By remotely manipulating the brakes and acceleration, the bad actor can injure the rider and/or other people.

Micromobility apps usually track the e-scooters’ whereabouts, which means location spoofing is another thing to worry about. Bad actors can, for example, lure a rider to a secluded area to harm them. Alternatively, it can make the scooter hard to find by giving it a fake random location, which would result in lost revenue for the provider.

E-scooter providers require a wide range of information from the riders to sign up for their service. Usually, these include some form of identification, along with billing, contact and demographic information. The providers automatically collect additional data, such as riders’ locations and their smartphone information. Attackers with access to the data can create a comprehensive image of riders’ habits, places they frequent, and routes they are likely to use.

Most of the risks can be mitigated by implementing cybersecurity best practices. Employees recharging the scooters could check their mechanical or electrical components to make sure nobody had tampered with the scooters. As for the looming privacy risks, one of the best steps would be to implement a privacy-by-design approach for the applications, making the parts that handle data inaccessible to unauthorized personnel. In addition, data traffic monitoring would help the service provider to react to threats in real-time.



Amer Owaida


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

IoT laws are coming: What to expect – 10 minute mail

No more default logins on new IoT devices if UK legislators get their way

I just returned from CES, where virtually every aisle was chock-full of IoT devices. But how secure are they? While we’ve been promoting security on these devices for some time now, IoT developers have been slow to adopt. Lawmakers in California took some notice in 2018, and now it seems that legislators in the United Kingdom want to take things to the next level, too.

While it’s unclear whether the proposed legislation will be adopted, UK MP’s have this to say:

“Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers.”

Whether or not the legislation is enacted, this sends a strong signal to the industry that government intervention seems likely. While other countries may take a wait-and-see approach, it seems likely further laws will be enacted around the globe over time.

The good news is that basic IoT security steps are not overly burdensome. Requiring the new owner to change the default login password when users log in for the first time is something the industry has known about for some time, and is not costly to implement.

Setting a lifespan for firmware updates certainly does cost more since companies would be paying to support firmware that would no longer directly result in revenue. Companies with longer term vision tend to already be thinking along those lines, but forcing them to state when support will end brings it to the fore.

It’s unclear whether customers understand the importance of knowing the support lifespan until it lapses years later and vulnerabilities are then discovered.

The industry counters obtusely by promoting frequent customer upgrades in light of new technological advances to their platforms, but it doesn’t always happen. Everyone knows someone with a 5- or 10-year-old home router, for which support has long since lapsed while the device itself is still actively in use.

And that’s the problem.

We see newly minted attacks against herds of common routers that show no signs of being retired anytime soon. These machines, once zombified, can be used to launch and amplify attacks worldwide, often without the knowledge of their owners.

Related reading: Secure your router: How to help prevent the next internet takedown

One more thing: the UK lawmakers seek to compel companies to maintain a security point-of-contact, something that’s all-but-impossible to find today, especially in smaller companies.

Will this legislation slow innovation? Somewhat, but hopefully the proposed changes would only require moderate efforts from good actors to implement. And whether or not this draft of proposed legislation becomes law, some soon will, so manufacturers would do well to take note.



Cameron Camp


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

IoT laws are coming: What to expect – 10 minute mail

No more default logins on new IoT devices if UK legislators get their way

I just returned from CES, where virtually every aisle was chock-full of IoT devices. But how secure are they? While we’ve been promoting security on these devices for some time now, IoT developers have been slow to adopt. Lawmakers in California took some notice in 2018, and now it seems that legislators in the United Kingdom want to take things to the next level, too.

While it’s unclear whether the proposed legislation will be adopted, UK MP’s have this to say:

“Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers.”

Whether or not the legislation is enacted, this sends a strong signal to the industry that government intervention seems likely. While other countries may take a wait-and-see approach, it seems likely further laws will be enacted around the globe over time.

The good news is that basic IoT security steps are not overly burdensome. Requiring the new owner to change the default login password when users log in for the first time is something the industry has known about for some time, and is not costly to implement.

Setting a lifespan for firmware updates certainly does cost more since companies would be paying to support firmware that would no longer directly result in revenue. Companies with longer term vision tend to already be thinking along those lines, but forcing them to state when support will end brings it to the fore.

It’s unclear whether customers understand the importance of knowing the support lifespan until it lapses years later and vulnerabilities are then discovered.

The industry counters obtusely by promoting frequent customer upgrades in light of new technological advances to their platforms, but it doesn’t always happen. Everyone knows someone with a 5- or 10-year-old home router, for which support has long since lapsed while the device itself is still actively in use.

And that’s the problem.

We see newly minted attacks against herds of common routers that show no signs of being retired anytime soon. These machines, once zombified, can be used to launch and amplify attacks worldwide, often without the knowledge of their owners.

Related reading: Secure your router: How to help prevent the next internet takedown

One more thing: the UK lawmakers seek to compel companies to maintain a security point-of-contact, something that’s all-but-impossible to find today, especially in smaller companies.

Will this legislation slow innovation? Somewhat, but hopefully the proposed changes would only require moderate efforts from good actors to implement. And whether or not this draft of proposed legislation becomes law, some soon will, so manufacturers would do well to take note.



Cameron Camp


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.