
Remote code execution the most common cyber threat faced by Canadian firms: Report

Canadian cybersecurity teams face a wide range of threats, but the most common vulnerability exploit type is remote code execution (RCE), according to a report from Check Point Software Technologies.

In its annual mid-year attack trends report, which uses data from customers, the company said that in 61 per cent of attacks against Canadian organizations in the first six months of the year, a threat actor either tried to or successfully ran code with system-level privileges on a server.

The report doesn’t say how many of these attacks were caught before corporate data was compromised.

The next most common vulnerability types were system information disclosure (57 per cent) and authentication bypass (44 per cent).

The proportions for these three were roughly the same worldwide.

Globally, the report said, organizations experienced a 29 per cent increase in cyberattacks compared to the same period in 2020. The EMEA (Europe, Middle East, Africa) region showed the highest growth with 36 per cent, followed by the Americas with an increase of 34 per cent.

Perhaps the newest tactic seen this year, the report says, has been the emergence of so-called triple extortion ransomware attacks, in which threat groups threaten not only the victim organization with the release of its data if it doesn’t pay, but also its customers and partners, in the hope they will pressure management to capitulate. Sometimes ransom demands are made of these third parties as well.

Attacks up 93 per cent

Globally, the number of ransomware attacks on organizations increased by 93 per cent in the first half of the year compared to the same period a year ago. This means organizations should have a “collateral damage” strategy to face ransomware and other attacks, Check Point says.

“Ransomware will grow” in the second half of the year, the report predicts, “despite law enforcement stepping up.”

The report mentions major Canadian and global publicly reported cyber attacks so far this year. In this country they included Canada Post (ransomware; impacted 44 corporate customers and compromised the data of more than 950,000 clients; the data was stolen between July 2016 and March 2019); Sierra Wireless (ransomware disrupted production); Bombardier (data breach of employee, customer and supplier information); Discount Car and Truck Rentals (Darkside ransomware, disrupted service); Translink, manager of Metro Vancouver’s transportation network (ransomware disrupted phone lines, online services and payment systems); and unnamed Canadian banks found to be targeted by the AutoHotkey credential stealer.

Internationally, one of the biggest incidents involved Volkswagen’s Audi division (data on 3.3 million customers or potential customers left on an unprotected database).

Canadian numbers

Other Canadian data showed:

–the top malware detected was Trickbot, impacting five per cent of organizations (seven per cent globally). Trickbot is a modular botnet and banking trojan targeting Windows, mostly delivered by spam or by other malware families such as Emotet. Trickbot initially grabs system data and sends it back to the attacker, who then commands it to download and execute attack modules for stealing credentials and, often, deploying ransomware.

–the top malware list in Canada includes two banking trojans, two info stealers (Formbook, Agent Tesla), one trojan (Arkei), one remote access trojan (RAT, Agent Tesla) and one exploit kit (SpelevoEK)

–73 per cent of malicious files sent to Canadians were delivered by email.

While many threat groups are located outside the country, their distribution systems are spread around the world to deflect attribution. That can explain why 61 per cent of the sources of threats to Canadians and Canadian firms come from the U.S. Fifteen per cent come from “other” countries, and 14 per cent came from within our borders.

Another prediction is that man-in-the-middle attacks will become what Check Point calls “the hacker in the network”. Over the past two years, its researchers have seen an acceleration in the use of commercial penetration testing tools such as Cobalt Strike and Bloodhound by attackers. These tools don’t just pose a real challenge from a detection point of view, the report says, they also grant hackers live access to compromised networks, allowing them to scan and scroll at will and customize attacks on the fly. “Security professionals will need a whole new set of skills to detect this form of attack and prevent it from happening in the future,” the report says.

Advice to defenders

The report offers this advice to defenders to lower the risk of compromise:
