[Feature Article] Security Information (Part 2) – Trends in Cyber Attacks in the First Half of 2020

■ This article was posted in September 2020, so the information it contains may be out of date.

In the recently published Security Information (Part 1), we introduced information and countermeasures relating to malware threats under the theme "Approaching cyber attacks: knowing the enemy, taking countermeasures, and containing the damage".

This time, security vendors have released interim reports on cyber attack trends for the first half of the year, so we introduce some of them.

 

6. Interim reports on cyber attacks by each company

6-1. Check Point Software Technologies LTD.

In the first half of 2020, companies changed how their IT environments are operated and managed (their infrastructure) in order to allow remote access in response to the spread of COVID-19. As a result, the problem now extends beyond networks and mobile devices to the "hybrid cloud / multi-cloud" environments that combine on-premises systems with public clouds.

CYBER ATTACK TRENDS: 2020 MID-YEAR REPORT (announced July 2020)
https://research.checkpoint.com/2020/cyber-attack-trends-2020-mid-year-report/

 

6-2. Trend Micro

Visits to phishing sites increased (1.6 times the previous year), and the share of visits from mobile devices continues to grow. One suspected reason is the increase in online consumption caused by the spread of COVID-19. Around online conferencing services, phishing attacks that target credentials, and attacks that bundle malware with the software installer and redistribute it, have also been confirmed. In addition, "exposure-type" ransomware attacks on corporations, in which the attackers threaten to publish stolen data, are reported to be on the rise.

Security Roundup for the first half of 2020 (announced August 2020)
https://www.trendmicro.com/ja_jp/about/press-release/2020/pr-20200831-01.html
https://documents.trendmicro.com/assets/rpt/rpt-securing-the-pandemic-disrupted-workplace.pdf

 

6-3. Symantec

"Cryptojacking", the use of other people's computers to mine cryptocurrency without permission, surged in the second quarter. Malware activity also increased as the lockdown restrictions imposed against COVID-19 were relaxed, and Emotet (Trojan.Emotet), which has been the subject of warnings in Japan, is on the rise again and calls for attention.

Threat Landscape Trends Q2 2020 (announced August 2020)
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/threat-landscape-trends-q2-2020

 

6-4. Kaspersky

Kaspersky publishes quarterly PC and mobile malware reports. Malicious installers targeting mobile devices, and banking malware that targets PCs to steal money through online access to bank accounts, are said to be on the rise.

The exploit distribution statistics for the second quarter of 2020 describe attacks that target vulnerabilities. Vulnerabilities in the Microsoft Office suite are exploited most often, but be aware that browsers, Android, Java, Adobe Flash, PDF readers and others are also targeted.

IT threat evolution Q2 2020. PC statistics
https://securelist.com/it-threat-evolution-q2-2020-pc-statistics/98292/

IT threat evolution Q2 2020. mobile statistics
https://securelist.com/it-threat-evolution-q2-2020-mobile-statistics/98337/

 

6-5. Canon Marketing Japan Inc.

A report on domestic malware trends in the first half of 2020 is expected to be published in the future.

Announced August 2018
https://eset-info.canon-its.jp/malware_info/trend/detail/180824.html
Announced September 2019
https://eset-info.canon-its.jp/malware_info/trend/detail/190920.html

 

7. Report spam, paid links, malware

The reports released by each company make the threat of cyber attacks clear, and mutual cooperation is indispensable for keeping the damage to a minimum. Going forward, the traces left by a compromise (Indicators of Compromise, IoC) need to be shared publicly as early as possible.

For example, suppose a security vendor that makes use of IoC information finds a new threat in the information it receives. The vendor analyzes the vulnerability and the threat and devises countermeasures; once the software and OS vendors have reviewed the vulnerability and released updates, applying those updates prevents the same kind of damage elsewhere.
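As an added example for this article (not code from any of the vendor reports above), the following Python script shows what happens on the receiving side of IoC sharing: a small feed of defanged indicators is normalised, then matched against proxy log lines and against a file hash. The feed format, the log format, the domains, IP addresses and payload are constructed sample data built from reserved documentation values; none of them are real indicators.

```python
"""Consume shared Indicators of Compromise (IoC) on the receiving side.

Added example for this article, not code from any vendor report.
The feed, the log lines and the payload are constructed sample data
built from reserved documentation values (example / 192.0.2.0/24);
they are not real indicators.
"""
import hashlib
import re
from dataclasses import dataclass, field


def refang(indicator: str) -> str:
    """Undo the 'defanging' used in shared feeds so values match real logs.

    evil[.]example -> evil.example, hxxp://... -> http://..., and lower-case
    everything so hashes and host names compare case-insensitively.
    """
    s = indicator.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[dot]", ".")):
        s = s.replace(defanged, real)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s


@dataclass
class IocSet:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    sha256: set = field(default_factory=set)

    @classmethod
    def from_feed(cls, text: str) -> "IocSet":
        """Parse a minimal 'type,value' feed (constructed format, one per line)."""
        ioc = cls()
        buckets = {"domain": ioc.domains, "ip": ioc.ips, "sha256": ioc.sha256}
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            kind, value = (p.strip() for p in line.split(",", 1))
            if kind not in buckets:
                raise ValueError(f"unknown indicator type {kind!r} in feed")
            buckets[kind].add(refang(value))
        return ioc


# Constructed proxy log format: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_of(url: str) -> str:
    """Extract the host part of a URL: scheme, port and path are dropped."""
    return re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]


def match_proxy_logs(ioc: IocSet, log_lines):
    """Return (line, indicator) pairs for every log line that hits an IoC.

    An IP hit is an exact match. A domain hit is an exact match on the host
    or on any parent domain, so cdn.evil.example hits the indicator
    evil.example, while notevil.example does not (no substring matching).
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        host = host_of(m["url"])
        if host in ioc.ips:
            hits.append((line, host))
            continue
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in ioc.domains:
                hits.append((line, parent))
                break
    return hits


def match_file_hash(ioc: IocSet, data: bytes) -> bool:
    """True if the SHA-256 of data is in the shared hash list."""
    return hashlib.sha256(data).hexdigest() in ioc.sha256


# --- constructed sample data -------------------------------------------------
SAMPLE_PAYLOAD = b"constructed sample payload, not real malware"
SAMPLE_FEED = f"""
# constructed IoC feed, defanged as shared feeds usually are
domain,evil[.]example
ip,192.0.2[.]10
sha256,{hashlib.sha256(SAMPLE_PAYLOAD).hexdigest().upper()}
"""
SAMPLE_LOGS = [
    "2020-06-15T09:12:01Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2020-06-15T09:12:07Z 10.0.0.5 GET http://cdn.evil.example/update.exe 200",
    "2020-06-15T09:13:44Z 10.0.0.9 POST http://192.0.2.10:8080/gate.php 200",
    "2020-06-15T09:14:02Z 10.0.0.9 GET http://notevil.example/ 404",
]
SAMPLE_IOC = IocSet.from_feed(SAMPLE_FEED)

if __name__ == "__main__":
    for line, indicator in match_proxy_logs(SAMPLE_IOC, SAMPLE_LOGS):
        print(f"IoC hit on {indicator}: {line}")
    print("payload matches shared hash:", match_file_hash(SAMPLE_IOC, SAMPLE_PAYLOAD))
```

The `refang` step matters because shared feeds are normally published defanged (`evil[.]example`, `hxxp://`) so that nobody clicks them by accident; comparing the raw feed strings against logs would silently miss every hit. Domains are matched on the host and its parent labels rather than by substring, so a subdomain of a shared indicator is caught while `notevil.example` is not.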

 

7-1. How do you report?

What should you do if you find something in Internet search results that appears to be spam, paid links, or malware? Google, Microsoft, security vendors and, in Japan, the Information-technology Promotion Agency (IPA) accept reports so that the spread of infection can be prevented.

Report spam, paid links, malware (Google)
https://support.google.com/webmasters/answer/93713?hl=ja

You can report web pages, paid links, rich snippet spam, malware, and phishing.

How to send malware to Microsoft for analysis (Microsoft)
https://support.microsoft.com/ja-jp/help/939288/how-to-send-malware-to-microsoft-for-analysis

If you suspect that a file or program is malicious, you can send it to Microsoft's research and response team for analysis.

Notification of computer viruses (Information-technology Promotion Agency)
https://www.ipa.go.jp/security/outline/todokede-j.html

IPA accepts notifications of domestic virus infection damage.

When you receive a suspicious email you may feel alarmed or rushed, but that is exactly when the correct procedure matters. Carelessly uploading files or links to analysis services can itself lead to information leakage, because the submitted content may become visible to others. If you cannot judge for yourself, stay calm and consult someone familiar with the matter, a specialist organization, or your IT manager.

 

8. How is the name "malware" given?

Here, unlike the other chapters, we will look at "malware" from a different perspective.

Security vendors (e.g. Trend Micro) publish a "threat database" where you can look up information about malware, vulnerabilities, spam and more. For a given piece of malware, the public information includes its detection name, risk level, disclosure date and so on.

Threat database
https://www.trendmicro.com/vinfo/jp/threat-encyclopedia/

Much as typhoons are assigned numbers and names according to fixed rules, a malware detection name is composed of a "threat type", "platform", "malware family name", "variant" and optional "supplementary information" according to set criteria. You can tell what kind of malware it is just from the prefix of the string, that is, the threat type.

 

About naming

The way a detection name is displayed varies slightly from one security vendor to another. Microsoft, Trend Micro, Kaspersky Lab and others now follow the Computer Antivirus Research Organization (CARO) malware naming scheme. Naming of detected malware and unwanted software is straightforward: once an analyst has investigated a particular threat, each component of the name is determined.

1. Threat Type / Type: Threat type
Classifies the malware by what it does (its malicious behaviour).
Examples: Worm, Adware, Backdoor, Trojan, Ransom, etc. are common types of malware.

2. Platforms: Platform
Indicates the operating system the malware is designed to run on (Windows, macOS, Android, etc.). It is also used to indicate a programming language or file format.
Examples: AndroidOS, DOS, Linux, iPhoneOS, macOS, macOS_X, Win16, Win2K, Win64, etc.

3. Family: Malware family
A group of malware threats that share common activities and characteristics.
The same family may be given different names by different security software vendors.

4. Variant: Variant
A unique string assigned to each distinct variant of a family.

5. Other file types / Other Information: Supplementary information
More detailed information used for complex threats.

Malware detection name naming rules (Trend Micro)
https://success.trendmicro.com/jp/solution/1306448

Malware names (Microsoft)
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/malware-naming

CARO (Computer Antivirus Research Organization)
http://www.caro.org/index.html

 

On Kaspersky's statistics site you can also check on-demand scan detections, malicious email, web threats, network attacks, vulnerabilities, spam and so on by period (day / week / month). With its "Top Infections" list and a knowledge of the malware naming scheme, you can quickly tell from the name of the malware alone whether a threat is relevant to your environment.

Statistics (Kaspersky)
https://statistics.securelist.com/en
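To make the naming scheme described above concrete, and to show the "look at the name and decide whether it matters to your environment" step mentioned for the Kaspersky statistics, here is an added Python example written for this article (not code from Microsoft, Trend Micro or Kaspersky). It parses the two common layouts, Microsoft's documented `Type:Platform/Family.Variant!Suffix` form and the dotted `Type.Platform.Family.Variant` form seen in Kaspersky's Securelist statistics, and filters a list of detection names down to those whose platform token maps onto an operating system you actually run. The detection names in the sample list are constructed for illustration, and the platform-to-OS table is an assumption that covers only the platform tokens listed in this article.

```python
"""Parse CARO-style detection names and filter them by platform.

Added example for this article; not code from Microsoft, Trend Micro or
Kaspersky. Two layouts are handled:
  Type:Platform/Family.Variant!Suffix   Microsoft's documented form
  Type.Platform.Family.Variant          the dotted form seen in Kaspersky's
                                        Securelist statistics
The sample detection names are constructed for illustration, and the
platform-to-OS table is an assumption covering only the platform tokens
listed in this article.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class DetectionName:
    type: str                 # threat type: Trojan, Worm, Ransom, ...
    platform: str             # platform token: Win32, AndroidOS, ...
    family: str               # malware family
    variant: Optional[str]    # per-variant string, may be absent
    extra: Optional[str]      # supplementary info (Microsoft '!' suffix), may be absent
    raw: str                  # the name as received


MS_RE = re.compile(
    r"^(?P<type>[A-Za-z-]+):(?P<platform>[A-Za-z0-9_]+)/(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9_-]+))?(?:!(?P<extra>[A-Za-z0-9_.-]+))?$"
)
DOTTED_RE = re.compile(
    r"^(?P<type>[A-Za-z-]+)\.(?P<platform>[A-Za-z0-9_]+)\.(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9_-]+))?$"
)


def parse_detection_name(name: str) -> DetectionName:
    """Split a detection name into its CARO components; raise on unknown layouts."""
    name = name.strip()
    for rx in (MS_RE, DOTTED_RE):
        m = rx.match(name)
        if m:
            g = m.groupdict()
            return DetectionName(g["type"], g["platform"], g["family"],
                                 g.get("variant"), g.get("extra"), name)
    raise ValueError(f"unrecognised detection name layout: {name!r}")


# Assumed mapping from the platform tokens listed in this article onto the
# operating system actually present in an environment.
PLATFORM_OS = {
    "win16": "windows", "win2k": "windows", "win32": "windows", "win64": "windows",
    "dos": "dos", "androidos": "android", "iphoneos": "ios",
    "macos": "macos", "macos_x": "macos", "linux": "linux",
}


def platform_os(platform: str) -> Optional[str]:
    """OS name for a platform token, or None if the token is unknown."""
    return PLATFORM_OS.get(platform.lower())


def relevant_detections(names: Iterable[str], environment_os: set) -> list:
    """Keep the detections whose platform maps onto an OS in environment_os.

    Unknown platform tokens are kept as well: a name you cannot classify
    should be looked at, not silently dropped.
    """
    kept = []
    for name in names:
        d = parse_detection_name(name)
        os_name = platform_os(d.platform)
        if os_name is None or os_name in environment_os:
            kept.append(d)
    return kept


# Constructed sample names; not claimed to be real detections.
SAMPLE_NAMES = [
    "Trojan:Win32/SampleBot.A!ml",
    "Ransom:Win64/SampleLocker.B",
    "Trojan-Banker.AndroidOS.SampleBank.q",
    "Backdoor.Linux.SampleShell.a",
    "Worm:macOS/SampleWorm.C",
    "Trojan.Win32.Generic",
]

if __name__ == "__main__":
    for d in relevant_detections(SAMPLE_NAMES, {"windows"}):
        print(f"{d.raw:40s} -> type={d.type} platform={d.platform} family={d.family}")
```

The filter keeps names whose platform token it does not recognise rather than discarding them, because a detection you cannot classify is one to investigate, not one to ignore; extend `PLATFORM_OS` with the tokens your own vendor uses before relying on it.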

 

9. Security vendor

AV-Comparatives is an independent organization that runs systematic tests to check whether security software (PC- and Mac-based antivirus products, mobile security solutions, and so on) works as expected. Its website publishes a list of consumer antivirus vendors (PC), a list of enterprise vendors, and the test results.

For example, ESET's enterprise product achieved a strong 99.9% in the Malware Protection Test (March 2020). It may be worthwhile to use such data as one reference when selecting products.

Enterprise Main Test-Series Vendors
https://www.av-comparatives.org/enterprise/

Test Results
https://www.av-comparatives.org/enterprise/test-results/

List of Consumer AV Vendors (PC)… For general consumers
https://www.av-comparatives.org/list-of-consumer-av-vendors-pc/

 

There are many anti-virus products. Market share varies widely between them, but in practice you may not know which one suits you until you try it. Check whether a trial version is available and choose the product that fits your environment.

 

10. Summary

Reports on cyber attacks of all kinds, including malware, are continuously published both in Japan and overseas. We hope you will keep up with the information published by the vendor of the security software you use and with the measures taken inside your own company, and cooperate with others to keep damage to a minimum.

At our company we handle backup PCs (Tegsys) designed with security and failure countermeasures in mind, IDA, which is useful for engineers doing malware analysis, and VirusTotal Enterprise, which excels at detecting malware, among other products.

If you have any problems, please use Tegara's support site!