Analysis of the Italian situation regarding cyber crime and cyber incidents
- Extract from the 'Clusit Report 2019' -
"We can say that 2018 was the worst year ever in terms of the evolution of" cyber "threats and their impacts, not only from a quantitative point of view but also and above all from a qualitative one, highlighting a growth trend of the attacks , their severity and consequent damage never previously recorded.
Over the past two years, the rate of growth in the number of serious attacks has increased 10 times compared to the previous one. Not only that, the average severity of these attacks has simultaneously worsened, acting as a damage multiplier.
To summarize the gravity of the situation last year, we wrote (not without attracting some sneer) that 2017 had represented a "quantum leap" in global cyber-insecurity levels. This year, having run out of adequate comparisons, we decided to express our opinion on the criticality of the historical moment by referring to the notorious "Doomsday Clock”, The metaphorical clock created in 1947 by the scientists of the Bulletin of the Atomic Scientists of the University of Chicago, in which midnight symbolizes the end of the world, and minutes away from it the probability of the nuclear apocalypse.
Why say that we are now "two minutes from midnight"? In summary, because we believe that the trends we are observing cannot continue for a long time without causing some kind of discontinuity, of rupture (even if we have no way of knowing how this will materialize) and that the stress still tolerable by the system is limited ...
As expected, in 2018 the most dangerous trends identified in 2017 were fully realized, which we had described as “the year of the triumph of malware, of the industrialized attacks carried out on a global scale against multiple targets and of the definitive descent into the field of States as actors of threat ", and these trends, consolidating, have become the" new normal ", while scenarios that only 5 years ago we would have branded as series B science fiction have now become part of our daily reality.
To give a striking example of the genetic mutation of cyber threats that has occurred in the last 2 years, Cybercrime, while certainly representing a huge problem from a quantitative point of view and playing the lion's share in our sample (for the reasons explained in the previous chapter ), now from a qualitative point of view (or Severity, according to our analysis) has paradoxically become a secondary risk, in the sense that we now face far worse threats daily, against which the available countermeasures are particularly ineffective.
Below we try to draw up a list, albeit at a high level, of the 4 main "new" threats, recalling that it is a first attempt to systematize very recent dynamics.
- Information Warfare and Cyber Guerrilla
The most problematic aspect of the "new normal" is the possibility for States to "slide" without too much fanfare the management of their conflicts increasingly towards the "cyber" level, continually raising the level of confrontation without having to resort to armies and traditional armaments ...
- Cyber espionage and sabotage
A second element of serious concern is linked to the cyber espionage and sabotage activities, which are clearly growing and now take on the most varied forms, from the now constant "war of perception" carried out through fake news amplified via Social Media to the infiltration of infrastructures criticisms, companies and institutions, of the systematic theft of all kinds of information for geopolitical purposes, of economic and technological dominance, of reconnaissance and "preparation of the ground" in view of further attacks ...
- Machine Learning (AI)
Another cause for serious concern is the inevitable "weaponization" of Machine Learning techniques, and the parallel growth of attack techniques developed specifically to target these platforms. These are actually two distinct problems, both related to the spread of ML-based systems. On the one hand, in fact, we are witnessing the first stages of the use of Machine Learning techniques for the realization of cyber attacks with the aim of making them more effective and less expensive, and on the other, there is now a real possibility that AI-based systems they can be silently altered and misled by "adversarial machine learning" techniques as well as, more trivially, attacked and compromised with traditional techniques.
- Surveillance Capitalism
A fourth very problematic and too little discussed aspect of the "new normal" is linked to the affirmation of a radically new global economic model, born from the ashes of the techno-libertarian utopia of the 90s and early 2000s, recently defined by Zuboff. and others like "Surveillance Capitalism". Recalling the concept within this list could make some people turn up their noses, since, at least in principle, this is not a punctual cybernetic threat, but rather a socio-economic phenomenon that is altering business models and human relationships, modifying balances of power and even altering the functioning of liberal democracies thanks to a specific application of digital technology (which is certainly not the only possible one), modeled on the economic interests of a few high-tech multinationals, moreover in ways (almost always ) lawful. Although in our analysis only "traditional" cyber attacks (ie made with hacking techniques against / through digital systems) are collected and classified, in the face of this real revolution in progress it would be appropriate to start considering also a new class of cyber attacks, made (for example) thanks to the exploitation of regulatory gaps, the smokiness of service contracts or the disinformation of the public and sophisticated forms of lobbying to influence legislators, in order to obtain almost total control of lives, choices and of the orientations (also political) of each. In this sense, we wanted to include the "Cambridge Analytica" affair in the 2018 accident sample, considering it in all practical respects a (new) form of cybernetic attack of the "corporate" type ...
Fastweb analysis of the Italian situation regarding cyber-crime and cyber incidents
2018 was a particularly complex year and the panorama of cyber threats in the past 12 months has evolved significantly.
After the peak reached in 2017, "ransomware" attacks begin to have a slight decrease as the number of new infections has stabilized.
The reason for this slowdown is due in part to the emergence of new countermeasures to protect the machines, in part to the attackers who have turned their attention to crypto-jacking.
This year we have also observed an evolution linked to APT (Advanced Persistent Threat) attacks. These attacks, aimed at specific subjects, become increasingly advanced and sophisticated and use spear phishing techniques extensively.
The difference from other types of phishing is that a particular person or an employee of a specific company is targeted. This means that spear phishing becomes even more effective and therefore dangerous: cybercrime collects information about the victim so that the victim can be deceived. It is indeed very complex to distinguish a well-designed spear phishing e-mail from a normal one, for this reason it is easier for the victims to fall into the trap.
However, there are also positive signs regarding the spread of new technologies, which are increasingly accessible from an economic point of view and which respond to ever-increasing threats, succeeding in some cases in preventing the so-called "zero-days" attacks by exploiting advanced machine learning techniques and artificial intelligence.
This year we have collected over 40 million security events (a 14% database higher than that used for the 2017 report). The analysis domain consists of the data obtained by our Security Operations Center and relating to the IP addresses belonging to the Fastweb Autonomous System (AS): over 6 million public addresses on which tens or even hundreds of active devices and servers can communicate at customer networks.
The composition of the Malware and Botnets affecting the machines belonging to the AS of Fastweb has evolved compared to the previous survey of the year 2017.
In fact, 212 malicious software families were identified this year (+ 10% compared to the previous year). Several threats already present last year have been detected, but the real news concerns the massive spread of new malware, not yet classified and attributable to a known family.
Zeroacces, classified as a "rootkit" is a virus that, once caught, directs the web browser to pages that promote malware or other programs. It is also capable of carrying other specific types of malware and hiding from traditional antivirus scans. Finally, it blocks access to sites where it is indicated how to remove it so that the victim has difficulty “asking for help”.
In the first places, we also find the well-known Wannacry ransomware followed by Gozi and Ramnit.
The latter two, which together cover 15% of total malware, are specific malware for the financial market and are able to intercept credentials related to home banking, thus transmitting attackers username and password to access the victim's bank.
Finally, we find a 19% of malicious software (an increase of 11% compared to 2017) that have not yet been cataloged of which we do not know all the details.