At the end of 2016, various reports predicted that cyber-attacks could double in 2017. True to those prognostications, F-Secure Labs has logged an overall increase of 223% in traffic to its honeypots in the first half of 2017 compared with H2 2016.
“Some of this jump in volume can be attributed to improvements made in our backend systems and the addition of new honeypots to the network, but given the considerable surge, it is our belief that attacks are also simply on the increase,” the firm said in its report shared with Infosecurity on the findings. “The constantly evolving nature of the ecosystem, the increased automation and distribution of attack tools, ever-expanding attack surfaces, and highly charged geopolitical events are all likely contributing factors.”
F-Secure found that in the second half of 2016, the top five sources of activity were Russia, the Netherlands, the US, China, and Germany. In H1 2017, Russia re-appeared in the top spot for sources of attacks, accounting for 44% of traffic. Following Russia was the US, with about 15% of traffic, the Netherlands with 7%, Belgium and Germany with 6% each, and China with 5%. The top 10 source countries accounted for 87% of all traffic detected.
It also delved into who has been attacking whom: “When it comes to the more specific question of which countries are attacking which, the greatest number of attacks came from Russia targeting the US, followed by Russia targeting the Netherlands, the Netherlands targeting the US, and Belgium targeting the US,” the report found.
The analysis uncovered spikes in traffic to SMB port 445 (driven by WannaCry and NotPetya, both of which spread over SMB) and to UPnP/SSDP port 1900 (driven by attacker interest in vulnerable IoT devices). Attack payloads were 66% executable files and 33% fileless scripts and commands, and the report underscores that attackers constantly evolve to find new attack surfaces.
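The figures above (period-over-period growth, top source countries, source-to-target pairs, and per-port spikes) are the kind of aggregation anyone running a honeypot can reproduce from their own connection logs. The script below is an added example, not F-Secure's code or data: the records are constructed, the country codes and dates are arbitrary, and the tuple layout (date, source country, target country, destination port, payload kind) is an assumption about what a honeypot exports. It also handles the edge case the raw ratio hides: a port that was never probed in the earlier period.

```python
"""Aggregate honeypot connection records the way the report does.

Added example with constructed sample data (not F-Secure's telemetry).
Each record is (date, source_country, target_country, dst_port, payload_kind).
"""
from collections import Counter
from datetime import date


def rec(d, src, dst, port, kind, n=1):
    """Return n identical records so the sample list stays readable."""
    return [(d, src, dst, port, kind)] * n


# Constructed sample records: 10 in H2 2016, 21 in H1 2017.
RECORDS = (
    rec(date(2016, 9, 3), "RU", "US", 445, "exe", 2)
    + rec(date(2016, 10, 11), "RU", "NL", 22, "script", 2)
    + rec(date(2016, 11, 20), "NL", "US", 1900, "script", 1)
    + rec(date(2016, 8, 7), "US", "US", 23, "exe", 3)
    + rec(date(2016, 12, 1), "CN", "US", 22, "exe", 2)
    + rec(date(2017, 5, 13), "RU", "US", 445, "exe", 6)
    + rec(date(2017, 6, 28), "RU", "NL", 445, "exe", 3)
    + rec(date(2017, 2, 2), "RU", "US", 22, "script", 2)
    + rec(date(2017, 3, 9), "NL", "US", 1900, "script", 3)
    + rec(date(2017, 4, 16), "BE", "US", 1900, "exe", 2)
    + rec(date(2017, 1, 25), "US", "US", 23, "exe", 3)
    + rec(date(2017, 5, 30), "DE", "US", 22, "script", 1)
    + rec(date(2017, 6, 5), "CN", "US", 22, "exe", 1)
)

H2_2016 = (date(2016, 7, 1), date(2016, 12, 31))
H1_2017 = (date(2017, 1, 1), date(2017, 6, 30))


def in_period(records, period):
    """Select the records whose date falls inside [start, end]."""
    start, end = period
    return [r for r in records if start <= r[0] <= end]


def growth_pct(prev, cur):
    """Overall change in volume between two periods, in percent."""
    return round(100.0 * (len(cur) - len(prev)) / len(prev), 1)


def top_sources(records, n=5):
    """(country, hits, share%) for the n most active source countries."""
    total = len(records)
    counts = Counter(r[1] for r in records)
    return [(c, k, round(100.0 * k / total, 1)) for c, k in counts.most_common(n)]


def top_pairs(records, n=5):
    """Most frequent (source, target) country pairs with their hit counts."""
    return Counter((r[1], r[2]) for r in records).most_common(n)


def port_spikes(prev, cur, min_ratio=3.0):
    """Ports whose hit count in `cur` is at least min_ratio times its count in `prev`.

    A port never seen in `prev` is reported with ratio inf rather than being
    skipped or raising ZeroDivisionError: a brand-new port is the most
    interesting spike of all.
    """
    before = Counter(r[3] for r in prev)
    after = Counter(r[3] for r in cur)
    spikes = {}
    for port, hits in after.items():
        base = before.get(port, 0)
        ratio = hits / base if base else float("inf")
        if ratio >= min_ratio:
            spikes[port] = ratio
    return spikes


def payload_mix(records):
    """Share of each payload kind (e.g. executable vs. script), in percent."""
    counts = Counter(r[4] for r in records)
    return {k: round(100.0 * v / len(records), 1) for k, v in counts.items()}


if __name__ == "__main__":
    prev, cur = in_period(RECORDS, H2_2016), in_period(RECORDS, H1_2017)
    print("growth:", growth_pct(prev, cur), "%")
    print("top sources:", top_sources(cur))
    print("top pairs:", top_pairs(cur, 3))
    print("port spikes:", port_spikes(prev, cur))
    print("payload mix:", payload_mix(cur))
```

On the constructed data this reports 110% growth, Russia as the top source, Russia-to-US as the top pair, and spikes on ports 445 and 1900. The spike threshold is a plain ratio; on real telemetry you would also want a minimum absolute hit count so that a port going from 1 hit to 3 does not page anyone.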
“Both this spring’s Shadow Brokers leak of stolen NSA tools and the inherent vulnerability of IoT devices significantly affected our list of commonly probed ports, once again underscoring that attackers will always adapt to find new avenues of exploitation,” F-Secure said. “At the same time, the dramatic increase in volume of activity gives us no reason to expect a slowdown in the second half of the year.”
Clearly, following standard security practices remains critically important. These include keeping operating systems and applications up to date and patched, configuring firewall rules properly (the port 445 and 1900 spikes are a reminder that SMB and UPnP should not be reachable from the internet), taking reliable backups, segmenting networks, and maintaining a healthy suspicion of email attachments and links.