Cybercrime, Fastweb: malicious events up 180% in Italy, red alert for 2022

The picture that emerges from the analysis prepared by the Security Operations Center (Soc) on a network made up of over 6.5 million public IP addresses is more than disturbing. In the first six months of 2021, 36 million attacks were recorded, as many as in all of 2020. “Employees in smart working are the weak point of the security chain. Threats on the endpoint are growing.” 10 Nov 2021

Mi Fio

36 million malicious events were recorded in the first half of 2021 alone, numerically equal to those of the whole of 2020, marking a growth of 180% year on year: this is the scenario that emerges from the analysis of the most relevant phenomena elaborated by the Fastweb Security Operations Center (Soc) as part of the Clusit report. Two main phenomena emerged from the analysis of the Fastweb network infrastructure, which consists of over 6.5 million public IP addresses, behind each of which hundreds of devices and servers active in customer networks can communicate: the first is a sharp increase, in the first quarter, in attacks of the "Proxy Logon" type; the second is the increase in ransomware activity with ransom demands. With regard to the Proxy Logon phenomenon, this attack, the telco explains, gives access to the victim companies' e-mail servers (based on Exchange technology), compromising their e-mail accounts and using them to deliver additional malicious software that widens the scope of the attack. "Starting from April, this attack declined thanks to the availability of a patch that fixes the vulnerability in the mail systems," the company emphasizes. On the ransomware front, an increase in the activity of this malware of about 350% was observed compared to the same period last year, and the consequences of these increasingly aggressive attacks have become even more evident, as in the case of the attacks against public bodies that blocked daily operations. There is, however, also good news, Fastweb points out, because the Emotet botnet effectively ceased its activity during April 2021. "Thanks to the joint intervention of international government associations this threat has disappeared, but it is important to highlight how important the concept of team play is in cyber security. You can't win alone: you need to join forces and, above all, be aware of cyber threats."

In its analysis Fastweb also sets out its forecasts for the last part of the year and for 2022. "The attackers," the report reads, "are focusing on the weak point of the security chain, namely smart working employees. In fact, there is a growing number of threats on the endpoint, which reach 90,000 compared to 65,000 in the same period last year (Jan-Sept), a growth of 40%." According to the telco, for a more complete reading of the phenomena in progress it is necessary to start analyzing threats on the application side, "given that the use of these techniques is increasingly frequent and has impacts in terms of cybersecurity that will be ever more significant". Starting this year, in fact, Fastweb will contribute to the Clusit Report with an analysis of the vulnerabilities and attacks aimed at the software and application systems of client companies in the Enterprise and Public Administration sectors, detected through Web Application Firewall technologies. "From the evidence collected in the first nine months of 2021, we can see that most of the detections refer to cyber activities related to the collection of information (Information Gathering, 54.8%). This activity, not being directly linked to an attack, is often connected to preparatory work aimed at gathering detailed information on company application systems in order to subsequently launch a targeted attack on the server." File Injection attempts follow in number (18.3%), in which the attacker tries to insert malicious files into the system with the aim of taking control of it, followed by attempts to exploit vulnerabilities in Web applications (9.6%) such as the CMSs Joomla, Drupal and WordPress.
The Generic Attack category (6%), on the other hand, groups all those attacks that rely on common exploits but do not use techniques such as SQL Injection (a direct attack to access data, exploiting weaknesses in the programming language used to manage the database) or Local File Inclusion (LFI). SQL Injection, Cross Site Scripting (an attack aimed at introducing code not belonging to the site being visited, forcing the user to perform unwanted actions) and Directory Traversal (an attack to gain access to files in directories the attacker is not authorized to access) events remain important attack vectors today, even though these methodologies are well known to those who develop and secure applications.