In the first half of the year, most cyber incidents were recorded in industry

The sharp increase in the number of cyber incidents that BI.ZONE TDR experts observed in 2022 and early 2023 slowed down somewhat, while the share of highly critical cyber incidents slightly decreased.

Most of the incidents were recorded in industry (38%), IT (27%) and finance (15%), but in the vast majority of cases, attackers can be stopped before they have time to cause damage.

As in 2023, attacks through contractors are not uncommon, and phishing and the use of legitimate accounts remain among the most popular methods for obtaining initial access to infrastructure.

The report collects and summarizes data on cyber incidents recorded by BI.ZONE TDR specialists. A cyber incident is a malicious or unauthorized action by cybercriminals against a company's IT infrastructure that breaches, or imminently threatens to breach, the security of its elements, for example encryption of the infrastructure, or destruction or theft of confidential information.

Most cyber incidents do not cause damage to the company, because the attackers' actions are stopped before they have time to move deeper into the IT infrastructure and cause damage. If the attackers managed to compromise at least one element of the IT infrastructure during the attack and affect its operation, such an event is classified as a highly critical incident. This also includes events where an attacker has not yet affected the compromised IT infrastructure but is highly likely to do so.

1. Growth in the number of cyber incidents slowed down after a sharp jump in 2022 and early 2023.

In the first half of 2024, BI.ZONE TDR specialists recorded almost 40% more cyber incidents than a year earlier. However, this change is not associated with a sharp increase in attacker activity, but with an increase in the number of service clients and endpoints (servers and workstations) monitored by BI.ZONE TDR. As of the end of June 2024, their number was more than 250,000, about 30% more than a year earlier.

Andrey Chaliapin, Head of BI.ZONE TDR:
In 2022, there was a sharp increase in the activity of cyber groups attacking Russian companies, which continued in early 2023. Now this indicator is growing more slowly, which may indicate a gradual levelling off on a more or less stable plateau. At the same time, more and more organizations are implementing monitoring of cybersecurity events, which means that more cyber threats are coming to the attention of specialists. Thus, the absolute number of registered cyber incidents is steadily increasing with the number of service clients.

As a rule, the second quarter is ahead of the first in terms of the number of cyber incidents. In 2023, 10% more incidents were detected in the second quarter than in the first, and in 2024 the gap increased to 36%.

This dynamic is partly due to the fact that the first months of the year contain many public holidays. Some of the recorded alerts about cyber incidents are inevitably associated with pentests, which, as a rule, are not held during the holidays. From the outside, pentests may be indistinguishable from real attacks, but their purpose is to identify weaknesses in the defenses so that they can be fixed, not to cause damage to the company.

2. Most cyber incidents were recorded in industry, IT, and the financial industry

In the first half of 2024, BI.ZONE TDR analysts recorded the largest number of cyber incidents (38%) in industry and energy. For the same period last year, this figure was 37%. The increased interest of attackers in industry and the fuel and energy sector may be due to the strategic importance of these industries for the economy. According to the cyber intelligence portal BI.ZONE Threat Intelligence, espionage is the main goal for 35% of cyber groups attacking industrial enterprises.

The IT industry accounted for 27% of all cyber incidents detected in the first half of the year, a year-on-year increase of just 1%. The relatively large number of detected cyber attacks in the IT sector is most likely due to the specifics of the industry: as a rule, IT companies have a more complex and volatile digital infrastructure, and therefore a wider attack surface.

15% of cyber incidents in the first half of 2024 were related to the financial sector and insurance, while by the end of June 2023, this figure was 10%. At the same time, the share of cyber groups attacking the financial sector has also increased: according to BI.ZONE Threat Intelligence, in 2023, 16% of clusters attacked financial organizations, and in the first half of 2024 — already 25%.

At the same time, the vast majority of cyber attacks detected in financial and insurance companies do not lead to cyber incidents. This is due to the fact that the industry traditionally places high demands on cybersecurity, so most attacks can be stopped at the initial stage, before the attackers have time to cause any damage or gain a foothold in the infrastructure.

3. Attackers are increasingly being stopped at the initial stages of an attack

In the first half of 2024, BI.ZONE TDR analysts recorded 39 highly critical cyber incidents, and a year earlier – 26. However, the growth in absolute indicators in this case is unrepresentative: in 2024, only 0.6% of all recorded attacks resulted in highly critical incidents, and a year earlier — 0.7%.

One of the factors behind the decrease in the share of highly critical cyber incidents could be the wider use of specialized endpoint detection and response (EDR) solutions. Their share of the Russian market has increased 1.5-2 times over the past two years. These solutions make it possible to detect complex threats at endpoints and respond to them quickly, before attackers penetrate deep into the infrastructure and achieve their goals.

4. Most cyber incidents are related to attacks through contractors

To break into the IT infrastructure, attackers most often use phishing, as well as exploit vulnerabilities in external services. Attacks through contractors are less common, although in the last few years they have become more frequent due to the consistently high demand for software and hardware maintenance and technical support services, custom software development and testing.

However, attacks through contractors pose a more serious threat to companies than phishing or exploitation of vulnerabilities, since the actions of attackers in such cases are more difficult to detect and stop at an early stage. For this reason, and because of the weaker security of the contractors themselves, such attacks became a trend last year. In 2024, the majority of cyber incidents are still associated with attacks through contractors, even though such attacks are significantly less frequent than, for example, phishing.

In addition, cybercriminals actively use legitimate accounts, whose credentials are stolen using stealer programs (infostealers), to attack companies.

Among the tools most popular with attackers are the network tunnelling tools ngrok and Stunnel, as well as remote access utilities such as PhantomRAT and Sliver. Unlike the remote access Trojan PhantomRAT, Sliver is a dual-use tool that was originally created for penetration testing.

The top 5 most popular attack tools also include Gsocket, an open source remote access program. Criminals began actively using Gsocket in 2023 to execute arbitrary commands on a remote system and to copy files while bypassing firewalls.
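A small hunt over process-creation telemetry for the tunnelling and remote-access tools named above, added here as an illustration and not taken from the report or from BI.ZONE: it flags ngrok, Stunnel and Gsocket by binary name and notes execution from a scratch directory as a triage hint. The key=value log format, field names and sample events are assumptions.

```python
import re
from dataclasses import dataclass

# Name-based indicators for three of the tools named in the report; an illustrative
# assumption, not the report's detection logic. Sliver and PhantomRAT implants carry
# arbitrary file names, so they need behavioural or network detection instead.
TOOL_PATTERNS = {
    "ngrok":   ("network tunnel", re.compile(r"(?:^|[\\/\s])ngrok(?:\.exe)?(?=\s|$)", re.I)),
    "stunnel": ("network tunnel", re.compile(r"(?:^|[\\/\s])stunnel(?:\.exe)?(?=\s|$)", re.I)),
    "gsocket": ("remote access",  re.compile(r"(?:^|[\\/\s])gs-(?:netcat|sftp|mount)(?=\s|$)", re.I)),
}
# Execution from a scratch directory is a triage hint, not proof of intrusion.
SCRATCH_DIRS = re.compile(r"\\temp\\|\\downloads\\|/tmp/|/dev/shm/", re.I)
LOG_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Finding:
    host: str
    user: str
    tool: str
    category: str
    from_scratch_dir: bool

def parse_event(line):
    """Parse a key=value process-creation line (quoted values allowed)."""
    return {k: v.strip('"') for k, v in LOG_FIELD.findall(line)}

def scan_process_logs(lines):
    """Return one Finding per event whose image or command line names a tool."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        haystack = f"{ev.get('image', '')} {ev.get('cmdline', '')}"
        for tool, (category, pattern) in TOOL_PATTERNS.items():
            if pattern.search(haystack):
                findings.append(Finding(ev.get("host", "?"), ev.get("user", "?"), tool,
                                        category, bool(SCRATCH_DIRS.search(ev.get("image", "")))))
    return findings

# Constructed sample events (not real telemetry); hosts and users are invented.
SAMPLE_LOG = [
    'ts=2024-06-12T10:03:11Z host=ws-041 user=j.doe image="C:\\Users\\j.doe\\AppData\\Local\\Temp\\ngrok.exe" cmdline="ngrok.exe http 8080"',
    'ts=2024-06-12T10:05:40Z host=srv-db2 user=svc_backup image="/usr/local/bin/gs-netcat" cmdline="gs-netcat"',
    'ts=2024-06-12T10:07:02Z host=ws-017 user=a.ivanov image="C:\\Program Files\\Notepad++\\notepad++.exe" cmdline="notepad++.exe report.txt"',
    'ts=2024-06-12T10:09:55Z host=srv-app1 user=admin image="C:\\stunnel\\bin\\stunnel.exe" cmdline="stunnel.exe C:\\stunnel\\stunnel.conf"',
]

if __name__ == "__main__":
    for f in scan_process_logs(SAMPLE_LOG):
        print(f"{f.host} {f.user}: {f.tool} ({f.category}), scratch dir: {f.from_scratch_dir}")
```

In a real deployment the same matching would run over EDR or Sysmon process-creation events, with allow-listing for hosts where these tools are legitimately deployed.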