The Think Tank Cybersecurity of INNOCHERCHE identifies, decrypts and popularizes trends in cybersecurity to help managers decode, anticipate and take action.
The INNOCHERCHE Cybersecurity Trophy aims to highlight startups capable of meeting the challenges posed by these 9 trends identified during 2019 by the Think Tank Cyber and of proposing effective solutions for 2020.
Here are the 9 trends in cybersecurity observed in 2019. For each, the concept is explained, examples are given together with the results observed, and in the lessons we draw from them we refer to our sheet of 8 principles, which we keep up to date in our InnoCherche monitoring repository:
We classified these 9 trends into:
- three general trends for everyone:
  - ever more leaks of the most sensitive data
  - … and ransom demands
  - a new threat, Deepfakes
- four sector trends:
  - all infrastructures are vulnerable
  - in particular because of the development of IoT
  - the cyber risk which must be controlled
  - with the supply chain very much targeted, given its power of contamination
- … and two management trends:
  - working on digital resilience
  - with an HR policy at the center of your cybersecurity
Trend 1: ever more leakage of the most sensitive data
The Panama Papers affair is the largest global leak of confidential private data that was supposed to be very well protected.
Within the Panamanian law firm Mossack Fonseca, which specializes in the creation and domiciliation of offshore companies, an internal computer specialist exported 2.6 terabytes of data relating to 214,000 offshore companies, mostly linked in one way or another to public figures.
This leak constitutes the largest revelation of documents ever exploited by the media (2.6 TB, equivalent to 2,600 one-hour films in HD) and far exceeds the combined data of the WikiLeaks cables of 2010 (1.7 GB), Offshore Leaks of 2013 (260 GB), Luxleaks of 2014 (4 GB) and Swiss Leaks of 2015 (3.3 GB).
The volumes are impressive:
- 4.8 million emails
- 3 million databases
- 2 million PDF files
- 1.1 million images (including photocopies of shareholders’ passports and scans of signed contracts)
- 320,000 text files
- 2,000 files in other formats
These documents were sent in 2015 to the German daily newspaper Süddeutsche Zeitung, which quickly shared the information with the International Consortium of Investigative Journalists so that the journalistic investigation could be carried out in secret and then published en masse once ready, when the scandal broke in April 2016.
- A vast investigation covering 40 years (1977-2015) and 70 countries, carried out by 370 journalists, revealed that 140 politicians or personalities have assets in tax havens.
- An online database still available today with a search engine provides information on the 214,000 offshore companies created by Mossack Fonseca and, when the data allow, the names of their real owners. Internet users can analyze this data and view the networks around a hundred of these entities.
Trend 1 lessons “sensitive data leakage”:
Trend 2: always more Ransomware (ransom demand)
These are attacks whose objective is to extort a ransom, in exchange for the promise of returning the victim’s data or of stopping the blackmail.
In 2017, the first large-scale global ransomware attack took place
On April 14, 2017, the hacker group The Shadow Brokers published EternalBlue, an exploit developed and used by the NSA, which abuses a Windows security vulnerability. (On March 14, 2017, Microsoft had already released a security update for the supported versions of Windows to close this flaw.)
On Friday May 12, 2017, a ransomware, “WannaCry”, used this security flaw to spread to thousands of old, unpatched PCs, encrypt their files and demand a ransom to decrypt them. WannaCry targets the Server Message Block (SMB) protocol to infiltrate its victims (specifically via a TCP connection to port 445). Created in the 1980s, this protocol was used in several forms up to Windows 8. The worm then installed the WannaCry ransomware, which makes the files unusable and demands a ransom in Bitcoin of around 300 dollars (which doubles after 3 days). If the ransom is not paid after one week, the files are deleted.
On that Friday, May 12, 2017, WannaCry spread at a staggering speed around the world, reaching a hundred countries: Great Britain, Spain, Portugal, Mexico, Australia, Russia but also… France. In total, 300,000 PCs were affected.
- A meager take of 110,000 euros, because the authorities’ recommendation not to pay was followed (if you pay, you are put on lists circulating on the dark web, increasing your chance of being attacked again)
- Production shutdown: As a precaution, Renault decided to shut down its industrial sites. The shutdown of production “is part of the protective measures that have been taken to prevent the spread of the virus,” said a spokesperson, without specifying the names of the sites concerned.
- An unacceptable weakness … turned into an opportunity by Microsoft: given the severity of the WannaCry attack, on May 13, 2017 Microsoft took the unusual step of releasing a security update for operating systems it no longer maintains, such as Windows XP, Windows 8 and Windows Server 2003.
- A production halt a month after the end of the epidemic: on June 21, 2017, Honda had to stop production for one day at its Sayama factory, because its Windows machines had not been updated.
In 2019, the world’s largest industrial ransomware attack took place
In March 2019, the LockerGoga ransomware targeted the Norwegian aluminum manufacturer Norsk Hydro. It encrypts data and disconnects users and networks. Its originality lies in not being able to propagate by itself across the targeted organization’s network: it is deployed through Cobalt Strike (an adversary-simulation tool designed for training defense teams and protecting information systems) coupled with command and control servers. More than a month later, most of its 160 manufacturing sites were still operating manually (without IT).
Two American chemical companies, Hexion and Momentive, were also targeted.
Trend 2 lessons “Ransomware”:
To anticipate and prepare, you must put in place:
Trend 3: new Deepfake threat after FakeNews (in French, information attack)
These are fake news stories or fake videos, ever more realistic, aimed at manipulating opinion for electoral or financial gain.
By playing on the phenomenon of Facebook bubbles – which isolate audiences that receive only one-sided information – Russian propaganda succeeded in completely polarizing American political life. With a debate that at times became hateful, devoid of any rational and objective argument and based solely on fears, the Russians thus facilitated the election of Trump, as demonstrated in the MUELLER report.
According to the rough calculations of Roger McNamee (… in his remarkable book ZUCKED), mounting such an operation requires mobilizing 80 to 100 professional hackers for 4 years, for an overall cost estimated at around 100 million dollars. That is the cost of one F-35 military fighter… which is very little in view of Russia’s geopolitical stakes (the concept of asymmetric warfare).
In this total cost, the share of paid advertising on Facebook is minimal. Facebook admitted before Congress to having received $100K, paid in rubles from the accounts of Russian agents, to finance 3,000 ads relayed by 470 fake accounts and many bots. Given the patient fieldwork done upstream in the different communities, these fake news items, which bounce off distorted real news, were viewed 340 million times. This shows the viral nature of such fake news which, well orchestrated and relayed from one like-minded group to the next, reaches a very large audience. In another testimony, using another metric, Facebook acknowledged that 126 million people were reached by these Russian ads and fake news during the elections. This figure is to be compared with the 137 million voters of the 2016 elections.
Ultimately, this campaign, built to discourage Democrats from going to vote, worked well: between the election of Obama in 2012 and the defeat of Hillary Clinton in 2016, 4 million Democratic voters stayed at home on polling day.
From Putin’s point of view, this is an extraordinary success of asymmetric warfare because, for a very small budget of 100 million dollars, it completely nullified the “soft power” that American democracy had built since the end of the Second World War.
Here are the videos on this subject:
- https://www.youtube.com/watch?v=Z5shuMkducs
Since 2019, the threat has increased with the Deepfakes.
Trend 3 lessons “Fakenews and DeepFake”:
Trend 4: physical infrastructures (Web, IOT) all vulnerable.
So far, by doing damage in the digital world, attackers were targeting information and money. With these new attacks, they are taking down your physical servers.
Denial of service (DDoS) is an attack that consists of saturating the processing capacity of an internet service provider. Concretely, by analogy: if a bus can carry 75 customers, the arrival of 1,200 fake customers at the door of that bus prevents legitimate customers from getting on and therefore from being transported; the service is interrupted.
The OVH attack is the world’s largest denial of service attack.
In September 2016, the French internet hosting giant OVH, which manages more than 260,000 servers worldwide, was the victim of the most powerful denial of service attack on a global scale: 145,607 automated request-sending programs implanted in the software of internet-connected surveillance cameras dumped more than 1.5 TB per second of data onto OVH servers for a week.
- After this denial of service, transparent communication by tweet from the company’s founder, Octave Klaba, on the evolution of the situation: “We have an infrastructure that holds” (explaining that he had managed to maintain a degraded service). This transparent communication was relayed in the media.
- Professional work at OVH: the infrastructure was able to absorb the attack thanks to the anticipation of the data volumes to be received and thanks to an internal innovation called “VAC” (short for “vacuum”). Countering a DDoS attack essentially consists of detecting the malicious requests in the flow of requests and dropping them. But to do this, the host must first be able to accommodate all of the requests on its network. In addition to a large interconnection capacity, OVH has implemented a large packet filtering capacity: the VAC is a hardware system, developed in-house in anticipation of such an attack, based on programmable logic circuits of the FPGA type (field-programmable gate array), on which the hosting provider’s engineers implement filtering algorithms they have developed themselves. “At the beginning, we used products from the market. But they are not flexible enough. Hackers are clever and always find a way to bypass a filtering system. You therefore have to be able to adapt constantly, which was not possible with these products. So we started to create our own solutions, which are not known on the market; besides, there is no question of reselling them,” explains Stéphane Lesimple, SOC manager at OVH.
- … but amateurish work at the video camera manufacturer, all of whose cameras were delivered to the market with the same password of the type “00000” and no possibility of updating the software remotely once a flaw is detected (cf. Principle 6: “My space is a space to defend”)… which will become a major problem for all IoT devices.
- A project for the future: in February 2018, the host wanted to build a “digital dyke” capable of withstanding a flow of 7 terabits/s. The goal is to have a dozen VACs, each with a processing capacity of 600 Gbit/s, for a total of 7.2 terabits/s. In February 2017, OVH had three VACs, distributed around the world, each capable of processing a throughput of 160 Gbit/s, i.e. a total filtering capacity of 480 Gbit/s.
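To make the reasoning above concrete (the bus analogy, and OVH’s point that a filter only helps once the network can take in all the traffic), here is an added example that is not code from OVH or from the original article: a simplified Python model of a defense chain made of an interconnection link, a filtering stage and the protected service. All capacities, rates and the filter’s detection rate are constructed numbers chosen for illustration.

```python
"""Toy model of a DDoS defense chain: interconnection link -> filter -> origin server.

Each stage behaves like the bus door in the analogy: if more requests arrive than it
can take, it admits a proportional share of legitimate and attack traffic alike. Only
the filter stage tells the two apart, and only for traffic that actually reaches it.
All figures are constructed for illustration, not OVH measurements.
"""

INF = float("inf")

def door(legit, attack, capacity):
    """A capacity-limited stage that cannot tell good traffic from bad."""
    total = legit + attack
    if total <= capacity:
        return legit, attack
    share = capacity / total  # proportional drop, as at the bus door
    return legit * share, attack * share

def served_fraction(legit, attack, link_capacity, filter_capacity,
                    detection_rate, server_capacity):
    """Fraction of legitimate requests that reach the origin server.

    link_capacity   -- what the interconnection can accept
    filter_capacity -- what the scrubbing stage (the VAC) can inspect
    detection_rate  -- share of attack traffic the filter recognizes and drops
    server_capacity -- what the protected service itself can handle (the bus)
    """
    l, a = door(legit, attack, link_capacity)  # must first fit on the network
    l, a = door(l, a, filter_capacity)         # filter sees only what it receives
    a *= 1.0 - detection_rate                  # recognized attack requests dropped
    l, _ = door(l, a, server_capacity)         # survivors compete for the bus seats
    return l / legit

# Bus analogy from the article: 75 seats, 1,200 fake customers; 75 real ones assumed.
LEGIT, ATTACK, BUS = 75.0, 1200.0, 75.0

def no_filter():
    """No defense: the fake customers crowd out almost everyone."""
    return served_fraction(LEGIT, ATTACK, INF, INF, 0.0, BUS)

def filter_behind_small_link():
    """Perfect filter behind a link too small for the flood: most legitimate
    traffic is lost upstream before the filter ever sees it."""
    return served_fraction(LEGIT, ATTACK, 300.0, INF, 1.0, BUS)

def big_link_and_filter(detection_rate=1.0):
    """OVH-style: interconnection and filter both sized above the flood."""
    return served_fraction(LEGIT, ATTACK, 2000.0, 2000.0, detection_rate, BUS)

if __name__ == "__main__":
    print(f"no filter:               {no_filter():.1%}")
    print(f"filter, undersized link: {filter_behind_small_link():.1%}")
    print(f"big link + 100% filter:  {big_link_and_filter():.1%}")
    print(f"big link + 90% filter:   {big_link_and_filter(0.9):.1%}")
```

The last two cases also show why the quoted engineer insists on adaptable filters: with the same oversized link, a filter that misses 10% of the flood still leaves the service mostly unavailable.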
Trend 4 lessons “physical infrastructure”:
Trend 5: watch out for cyber risks in IOT
Until now, by doing damage in the digital world, attackers were targeting information or money. With these new attacks, they are destroying your physical servers… but also all the physical objects now connected to the internet, in order to control them remotely and divert them from their mission.
IoT is a business opportunity only if cybersecurity is taken into account.
IoT has been the subject of numerous presentations within the Think Tank Cybersecurity.
Here are the videos related to this subject:
Trend 5 lessons “IOT”:
Trend 6: Growing use of weapons of physical destruction
So far, by doing damage in the digital world, attackers were targeting information or money. With these new attacks, they are destroying your physical servers… but also all the physical objects now connected to the internet, in order to control them remotely and divert them from their mission, even to destroy them.
CIA Stuxnet in 2010 destroyed Iranian centrifuges. Hackers take hold of this kind of malware and develop it.
The world’s largest wiper attack (in French, a “destructive virus”) took place in 2017. On June 27, 2017, NotPetya (a variant of the Petya malware discovered in 2015) spread at very high speed: 2,000 companies were affected.
The initial infection vector was the Ukrainian accounting and tax software MEDoc: an update of that software, modified by the attackers, served as the launching pad for the malware. To spread, the wiper uses EternalBlue, an exploit developed and used by the NSA, which abuses a Windows security vulnerability. NotPetya’s ransom note is then displayed every time the computer starts, in place of Windows: on a black screen, in red text and in English, the following message appears: “Ooops, your files have been encrypted. If you see this message, your files are no longer accessible, because they have been encrypted. Maybe you are looking for a way to recover your files, but don’t waste your time. No one can recover your files without our decryption service.”
The note then demands a ransom of 300 dollars, payable in Bitcoin (a hard-to-trace digital currency), with proof of payment to be sent to an email address, in order to recover access to the files. But that address was deactivated by the German email provider Posteo, which means that no files can be recovered after the ransom is paid; the data is effectively destroyed!
In addition, NotPetya encrypts user data using a randomly generated encryption key that is never transmitted to the attackers, making it impossible to recover the decryption key.
It is therefore a wiper that uses the modus operandi of ransomware as a facade.
- A meager take of 8,600 euros in ransom, paid by 46 victims
- A production halt: the Saint-Gobain factories in Toul, Foug and Pont-à-Mousson were shut down for 5 days. Auchan’s Ukrainian subsidiary was brought to a standstill.
- A weakness turned into an opportunity by SNCF: “Like other companies, SNCF is undergoing the attack in progress (…) we are not victims,” insisted a spokesperson, stressing that “the operations of the railway company were not affected. Our teams are on deck, they (the attacks) are contained,” he added.
Trend 6 lessons “weapons of destruction”:
To anticipate and prepare, you must put in place:
Trend 7: The supply chain more and more targeted
A supply chain attack consists of infiltrating a trusted supplier’s reference servers and using its products to infect its customers directly. The more global the supplier, the greater the contamination.
In March 2019, it was revealed that the manufacturer Asus (one of the top 5 PC suppliers) had been the victim of a computer attack in which its own infrastructure was used to spread malware through the update mechanism installed on its machines, Asus Live Update. This attack targeted a specific and limited group of 600 machines.
The hacker group Barium had already carried out a similar attack in 2017 on the very popular CCleaner software.
In April 2019, it was announced that the Visual Tool development software (published by Microsoft) had been infiltrated by the same group of hackers in order to contaminate software built with this tool.
Trend 7 lessons “supply chain”:
Trend 8 : digital resilience has become vital
Small states in a situation of latent war with large neighboring countries have developed significant resilience to attacks.
Israel has become the cybersecurity startup nation internationally. Each year, many large American groups buy either the structure, the skills or the services of these startups.
Estonia has developed a system for backing up and restoring its data on an international scale. It has set up a network of all the CISOs (RSSIs) in the country to regroup on critical targets in the event of a generalized attack. This system is very effective, as demonstrated by the NotPetya and WannaCry attacks, during which Estonia was one of the few unaffected countries.
Here are the videos relating to this subject:
Trend 8 lessons “Resilience”:
Trend 9: HR policy is at the center of cybersecurity
Attacks are increasingly conceived and crafted with meticulous care to deceive employees, drawing in particular on all the data available about your organization and on personal habits spread across networks like LinkedIn.
The Cybersecurity Think Tank is preparing a survey around the strategic place of HR policy in cybersecurity. Here is the video relating to the presentation of this project:
Trend 9 lessons “HR”:
InnoCherche – January 2020