‘No one is safe’ as global cyberattacks increase, says Kaspersky boss

Kaspersky’s Amin Hasbini discusses widespread ransomware and phishing attacks seen across the world including in UAE and Saudi Arabia, and the need for organisations to avoid cyber threats

No country is safe from cyberattacks, a Kaspersky spokesperson told Arabian Business in an exclusive interview.

“We see cyberattacks happening everywhere, and we see cyber attackers being present everywhere. There is no guarantee of safety; however, it is different for each organisation and different for each user, as every organisation has a different enemy,” said Amin Hasbini, Kaspersky’s Head of META (Middle East, Turkey, Africa) research centre and Head of Global research and analysis team (GReAT).

Hasbini’s comments came on the sidelines of the 2024 edition of Kaspersky’s Cybersecurity Weekend held in Malaysia.

Over 30 million threats blocked in UAE

Last year, over 30 million threats to the UAE were blocked by Kaspersky, Hasbini revealed, adding that 71 percent of attacks are financially motivated and ransomware, in particular, is on the rise.

“Each country has different enemies and requires what is known as Threat Modelling, which is the science behind identifying these enemies. Ransomware is becoming the most popular kind of attack, not in terms of numbers but in terms of having a lot of impact,” he said.

According to Hasbini, very large organisations worth billions of dollars are often targeted, adding that government entities and ministries are more prone to these attacks as they harbour “special and sensitive” data.

“They are all compromised when a ransomware attack takes place, however, there are also many countermeasures that allow for better safety. Nevertheless, attackers are developing and adapting to this and are still finding ways to get inside these organisations.”

Ransomware gangs are already targeting the META region. In 2023 and 2024, Kaspersky found that the biggest ransomware threat to the UAE and Saudi Arabia was LockBit, which targeted the construction and sports and fitness sectors of the countries, respectively.

LockBit is a ransomware group that originated in Russia and was first detected in 2019. The group gained recognition for its ransomware variant, also called LockBit, which uses the Ransomware-as-a-Service (RaaS) framework. Under this model, LockBit licenses its ransomware software to affiliated cybercriminals, who, in turn, pay a portion of the received ransoms to the group.

The attack on both Saudi Arabia and UAE by LockBit claimed $200 million and $20 million in victim size last year and so far this year, with the damage resulting in leaks of financial data, operations data, client data, employee data and PII (Personally Identifiable Information).

Dubai Police, Emirates Post phishing scams

When asked about the ongoing phishing scams impersonating authorities like Dubai Police and Emirates Post, Hasbini said that while the authorities themselves haven’t been compromised, their names are being used because of their credibility.

“They [attackers] often use these authorities to retrieve personal data because they are very credible as an authority and people trust these entities. This is called social engineering. However, there are many ways to detect and block these kinds of attacks. It starts from using anti-phishing technologies that analyse text, pictures inside the emails, source the IP address, and more,” he said.

Hasbini also revealed that phishing email scams peaked last year on October 19, 25 and 30, during the Halloween season, and later during the Black Friday sales, followed by the winter holiday season.

Advanced Persistent Threats are becoming popular across the world

Another trending attack is an APT (Advanced Persistent Threat), which is more “sophisticated,” according to Hasbini.

“These attacks use better technology and are developed by those equipped with better budgets. However, these attacks are not for everyone. They are used on specific entities or specific people that are interesting to the attacker.”

When asked about a few significant cybercriminal groups that carry out these attacks, Hasbini said that there are two types of APT attacks – criminal and advanced attacks.

“Criminal attacks are less complicated and sophisticated than advanced attacks, and we can see specialised groups becoming popular nowadays. Some are specialised in spreading some kinds of malware with limited functionalities to collect basic information. They then hand over this information to other groups, which spread it across the victim organisation.

“Advanced groups often deploy some malware or sell access to someone interested, and then hand it over to another group to carry out a ransomware attack, steal data, maybe leak it underground, blackmail the victim or hand over to another group that would publish the data and carry out the scam,” Hasbini explained, adding that a very strong example of these attacks is the BlackCat/ALPHV group, which has a $15 million bounty from the US Department of State.

Top targeted industries include governments and diplomatic entities, as they form the “backbone” of a country, followed by the telecom and finance sectors and the industrial sector.

Kaspersky uncovers APT’s iPhone vulnerability

Hasbini also explained that the APT story of the year was the iOS Triangulation.

Kaspersky’s GReAT team discovered a vulnerability in Apple’s System on a Chip (SoC) that was exploited in recent iPhone attacks called Operation Triangulation.

The vulnerability allowed attackers to bypass hardware-based memory protection on iPhones running iOS versions up to iOS 16.6.

The feature used by the attackers was not publicly documented, making it challenging to detect and analyse. However, researchers at Kaspersky extensively reverse-engineered the iPhone’s hardware and software integration to identify the vulnerability.

Apple addressed the issue, which is tracked as CVE-2023-38606. The discovery highlights the potential ineffectiveness of advanced hardware-based protections against sophisticated attackers.

The vulnerability was part of an APT campaign targeting iOS devices, and Apple released security updates to address the identified vulnerabilities.

As for attacks on smart city technologies, Hasbini said, “While we implement smart city technology everywhere, sadly we also invent the option of controlling the smart grid and these could lead to attacks on critical infrastructure before turning power off in some cities, or shutting down facilities – be it nuclear or chemical. This could cause explosions and changes in behaviour, however, it is a lot easier to do this remotely when everything is online.”

So, what can smart cities and organisations do to stay safe?

“Well one strategy is the zero trust strategy, which goes back to the untraditional kind of technologies or frameworks used. A zero trust environment is a different form of the internet, where no connection is made without validation or verification,” Hasbini said, highlighting four more steps for organisations to stay safe ahead of an attack on their business:

  1. Advanced employees, security awareness and intelligence on the latest attack methods
  2. Investing in advanced technologies such as APT intelligence, threat feeds, SOC, SIEM, EDR, AEP, Attribution Engine, DFIR capabilities
  3. Advanced controls such as vulnerability tracking, penetration testing, data centric classification and assessments
  4. Advanced compliance such as governance, laws and regulations, procedures, executive management involvement and more

What should global organisations look out for in 2024?

“Increased ransomware activities could take place in 2024, and it is becoming a major threat for a lot of organisations,” Hasbini said.

Other crimeware trends include the introduction of new technical features, such as cross-platform ransomware built to be as adaptive as possible or with self-propagating capabilities, code adoption from other families to attract more affiliates, and zero-day exploits.

Zero-day exploits can be afforded by crimeware attackers; however, usually only APT actors have used them, Hasbini explained.

“It is worrying, because if attackers are able to run their work in a safe way, they will not hesitate to do more,” he concluded.


Sharon Benjamin
