Malware activity found in 81% of companies

Positive Technologies says 97% of Company Networks Carry Traces of Compromise

Framingham, MA – Positive Technologies experts have analyzed the network activity of large companies (with over 1000 employees) in the key economic sectors of Eastern European countries. Advanced network traffic analysis revealed suspicious activity in 97% of companies, and malware activity in 81% of companies.

The main evidence of potential compromise was suspicious activity in the company's network traffic (97% of companies). In 64% of cases, this was traffic hiding: VPN tunneling, connections to the Tor anonymity network, or proxying. In one in every three companies, there were traces of scans of the internal network, which could mean that attackers are gathering intelligence inside the infrastructure. This includes network scans, multiple failed attempts to connect to hosts, and traces of enumerating active network sessions on a specific host or across the entire domain.

“Traffic hiding is risky, because when employees connect to Tor, set up proxy servers, and set up VPNs to bypass website blocking, hackers can use the same technologies to communicate with command and control servers,” says Evgeny Gnedin, Head of Information Security Analytics at Positive Technologies. “The attackers can use that to control the malware and trigger a payload attack.”

This concern is backed by the traffic data: advanced network traffic analysis detected malware activity in 81% of companies, including miners (55% of the infected companies), adware (28%), and spyware (24%). Around half (47%) of companies were infected with several different types of malware at once.

Positive Technologies specialists believe that the non-compliance with information security policies found in 94% of companies directly weakens security, practically opening the door for attackers. In 81% of companies, sensitive data is transmitted in clear text, allowing an attacker with access to the traffic to harvest logins and passwords moving between corporate resources. 67% of companies use remote access software such as RAdmin, TeamViewer, and Ammyy Admin. Once inside the infrastructure, an attacker can use these legitimate tools to move laterally through the network while remaining undetected by security tools.

Employees at 44% of companies use the BitTorrent protocol for data transfer, for example to download movies. Positive Technologies experts point out that, in addition to placing extra load on the communication link and reducing its throughput, this increases the risk of malware infection. For example, torrents were used to distribute STOP ransomware, and the APT37 group weaponized a YouTube video downloader app with the KARAE backdoor and distributed it on torrent websites.

The vast majority of threats (92%) were detected inside the perimeter. Positive Technologies experts believe this shows that monitoring the internal network for timely detection and response is just as important as preventing attacks on the perimeter. Network traffic analysis is one such control, and it can help detect attackers in the early stages of an attack.
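The internal-scan indicator described above (multiple failed connection attempts fanning out across hosts) is the kind of pattern internal traffic monitoring is meant to surface. The following added example, which is not from the report or from Positive Technologies, shows one simple detection over constructed connection records; the record format, thresholds and IP addresses are all assumptions made up for the illustration.

```python
from collections import defaultdict

# Constructed connection records (not real data): timestamp, source host,
# destination host, destination port, outcome. "ok" means the connection
# completed, "rejected" means it was refused or timed out.
SAMPLE_FLOWS = """\
2020-05-01T09:00:01 10.0.5.17 10.0.5.20 445 ok
2020-05-01T09:00:02 10.0.5.17 10.0.5.21 445 rejected
2020-05-01T09:00:02 10.0.5.17 10.0.5.22 445 rejected
2020-05-01T09:00:03 10.0.5.17 10.0.5.23 445 rejected
2020-05-01T09:00:03 10.0.5.17 10.0.5.24 3389 rejected
2020-05-01T09:00:04 10.0.5.17 10.0.5.25 22 rejected
2020-05-01T09:00:04 10.0.5.17 10.0.5.25 23 rejected
2020-05-01T09:01:10 10.0.5.30 10.0.5.50 443 rejected
2020-05-01T09:01:11 10.0.5.30 10.0.5.50 443 rejected
2020-05-01T09:01:12 10.0.5.30 10.0.5.50 443 ok
2020-05-01T09:02:00 10.0.5.31 10.0.5.20 445 ok
"""


def parse_flows(text):
    """Parse the whitespace-separated constructed records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, outcome = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "outcome": outcome})
    return flows


def find_scanners(flows, min_failed=5, min_distinct=4):
    """Return {src: (failed_attempts, distinct_targets)} for hosts whose failed
    connections spread over many distinct host:port pairs. A host retrying one
    unreachable service (10.0.5.30 above) stays below both thresholds, while a
    host probing many neighbours (10.0.5.17) is flagged as a likely scan."""
    failed = defaultdict(int)
    targets = defaultdict(set)
    for f in flows:
        if f["outcome"] != "ok":
            failed[f["src"]] += 1
            targets[f["src"]].add((f["dst"], f["port"]))
    return {src: (failed[src], len(targets[src]))
            for src in failed
            if failed[src] >= min_failed and len(targets[src]) >= min_distinct}


if __name__ == "__main__":
    print(find_scanners(parse_flows(SAMPLE_FLOWS)))
```

In practice the thresholds would be tuned per network segment and run over a sliding time window rather than a whole file.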

Read a full copy of the report here: https://www.ptsecurity.com/upload/corporate/ww-en/analytics/network-traffic-analysis-2020-eng.pdf

Positive Technologies is a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection. Commitment to clients and research has earned Positive Technologies a reputation as one of the foremost authorities on Industrial Control System, Banking, Telecom, Web Application, and ERP security, supported by recognition from the analyst community. ptsecurity.com, facebook.com/PositiveTechnologies, facebook.com/PHDays.

CONTACT:
Paula Dunne
CONTOS DUNNE COMMUNICATIONS
+1-408-893-8750 (m)
+1-408-776-1400 (o)
paula@contosdunne.com
