US and China have most hijacked machines, says report


The world’s two leading economic powerhouses share the dubious honor of hosting the most devices used by threat actors in cyberattacks in the first half of this year, according to research by Nozomi Networks.

Nozomi named the superpower nations as the world’s “top attacker countries” but stressed: “As the world becomes more interconnected through technology, it becomes increasingly difficult to pinpoint exactly where a cyberattack originated.”


It added: “There is not always a direct correlation between the location where the cyber-activity originates and the location of the threat actor, as servers anywhere in the world can be leveraged to carry out global cyberattacks.”

Instead, it would appear that the two nations might even be victims of their own success, with more sophisticated networks providing a larger attack surface for threat actors to exploit.

Nozomi suggested that these factors, along with both countries’ superior manufacturing sectors, could explain the higher incidence of hijacked devices it observed between January and June, as attackers increasingly seek to exploit the burgeoning internet of things (IoT).

“The number of connected devices increases the number of vulnerable devices susceptible to exploits,” said Nozomi, adding that the US’s developed Cloud technologies made it particularly prone to cyberattacks.

Words, things, and bots

Nozomi also furnished some insights into the top credentials used by malicious hackers trying to access the IoT, with “admin” and “root” being among the most leveraged. But topping that list was “nproc” – more than 12,000 URLs were targeted over the six-month period covered by the report using this stock credential.

Regarding the choice of such ‘keywords’ by threat actors, Nozomi explained: “Device manufacturers commonly use them to provide maximum unrestricted access to vulnerable devices for troubleshooting purposes. From the attackers’ perspective, these options are particularly beneficial as they are already associated with high privileges, making privilege escalation unnecessary.”

It added that such words were “obvious attractive targets used in multiple variations as they may allow threat actors access to all system commands and user accounts.”


Nozomi’s report highlighted the rise of botnets – virtual armies of hijacked ‘robot’ machines that conduct distributed denial of service (DDoS) attacks against selected targets – as an increased cause of concern, thought to be spurred by the outbreak of war between Russia and Ukraine in February.

Over the six-month period, it observed 12,500 bot attacks deploying coded commands such as “enable” and “shell” to force a target’s operating system to process malicious activity at the threat actor’s behest. Another popular weapon in the cybercriminal arsenal is “uname -a” that forces a target machine to divulge system information.
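One way a defender could surface the stock credentials and bot commands named above in device login telemetry, as an added illustration rather than anything from the Nozomi report; the honeypot-style log format (timestamp, source IP, event, detail) and the sample lines are constructed assumptions:

```python
"""Flag IoT logins using stock credentials and the post-login commands the
report singles out. Added example, not Nozomi code; log format is assumed."""
import re
from collections import Counter

# Values quoted in the report (sets, so no ranking is implied here).
STOCK_CREDENTIALS = {"nproc", "admin", "root"}
BOT_COMMANDS = {"enable", "shell", "uname -a"}

# Assumed line shape: "<timestamp> <src-ip> login|cmd <detail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<event>login|cmd) (?P<detail>.*)$"
)

def parse_line(line):
    """Return (event, src, detail), or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("event"), m.group("src"), m.group("detail")

def analyse(lines):
    """Count stock-credential logins and report-named commands per source IP."""
    cred_hits = Counter()  # (src, credential) -> count
    cmd_hits = Counter()   # (src, command) -> count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, src, detail = parsed
        if event == "login":
            # detail is "user=<u> pass=<p>"; both fields are checked
            for field in detail.split():
                _, _, value = field.partition("=")
                if value in STOCK_CREDENTIALS:
                    cred_hits[(src, value)] += 1
        elif event == "cmd" and detail.strip() in BOT_COMMANDS:
            cmd_hits[(src, detail.strip())] += 1
    return cred_hits, cmd_hits

# Constructed sample lines (documentation IP ranges, not real observations).
SAMPLE_LOG = """\
2022-03-04T10:00:01Z 203.0.113.7 login user=admin pass=admin
2022-03-04T10:00:02Z 203.0.113.7 cmd enable
2022-03-04T10:00:03Z 203.0.113.7 cmd shell
2022-03-04T10:00:04Z 203.0.113.7 cmd uname -a
2022-03-04T10:01:00Z 198.51.100.9 login user=nproc pass=nproc
2022-03-04T10:02:00Z 192.0.2.5 login user=alice pass=s3cr3t
2022-03-04T10:02:01Z 192.0.2.5 cmd ls
""".splitlines()

if __name__ == "__main__":
    creds, cmds = analyse(SAMPLE_LOG)
    print("credential hits:", dict(creds), "command hits:", dict(cmds))
```

A source that both logs in with a stock credential and then issues the enumeration commands is the pattern worth alerting on; a single match on either alone is weaker evidence.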

Cyberattacks as force multipliers

From the hacktivist attacks on railway systems in Belarus on January 25 to Russia-backed Killnet’s targeting of Lithuania on June 27, Nozomi said cyberattacks had been used as a “force multiplier” in the wider war between Ukraine and Russia and their respective allies.

“Of the varying threat actors and motives, nation-state advanced persistent threats are the most active during wartime,” said Nozomi. “They are less financially motivated and more focused on cyber espionage – spying and disrupting communications and other critical enemy systems.”

This escalation had seen the rise in uptake of wiper malware, as well as the development of specially tailored malware such as Industroyer2, upgraded and refined from the original to target industrial installations such as power grid components.

Nozomi added that civilian businesses – particularly those in the manufacturing, communications, transport, and energy sectors – were at increased risk of being caught up in the virtual crossfire created by this escalating cyber-conflict. “Some companies become incidental casualties of cyberwar as a result of threat actors’ attacks on their targets,” it said.

Commenting on the report’s findings, Nozomi research expert Roya Gordon said: “This year’s cyber threat landscape is complex. Many factors including increasing numbers of connected devices, the sophistication of malicious actors, and shifts in attack motivations are increasing the risk for a breach or cyber-physical attack.”


But she had some optimism to impart as well, saluting the defenders for their improving work at combating the growing cyber-threat. “Fortunately, security defenses are evolving too,” she said. “Solutions are available now to give critical infrastructure organizations the network visibility, dynamic threat detection, and actionable intelligence they need to minimize risk and maximize resilience.”