2019 Global Threat Intelligence Report: Finance remains most attacked sector globally six of the past seven years

09 April 2019

NTT Security report shows education is a new entry to five most attacked industries, with an increase in coin mining campaigns largely to blame

NTT Security, the specialized security company, has launched its 2019 Global Threat Intelligence Report (GTIR) which reveals finance as the most attacked sector for six of the past seven years, accounting for 17% of all attacks. The technology sector joined finance this year with 17% of the attacks. Education and government are both new entries in the list of global top five industries – rising from 4% to 11% and 5% to 9% respectively – with coin mining campaigns largely to blame for the increased attacks in educational environments.

NTT Security summarizes data from trillions of logs and billions of attacks for the 2019 GTIR, which analyzes threat trends based on log, event, attack, incident and vulnerability data from NTT Group operating companies. In the new report, NTT Security continues its analysis of attacks against 18 industry sectors and shares its observations of the challenges faced by organizations globally.

The GTIR also reveals how coin mining is leading the evolution of malware and how cyber attackers are increasingly adapting their attack patterns and intrusion sets to include coin mining in their toolkits. Illicit coin mining accounted for a significant amount of activity during the past year, with the technology and education sectors making up over 86% of all coin mining detections. The most active coin miners detected were XMRig (62%) – commonly used by Rocke, 8220 Mining Group and Tor2Mine – followed by CoinHive (24%) and Coin Miner (13%).

In the GTIR, credential theft and web-application attacks were found to be among the most prevalent activities during the past year. The most common technical attack used to commit credential theft was phishing (67%) with attackers targeting credentials for Microsoft (45%), Google (27%), PayPal (15%) and DocuSign (10%) in an attempt to gather usernames and passwords.

Globally, organizations experienced an average of 32% of all attacks as web attacks, a number which has crept up slightly from 29% in 2017. Finance became the most targeted industry, accounting for 46% of web attacks, reinforcing its vulnerability to these types of cyberattacks.

John South of the Threat Intelligence Communication Team, Global Threat intelligence Center at NTT Security, says:
“Finance is yet again on the top spot when it comes to targeted attacks, which surely is enough evidence to convince the board that cybersecurity is a must-have investment. Many financial organizations are moving forward with digital transformation but without prioritizing security as a core business requirement. While legacy methods and tools are still effective at providing a solid foundation for mitigation, new attack methods are continually being developed by malicious actors. Security leaders should ensure basic controls remain a primary focus but they must also embrace innovative solutions if they provide a good fit and true value.”

Mr. Fumitaka Takeuchi, Security Evangelist, Vice President, Managed Security Service Taskforce, Corporate Planning at NTT Communications, says:
“Many organizations are caught up in simply buying solutions to problems that either don‘t really exist, or a solution which costs more than the potential loss being prevented. Our advice for organizations, regardless of the industry they operate in, is to leverage existing relationships with trusted experts and to keep an eye on professional and managed service maturity in the cybersecurity space. First and foremost, it is essential to know where the real risks lie and then develop solutions accordingly.”

Matthew Gyde, Group Executive – Cybersecurity at Dimension Data, says:
“This year’s GTIR clearly demonstrates that cybersecurity attacks are constantly evolving. While attack volumes don’t always increase, new threats are certainly being introduced. In fact, 2018 set a record for the number of new vulnerabilities identified and reported in a single year. NTT Group has spent the last 15 years working with our clients to help them defend against the evolving threat landscape which is increasingly complex. Understanding the threat environment helps our clients predict and mitigate potential threats in the digital world.”

“The threat report indicates the variety of attacks is not as broad as it would seem, while the United States and China are also often identified as the most common attack sources,” said Mike Barch, VP of Security Services, NTT DATA Services. “As frequently attacked industries, such as health care and financial services, safeguard their businesses from sophisticated cybercriminals, leaders must ensure a completely secure infrastructure, from endpoint to core, that allows them to focus on daily operations.”

Summary of other key global findings: 

  • Finance is one of just two industries (alongside the technology sector) to appear in the top five in every geographic region (Americas, Asia-Pacific and EMEA as well as globally)
  • Like finance, the technology industry accounts for 17% of all attacks (albeit both of which saw a drop from 26% and 19% last year respectively). It is followed by business and professional services (12%), education (11%) and government (9%)
  • The technology sector accounted for 46% of all coin mining detections followed by education (40%), health care (9%), business and professional services (2%), and finance (1%) sectors to round out the top five industries impacted
  • Coin mining ran on systems in which the malicious application was using as a host (75%), as opposed to JavaScript (web-based) coin mining (25%). Education was the most observed sector for coin mining malware, at 52%, followed by technology (46%)
  • 73% of all hostile activity falls into four categories: web attacks, reconnaissance, service-specific attacks, and brute-force attacks – up from 52% the previous year
  • Application-specific and web-application attacks doubled over the past year. Attacks targeting bash, Apache Struts and Samba accounted for 54% of all hostile activity
  • Web attacks accounted for 32% of all hostile traffic – rising to over 53% of hostile activity against the most attacked industries in EMEA
  • 35% of all attacks originated from IP addresses within the United States and China. The remaining attack sources varied across regions, with EMEA and APAC each showing a significant amount of attacks from within their own region.

To learn more about the how this year’s GTIR offers organizations a robust framework to address today’s cyber threat landscape, follow the link to download the NTT Security 2019 GTIR: www.nttsecurity.com/2019gtir

- ends -

About NTT Security
NTT Security is the specialized security company and the center of excellence in security for NTT Group.  With embedded security, we enable NTT Group companies (Dimension Data, NTT Communications and NTT DATA) to deliver resilient business solutions for clients’ digital transformation needs.  NTT Security has multiple SOCs, seven R&D centers, over 1,500 security experts and handles hundreds of thousands of security incidents annually across six continents.
NTT Security ensures that resources are used effectively by delivering the right mix of Managed Security Services, Security Consulting Services and Security Technology for NTT Group companies – making best use of local resources and leveraging our global capabilities.  NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest ICT companies in the world. Visit nttsecurity.com to learn more about NTT Security or visit www.ntt.co.jp/index_e.html

Metholodogy for the Global Threat Intelligence Report (GTIR)
The NTT Security 2019 Global Threat Intelligence Report contains global attack data gathered from NTT Security and supported operating companies from October 1, 2017, to September 31, 2018. The analysis is based on log, event, attack, incident and vulnerability data from clients. It also includes details from NTT Security research sources, including global honeypots and sandboxes located in over 100 countries in environments independent from institutional infrastructures. Leveraging the indicator, campaign and adversary analysis from our Global Threat Intelligence Platform has played a significant role in tying activities to actors and campaigns.

NTT Security summarizes data from trillions of logs and billions of attacks for the 2019 GTIR. NTT Security gathers security log, alert, event and attack information, enriches it to provide context, and analyzes the contextualized data. This process enables real-time global threat intelligence and alerting. The size and diversity of our client base, with over 10,000 security clients on six continents, provides NTT Security with security information which is representative of the threats encountered by most organizations.

The data is derived from worldwide log events identifying attacks based on types or quantities of events. The use of validated attack events, as opposed to the raw volume of log data or network traffic, more accurately represents actual attack counts. Without proper categorization of attack events, the disproportionately large volume of network reconnaissance traffic, false positives, authorized security scanning and large floods of DDoS monitored by Security Operations Centers (SOCs), would obscure the actual incidence of attacks.

The inclusion of data from the 10 SOCs and seven research and development centers of NTT Security provides a highly accurate representation of the ever-evolving global threat landscape.

For more information, please contact:

NTT Security
Origin Communications
t. +44 (0)20 3814 2940
e. [email protected]