Updates Attack Landscape H2 2019


Staff member
Malware Hunter
Jul 27, 2015
The last year of the decade set a new standard for cyber attacks. F-Secure’s Attack Landscape H2 2019 notes that while the impact of sophisticated ransomware attacks continues to be devastating, most of the billions of attacks we see target devices that don’t have keyboards.

In the first half of 2019, we saw a jump in attack traffic to our global network of honeypots from millions of hits to 2.9 billion. In the second half of the year, this pace continued with 2.8 billion hits to our servers. DDoS attacks drove this deluge, accounting for two thirds of the traffic. Honeypot traffic was driven by action aimed at the SMB and Telnet protocols. This shows persistent attacker interest in the Eternal Blue vulnerability, which was first made public in 2017.


The explosion in attack traffic tracks the explosion of the Internet of Things (IoT) and threats that target IoT devices. As a result, most of the malicious traffic we see today is generated by Linux-based malware like Mirai. Brute forcing factory default usernames and passwords of IoT devices continues to be an popular way to recruit devices into botnets for DDoS attacks. A great way to see what attackers are interested in is to check out the list of passwords they use in their attacks. From this, we can see that Dahua DVRs and embedded devices such as routers are popular targets.

Spam continues to be the most popular way to spread malware.

“Spam preys on unsuspecting individuals, making the lack of awareness about threats a weak link for companies, and a lucrative target for malware authors,” says Calvin Gan, Manager at F-Secure’s Tactical Defense Unit. “And with attacks becoming more sophisticated, such as ransomware infections that escalate into data breaches, it’s more important than ever for organizations to improve their cyber defenses in preparation for these attacks.”


Malicious Word and Excel macro documents acting as downloaders for malicious binaries like Emotet were also common throughout the year.

One of the most fascinating things about our Attack Landscape reports is the numbers that show the source countries where attacks are being launched from and where they are being targeted by destination. The numbers capture mostly criminal not nation-state activity and should be taken with a grain of salt due to purposeful obfuscation. Yet many countries show up on these lists again and again.