Wednesday, 18 December 2013

Top 10 Cyber Incidents In 2013

2:55 pm

Chennai: The ever-expanding internet space is also defining new threat landscapes which need to be urgently addressed. 2013 witnessed advanced and large-scale threat operations, including groups available “for hire” that perform hit-and-run operations. Hackers were constantly in the news, usually alongside the words “leak” or “stolen” attached to some valuable information or money. The top 10 cyber incidents of 2013 are listed below, compiled from Kaspersky Lab's analysis.


New “old” cyber-espionage campaigns


The majority of the cyber-espionage campaigns that Kaspersky Lab’s analysts have seen were designed to steal data from governmental agencies and research institutions – Red October, NetTraveler, Icefog and MiniDuke all behave this way. The most widespread campaign of the year was the NetTraveler espionage operation, which affected victims in 40 countries all over the world. For the first time ever, cybercriminals harvested information from mobile devices connected to the victims’ networks – a clear sign of how important mobile has become to hackers. Red October, MiniDuke, NetTraveler and Icefog all started by ‘hacking the human’: they employed spear-phishing to get an initial foothold in the organizations they targeted.


Cyber-mercenaries: a new emerging trend


On the face of it, Icefog seems to be a targeted attack like any other. It’s a cyber-espionage campaign, active since 2011, and the attackers use spear-phishing e-mails – containing either attachments or links to malicious web sites – to distribute the malware to their victims.


Three things set it apart. First, Icefog is part of an emerging trend that we’re seeing – attacks by small groups of cyber-mercenaries who conduct small hit-and-run attacks. Second, the attackers specifically targeted the supply chain – their would-be victims include government institutions, military contractors, maritime and ship-building groups, telecommunications operators, satellite operators, industrial and high-technology companies and mass media. Third, their campaigns rely on custom-made cyber-espionage tools for Windows and Mac OS X, and they directly control the compromised computers. The Chinese group ‘Hidden Lynx’, whose activities were reported by researchers at Symantec, falls into the same category – ‘guns-for-hire’ performing attacks to order using cutting-edge custom tools. This group was responsible for attacks on Bit9 earlier this year.



Hacktivism and leaks


Stealing money – either by directly accessing bank accounts or by stealing confidential data – is not the only motive behind security breaches. They can also be launched as a form of political or social protest, or to undermine the reputation of the company being targeted. One of the weapons of choice for those who have an axe to grind is the DDoS (Distributed Denial of Service) attack.


Hacktivist activities included attacks on the U.S. Department of Justice, MIT (Massachusetts Institute of Technology) and the web sites of various governments – including Poland, Greece, Singapore, Indonesia and Australia. Members of the ‘Syrian Electronic Army’ claimed responsibility for hacking the Twitter account of the Associated Press and sending a false tweet reporting explosions at the White House. It’s clear that our dependence on technology, together with the huge processing power built into today’s computers, means that we’re potentially vulnerable to attack by groups of people with diverse motives. So it’s unlikely that we’ll see an end to the activities of hacktivists, or of anyone else choosing to launch attacks on organizations of all kinds.



Ransomware


‘Ransomware’ programs operate like a computer-specific ‘denial-of-service’ attack – they block access to a computer’s file system, or they encrypt data files stored on the computer. One common ransomware program is the Cryptolocker Trojan, which downloads an RSA public key from its command-and-control (C2) server.


A unique key is created for each new victim, and only the authors have access to the decryption keys. To connect to the C2 server, Cryptolocker uses a domain generation algorithm that produces 1,000 unique candidate domain names every day. The cybercriminals give their victims only three days to pay up – and they reinforce their message with scary wallpaper warning that if they don’t pay in time their data will be gone forever. They accept different forms of payment, including Bitcoin. The most affected countries are the UK and US, distantly followed by India, Canada and Australia.
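A domain generation algorithm that tries 1,000 candidate names a day leaves a footprint a defender can look for in resolver logs: one client accumulating many failed (NXDOMAIN) lookups for labels that look random. The script below is an added example written for this article, not Kaspersky's code and not a Cryptolocker signature; the DNS log lines are constructed, the entropy and vowel-ratio thresholds are illustrative assumptions, and the public-suffix handling is deliberately simplified.

```python
"""Flag clients whose DNS traffic looks like a DGA-driven C2 hunt.

A bot using a domain generation algorithm asks the resolver for many
candidate names, nearly all of which fail to resolve. Two signals
combined catch that: the queried labels look random (high Shannon
entropy, few vowels) and one client accumulates many such NXDOMAIN
answers. This is a heuristic, not an exact match for any real DGA.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log in the form "<timestamp> <client> <qtype> <qname> <rcode>".
# These lines are made up for the example; they are not from a real capture.
SAMPLE_DNS_LOG = """\
2013-12-18T14:55:01 10.0.0.12 A www.example.com NOERROR
2013-12-18T14:55:02 10.0.0.12 A mail.example.com NOERROR
2013-12-18T14:55:03 10.0.0.37 A qkxwvrtpldmzb.ru NXDOMAIN
2013-12-18T14:55:03 10.0.0.37 A ztfhgjqpmrwvk.net NXDOMAIN
2013-12-18T14:55:04 10.0.0.37 A bxkcndqwtgrvl.com NXDOMAIN
2013-12-18T14:55:04 10.0.0.37 A mjlrqpvxzbtwg.org NXDOMAIN
2013-12-18T14:55:05 10.0.0.37 A hvdnqkrtxzwmp.biz NXDOMAIN
2013-12-18T14:55:06 10.0.0.12 A typo-of-examlpe.com NXDOMAIN
2013-12-18T14:55:07 10.0.0.51 A cdn.example.net NOERROR
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Return the label left of the TLD, e.g. 'example' for 'www.example.com'.

    Assumes a single-label TLD; a real deployment would consult a
    public-suffix list so that names under co.uk and similar are handled.
    """
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname: str, min_len: int = 10, min_entropy: float = 3.2,
                    max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels are typical DGA output.

    The thresholds are assumptions chosen for this example, not tuned values.
    """
    label = second_level_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def flag_dga_clients(log_text: str, threshold: int = 5):
    """Count DGA-looking NXDOMAIN answers per client and flag those at/over threshold.

    Returns (counts, flagged): counts maps client -> number of suspicious
    failed lookups; flagged is the sorted list of clients whose count
    reached the threshold.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing on them
        _ts, client, _qtype, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            counts[client] += 1
    flagged = sorted(c for c, n in counts.items() if n >= threshold)
    return dict(counts), flagged


if __name__ == "__main__":
    counts, flagged = flag_dga_clients(SAMPLE_DNS_LOG)
    for client, n in sorted(counts.items()):
        print(f"{client}: {n} DGA-like NXDOMAIN lookups")
    print("flagged:", flagged or "none")
```

The mistyped `typo-of-examlpe.com` lookup is there on purpose: it also returns NXDOMAIN, but its vowel ratio is ordinary, so a single benign typo does not count against a client. In practice the threshold would be applied per time window rather than over a whole file, and a flagged client is a lead for the incident responder, not a verdict.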



Mobile malware and app store (in)security


More than 148,427 mobile malware samples have been detected, 98 percent of them targeting the Android platform. Android malware is easy to develop, and an important factor is that cybercriminals exploit the fact that people download apps from Google Play, from other marketplaces, or from other web sites. The malware targeting mobile devices mirrors the malware commonly found on infected desktops and laptops – backdoors, Trojans and Trojan-Spies. The one exception is SMS-Trojan programs – a category exclusive to smartphones.


The threat isn’t just growing in volume but in complexity too. A multifunctional Trojan named Obad could send messages to premium-rate numbers, download and install other malware, use Bluetooth to send itself to other devices and remotely execute commands at the console. The Trojan could gain extended Device Administrator privileges – without being listed on the device as one of the programs that has these rights. This makes it impossible for the victim to simply remove the malware from the device.



Watering-hole attacks


A combination of drive-by downloads and spear-phishing results in what's called a 'watering-hole' attack. The attackers study the behavior of people who work for a target organization, to learn about their browsing habits. Then they compromise a web site that is frequently used by employees – preferably one that is run by a trusted organization that is a valuable source of information. Ideally, they will use a zero-day exploit. So when an employee visits a web page on the site, they are infected – typically a backdoor Trojan is installed that allows the attackers to access the company's internal network. In effect, instead of chasing the victim, the cybercriminal lies in wait at a location that the victim is highly likely to visit – hence the watering-hole analogy.


A classic case of a watering-hole attack is the Winnti attacks, where a Flash Player exploit was placed on the web site of a care-giver organization that supports Tibetan refugee children, the ‘Tibetan Homes Foundation’. It turned out that this web site was compromised in order to distribute backdoors signed with stolen certificates from the Winnti case.



The need to re-forge the weakest link in the security chain


Many of the high-profile targeted attacks that we have analyzed this year have started by ‘hacking the human’. They use social engineering techniques to trick individuals who work for an organization into doing something that jeopardizes corporate security. People are susceptible to such approaches for various reasons.


The attackers frame their approaches to employees using data that they’re able to gather from a company web site, public forums and by sifting through the various snippets of information that people post on social networks. This helps them to generate e-mails that look legitimate and catch people off-guard. The same approach is also adopted by those behind the mass of random, speculative attacks that make up the majority of cybercriminal activity – the phishing messages sent out in bulk to large numbers of consumers. This is especially true for targeted attacks, where cybercriminals develop exploit code to make use of unpatched application vulnerabilities, or create custom modules to help them steal data from their victims.



Privacy loss: Lavabit, Silent Circle, NSA and the loss of trust


No ITSec overview of 2013 would be complete without mentioning Edward Snowden and the wider privacy implications which followed the publication of stories about Prism, XKeyscore and Tempora, as well as other surveillance programs.


Perhaps one of the first visible effects was the shutdown of the encrypted Lavabit e-mail service. Silent Circle, another encrypted e-mail provider, decided to shut down its service as well, leaving very few options for private and secure e-mail exchange. The reason why these two services shut down was their inability to provide such services under pressure from law enforcement and other governmental agencies. Another similar incident concerned the elliptic curve cryptographic algorithms released through NIST. Apparently, the NSA introduced a kind of “backdoor” into the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) algorithm. The “backdoor” supposedly allows certain parties to perform easy attacks against a particular encryption protocol, breaking supposedly secure communications. RSA, one of the major encryption providers in the world, noted that this algorithm was the default in its encryption toolkit and recommended that all its customers migrate away from it.



Vulnerabilities and zero-days


Cybercriminals have continued to make widespread use of vulnerabilities in legitimate software to launch malware attacks. They do this using exploits – fragments of code designed to use a vulnerability in a program to install malware on a victim’s computer without the need for any user interaction. This exploit code may be embedded in a specially-crafted e-mail attachment, or it may target a vulnerability in the browser. The exploit acts as a loader for the malware the cybercriminal wishes to install.


Of course, if an attacker exploits a vulnerability that is known only to the attacker – a so-called ‘zero-day’ vulnerability – everyone using the vulnerable application will remain unprotected until the vendor has developed a patch that closes the loophole. But in many cases cybercriminals make successful use of well-known vulnerabilities for which a patch has already been released. Cybercriminals focus their attention on applications that are widely used and are likely to remain unpatched for the longest time – giving them a large window of opportunity through which to achieve their goals.



The ups and downs of cryptocurrencies - how the Bitcoins rule the world


Bitcoin, described in its founding paper as “A Peer-to-Peer Electronic Cash System”, is a decentralized financial payment system with no transaction fees. Bitcoin is constantly gaining strength, surpassing $400 in November 2013. Bitcoins provide an almost anonymous and secure means of paying for goods and are popular with cybercriminals looking for ways to evade the law. Bitcoin-mining botnets, as well as malware designed to steal Bitcoin wallets, have emerged.


In a joint operation between the FBI and the DEA, the infamous Silk Road “a hidden website designed to enable its users to buy and sell illegal drugs and other unlawful goods and services anonymously and beyond the reach of law enforcement” was shut down. It was operating on Bitcoins, which allowed both sellers and customers to remain unknown. As Bitcoin becomes more and more popular, it will be interesting to see if there is any government crackdown on the exchanges in a bid to put a stop to their illicit usage.
