
THE EVOLUTION OF CORPORATE CYBERTHREATS
Protecting Your Organization Today, Tomorrow, and Beyond

Most established organizations have large IT departments with staff exclusively devoted to IT security. As your business grows, hopefully your IT security team is thriving, too, and getting the intelligence and resources needed to stay abreast of the latest threats to your organization.

Unfortunately, the bad guys are keeping pace, and in some cases they're taking the lead. To keep your organization safe, it's imperative to stay at least a few steps ahead of the cybercriminals. Education is a key component of this defensive strategy in today's cybercriminal ecosystem. If you don't know it's there, you can't defend against it.

Threats are increasing in frequency and sophistication. In fact, according to the recently released Verizon Data Breach report, there were 1,367 confirmed data breaches and 63,437 security incidents in 2013.[1] The severity and cause of these incidents vary depending on the goals of the cybercriminals and, sometimes, the size of the potential victim. Although you may be better equipped to fight cybercrime, larger organizations are vulnerable to a wider array of attacks, including Advanced Persistent Threats (APTs), cyberespionage, and more sophisticated malware.

[1] 2014 Verizon Data Breach Investigations Report

Advanced Persistent Threats (APTs)

Every corporation, regardless of its size or industry, is at risk of becoming the victim of a targeted attack by a variety of threat actors, including APT groups, politically driven hacktivists, and more advanced cybercriminals who offer their services for hire. These adversaries will target any organization that has valuable information or data relevant to their objectives.

Depending on the adversaries' operational motives and objectives, the information identified as valuable will vary. However, it's important to note that regardless of the motive, attackers are targeting very specific information from a specific set of victims, and they will relentlessly customize and optimize their techniques until they successfully realize their objective.

All APTs are vehicles for cybercrime, but not all cybercrimes involve APTs. Although both are based on monetary gain, APTs specifically target more sensitive data, including passwords, competitive intelligence, schematics, blueprints, and digital certificates, and are paid for by third-party clients or resold in the underground. General cybercrime operations are direct for-profit attacks and target customers' personal and financial information, which can be quickly monetized and laundered underground for ID theft and fraud.

Cybercriminals will either provide the hijacked information to the third party who hired them to steal it, or they will repackage and resell the data underground to interested parties, such as nation-states or competing organizations. Earned through years of hard work and investment, stolen intellectual property enables third parties to accelerate their technological and commercial developments while weakening corporations' intellectual and competitive advantages in the global economy.

There are many different types of targeted attacks, including:

Economic Espionage
Targeted Information: Intellectual property; proprietary information; geopolitical, competitive or strategic intelligence

Insider Trading Theft
Targeted Information: Pending M&A deals or contracts; upcoming financial earnings; future IPO dates

Financial & Identity Theft
Targeted Information: Employee and customer personally identifiable information; payment transactions; account numbers; financial credentials

Technical Espionage
Targeted Information: Password or account credentials; source code; digital certificates; network and security configurations; cryptographic keys; authentication or access codes

Reconnaissance and Surveillance
Targeted Information: System and workstation configurations; keystrokes; audio recordings; emails; IRC communications; screenshots; additional infection vectors; logs; cryptographic keys

One of the biggest challenges in defending against targeted attacks is being able to correlate data and identify attack patterns amidst the high volume of incidents coming from disparate sources at various times. However, with careful observation, research, and proper analysis, concrete information can show similarities in targeted attack campaigns.

In 2013, Kaspersky's Global Research & Analysis Team published detailed reports revealing valuable information about several large-scale targeted attack campaigns, which were code-named Red October, Winnti, NetTraveler and Icefog.[2] These reports carry heavy weight because their substantive and exhaustive nature connects the disparate dots and provides corporations with practical information that can be used to improve security procedures and mitigation efforts immediately.

The reports' findings revealed that the primary method for infecting targeted organizations was sending spear-phishing emails to targets. These emails were rigged with exploits for common vulnerabilities found in corporate applications or programs. Using this technique, attackers have successfully compromised organizations across every sector, including government and defense organizations, commercial enterprises, financial institutions, and scientific research facilities. The notorious and sophisticated zero-day vulnerabilities are not being used by attackers because they're not necessary. Organizations are being compromised using rudimentary attack techniques because they are easy and because companies are vulnerable due to the lack of patch management, control policies, and updated security configurations.

[2] 2014 Verizon Data Breach Investigations Report

This eBook will delve a little deeper into some of today's most destructive threats, including Icefog and The Mask, as well as the pluses and minuses of Bitcoin and the nefarious use of the Tor network.

Icefog

Most APT campaigns are sustained over months or years, continuously stealing data from their victims. By contrast, the attackers behind Icefog, an APT discovered by the Kaspersky Security Network in September 2013, focused on their victims one at a time, in short-lived, precise hit-and-run attacks designed to steal specific data. Operational since at least 2011, Icefog involved the use of a series of different versions of the malware, including one aimed at Mac OS.

Following Kaspersky Lab's publication of Icefog: Threat Analysis and Defense Strategy, the APT's operations ceased and the attackers closed down all of the known command-and-control servers. However, ongoing monitoring of sinkholed domains and analysis of victim connections has revealed the existence of another generation of Icefog backdoors: this time, a Java version of the malware designated Javafog. Connections to one of the sinkholed domains, lingdona[dot]com, indicated that the client could be a Java application, and subsequent investigation turned up a sample of this application. Detailed analysis can be found on SecureList.[3]

[3] January 2014, The Icefog APT Hits US Targets With Java Backdoor, http://www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor

During the sinkholing operation for this domain, security experts observed eight IP addresses for three unique victims of Javabot. Unlike the original form of the Icefog APT, where victims were based in South Korea and Japan, all the targets of Javabot were located in the United States. One was a very large independent oil and gas corporation with operations in multiple countries. It's possible that Javafog was developed for a US-specific operation, one that was designed to be longer than the typical Icefog attacks. One probable reason for developing a Java version of the malware is that it is more stealthy and harder to detect.
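The sinkhole observations described above (connections whose client "could be a Java application", eight addresses for three victims) are the kind of triage a defender performs over a sinkhole's web-server log once a domain has been taken over. The following Python is an added example, not Kaspersky's code: the log format (combined log format with the requested host prepended), the beacon path and its `id` query parameter are constructed for this example and are not the real Javafog beacon, and the source addresses come from the documentation ranges. The one real detail it relies on is that the JRE's default HTTP client identifies itself with a `Java/<version>` User-Agent, which is what makes such connections stand out from browsers and crawlers.

```python
"""Triage of a sinkhole's web-server log: which sources connect to the
sinkholed domain, how many distinct addresses and victims they represent,
and whether the client looks like a Java application.

Added example; the log format, beacon path and "id" parameter are
constructed assumptions, not the real Javafog beacon."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample lines: combined log format with the requested Host
# prepended. Source addresses are taken from the documentation ranges.
SAMPLE_LOG = """\
lingdona.com 192.0.2.10 - - [14/Jan/2014:10:01:07 +0000] "GET /news/index.php?id=victim-a HTTP/1.1" 200 12 "-" "Java/1.7.0_45"
lingdona.com 192.0.2.11 - - [14/Jan/2014:10:03:19 +0000] "GET /news/index.php?id=victim-a HTTP/1.1" 200 12 "-" "Java/1.7.0_45"
lingdona.com 198.51.100.7 - - [14/Jan/2014:11:15:02 +0000] "GET /news/index.php?id=victim-b HTTP/1.1" 200 12 "-" "Java/1.6.0_33"
lingdona.com 203.0.113.5 - - [14/Jan/2014:12:40:44 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
lingdona.com 203.0.113.9 - - [15/Jan/2014:09:22:31 +0000] "GET /news/index.php?id=victim-c HTTP/1.1" 200 12 "-" "Java/1.7.0_25"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    host: str
    ip: str
    path: str
    user_agent: str
    client_id: Optional[str]  # value of the assumed "id" beacon parameter


def parse_line(line: str) -> Optional[Hit]:
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlparse(m["path"]).query)
    return Hit(m["host"], m["ip"], m["path"], m["ua"], query.get("id", [None])[0])


def parse_log(text: str) -> List[Hit]:
    return [h for h in (parse_line(line) for line in text.splitlines()) if h is not None]


def is_java_client(user_agent: str) -> bool:
    """The JRE's default HTTP client identifies itself as "Java/<version>"."""
    return user_agent.startswith("Java/")


def summarize(hits: List[Hit], host: str) -> dict:
    """Distinct beacon addresses, victims and JRE versions for one sinkholed host."""
    beacons = [h for h in hits if h.host == host and is_java_client(h.user_agent)]
    return {
        "beacon_addresses": sorted({h.ip for h in beacons}, key=ipaddress.ip_address),
        "victims": sorted({h.client_id for h in beacons if h.client_id}),
        "java_versions": sorted({h.user_agent.split("/", 1)[1] for h in beacons}),
        "other_hits": sum(1 for h in hits if h.host == host and not is_java_client(h.user_agent)),
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG), "lingdona.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two addresses share one victim identifier in the constructed data, which is the same shape as the published observation (more addresses than victims): an infected machine changing networks, or a site behind several egress addresses, produces exactly that pattern, so distinct addresses alone overcount victims and some client-side identifier is needed to collapse them.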

The Mask

In February 2013, the Kaspersky Lab security research team published a report on a complex cyberespionage campaign called The Mask or Careto (Spanish slang for "ugly face" or "mask"). This campaign was designed to steal sensitive data from various types of targets. The victims, located in 31 countries around the world, included government agencies, embassies, energy companies, research institutions, private equity firms and activists.

The Mask attacks start with a spear-phishing message containing a link to a malicious website rigged with several exploits. Once victims are infected, they are redirected to the legitimate site described in the e-mail they received (e.g. a news portal or video). The Mask includes a sophisticated backdoor Trojan capable of intercepting multiple communication channels and of harvesting all kinds of data from the infected computer. Like Red October and other targeted attacks before it, the code is highly modular, allowing the attackers to add new functionality at will. The Mask also casts its net wide: there are versions of the backdoor for Windows and Mac OS X, and there are references that suggest there may also be versions for Linux, iOS and Android. The Trojan also uses very sophisticated stealth techniques to hide its activities.

[4] 2014, SecureList

The key motivation of The Mask attackers is to steal data from their victims. The malware collects a range of data from the infected system, including encryption keys, VPN configurations, SSH keys, RDP files and some unknown file types that could be related to bespoke military/government-level encryption tools. Security researchers don't know who's behind the campaign. Some traces suggest the use of the Spanish language, but that fact doesn't help pin it down, since this language is spoken in many parts of the world. It's also possible that this could have been used as a false clue, to divert attention from whoever wrote it. The very high degree of professionalism of the group behind this attack is unusual for cybercriminal groups, one indicator that The Mask could be a state-sponsored campaign.

This campaign underlines the fact that there are highly professional attackers who have the resources and the skills to develop complex malware, in this case to steal sensitive information. It also highlights the fact that targeted attacks, because they generate little or no activity beyond their specific victims, can fly under the radar.

The entry point of The Mask involves tricking individuals into doing something that undermines the security of the organization they work for, in this case by clicking on a link or an attachment. Currently, all known C&C (Command-and-Control) servers used to manage infections are offline. But researchers believe that the danger hasn't been totally eradicated and that it's possible for the attackers to renew the campaign in the future.

Bitcoin

Bitcoin is a digital crypto-currency. It operates on a peer-to-peer model, where the money takes the form of a chain of digital signatures that represent portions of a Bitcoin. There is no central controlling authority and there are no international transaction charges, both of which have contributed to making it attractive as a means of payment. You can find an overview of Bitcoin, and how it works, on the Kaspersky Daily website.
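The "chain of digital signatures" mentioned above can be made concrete: each owner hands a coin on by signing, with their own key, the hash of the previous transfer together with the recipient's public key, so anyone holding only public keys can check the chain of custody back to the point where the coin was created. The following Python is an added example, not code from Kaspersky or from Bitcoin itself: it swaps Bitcoin's ECDSA for Lamport one-time signatures so that it runs on the standard library alone, and the `Coin`, `Transfer`, `spend` and `demo` names are this example's own.

```python
"""A coin as a chain of digital signatures: each transfer is signed by the
current owner over (hash of the previous transfer || recipient public key),
so anyone holding only public keys can verify the chain back to the mint.

Added example. Lamport one-time signatures over SHA-256 stand in for
Bitcoin's ECDSA so that it runs on the standard library; because every
owner signs a given coin exactly once, one-time keys are sufficient here."""
import hashlib
import os
from dataclasses import dataclass
from typing import List, Tuple

Key = List[Tuple[bytes, bytes]]   # 256 pairs: private preimages or public hashes


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=os.urandom) -> Tuple[Key, Key]:
    """Lamport key pair: secret preimages and their public SHA-256 hashes."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes) -> List[int]:
    digest = H(msg)
    return [(digest[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def sign(sk: Key, msg: bytes) -> List[bytes]:
    """Reveal one preimage per message-digest bit (a Lamport key signs once)."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk: Key, msg: bytes, sig: List[bytes]) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))


def pk_bytes(pk: Key) -> bytes:
    return b"".join(a + b for a, b in pk)


@dataclass
class Transfer:
    prev_hash: bytes        # hash of the previous transfer (or the mint record)
    new_owner: Key          # recipient's public key
    signature: List[bytes]  # previous owner's signature over prev_hash || new_owner


def transfer_message(prev_hash: bytes, new_owner: Key) -> bytes:
    return prev_hash + pk_bytes(new_owner)


def transfer_hash(t: Transfer) -> bytes:
    return H(transfer_message(t.prev_hash, t.new_owner))


class Coin:
    def __init__(self, minter_pk: Key):
        self.minter_pk = minter_pk
        self.transfers: List[Transfer] = []

    def genesis_hash(self) -> bytes:
        return H(b"mint:" + pk_bytes(self.minter_pk))

    def tip_hash(self) -> bytes:
        return transfer_hash(self.transfers[-1]) if self.transfers else self.genesis_hash()

    def verify(self) -> bool:
        """Each transfer must link to the previous one and be signed by
        whoever owned the coin at that point in the chain."""
        owner, prev = self.minter_pk, self.genesis_hash()
        for t in self.transfers:
            if t.prev_hash != prev:
                return False
            if not verify(owner, transfer_message(t.prev_hash, t.new_owner), t.signature):
                return False
            owner, prev = t.new_owner, transfer_hash(t)
        return True


def spend(coin: Coin, owner_sk: Key, recipient_pk: Key) -> Transfer:
    """The current owner hands the coin to recipient_pk by signing the tip."""
    prev = coin.tip_hash()
    return Transfer(prev, recipient_pk, sign(owner_sk, transfer_message(prev, recipient_pk)))


def demo() -> dict:
    mint_sk, mint_pk = keygen()
    alice_sk, alice_pk = keygen()
    _bob_sk, bob_pk = keygen()
    mallory_sk, mallory_pk = keygen()
    coin = Coin(mint_pk)
    coin.transfers.append(spend(coin, mint_sk, alice_pk))   # mint -> Alice
    coin.transfers.append(spend(coin, alice_sk, bob_pk))    # Alice -> Bob
    # Mallory tries to move Bob's coin to herself, signing with her own key.
    forged = Coin(mint_pk)
    forged.transfers = coin.transfers + [spend(coin, mallory_sk, mallory_pk)]
    return {"chain_length": len(coin.transfers),
            "chain_valid": coin.verify(),
            "forgery_accepted": forged.verify()}


if __name__ == "__main__":
    print(demo())
```

The chain proves provenance, not uniqueness: the current owner could sign a second transfer from the same tip to someone else, and each of the two chains would verify on its own. Deciding which of them counts is what Bitcoin's shared public ledger exists for, and it is the part of the design that lets the system run with no central controlling authority.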
As use of Bitcoin has increased, it has become a more attractive target for cybercriminals. In end-of-year forecasts, security researchers anticipated attacks on Bitcoin: attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year. Such attacks will be especially popular with fraudsters, as their cost-to-income ratio is very favorable.[5]

MtGox, one of the biggest Bitcoin exchanges, was taken offline in February 2014.[6] This followed a turbulent month in which the exchange was beset by problems, problems that saw the trading price of Bitcoins on the site fall dramatically. There have been reports that the exchange's insolvency followed a hack that led to the loss of $744,408.

[5] Kaspersky Security Bulletin 2013.
[6] February 25, 2014, CNN Money, Mt.Gox site disappears, Bitcoin future in doubt.

Spammers are also quick to make use of social engineering techniques to draw people into a scam. They took advantage of the climb in the price of Bitcoins in the first part of this quarter (prior to the MtGox collapse) to try to cash in on people's desire to get rich quick. There were several Bitcoin-related topics used by spammers. They included offers to share secrets from a millionaire on how to get rich by investing in Bitcoins, and offers to join a Bitcoin lottery.[7]

[7] February 2014, SecureList, Virtual bitcoins vs hard cash

Tor

Tor (short for The Onion Router) is software designed to allow someone to remain anonymous when accessing the Internet. It has been around for some time, but for many years was used mainly by experts and enthusiasts. However, use of the Tor network has spiked in recent months, largely because of growing concerns about privacy. Tor has become a helpful solution for those who, for any reason, fear surveillance and the leakage of confidential information.

Tor's hidden services and anonymous browsing enable cybercriminals to cover their operations and provide a hosting platform to sell the stolen information using bitcoins as the currency. Since Bitcoin's architecture is decentralized and more difficult to trace than traditional financial institutions, it provides a more efficient way for cybercriminals to launder their ill-gotten gains.

In 2013, security experts began to see cybercriminals actively using Tor to host their malicious infrastructure, and Kaspersky Lab experts have found various malicious programs that specifically use Tor. Investigation of Tor network resources reveals lots of resources dedicated to malware, including Command-and-Control servers, administration panels and more. By hosting their servers in the Tor network, cybercriminals make them harder to identify, blacklist and eliminate.

Cybercriminal forums and marketplaces have become familiar on the normal Internet. But recently a Tor-based underground marketplace has also emerged. It all started with the notorious Silk Road market and has evolved into dozens of specialist markets for drugs, arms and, of course, malware. Carding shops are firmly established in the Darknet, where stolen personal information is for sale, with a wide variety of search attributes like country, bank etc. The goods on offer are not limited to credit cards: dumps, skimmers and carding equipment are for sale too.

A simple registration procedure, trader ratings, guaranteed service, and a user-friendly interface are standard features of a Tor underground marketplace. Some stores require sellers to deposit a pledge, a fixed sum of money, before starting to trade. This is to ensure that a trader is genuine and his services are not a scam or of poor quality.

The development of Tor has coincided with the emergence of the anonymous crypto-currency, Bitcoin. Nearly everything on the Tor network is bought and sold using Bitcoins. It's almost impossible to link a Bitcoin wallet and a real person, so conducting transactions in the Darknet using Bitcoin means that cybercriminals can remain virtually untraceable. Kaspersky Lab's expert blog, Securelist, discusses bitcoins extensively.

It seems likely that Tor and other anonymous networks will become a mainstream feature of the Internet as increasing numbers of ordinary people using the Internet seek a way to safeguard their personal information. But it's also an attractive mechanism for cybercriminals: a way for them to conceal the functions of the malware they create, to trade in cybercrime services, and to launder their illegal profits. Researchers believe that use of these networks for cybercrime will only continue.

Like technology, the specifics of cybercrime are constantly changing. To keep your organization safe today and into the future, partnering with a cybersecurity expert is critical.

About Kaspersky

Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. With its holding company registered in the United Kingdom, Kaspersky Lab operates in almost 200 countries and territories worldwide, providing protection for over 300 million users worldwide.

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares (IDC # 242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.

Call Kaspersky today at 866-563-3099 or email us at corporatesales@kaspersky.com, to learn more about Kaspersky Endpoint Security for Business.

www.kaspersky.com/business
