Once again, it’s time for us to deliver our customary retrospective of the key events that have defined the threat landscape in 2013. Let’s start by looking back at the things we thought would shape the year ahead, based on the trends we observed in the previous year.
- Targeted attacks and cyber-espionage
- Nation-state-sponsored cyber-attacks
- The use of legal surveillance tools
- Cloudy with a chance of malware
- Vulnerabilities and exploits
- Cyber extortion
- Who do you trust?
- Mac OS malware
- Mobile malware
- Dude, where’s my privacy?!
If we now focus on the highlights on 2013, you can judge for yourself how well we did in predicting the future.
The top stories of 2013
Here’s our shortlist of the top secuarity stories of 2013.
New “old” cyber-espionage campaigns
Quite often, the roots of targeted attacks reach back in time from the point at which they become known and are analyzed and reported. It’s true also of some of the major cyber-espio- nage campaigns we’ve seen this year.
Red October is a cyber-espionage campaign that has affected hundreds of victims around the world – including diplomatic and government agencies, research institutions, energy and nuclear groups and trade and aerospace organizations. We have published the results of our analysis in January 2013, but it’s clear that the campaign dates back to 2008. The malware is highly sophisticated – among other things, it includes a ‘resurrection mode’ that enables the malware to re-infect computers. Interestingly, Red October didn’t just harvest information from traditional endpoints, but also from mobile devices connected to the victims’ networks – a clear recognition by cybercriminals that mobile devices are a core component of today’s business environment and contain valuable information.
In February, we published our analysis of MiniDuke, designed to steal data from government agencies and research institutions. Our analysis uncovered 59 high profile victim organizations in 23 countries. MiniDuke combined the use of ‘old school’ social engineering tactics with sophisticated techniques. Compromised endpoints received instructions from the command-and-control server via pre-defined Twitter accounts (and used Google search as a fall back method).
We learned of a wave of attacks in March that targeted top politicians and human rights activists in CIS countries and Eastern Europe. The attackers used the TeamViewer remote ad- ministration tool to control the computers of their victims, so the operation became known as ‘TeamSpy’. The purpose of the attacks was to gather information from compromised computers. Though not as sophisticated as Red October, NetTraveler and other campaigns, this campaign was nevertheless successful – indicating that not all successful targeted attacks need to build code from scratch.
NetTraveler (also known as “NetFile”), which we announced in June, is another threat that, at the time of discovery, had long been active – in this case, since 2004.
This campaign was designed to steal data relating to space exploration, nano-technology, energy production, nuclear power, lasers, medicine and telecommunications. NetTraveler was successfully used to compromise more than 350 organizations across 40 countries. The targets were from state and private sector organizations that included government agencies, embassies, oil and gas companies, research centers, military contractors and activists.
In April we published a report on the cybercrime group ‘Winnti’. This group, active since 2009, focuses on stealing digital certificates signed by legitimate software vendors, as well as intellectual property theft (including theft of source code for online game projects). The Trojan used by the group operated as a fully-functional Remote Administration Tool – giving the attackers full control over the compromised computer. In total, we found that more than 30 companies in the online gaming industry fell victim to the group’s activities – mostly in South-East Asia, but also affecting companies in Germany, the US, Japan, China, Russia, Brazil, Peru, Belarus and the UK. This group is still active.
The Icefog attacks that we announced in September (discussed in the next section of this report) were focused on the supply chain and, as well assensitive data from within the target networks, also gathered e-mail and network credentials to resources outside the target networks.
Cyber-mercenaries: a new emerging trend
On the face of it, Icefog seems to be a targeted attack like any other. It’s a cyber-espionage campaign, active since 2011, focused mainly in South Korea, Taiwan and Japan, but also in the US, Europe and China. Similarly, the attackers use spear-phishing e-mails – containing either attachments or links to malicious web sites – to distribute the malware to their victims. As with any such attack, it’s difficult to say for sure how many victims there have been, but we have seen several dozen victims running Windows and more than 350 running Mac OS X (most of the latter are in China).
However, there are some key distinctions from other attacks that we’ve discussed already. First, Icefog is part of an emerging trend that we’re seeing – attacks by small groups of cyber-mercenaries who conduct small hit-and-run attacks. Second, the attackers specifically targeted the supply chain – their would-be victims include government institutions, military contractors, maritime and ship-building groups, telecommunications operators, satellite operators, industrial and high technology companies and mass media. Third, their campaigns rely on custom-made cyber-espionage tools for Windows and Mac OSX and they directly control the compromised computers; and in addition to Icefog, we have noticed that they use backdoors and other malicious tools for lateral movement within the target organizations and for exfiltration of data.
The Chinese group ‘Hidden Lynx’, whose activities were reported by researchers at Symantec in September, fall into the same category – ‘guns-for-hire’ performing attacks to order using cutting-edge custom tools. This group was responsible for, among others, an attack on Bit9 earlier this year. Going forward, we predict that more of these groups will appear as an underground black market for “APT” services begins to emerge.
Hacktivism and leaks
Stealing money – either by directly accessing bank accounts or by stealing confidential data – is not the only motive behind security breaches. They can also be launched as a form of political or social protest, or to undermine the reputation of the company being targeted. The fact is that the Internet pervades nearly every aspect of life today. For those with the relevant skills, it can be easier to launch an attack on a government or commercial web site than it is to co-ordinate a real-world protest or demonstration.
One of the weapons of choice for those who have an ax to grind is the DDoS (Distributed Denial of Service) attack. One of the biggest such attacks in history (some would say *the* biggest) was directed at Spamhaus in March. It’s estimated that, at its peak, the attack reached a throughput of 300gbps. One organization suspected of launching it was called Cyberbunker. The conflict between this organization and Spamhaus dates back to 2011, but reached a peak when Cyberbunker was blacklisted by Spamhaus a few weeks before the incident. The owner of Cyberbunker denied responsibility, but claimed to be a spokesperson for those behind it. The attack was certainly launched by someone capable of generating huge amounts of traffic. To mitigate this, Spamhaus was forced to move to CloudFlare, a hosting and service provider known for dissipating large DDoS attacks. While some of the ‘it’s the end of the world as we know it’ headlines might have overstated the effects of this event, the incident highlights the impact that a determined attacker can have.
While the attack on Spamhaus appears to have been an isolated incident, ongoing hacktivist activities by groups who have been active for some time have continued this year. This includes the ‘Anonymous’ group. This year it has claimed responsibility for attacks on the US Department of Justice, MIT (Massachusetts Institute of Technology) and the web sites of various governments – including Poland, Greece, Singapore, Indonesia and Australia. The group also claims to have hacked the wi-fi network of the British parliament during protests in Parliament Square during the first week of November.
Those claiming to be part of the ‘Syrian Electronic Army’ (supporters of Syria’s president, Bashar-al-Assad) have also been active throughout the year. In April, they claimed responsibility for hacking the Twitter account of Associated Press and sending a false tweet reporting explosions at the White House – which wiped $136 billion off the DOW. In July the group compromised the Gmail accounts of three White House employees and the Twitter account of Thomson Reuters.
It’s clear that our dependence on technology, together with the huge processing power built into today’s computers, means that we’re potentially vulnerable to attack by groups of people with diverse motives. So it’s unlikely that we’ll see an end to the activities of hacktivists or anyone else choosing to launch attacks on organizations of all kinds.
The methods used by cybercriminals to make money from their victims are not always subtle. ‘Ransomware’ programs operate like a computer-specific ‘denial-of-service’ attack – they block access to a computer’s file system, or they encrypt data files stored on the computer. The modus operandi can vary. In areas where levels of software piracy are high, for example, ransomware Trojans may claim to have identified unlicensed software on the victim’s computer and demand payment to regain access to the computer. Elsewhere, they purport to be pop-up messages from police agencies claiming to have found child pornography or other illegal content on the computer and demanding a fine. In other cases, there’s no subterfuge at all – they simply encrypt the data and warn you that you must pay in order to recover your data. This was the case with the Cryptolocker Trojan that we analyzed in October.
Cryptolocker encrypts data stored on a computer, making it impossible to access or restore it without knowing a special key. The cybercriminals give their victims only three days to pay up – and they reinforce their message with scary wallpaper that warns them that if they don’t pay up in time their data will be gone forever. They accept different forms of payment, including Bitcoin. The most affected countries are the UK and US, distantly followed by India, Canada and Australia.
In this case there’s little difficulty in removing the malicious application, or even rebuilding the infected computer. But the data may potentially be lost forever. Sometimes in the past, we’ve been able decrypt the hijacked data. But that isn’t always possible if the encryption is very strong, as with some of the Gpcode variants. It is also true of Cryptolocker. That’s why it’s essential that individuals and businesses always make regular backups. If data is lost – for any reason – an inconvenience doesn’t turn into a disaster.
Cryptolocker wasn’t the only extortion program that made the headlines this year. In June we saw an Android app called ‘Free Calls Update’ – a fake anti-malware program designed to scare its victims into paying money to remove non-existent malware from the device. Once installed, the app tries to gain administrator rights: this allows it to turn wi-fi and 3G on and off; and prevents the victim from simply removing the app. The installation file is deleted afterwards, in a ploy to evade detection by any legitimate anti-malware program that may be installed. The app pretends to identify malware and prompts the victim to buy a license for the full version to remove the malware.
Mobile malware and app store (in)security
The explosive growth in mobile malware that began in 2011 has continued this year. There are now more than 148,427 mobile malware modifications in 777 families. The vast majority of it, as in recent years, is focused on Android – 98.05% of mobile malware found this year targets this platform. This is no surprise. This platform ticks all the boxes for cybercriminals: it’s widely-used, it’s easy to develop for and people using Android devices are able to download programs (including malware) from wherever they choose. This last factor is important: cybercriminals are able to exploit the fact that people download apps from Google Play, from other marketplaces, or from other web sites. It’s also what makes it possible for cybercriminals to create their own fake web sites that masquerade as legitimate stores. For this reason, there is unlikely to be any slowdown in development of malicious apps for Android.
The threat isn’t just growing in volume. We’re seeing increased complexity too. In June we analyzed the most sophisticated mobile malware Trojan we’ve seen to-date, a Trojan named Obad. This threat is multi-functional: it sends messages to premium rate numbers, downloads and installs other malware, uses Bluetooth to send itself to other devices and remotely performs commands at the console. It is also impossible for the victim to simply remove the malware from the device. Obad also uses multiple methods to spread. In addition to Bluetooth, it spreads through a fake Google Play store, by means of spam text messages and through redirection from cracked sites. On top of this, it’s also dropped by another mobile Trojan – Opfake.
When targeting a specific company, cybercriminals sometimes utilize method known as a ‘watering-hole’ attack, which combines two attack methods: spear-phishing and drive-by downloads. The attackers study the behavior of people who work for a target organization, to learn about their browsing habits. Then they compromise a web site that is frequently used by employees – preferably one that is run by a trusted organization that is a valuable source of information. When employees visit a web page on the site, they are infected – typically a backdoor Trojan is installed that allows the attackers to access the company’s internal network. In effect, instead of chasing the victim, the cybercriminal lies in wait at a location that the victim is highly likely to visit – hence the watering-hole analogy.
It’s a method of attack that has proved successful for cybercriminals this year. Hard on the heels of our report on the Winnti attacks, we found a Flash Player exploit on a care-giver web site that supports Tibetan refugee children, the ‘Tibetan Homes Foundation’. It turned out that this web site was compromised in order to distribute backdoors signed with stolen certificates from the Winnti case. This was a classic case of a watering-hole attack – the cybercriminals had researched the preferred sites of their victims and compromised them in order to infect their computers. We saw the technique used again in August, when code on the Central Tibetan Administration web site started to redirect Chinese-speaking visitors to a Java exploit that dropped a backdoor used as part of a targeted attack.
Then in September we saw further watering-hole attacks directed against these groups as part of the NetTraveler campaign. All of these attacks are further testimony to the fact that you don’t need to be a multi-national corporation, or other high-profile organization, to become the victim of a targeted attack.
The need to re-forge the weakest link in the security chain
Many of today’s threats are highly sophisticated. This is especially true for targeted attacks, where cybercriminals develop exploit code to make use of unpatched application vulnerabilities, or create custom modules to help them steal data from their victims. However, often the first kind of vulnerability exploited by attackers is the human one. They use social engineering techniques to trick individuals who work for an organization into doing something that jeopardizes corporate security. People are susceptible to such approaches for various reasons. Sometimes they simply don’t realize the danger. Sometimes they’re taken in by the lure of ‘something for nothing’. Sometimes they cut corners to make their lives easier – for example, using the same password for everything.
Many of the high profile targeted attacks that we have analyzed this year have started by ‘hacking the human’. Red October, the series of attacks on Tibetan and Uyghur activists, MiniDuke, NetTraveler and Icefog all employed spear-phishing to get an initial foothold in the organizations they targeted. They frame their approaches to employees using data that they’re able to gather from a company web site, public forums and by sifting through the various snippets of information that people post in social networks. This helps them to generate e-mails that look legitimate and catch people off-guard.
Of course, the same approach is also adopted by those behind the mass of random, speculative attacks that make up the majority of cybercriminal activities – the phishing messages sent out in bulk to large numbers of consumers.
Social engineering can also be applied at a physical level; and this dimension of security is sometimes overlooked. Even if the need for staff awareness is acknowledged, the methods used are often ineffective. Yet we ignore the human factor in corporate security at our peril, since it’s all too clear that technology alone can’t guarantee security. Therefore it’s important for all organizations to make security awareness a core part of their security strategy.
Privacy loss: Lavabit, Silent Circle, NSA and the loss of trust
No ITSec overview of 2013 would be complete without mentioning Edward Snowden and the wider privacy implications which followed up to the publication of stories about Prism, XKeyscore and Tempora, as well as other surveillance programs.
Perhaps one of the first visible effects was the shutdown of the encrypted Lavabit e-mail service. We wrote about it here. Silent Circle, another encrypted e-mail provider, decided to shut down their service as well, leaving very few options for private and secure e-mail exchange. The reason why these two services shut down was their inability to provide such services under pressure from Law Enforcement and other governmental agencies.
Another story which has implications over privacy is the NSA sabotage of the elliptic curve cryptographic algorithms released through NIST. Apparently, the NSA introduced a kind of “backdoor” in the Dual Elliptic Curve Deterministic Random Bit Generation (or Dual EC DRBG) algorithm. The “backdoor” supposedly allows certain parties to perform easy attacks against a particular encryption protocol, breaking supposedly secure communications. RSA, one of the major encryption providers in the world noted that this algorithm was default in its encryption toolkit and recommended all their customers to migrate away from it. The algorithm in question was adopted by NIST in 2006, having been available and used on a wide scale at least since 2004.
Interestingly, one of the widely discussed incidents has direct implications for the antivirus industry. In September, Belgacom, a Belgian telecommunications operator announced it was hacked. During a routine investigation, Belgacom staff identified an unknown virus in a number of servers and employee computers. Later, speculations appeared about the origin of the virus and the attack, which pointed towards GCHQ and NSA. Although samples of the malware have not been made available to the security industry, further details appeared which indicate the attack took place through “poisoned” LinkedIn pages that had been booby-trapped through man-in-the-middle techniques, with links pointing to CNE (computer network exploitation) servers.
All these stories about surveillance have also raised questions about the level of cooperation between security companies and governments. The EFF, together with other groups, published a letter on 25th October, asking security vendors a number of questions regarding the detection and blocking of state-sponsored malware.
At Kaspersky Lab, we have a very simple and straightforward policy concerning the detection of malware: We detect and remediate any malware attack, regardless of its origin or purpose. There is no such thing as “right” or “wrong” malware for us.
Vulnerabilities and zero-days
Cybercriminals have continued to make widespread use of vulnerabilities in legitimate software to launch malware attacks. They do this using exploits – fragments of code designed to use a vulnerability in a program to install malware on a victim’s computer without the need for any user interaction. This exploit code may be embedded in a specially-crafted e-mail attachment, or it may target a vulnerability in the browser. The exploit acts as a loader for the malware the cybercriminal wishes to install.
Of course, if an attacker exploits a vulnerability is known only to the attacker – a so-called ‘zero-day’ vulnerability – everyone using the vulnerable application will remain unprotected until the vendor has developed a patch that closes up the loophole. But in many cases cybercriminals make successful use of well-known vulnerabilities for which a patch has already been released. This is true for many of the major targeted attacks of 2013 – including Red October, MiniDuke, TeamSpy and NetTraveler. And it’s also true for many of the random, speculative attacks that make up the bulk of cybercrime.
Cybercriminals focus their attention on applications that are widely-used and are likely to remain unpatched for the longest time – giving them a large window of opportunity through which to achieve their goals. In 2013, Java vulnerabilities accounted for around 90.52% of attacks, while Adobe Acrobat Reader accounted for 2.01%. This follows an established trend and isn’t surprising. Java is not only installed on a huge number of computers (3 billion, according to Oracle), but its updates are not installed automatically. Adobe Reader continues to be an application exploited by cybercriminals, though the volume of exploits for this application has reduced greatly over the last 12 months, as a result of Adobe’s more frequent (and, in the latest version, automatic) patch routine.
To reduce their ‘attack surface’, businesses must ensure that they run the latest versions of all software used in the company, apply security updates as they become available and remove software that is no longer needed in the organization. They can further reduce risks by using a vulnerability scanner to identify unpatched applications and by deploying an anti-malware solution that prevents the use of exploits in un-patched applications.
The ups and downs of cryptocurrencies - how the Bitcoins rule the world
In 2009, a guy named Satoshi Nakamoto published a paper that would revolutionize the world of e-currencies. Named “Bitcoin: A Peer-to-Peer Electronic Cash System”, the paper defined the foundations for a distributed, de-centralized financial payment system, with no transaction fees. The Bitcoin system was implemented and people started using it. What kind of people? In the beginning, they were mostly hobbyists and mathematicians. Soon, they were joined by others – mostly ordinary people, but also cybercriminals and terrorists.
Back in January 2013, the Bitcoin was priced at 13$. As more and more services started adopting the Bitcoin as a means for payment, the price rose. On April 9, 2013, it reached $260 dollars (the average price was $214) before crashing the next day as Bitcoin-rich entities started swapping them for real life money.
In November 2013, the Bitcoin started gaining strength again, surpassing the 400$ mark, heading towards 450$ and perhaps above. So why are Bitcoins so popular? First of all, they provide an almost anonymous and secure means of paying for goods. In the wake of the surveillance stories of 2013, there is perhaps little surprise that people are looking for alternative forms of payment. Secondly, there is perhaps little doubt that they are also popular with cybercriminals, who are looking at ways to evade the law.
On Friday, October 25, during a joint operation between the FBI and the DEA, the infamous Silk Road was shut down. Silk Road was “a hidden website designed to enable its users to buy and sell illegal drugs and other unlawful goods and services anonymously and beyond the reach of law enforcement”, according to the Press Release from the US Attorney’s Office. It was operating on Bitcoins, which allowed both sellers and customers to remain unknown. The FBI and DEA seized about 140k Bitcoins (worth approximately $56 mil, at today’s rates) from “Dread Pirate Roberts”, Silk Road’s operator. Founded in 2011, Silk Road was operating through the TOR Onion network, having amassed over 9.5 million BTC in sales revenue.
Although it’s clear that cybercriminals have found safe havens in Bitcoins, there are also many other users who have no malicious intentions. As Bitcoin becomes more and more popular, it will be interesting to see if there is any government crackdown on the exchanges in a bid to put a stop to their illicit usage.
If you happen to own Bitcoins, perhaps the most important problem is how to keep them safe. You can find some tips in this post published by our colleagues Stefan Tanase and Sergey Lozhkin.
Conclusions and looking forward: “2014, the year of trust”
Indeed, some of the revelations of 2013 were eye opening and raised questions about the way we use the Internet nowadays and the category of risks we face. In 2013, advanced threat actors have continued large-scale operations, such as RedOctober or NetTraveler. New techniques have been adopted, such as watering-hole attacks, while zero-days are still popular with advanced actors. We’ve also noticed the emergence of cyber-mercenaries, specialized “for hire” APT groups focusing on hit-and-run operations. Hacktivists were constantly in the news, together with the term “leak”, which is sure to put fear into the heart of any serious sys-admin out there. In the meantime, cybercriminals were busy devising new methods to steal your money or Bitcoins; and ransomware has become almost ubiquitous. Last but not least, mobile malware remains a serious problem, for which no easy solution exists.
Of course, everyone is curious about how all these stories are going to influence 2014. In our opinion, 2014 will be all about rebuilding trust.
Privacy will be a hot subject, with its ups and downs. Encryption will be back in fashion and we believe countless new services will appear, claiming to keep you safe from prying eyes. The Cloud, the wonder child of previous years, is now forgotten as people have lost trust and countries begin thinking more seriously about privacy implications. In 2014, financial markets will probably feel the ripples of the Bitcoin, as massive amounts of money are being pumped in from China and worldwide. Perhaps the Bitcoin will reach the mark of $10,000, or perhaps it will crash and people will start looking for more trustworthy alternatives.