Global Cyber Security Threats Landscape

July 15, 2015

Attacks on organisations' security defences are becoming more targeted, with attackers focusing ever more sharply on stealing business-critical information. Here are some of the security breaches that made headlines recently, together with advice from security vendors on how to stay protected.

Wipbot/Turla spyware combo wreaks havoc on Governments and Embassies

A cyberespionage campaign involving malware known as Wipbot and Turla has systematically targeted governments and embassies of a number of former Eastern Bloc countries. Trojan.Wipbot (known to other vendors as Tavdig) is a back door used for reconnaissance before the attackers shift to long-term monitoring using Trojan.Turla (known to other vendors as Uroboros, Snake and Carbon).

Turla provides the attacker with powerful spying capabilities. It is configured to run every time the computer starts; once the user opens a web browser, it opens a back door that communicates with the attackers. Through this back door, attackers can copy files from the infected computer, connect to servers, delete files, and load and execute other malware, among other capabilities.

The two-pronged attack strategy infects victims through spear-phishing emails and watering-hole attacks. The watering-hole attacks show a capable and selective operator: the attackers compromised a range of legitimate websites but delivered malware only to visitors arriving from pre-selected IP address ranges. These compromised websites deliver a Trojan.Wipbot payload, and it is highly likely that Wipbot is then used as a downloader to deliver Turla to the victim. For defenders this gating matters: a compromised site fetched from outside the targeted ranges serves clean content, so a scan from an analyst's own address space may fail to reproduce the infection.

Infections in Western Europe occurred on computers connected to the private government networks of former Eastern Bloc countries; these turned out to be in the embassies of those countries. In May 2012, the office of the prime minister of a former Soviet Union member country was infected. Another attack, in late 2012, infected a computer at the French embassy of a second former Soviet Union member. During 2013, infections spread to other computers linked to the network of this country's ministry of foreign affairs.

Later, infections were also discovered at embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany.


Source: Kaspersky Lab

Nigerian Scammers are using RATs to Infiltrate Businesses

Cyber criminals in Nigeria have adapted commodity malware campaigns to infiltrate businesses that were not previously their primary targets. The Palo Alto Networks threat intelligence team explains how Nigeria-based scammers use the same tools to steal business-critical data from enterprises.

Key research findings:

Nigerian criminals use Remote Administration Tools (RATs) sold on underground forums, including commercial RATs such as NetWire, that give complete control over infected systems.

In the past, attacks resembling Silver Spaniel (Palo Alto Networks' name for this activity) would have been expected from Eastern Europe or from a hostile espionage group.

Traditional antivirus programs and legacy firewalls are ineffective because Silver Spaniel attacks are specifically designed to evade those technologies.

These Silver Spaniel malware activities originate in Nigeria and share similar tactics, techniques and procedures. The actors do not show a high level of technical acumen, but they represent a growing threat to businesses that were not previously their primary targets.

Source: Palo Alto Networks


Weak Links in Threat Landscape Increase Malicious Traffic

The Cisco 2014 Mid-year Security Report examines the 'weak links' in organisations that contribute to the increasingly dynamic threat landscape. These weak links (outdated software, bad code, abandoned digital properties and user error) give adversaries the opening to exploit vulnerabilities with methods such as DNS queries, exploit kits, amplification attacks, point-of-sale (POS) system compromise, malvertising, ransomware, abuse of encryption protocols, social engineering and 'life event' spam.

This analysis yielded three compelling security insights tying enterprises to malicious traffic:

'Man-in-the-Browser' attacks pose a risk for enterprises: nearly 94 percent of customer networks observed in 2014 were seen sending traffic to websites that host malware. Specifically, they issued DNS requests for hostnames that resolve to IP addresses reported to be associated with the distribution of the Palevo, SpyEye and Zeus malware families, all of which incorporate man-in-the-browser (MiTB) functionality.


Botnet hide and seek: nearly 70 percent of networks were identified as issuing DNS queries for dynamic DNS domains. This is evidence of networks misused or compromised by botnets, which use DDNS to change the IP address their domains resolve to and so evade detection and blacklisting. Few legitimate outbound connection attempts from enterprises go to dynamic DNS domains; most such lookups are command-and-control callbacks that disguise the location of the botnet infrastructure.

Encrypting stolen data: nearly 44 percent of customer networks observed in 2014 were identified as issuing DNS requests for sites and domains hosting devices that provide encrypted channel services such as VPN, SSH, SFTP, FTP and FTPS. Malicious actors use these channels to cover their tracks, exfiltrating data over an encrypted connection to avoid detection.
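As an added example (not part of the Cisco report or of this article), the following Python script applies the three DNS-based indicators above to a handful of constructed BIND-style query log lines. It matches queried names against a hypothetical threat-intelligence list of malware-distribution hostnames, against the suffixes of well-known dynamic DNS providers (no-ip.org, dyndns.org), and against a hypothetical list of VPN/SSH gateway domains, then reports which internal clients hit which category and what share of clients triggered each one. The indicator lists, log lines and client addresses are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of BIND-style query log lines (not real traffic).
SAMPLE_LOG = """\
15-Jul-2015 09:12:01.114 client 10.1.4.22#51023: query: www.example.org IN A + (10.1.4.1)
15-Jul-2015 09:12:03.551 client 10.1.4.22#51024: query: update.bad-cdn-example.net IN A + (10.1.4.1)
15-Jul-2015 09:12:07.002 client 10.1.7.9#40112: query: acct-svc.no-ip.org IN A + (10.1.4.1)
15-Jul-2015 09:12:09.777 client 10.1.7.9#40113: query: gw.vpn-example.net IN A + (10.1.4.1)
15-Jul-2015 09:12:12.300 client 10.1.9.3#33100: query: mail.example.org IN MX + (10.1.4.1)
15-Jul-2015 09:12:15.020 client 10.1.7.9#40114: query: cdn.dyndns.org IN AAAA + (10.1.4.1)
"""

# Assumed indicator lists; in production these come from a threat-intel feed.
MALWARE_HOSTS = {"update.bad-cdn-example.net"}            # hypothetical indicator
DDNS_SUFFIXES = {"no-ip.org", "no-ip.biz", "dyndns.org"}   # well-known DDNS providers
ENCRYPTED_CHANNEL_SUFFIXES = {"vpn-example.net"}           # hypothetical VPN/SSH gateway

# Handles both the classic BIND format and the newer one that adds "@0x..."
# and the "(qname)" after the client port.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

CATEGORIES = ("malware_host", "dynamic_dns", "encrypted_channel")


def parse_query_line(line):
    """Return (client_ip, qname, qtype) for a BIND query log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    qname = m.group("qname").lower().rstrip(".")
    return m.group("client"), qname, m.group("qtype")


def _under(qname, suffixes):
    # Match only on label boundaries: 'notdyndns.org' must not match 'dyndns.org'.
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def classify(qname):
    """Map a queried name to one of the three indicator categories, or None."""
    qname = qname.lower().rstrip(".")
    if qname in MALWARE_HOSTS:
        return "malware_host"
    if _under(qname, DDNS_SUFFIXES):
        return "dynamic_dns"
    if _under(qname, ENCRYPTED_CHANNEL_SUFFIXES):
        return "encrypted_channel"
    return None


def analyze(log_text):
    """Return {client_ip: [(category, qname), ...]} for clients with any hit."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        client, qname, _ = parsed
        category = classify(qname)
        if category:
            findings[client].append((category, qname))
    return dict(findings)


def share_of_clients(log_text):
    """Fraction of distinct clients in the log that triggered each category."""
    clients, hits = set(), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        client, qname, _ = parsed
        clients.add(client)
        category = classify(qname)
        if category:
            hits[category].add(client)
    if not clients:
        return {}
    return {c: len(hits[c]) / len(clients) for c in CATEGORIES}


if __name__ == "__main__":
    for client, items in sorted(analyze(SAMPLE_LOG).items()):
        for category, qname in items:
            print(f"{client}\t{category}\t{qname}")
    print(share_of_clients(SAMPLE_LOG))
```

Matching on label boundaries is the detail that is easy to get wrong: a naive endswith("dyndns.org") would flag notdyndns.org. The encrypted-channel category also needs an allow-list of the organisation's own VPN and SFTP endpoints before it is turned into an alert, since that traffic is legitimate in most networks; the report's figure is a measure of exposure, not a verdict on each lookup.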

Source: Cisco 2014 Mid-year Security Report

Russian Cyber Gang Steals 1.2 bn Usernames and Passwords

A Russian group has reportedly stolen 1.2 billion username and password combinations belonging to over 500 million email addresses, according to a report by Hold Security. The credentials were taken from more than 420,000 websites; the report says the perpetrators 'didn't just target large companies; instead they targeted every site that their victims visited.' The list of affected websites is said to include 'leaders in virtually all industries across the world, as well as a magnitude of small or even personal websites.'


A breach on this scale poses three main threats: first, personal and sensitive information is exposed and can be used by criminals; second, the stolen credentials can lead to identity theft; third, and potentially the most significant for businesses, attackers can impersonate legitimate users to gain access to organisational assets and confidential information, particularly where passwords have been reused across sites.

Data breach incidents will continue to occur, and their potentially severe consequences can only be mitigated by organisations tackling password security head-on. This means identifying all privileged users and accounts, and managing and monitoring their access and activity. For organisations, automated password management and strong, unique passwords for sensitive assets are essential. For individuals, using a personal password manager and enabling two-factor authentication wherever it is offered should be routine.

Source: Cyber Ark

More than a Million Attacks per month to steal Financial Data

Kaspersky Lab statistics show that the number of cyber threats targeting the financial data of individual users is growing constantly. The number of attacks using malicious banking software reached 1.4 million in the period between 19 May and 19 June, a 15% increase over the period from 19 April to 19 May.

Still, only 52% of financial companies and 46% of e-commerce firms believe they need to take enhanced measures to protect financial transactions. Overall, 30% of companies handling payments over the Internet do not provide, and are not planning to provide, protection on customer devices during transactions, even though this is the weakest point in the security chain and can lead to clients losing money and companies losing profits and reputation. 28% of companies are not interested in installing anti-fraud software on customers' mobile devices, while 30% do not try to protect their own information infrastructure against fraud. This nonchalant attitude towards payment protection risks a backlash from customers: three quarters of users expect financial companies to take responsibility for safeguarding all their devices, and 40% of those surveyed are sure that the company will reimburse any lost money.


Cybercriminals target banks by going after the least protected links in the chain: customer devices and the online financial transactions carried out from them. To protect customers and their money, and hence the reputation of the company, financial organisations are encouraged to use integrated, multi-layered solutions that provide proactive fraud prevention while keeping the user experience acceptable.

“The use of a unified platform that provides protections both at the customer endpoint and within the bank’s environment provide context driven, comprehensive prevention that point solutions fail to deliver,” says Ross Hogan, Global Head of the Fraud Prevention Division at Kaspersky Lab.

The server-side component installed at the financial company monitors all transactions for signs of suspicious activity indicating fraud. Applications installed on user devices provide a secure environment for online payments. Deploying a multi-component solution makes it possible to protect every stage of the transaction.

Source: Kaspersky Lab

Obsolete Software and Operating Systems – vulnerable to Cyber Attacks

More than 16% of all PC users who agreed to provide data to the distributed global Kaspersky Security Network were still working on computers running Windows XP in June 2014. This finding, part of the 'Windows usage and vulnerabilities research' for 2014, has clear implications for information security: users whose computers run an outdated operating system, or out-of-date versions of installed software, are at maximum risk from malware that exploits vulnerabilities.

Although technical support for Windows XP was only discontinued in April 2014, sales of the operating system ended back in 2010. Microsoft no longer maintains it, which means the manufacturer will not release security updates or patch vulnerabilities that still exist in the system. Should virus writers find such a vulnerability, XP users will have no fix to apply.


To minimise the risk of attacks involving vulnerabilities, users are advised to update their software regularly and to use a reliable security solution equipped with anti-exploit technologies.

Source: Kaspersky Lab

Indian Organisations Haunted by Targeted Cyber Attacks

There has been an increase in aggressive activity against Indian organisations involved in environmental, economic and government policy. The attackers have been targeting these organisations for a few years now, abusing a built-in Windows service, Windows Management Instrumentation (WMI), to get access to sensitive information. The malicious operations have been carried out with the help of the WMIGhost/Shadow Trojan.

According to the lab's chairman and CEO, Eugene Kaspersky, “India’s developing technology base, its geographical location and size, its inclusive and riotous political energy, and its growing economic weight makes it a special place of interest for ill-intentioned cyber attackers. Unfortunately there is quite a long list of APT groups targeting Indian organisations. More attacks are occurring throughout the country, targeting government and military agencies, NGOs, subcontractors and technology developers.” The attackers generally reuse current headline news as spear-phishing lures. For example, in a March 2014 attack they used an upcoming meeting between national energy labs and the Departments of Energy as the lure, sending out a spoofed document with a misspelled name, ‘India US strategic dialouge press release.doc’.


The list of advanced persistent threat groups targeting Indian organisations is long. Among the malicious campaigns with an interest in Indian targets are the infamous Gh0stNet, ShadowNet, Enfal, Red October, NetTraveler, LuckyCat, the Turla APT, Mirage and Naikon.

Source: Kaspersky Lab
