Global Threat Intelligence Report: FEBRUARY 2015
In February an astonishing array of news came out concerning information security and vulnerabilities. One story concerned supply chain tampering by Lenovo: “Superfish”, adware preinstalled on machines purchased from the company, which compromised the SSL sessions of every user of those machines. Elsewhere we discovered that our personal routers were being attacked by phishing emails carrying the default passwords that people commonly forget to change. It would seem that nothing is safe, either because people leave the defaults in place or because companies are weakening security on their own products to make more money by tracking users and selling data to advertisers.
This report covers the news highlights and gives a more nuanced portrait of their importance, both to you personally and at a corporate level for information security. Use this report as a primer on the security picture as it stands today and as an aid in confronting the security issues within your organization.
Think your BYOD program is secure? You might want to think again as you consider this story. Applications for iOS and Android have been cloned, malware inserted into them, and the result offered for download to unsuspecting users. All the attackers need to do is trick the end users into installing the malware-laden application by sending them an email with a link to their fake site.
As more and more corporations move toward the singularity and use BYOD (phones, tablets, and phablets) as their primary way of conducting business, these concerns become more pressing. Given that BYOD now allows personal devices to access corporate networks and assets, if a user infects their device with malware that steals data such as keystrokes, then your corporate network is at risk of compromise.
If you have a BYOD program and no robust way to manage what users can download and install, then you are more likely to suffer a compromise of your domain. If, however, you have BYOD mandates and policies that require phones with separate profiles, you may be on better footing, in that the end user's corporate profile should be completely locked down and unable to install anything without approval. This is a hard needle to thread, and it must be considered today as we see more of these types of attacks being leveraged in the wild against corporate BYOD programs.
Once again we find ourselves facing another SSL attack that may leave our private communications at risk. This one has been an issue for many years and only now is being talked about as something adversaries may be using. As with others, this attack exploits the fact that many systems still allow backward compatibility, letting an attacker reduce the encryption level to one that can be cracked.
While this attack is being patched, it is important to note that since Shellshock and POODLE adversaries have been working on variations on a theme, attempting to find old or unthought-of exploits to leverage in attacks today. It is important to keep up on the various vulnerabilities being reported and to respond to them as soon as possible once they have been announced.
It is recommended that all SSL systems be set to disallow backward compatibility if there is a newer, more secure version. If you are forced to use backward compatibility, you should ensure that a risk assessment is carried out and the risk signed off on at a corporate level to cover you should an incident occur from one of these known exploits.
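The recommendation above ("disallow backward compatibility") is concrete enough to check mechanically. The following Python is an added example written for this report, not code from the original or from any vendor: it audits a list of cipher suites for the downgrade path (legacy protocol versions, export-grade or broken algorithms, short keys) and builds an `ssl.SSLContext` hardened the way the paragraph recommends, then runs the same audit over what that context would actually offer. The weakness pattern, the 128-bit floor and the sample "legacy server" offer are assumptions constructed for the example.

```python
import re
import ssl

# Suite-name fragments that mark export-grade, legacy or broken suites (OpenSSL naming).
# This pattern is an assumption for the example, not an authoritative list.
WEAK_CIPHER_PATTERN = re.compile(r"^(EXP|EXPORT)|DES-CBC|RC4|RC2|NULL|MD5|ADH|AECDH", re.I)
MIN_KEY_BITS = 128                       # policy floor chosen for this example
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def audit_cipher(name, protocol, bits):
    """Return the reasons a single suite would be rejected; an empty list means acceptable."""
    reasons = []
    if protocol in LEGACY_PROTOCOLS:
        reasons.append(f"legacy protocol {protocol}")
    if WEAK_CIPHER_PATTERN.search(name):
        reasons.append("weak or export-grade algorithm")
    if bits < MIN_KEY_BITS:
        reasons.append(f"key size {bits} < {MIN_KEY_BITS}")
    return reasons


def audit_ciphers(ciphers):
    """ciphers: iterable of (name, protocol, bits). Returns {name: reasons} for every failing suite."""
    findings = {}
    for name, protocol, bits in ciphers:
        reasons = audit_cipher(name, protocol, bits)
        if reasons:
            findings[name] = reasons
    return findings


def hardened_context():
    """Server context with the downgrade path closed: TLS 1.2+ only and a modern AEAD cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


def audit_context(ctx):
    """Run the audit over the suites a live ssl.SSLContext would actually negotiate."""
    return audit_ciphers(
        (c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()
    )


# Constructed sample: what a scan of a server that still allows backward compatibility might report.
LEGACY_SERVER_OFFER = [
    ("EXP-RC4-MD5", "SSLv3", 40),
    ("DES-CBC-SHA", "TLSv1", 56),
    ("AES256-SHA", "TLSv1", 256),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
]

if __name__ == "__main__":
    for name, reasons in audit_ciphers(LEGACY_SERVER_OFFER).items():
        print(f"REJECT {name}: {'; '.join(reasons)}")
    print("hardened context findings:", audit_context(hardened_context()))
```

Note that the sample offer fails on three of four suites even though AES256-SHA itself is strong: being reachable over TLSv1 is the backward-compatibility exposure the report is warning about. If an exception to the policy is unavoidable, the audit output is the artifact to attach to the risk sign-off.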
Common technologies abound today, and one of the most popular is the COTS (Common Off The Shelf) router for internet access. In the case of D-Link, one of the more common brands in use today, there are multiple vulnerabilities that could lead to compromise of home or even corporate networks. The current vulnerability allows a remote attacker to gain “root” or administrative access to the routers.
So how could these COTS routers be a threat to your corporate network? Consider the home user who is VPN’d into your network and is using one of these vulnerable routers. If their router is compromised, then so too, potentially, is all of the traffic and every system they own at home. If that home user has their system online and not on the VPN, their system could be scanned and compromised remotely. If the endpoint has been compromised, so too is your network, VPN or not, so this is a real threat to your corporate environment as well.
Additionally, should your environment by any chance have any of these devices connected to your networks, then you too may be vulnerable directly through attacks on those routers. Consider too any company you may be connected to (again via VPN, for instance) that may be a mom-and-pop shop using one of these routers. This could be leveraged by an enterprising adversary to gain access to your network as well.
It is recommended that all corporations consider these vulnerabilities whether or not they think they have these devices on premises. All it takes is one connection from an insecure network elsewhere that has rights on yours to make your life miserable.
NAS (Network Accessible Storage) is common not only in corporate networks but also in home networks. As such, these devices need to be securely configured, with access restricted to internal networks only unless you absolutely know what you are doing. In the case of the Seagate NAS, this vulnerability is like many others out there, and Seagate has yet to update its firmware months after the fact. This leaves all of these devices unprotected on networks and, in some unfortunate cases, on the internet.
Think your corporate network doesn’t have a problem because the NAS is behind the firewall? That is not truly the case either: you could have an internal compromise, and if these devices are nominally secured yet vulnerable to these types of attacks, you could lose in the end. It is recommended that you determine whether you have these in your environment and patch as soon as possible.
Alternatively, consider the end user out there who works for you. Do you have a strong policy and practice of not allowing those users to store corporate data anywhere other than your network? Consider the end user who buys one of these, puts it on their home network and accidentally shares it with the world. Think that is not probable? Then go to Shodan and look for these devices, or better yet use Google to search for them. They are out there and they are open.
Patch Tuesday in February was huge, with a total of 56 vulnerabilities fixed in Microsoft products. The majority of the patches were for Internet Explorer, a core piece of the Windows system and the one most attacked by adversaries seeking to exploit users’ systems.
This particular patch cycle was notable because the previous cycle had not patched IE, and this one seems to have been an aggregate of earlier patches that were held back. As the number of patches is so high for one piece of the Microsoft system, one can infer just how much attention is paid to attacks on the IE browser.
It is recommended that every enterprise undertake a strong, process-driven patching function in its environment. Specifically, enterprises should take care to patch high-value target systems at the least and all systems at the most. Given that there are mitigating factors that may leave an organization no choice but to leave a system unpatched because patching would break the business, those systems should be signed off on for risk and, as a compensating measure, watched more closely to ensure that they are not compromised.
Earlier this report covered default passwords on home routers. It seems that this issue has risen again, as malware disguised in spam has been seen in the wild with the ability to log into routers using insecure default passwords. This type of attack is not new, but it is once again being leveraged by particular actors in the wild today.
This in and of itself should be a wake-up call for any users who have not changed the default logins and passwords on their COTS routers. As mentioned before in this report, this is something that all enterprises should be concerned about with regard to users who work from home and have access to your internal networks.
It is recommended that all organizations look at these vulnerabilities as affecting not only home users but also the networks that they interface with every day for work. As such, it is in every company’s interest to follow these things and to educate their users not only about corporate networks and assets but also about the BYOD devices and networks that interconnect with them.
Increasingly, carders and other adversaries are attacking corporations by targeting end users with malware via phishing campaigns. Many of these exploits are directly aimed at gaining access to credit card data, bank account data, and PII that would allow the attackers to create new identities and open credit lines.
The adversaries, however, are getting cleverer and more targeted today, and, armed with knowledge, they are attacking from the top down. Phishing campaigns aimed at executives gain access to their accounts and machines, which are then used to trick employees into making funds transfers from company accounts.
It is recommended that organizations keep awareness at a high level not only for regular employees but also, specifically, for executives. Executives are the prime targets for much of the malware and phishing campaigns in these types of attacks, and all too often the executives and their minions are less aware than they should be about phishing and how to spot it.
Additionally, it is good policy to have some means of empowering employees to question such transactions if they feel that something is amiss. Oftentimes the adversaries are counting on the social and psychological norms of the corporate pecking order to get an employee to simply react and carry out transactions like these.
As the tempo of attacks speeds up and more groups of adversaries start working together, the likelihood of follow-on attacks exploiting news items like the Anthem breach is high. In the case of Anthem, phishing emails started immediately after the incident made it into the news, sent from newly registered domains by a whole other sector of adversaries.
The Anthem breach, for all intents and purposes, seems to have been the work of nation state actors, and as such the data they stole will not be, and has not yet been, seen for sale on the darknet or the other places where this data is sold. This means that the criminals who carry out this type of attack for money are seeking to capitalize on the backs of the APT by phishing already worried Anthem clients.
It is recommended that organizations keep up with this type of follow-on activity as well as the breach itself. Targeted phishing emails are not just going to end users’ home addresses; these phishing emails and new waves of malware have been seen in corporate email systems as well. Awareness is key, and talking directly to employees about these types of attacks will not only benefit them but hopefully stop incursions into your network as well.
The Anthem breach, while unfortunate, should be an object lesson for all corporations today. The scope of the breach, and the attacks that were carried out to steal the information and keep access to the networks at Anthem, should be studied by anyone who has a network and data they want to protect. In the case of Anthem, it is becoming clearer not only that it was nation state actors but also that they had access to Anthem’s networks for a considerable amount of time before discovery.
As more information becomes available, the likelihood is that the initial incursion came from a phishing campaign using crafted look-alike domains (we11point.com etc.) to get users to click on links and install malware on their machines. This is a common tactic and something that every organization has problems with, as users are manipulated by actors who understand human nature.
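Look-alike domains of the we11point.com kind are detectable before a user ever clicks, because the substitutions attackers rely on (1 for l, 0 for o, rn for m) are a short, fixed list. The following Python is an added example, not code from the report or from Anthem: it folds those homoglyphs, compares the registrable label of each destination in a proxy log against a list of protected brand domains, and flags near-matches that are not the real domain. The protected-domain list (wellpoint.com, anthem.com), the homoglyph table, the similarity threshold and the proxy log lines are all constructed assumptions for the example.

```python
import re
from difflib import SequenceMatcher

# Brand domains to defend. Assumed for this example; a real deployment lists its own.
PROTECTED_DOMAINS = ["wellpoint.com", "anthem.com"]

# Substitutions that look alike in common fonts; multi-character keys are applied first.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}


def normalize(label):
    """Fold look-alike characters so 'we11point' and 'wellpoint' compare equal."""
    label = label.lower()
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def registrable(domain):
    """Crude registrable-domain extraction: the last two labels (adequate for .com-style names)."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_score(candidate, protected):
    """Similarity of the second-level labels after folding, from 0.0 (unrelated) to 1.0 (identical)."""
    a = normalize(registrable(candidate).split(".")[0])
    b = normalize(registrable(protected).split(".")[0])
    return SequenceMatcher(None, a, b).ratio()


def classify_domain(domain, protected=PROTECTED_DOMAINS, threshold=0.85):
    """Return (verdict, matched_protected_domain); verdict is 'legit', 'lookalike' or 'unrelated'."""
    reg = registrable(domain)
    for p in protected:
        if reg == p:                       # the real domain (or a subdomain of it) is never a look-alike
            return "legit", p
    best = max(protected, key=lambda p: lookalike_score(domain, p))
    if lookalike_score(domain, best) >= threshold:
        return "lookalike", best
    return "unrelated", None


# Constructed proxy log in a simple key=value form (not any vendor's real format).
SAMPLE_PROXY_LOG = """\
2015-02-10T09:12:01Z user=jdoe dst=www.we11point.com status=200
2015-02-10T09:12:44Z user=asmith dst=portal.wellpoint.com status=200
2015-02-10T09:13:10Z user=jdoe dst=cdn.example.org status=200
2015-02-10T09:14:02Z user=bking dst=anthern.com status=302
"""


def scan_proxy_log(text, protected=PROTECTED_DOMAINS):
    """Return [(user, destination, impersonated_domain)] for every line that reached a look-alike."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"user=(\S+)\s+dst=(\S+)", line)
        if not m:
            continue
        user, dst = m.groups()
        verdict, matched = classify_domain(dst, protected)
        if verdict == "lookalike":
            hits.append((user, dst, matched))
    return hits


if __name__ == "__main__":
    for user, dst, matched in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"ALERT user={user} reached {dst} (impersonates {matched})")
```

The same classifier applied to the sender domains of inbound mail, or to newly observed domains in DNS logs, gives early warning of the follow-on phishing waves described above. The two-label `registrable()` helper is deliberately simple; domains under multi-part suffixes (co.uk and the like) need a proper public-suffix list.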
Watch the Anthem story and consider how your networks could or could not use telemetry to detect undue traffic to known bad actor sites as well as anomalous traffic. In the case of Anthem, it was a sysadmin who first noticed that their account was being used on a system they had never logged into, and that is what started the incident response there. Every org is vulnerable to these tactics, and it is in the interest of every company to learn from others’ mistakes as well as from the modus operandi of the actors involved.
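The observation that started Anthem's response, an account used on a system its owner had never logged into, is exactly the kind of thing authentication telemetry can surface automatically instead of by luck. The Python below is an added example written for this report, not code from the original or from Anthem: it builds a per-account baseline of hosts and source addresses from a training window of logon events, then flags every later logon to a host, or from a source, that the account has never used. The key=value event format, the account names and the timestamps are constructed for the example and do not correspond to any real log source.

```python
import re
from collections import defaultdict

# Constructed logon events in a simple key=value form (not a real Windows or syslog format).
SAMPLE_AUTH_LOG = """\
2015-01-05T08:01:00Z event=logon user=sysadmin1 host=jump01 src=10.1.1.20
2015-01-06T08:03:00Z event=logon user=sysadmin1 host=jump01 src=10.1.1.20
2015-01-07T17:45:00Z event=logon user=sysadmin1 host=db-backup02 src=10.1.1.20
2015-01-20T09:00:00Z event=logon user=alice host=ws-alice src=10.1.5.7
2015-02-03T02:17:00Z event=logon user=sysadmin1 host=hr-dbprod01 src=10.9.9.9
2015-02-03T02:19:00Z event=logon user=sysadmin1 host=jump01 src=10.1.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=logon user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the key=value lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events, cutoff):
    """Hosts and sources each account used strictly before `cutoff` (ISO-8601 UTC strings sort lexically)."""
    hosts, sources = defaultdict(set), defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            hosts[e["user"]].add(e["host"])
            sources[e["user"]].add(e["src"])
    return hosts, sources


def find_novel_logons(events, cutoff):
    """Return (ts, user, reasons) for logons at or after cutoff that break the account's baseline.

    An account with no baseline at all (never seen before cutoff) is flagged on every logon,
    which is the desired behaviour for newly created or long-dormant accounts.
    """
    hosts, sources = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        reasons = []
        if e["host"] not in hosts[e["user"]]:
            reasons.append("first logon to host " + e["host"])
        if e["src"] not in sources[e["user"]]:
            reasons.append("first logon from source " + e["src"])
        if reasons:
            alerts.append((e["ts"], e["user"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in find_novel_logons(parse_events(SAMPLE_AUTH_LOG), "2015-02-01"):
        print(f"ALERT {ts} {user}: {'; '.join(reasons)}")
```

With the constructed data, only the 02:17 logon by sysadmin1 to hr-dbprod01 from an unfamiliar address is raised; the routine jump01 logon two minutes later is silent. In practice the baseline window should be long enough to cover normal rotation (on-call hosts, VPN address pools), and a first-seen alert on a privileged account is worth a phone call to its owner, which is the step that saved Anthem further dwell time.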
Superfish, a simple piece of adware installed on every system that Lenovo sold in the last couple of years, has upended public trust in the company’s products. This particular malware performed a man-in-the-middle attack against SSL traffic and routed the user to specific ads, which then paid Lenovo on the back end. This backfired on them once the malware was discovered.
While Lenovo claimed that the adware was harmless, it was shown that this software could easily be subverted to break into machines by setting up man-in-the-middle exploits, getting users to log into things with their credentials, and downloading malware. This is unacceptable and an object lesson in supply chain trust.
If one cannot trust the supply chain (e.g. laptops from Lenovo without malware pre-loaded), how can one trust that the systems being bought for one’s company are secure? This issue should be something that all companies consider not only when purchasing new equipment but also for those systems or appliances they may buy grey market online. Can you trust that the systems have not been tampered with?
Today the selling of “Threat Intelligence” is all the rage, but how useful is much of what is being sold? So far the focus of many vendors seems to be on “who” carried out the attacks and not so much on the how. While the who can be important in many ways, it is the least of your worries when dealing with an incident, and the how needs to be a key focus for companies.
By engaging companies that sell threat intelligence, a company can in fact gain a better foothold on protecting its networks and data. However, all too many companies are not prepared to really use the data these firms provide because they do not have enough insight into their own networks to start with. As such, it is key to know your own capabilities and to work with threat intelligence firms to set up feeds and methods that will help your company detect, deter and proactively mitigate ongoing campaigns.
It is recommended that when you look into threat intelligence feeds you first undertake a serious introspective look at your environment, its maturity, and its capabilities to truly leverage the data you are buying, rather than just having a feed as a check box in an auditor’s notebook.