Global Threat Intelligence Report April 2015
In the month of April the world saw much of the same tricks and hacks against companies, governments, and people carried out by the usual suspects. Needless to say, the fact of the matter is that today if you are online you are likely to be phished, hacked, infected with malware, or socially engineered. There are ways to attempt to avoid these things from happening to you but the in the aggregate you have to realize that everyone will get hacked and you will lose data. The difference though is that realizing it is one thing, to act against it is quite another.
The following threat intelligence report is to be used as a notional guide to show you what has happened within the last month in the way of new hacks and exploits and to point to areas of the CIA triad where you can bolster your security awareness. By seeing what has been happening perhaps you and your organization can seek remedies to security vulnerabilities that you have by insights in this document.
Social Media & Reputation Management In Danger from Easy Hacks
Lately there has been a spate of attacks on Twitter and other social media accounts that have raised the bar on schadenfreude for the month. Whether the issue stems from poor password systems security within the platforms like Twitter or just a persistent and creative group of adversaries, the outcome has been noticed.
The above link is only one in a multitude of attacks on Twitter and other social media accounts of late. The use of these types of attacks against companies is usually aimed at a goal of embarrassment to the entity being attacked. A secondary outcome from these attacks usually stems from poor password strength and most of all password re-use on more sensitive systems.
A tertiary effect is reputational loss due to the hacks on these accounts. Often times the accounts are then used to spread propaganda or just to shame the company/entity with the fact that they got hacked very publicly and in some cases used as a tool to spread hacked information from their own accounts. One should consider this whenever accounts like these are created and maintained. Insure that the passwords are not re-used, the systems that access it are secure and not of a sensitive nature, and that you use good password hygiene at all times including changing those passwords at regular intervals.
Passwords… Yeah, OPSEC Much?
It is bad enough when your TV station gets hacked and used as a platform for propaganda. It is quite another thing when the hack itself was caused by a password(s) being shared on your own TV stations broadcast. This is the case of the French TV station that got hacked by the Cyber Caliphate in April. This is what is called OPSEC failure in the world of information security.
The hack of TV 5 Monde in April stemmed directly from a segment that aired containing their sensitive passwords to systems at the station itself. The Cyber Caliphate, a pseudo aligned group with daesh (ISIL) must have seen the segment or heard online that the passwords were in the video. Once this happened they went to work on hacking the TV station altotgether. It is not known to what level the hackers had gained access to the network before they were shut down but it is assumed that they had gotten inside deep enough to cause havoc. The station shut itself down to remediate the issues but not before the Caliphate made it known they had been hacked.
The fundamental issue here though is that no one, not the videographers, the technical force there, nor the security people that they may have at Tv 5 Monde stopped this from happening in the first place. It is a complete lack of security awareness about passwords, their placement on screens or other media in a segment or online that is stunning in this case. It is important to note this story and to take pains to insure that you are not the next company to lose control of it’s networks due to simple security failures like simple passwords or their sharing in public media.
The Dangers of Insider Threats
The hack of the lottery by an insider is a classic signpost for anyone in information security. The aphorism goes something like this in this business; “The insider threat is the biggest threat”and this is absolutely true.
In the case of the great lottery job of 2015, the insider tried as best as he could to pull off the job of the century. This insider almost made it but lost in the end because of the logistics of claiming the prize that did him in. It seems that the insider could not get someone right away to claim the winnings and waited a year before trying to get prize.
The object lesson here is that this attacker worked for more than a year on his plan and bided time to collect the winnings. The insider subverted not only air gapped computers with a self destructing rootkit but also the camera systems that watched the room that they reside in. This should be a lesson for everyone running a security program. Remember the mantra; “The insider threat is the biggest one”How does one stop insider threats? Well that is the problem isn’t it? Consider looking into this issue at your company and assess what steps you can take to mitigate some of these attacks.
Average Time To Intervene In A Phishing Attack: One Minute Twenty Seconds:
Phishing… What can you say about phishing that hasn’t already been said? Well, I guess you could conduct a study and determine just how long you have as a security body to stop one from being successful. That seems to be a window of one minute and twenty seconds today.
Phishing and more to the point, spear phishing, are tactics that rely heavily on the end user and the psychology of the human animal. In that you have a period of just over a minute to attempt to intervene between a user and a clickable link, loaded file, or other methods to exploit the end user system one can see the immensity of the issue.
There are many means to attempt to stop these attacks from happening in the first place such as email sandboxing, malware and semantic detection through systems like spam sifting. However, the human being at the beginning of the attack chain will always find a way to subvert those systems and get the lure to the end user. This is why it is exceedingly important to understand the human psyche and to use that to train users to understand what phishing and spear phishing is.
As the primary attack vector today in most compromises, it is the duty of all security organizations to attempt to educate their users in a fashion that will give them real knowledge and not just wrote memorization. To understand the attacks and think like an attacker is probably the best way to deter attacks. As a security organization please consider this story and work on education programs as well as check up systems of self phishing end users to inculcate awareness. Technology alone cannot solve this problem and will only lead to the cycle continuing.
A Majority of Incidents Are Aided By The End Users:
As you just read above, it seems that the end user is the primary target today for attacks on organizations. Phishing emails, social engineering exploits, and poor user security hygiene most often than not leads to greater company compromise today.
In an era when the moat, castle, and portcullis (firewall) aren’t the arbiters of stopping attacks, one must then consider that the Troy fell to the Greeks by the use of a Trojan Horse. It amazes me that even today people still fall prey to the notion that they have some security technologies like a firewall and believe that they are good to go.
What this story should give you as a takeaway, along with the previous story on phishing in tandem, is that the end user is the key to 95% of the security threats we face today. Yet, many still believe that a technological solution alone is the way to go and that education for end users is pointless. The fact of the matter is that it is quite the opposite and more orgs should come to understand the human animal’s psychology to lead them to better security choices and educate them to do so.
If your org does not have a robust program of iterative security education for the end users, you are doing a disservice to the company and the end users. You will in the end, lose your battle much quicker and have larger compromises if you are not carrying out continuing security education.
Default Passwords; A Security Threat
Insanity: doing the same thing over and over again and expecting different results.
Default passwords on secure systems. This is an oxymoron yet it happens all of the time in networks and organizations. How is it that systems are placed on networks or facing the internet with these same defaults left in their original states?
Once again the human psyche seems to be at work in our security failures and foibles. All too often default passwords or default configurations are the cause of compromise for organizations that lead to great loss of data and reputation. Are these things just oversights by overtaxed network admins? Or is there just a lack of comprehension on the part of the workers and management within the security milieu?
As a security organization you should by default (ha ha) be seeking out these defaults with network vulnerability tools and testing to deny their use by others to access your networks. This is the lowest of low hanging fruit and yet it keeps happening.
RyanAir Hacked and Five Million Dollars Stolen Electronically:
Attacks on banking systems as well as other payment type systems are becoming more prevalent as well as creative. In the case of the Ryan Air compromise, the attackers knew their target and their ways very well indeed to carry out this hack and transfer of 5 million dollars.
This case is specifically of interest because of the way that the adversary used the daily operations of the company to transfer large sums of cash without raising a red flag internally. Like many companies Ryan Air, had a set of accounts and practices that could be leveraged by an astute attacker to make off with funds and not raise an eyebrow. In this case it was the accounts that are used to pay for re-fueling the planes.
Since the costs of fuel fluctuates this made these the perfect accounts because they often had high volume transactions with some regularity. In many companies you will also find such accounts and practices that could be leveraged by attackers to make off with money transfers that would not be noticed. As organizations you should consider looking at these high value accounts and consider means to track them more assiduously to detect and perhaps deter such attacks.
What’s Your Security Maturity Level?
Brian Krebs brings up a very important question when considering your security posture at a corporate level. In this piece he begs the question through a poll that was taken and data that shows how orgs tend to fail as security bodies. The maturity level of the company directly correlates to the level of threat that company faces from adversaries leveraging the lack of maturity to effect their goals.
One of the primary tenets of INFOSEC is that unless the security organization has buy in from the top and a clear channel to communicate, it will fail in it’s job. This is much of the point of the article and the data that Mr. Krebs is pointing out. Every organization should consider the data within this article and question what their organizational structure is and seek to better it if it is not already functioning at high level.
How does your org function? Can you get buy in from the CEO down? If not, you are not likely to be successful.
False Positives Sink Antivirus Ratings
Antivirus is problematic to start with. All too often it is seen as a panacea by the executives but the reality is that it is quite an imperfect system and must be used in tandem with a layered approach to mitigating attacks. With the prevalence of false positives we can see how just this one factor can lead to ratings hits as well as a sense of crying wolf.
The fact that AV has so many false positives as well as issues around patterns either not being up to date or missing often times makes the system a flawed one at best. Orgs should not be looking at the ratings of detection as much as the overall issues surrounding the efficacy of the products themselves as well as their balanced use in a layered approach.
Overall, orgs should look at their AV choices and implementations to determine where gaps exist in the efficacy of the programs technically and logically. Those gaps should then be closed with other means logically or technically to stop gap areas of concern. A single AV solution in an environment is futile as a means to protect your organization today.
New Malware Spreads Through Advertising Channels:
Malware campaigns spread via advertising channels is a stroke of genius for the adversaries. The prevalence of advertisements on sites and the ability to spread malware through them enables the attacks to geometrically progress.
An uptick in this activity has been seen in many channels and should be considered a clear and present danger. Once the malware channels have been created by taking over linkages to advertisements in sites and feeds the drive by potential is increased geometrically. Depending on the malware variants and the adversaries we could see quite an uptick in directed attacks.
A curated malware campaign by these attackers could conceivably be used to go after particular targets through the types of ads being used as the transmission point. Say that you were able to go after luxury item ads and inject malware into those who use them. The return on investment here by the adversaries could be huge. As well, given the prevalence for ads on sites today in every corner of the page, one imagines that this vector will become the go to method in the near future.
Banking Malware Now Using More Exotic Evasion Tactics:
The crimeware creators are taking cues from the advanced persistent threat crowd and building in features that will allow for not only greater compromise but longer periods of entrenchment in the victim networks. These factors will make crimeware the new APT and the APT seem like old hat.
As time has past we have seen the crimeware creators become more adept at integrating the tools and techniques of the advanced persistent threat set. In the case of this report we can see directly how the criminals have taken up the mantle of APT by using advanced techniques to keep persistence on the networks they are attacking.
As the technology gets more complex so too will the ability to detect and deter the attacks. In samples recently, malware of a more pedestrian nature via phishing exploits of a lower end type have shown to have malware that has been built to be network aware as well as sandbox aware. These escalations in techniques will require organizations to catch up to their level and have operations that can detect, reverse, and report on these attacks as their frequency and technological complexity rises. Orgs should invest in people and technologies to deal with these threats appropriately.
CISCO ASA Bug Allows Arbitrary Commands and DoS
A remote user on the local network can send specially crafted UDP packets to the target failover device via the failover interface to trigger a flaw in the failover IPSec feature and execute arbitrary configuration commands on the target device [CVE-2015-0675]. This can be exploited to take full control of the active and standby failover units.
This is another good example of a core system being attacked with code that could allow for greater compromise of a network. Please insure that your org is looking at these types of core systems and their feeds for vulnerabilities and patches that should be applied or investigated.
A remote user can send a specially crafted HTTP request to trigger a parsing flaw in the HTTP protocol stack (HTTP.sys) and execute arbitrary code on the target system. The code will run with System privileges.
This is another flawed that exists in common core features of the internet. As has been mentioned before it seems that the attackers are now going after core systems and protocols for larger effect today. Such vulnerabilities should be considered a clear and present danger being patched as soon as practicable.
Microsoft Security Bulletin April 2015
In Aprils patch Tuesday there were 27 vulnerabilities patched that ranged from critical to informational.
As with all systems, Microsoft has patches that are produced from alerts and events concerning their operating systems vulnerabilities. It is important that all orgs focus time on a monthly basis following up on Microsoft security patches that are put out each 2nd Tuesday of the month.
Microsoft, being what they are, is a bit of a monoculture in many networks and as such a compromise of one system likely will mean the compromise of the greater network because of trusts within the domain as well as weaknesses in the operating systems.
Please insure that your organization’s security group is involved with the patch cycle by involvement in the decision making of patching vulnerabilities per their criticality to your own environment.
Word Document to download and edit for your org HERE