2015 ANNUAL CTI REPORT
1
Foreword
“You don’t have to look further than the headlines. Organizations across
all industries, small and large, in the public and private sector, lack the
ability to detect the inevitable system compromise which rapidly expands
to a data breach.
But does a simple drive-by-download or successful phishing attack have
to result in a serious data breach? I don't think so. The key differentiator is
how quickly the initial incident can be detected, contained, and
eradicated.
Modern attacks focus more upon the endpoint devices and the user
sitting at the keyboard than they do upon finding the holes in the
perimeter defenses. It should be keeping us up at night that just one risky
click is all that stands between us and a massive data breach.
If we know we can’t be perfect 100% of the time, and the bad guys only
have to get it right once, what hope do we really have? Constant,
24/7/365 vigilance can help tip the scales back in our favor.
I believe we must adopt a mindset wherein we accept that a
compromise may happen at any time, through any number of channels
and, fully cognizant of that eventuality, focus on immediately detecting,
containing, and eradicating that compromise when it does happen.”
- Paul Caiazzo, Principal
TruShield Security Solutions, Inc.
Introduction
TruShield’s real-time security monitoring platform, Continuous Security Monitoring (CSM), was born
in 2011 after years of experience performing hundreds of risk assessments and incident response
engagements.
Our background in compromise assessments, security program development, risk assessments, and
compliance allows us to focus our investigation and remediation efforts not just on fixing individual
vulnerabilities, but also on identifying and addressing the root causes of those vulnerabilities.
Common causes we see are lack of a secure network architecture – including connections to
third-party service providers, incomplete or non-existent secure configuration baselines or device
hardening, and an inability to identify, test, and implement patches as they become available.
We saw time and again that regardless of spend, organizations lacked the ability to gain real-time
threat intelligence about their own environments. Our CSM solutions are designed to solve this
problem.
Our solution brings together data from a variety of client-environment sources such as security
appliances, servers, endpoints, Active Directory, and more. We leverage a broad threat
intelligence base to provide a threat-awareness platform that is on the leading edge of current
threat Tactics, Techniques, and Procedures (TTP). Our threat intelligence spans many sources
including paid and open source data feeds, as well as our own custom intelligence collected from
honeypots deployed worldwide.
The 2015 Cyber Threat Intelligence Report represents a year’s worth of problem-solving for clients
across a wide range of industries. We investigated 428 confirmed incidents caused by Spear
Phishing, Banking Trojans, Ransomware, Exploit Kits, Malvertising, Web Application Exploits, and
DDoS attacks.
43% of the incidents we investigated were in the financial industry, partially due to our client
profiles, and partially due to the sheer volume of threat traffic focused on the financial industry. We
additionally saw significant threat traffic bound for our government and critical infrastructure
clients, the legal industry, the retail and e-commerce industry, and the education industry.
The bottom line is, regardless of industry or market position, it is likely that you are on someone’s
target list. If your security program isn’t prepared to withstand the onslaught, there’s a good
chance your organization could experience a data breach, if you haven’t already.
Contents
Foreword 1
Introduction 2
A Year in Numbers 6
Monthly Security Events 7
January DGA17 Botnet Disrupted 7
February New Dyre Trojan Campaign 8
March Upatre Downloader Phishing Campaign 9
April Linux XOR DDoS Botnet 10
May Mumblehard Attacks on Linux Mail Servers 11
June PoSeidon Operation Dismantled 12
July 188,929 Threat Actors 13
August 3,000 SPAM Botnets 14
September Record Number of Exploit Kits 15
October DNS-based Reflected DDoS Attacks 16
November Three DDoS Attacks Blocked 16
December Juniper ScreenOS Attempt 17
Threat Dissection 18
i. Dark Web 18
ii. Ransomware 20
iii. Point-of-Sale (PoS) Malware 20
iv. Advanced Persistent Threats & Cyber-Espionage Operations 21
Global Distribution of Malicious Traffic 28
i. China: A State-Sponsored Campaign of Persistent Attacks 29
2016 Cybercrime Forecast 31
i. Costs of Cybercrime and Cybersecurity 31
ii. Records Compromised = 169,068,506 35
iii. Cybercrime-as-a-service 37
a. DDoS Attacks 37
b. Ransomware 38
c. Spear Phishing 38
iv. Industries Targeted 39
a. Legal 39
b. Critical infrastructure 40
c. Small and Medium-sized Businesses (SMBs) 41
Conclusions 43
Acknowledgement 45
References 46
Figures
Figure 1: Attack Vector Monthly Distribution 7
Figure 2: DGA17/Tempedreve Botnet 8
Figure 3: Malvertising Campaign Delivering Ransomware 13
Figure 4: Chrome Browser Malware Warning 15
Figure 5: DDoS Attacks 17
Figure 6: Malicious Activity Hosted on Tor 19
Figure 7: APT and Cyber-Espionage Timeline 22
Figure 8: Distribution of Attacks: June-December 28
Figure 9: Most Malicious Countries by Month 30
Figure 10: Cybercrime Global Economic Impact 31
Figure 11: Cybercrime Financial Cost Comparison Worldwide 32
Figure 12: Cyber-Attack Payout by Industry 33
Figure 13: Total Number of Records Compromised in the U.S. in 2015 35
A Year in Numbers
Security Events by Month: 2015
Figure 1. Attack Vector Monthly Distribution
January: DGA17 Botnet Disrupted
2015 started with plenty of action. In the first two weeks of the year, a
large botnet operation, called DGA17, was discovered to be attacking
one of our clients. The botnet had already compromised this network by
infecting dozens of endpoints including desktops, laptops, and mobile
devices. The majority of devices were infected by the Tempedreve botnet
malware, which attempted to connect via DNS calls to 195.26.22.248.
This IP address was located in Lisbon, Portugal and resolved to the
malware domain testingalwaysfiresyncpixel.com.
Figure 2. DGA17/Tempedreve Botnet
Although the domain was sinkholed by botnet experts from Anubis
Networks, the infected hosts continued to call home, leaving the client
exposed to further attacks. It took a large-scale effort that included the
containment and eradication of malware, overhauling the network security
architecture, and deploying our full-fledged CSM+ platform.
Since then, we used the information gathered from this client to identify
Indicators of Compromise (IoC) related to DGA17 across multiple clients,
especially in the financial, retail, legal, and utilities industries. All future
IoCs that we discovered were successfully mitigated.
February: New Dyre Trojan Campaign
In February, we exposed a new strain of Dyre, the infamous banking
Trojan. After being alerted by two leading threat intelligence providers,
we learned that government and financial organizations were being targeted
by Dyre, which rivals ZeuS and its successors in capability.
The new attack vector used for delivering the payload was a
sophisticated phishing campaign. The two verticals were targeted by
emails with a subject line reading “Document Important” or “Account
Report.” The email had attached a .zip file that delivered the malicious
payload when opened.
Dyre is known for its capability of stealing credentials and establishing
backdoor communication with remote attackers. At the time of the
attacks, just a handful of endpoint security firms had developed signatures
for the new Dyre.
One of the key components of defending against Dyre, or any malware
without a signature, is a sound security awareness training program
where users learn never to open files from unknown sources, or files
containing .zip or .exe attachments. Moreover, as part of a defense-in-
depth strategy, organizations should deploy a managed secure email
gateway capable of screening and blocking suspicious attachments.
Cleanup from Dyre was a long process, due in large part to problems
with this client’s containment strategy – a problem we helped them
resolve over the following months.
March: Upatre Downloader
Phishing Campaign
In March we encountered a vast phishing operation which delivered
Upatre. Upatre is only a downloader: it has a very small footprint and
exists in countless versions built to evade detection. Upatre is
known to deliver secondary payloads such as banking Trojans and
ransomware like CryptoWall. A lot of ransomware was present
throughout 2015, and much of it was a secondary payload delivered by
Upatre and other similar downloaders.
During this campaign, we identified 129 malware domains responsible for
delivering Upatre, and helped all of our clients prevent additional
payload delivery via these channels.
Upatre Secondary Payloads:
GameOver Zeus (GOZ): Banking Malware responsible for tens of millions of
dollars in losses.
Dyre or Dyreza: Banking Malware that targeted Bank of America,
Citibank, NatWest (United Kingdom), Royal Bank of Scotland, and Ulster
Bank (Ireland).
CryptoLocker: Ransomware Trojan operated by Command & Control
(C&C) Servers in the Dark Web (aka Tor).
Vawtrak (aka Snifula and Neverquest): Banking Malware that targeted
Bank of America, Capital One, Wells Fargo, Citibank, U.S. Bank, Fifth Third
Bank and Commerce Bank.
Rovnix: Rootkit that infects the Windows Volume Boot Record (VBR) so that
the PC downloads and runs other malware each time it starts.
April: Linux XOR DDoS Botnet
In April we battled more malware families than in any other month of the
year. Our SOC analysts fought 4 different worm varieties, 3 exploit kits, 3
ransomware families, 2 Linux Trojan families, and countless Windows
Trojans.
The Tempedreve Botnet (aka DGA17) reactivated and beaconed back
to its C&C server. After Forensic Analysis we determined that the infected
hosts were on a schedule to call back every 75 days. Fortunately, the
C&C domain was previously sinkholed, while our incident responders
restored impacted systems without any further damage.
In April we also detected an instance of the feared Linux XOR DDoS Trojan,
which combined a rootkit with backdoor communication to 103.25.9.228,
located in China. The malware is capable of infecting servers running
Linux and directing them to launch Distributed Denial of Service (DDoS)
attacks against pre-determined targets. The botnet behind this malware is
responsible for an average of 20 DDoS attacks a day, with the strongest in
excess of 150 Gbps. Linux XOR DDoS spreads via Secure Shell (SSH) services
on systems susceptible to brute-force attacks due to weak passwords, and
is capable of downloading and executing files, removing services,
installing modules, and updating itself.
Finally in April, we disrupted a Havex RAT operation. This malware targets
Industrial Control Systems (ICS) and Supervisory Control and Data
Acquisition (SCADA) systems. The attackers trojanized software available
for download from ICS/SCADA manufacturer websites in an effort to infect
the computers where that software is installed.
Furthermore, the cybercriminals use Havex to gain control of critical
infrastructure and launch more attacks against other victims. F-Secure
reported more than 88 different versions of this Trojan, which can be used
in cyber-espionage operations and kinetic cyber-attacks. Havex has been
seen to connect to 13 malicious domains and continues to be a serious
threat to ICS/SCADA systems.
May: Mumblehard Attacks on Linux Mail Servers
In May, we saw a dramatic increase in application exploitation. Adobe’s
products dominated the landscape, accounting for 60% of the total observed
exploits. We also saw Internet Explorer and OpenSSL exploitation attempts.
Moreover, a vulnerability in the Magento e-commerce platform took center
stage in one of our clients’ networks: three security bulletins were
exploited within 24 hours of disclosure (CVE-2015-1397, CVE-2015-1398, and
CVE-2015-1399). These critical weaknesses allow attackers to perform SQL
injection, bypass authentication, and execute remote file inclusion,
respectively.
TruShield security analysts also saw Mumblehard active in the wild. This
malware infects Linux and BSD systems running as email servers and uses
them to launch large spam campaigns. The malware, composed of a downloader
and a Trojan, was very effective, reaching an initial 9,000 infected host
IPs within a few months. We traced the origin of the attack to YELLSOFT,
a company that sells DirectMailer software for delivering bulk mail and is
believed to be based in Russia.
We detected and removed evidence of the Simda botnet, for which the
US-CERT issued Alert TA15-105A. Industry analysis indicated that Simda
enrolled more than 770,000 computers in the botnet, but our estimates
surpassed 1.5 million systems worldwide. The attack vectors included SQL
Injection, BlackHole Exploit Kit and different application vulnerabilities. In
our cases we observed a combination of Adobe Flash vulnerability and
Styx Exploit Kit.
June: PoSeidon Operation Dismantled
The first month of summer was very busy, with over 200,000 web-based
attacks. For the first time, the majority of attacks were generated from the
Russian Federation, with a significant percentage being conducted by
groups from this country.
The centerpiece was a large operation directed against clients in the
banking and retail industries that used the infamous PoSeidon malware as
its attack vector. The cybercrime ring used a newer technique called Fast
Flux DNS, rotating its DNS records on 60-second TTLs to obscure its
origins. As a result, we blacklisted more than 50 malware domains
responsible for spreading PoSeidon.
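The fast-flux behaviour described above (records rotated on very short TTLs across unrelated hosts) leaves a footprint in passive-DNS or resolver logs. The following is an added example written for this report, not TruShield's code: it parses constructed log records and flags domains whose answers have a TTL of 300 seconds or less and rotate across at least five addresses spread over at least three /16 ranges; the thresholds and the record format are assumptions, not values from the report.

```python
"""Flag fast-flux style DNS behaviour in passive-DNS records.

Added example for this report (not TruShield's code). Input records and
the detection thresholds are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed records in the form "<epoch> <qname> <rrtype> <ttl> <rdata>".
# update-stats.example: 60-second TTL, a new address in a different /16 on
# every answer (flux-like). cdn.example: 60-second TTL but all addresses in
# one /16, as a legitimate CDN might do. www.example: a stable, long-TTL host.
SAMPLE_RECORDS = """\
1433980800 update-stats.example A 60 203.0.113.10
1433980860 update-stats.example A 60 198.51.100.22
1433980920 update-stats.example A 60 192.0.2.77
1433980980 update-stats.example A 60 203.0.113.140
1433981040 update-stats.example A 60 198.51.100.201
1433981100 update-stats.example A 60 192.0.2.9
1433980800 cdn.example A 60 203.0.113.10
1433980860 cdn.example A 60 203.0.113.11
1433980920 cdn.example A 60 203.0.113.12
1433980980 cdn.example A 60 203.0.113.13
1433981040 cdn.example A 60 203.0.113.14
1433980800 www.example A 3600 198.51.100.5
1433984400 www.example A 3600 198.51.100.5
1433980800 mail.example MX 3600 10 mx1.example
"""

# Assumed thresholds: short TTL, many distinct addresses, and spread across
# several /16 ranges (a single CDN range usually stays within one or two).
MAX_TTL = 300
MIN_IPS = 5
MIN_PREFIXES = 3


@dataclass
class DomainStats:
    ttl_min: int = 1 << 31
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)  # /16 networks observed
    answers: int = 0


def parse_records(text):
    """Aggregate A-record answers per query name."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "A":
            continue  # skip blank lines and non-A records (MX, TXT, ...)
        _ts, qname, _rrtype, ttl, rdata = fields[:5]
        addr = ipaddress.ip_address(rdata)
        s = stats[qname.lower()]
        s.ttl_min = min(s.ttl_min, int(ttl))
        s.ips.add(str(addr))
        s.prefixes.add(str(ipaddress.ip_network(f"{addr}/16", strict=False)))
        s.answers += 1
    return stats


def is_fast_flux(s, max_ttl=MAX_TTL, min_ips=MIN_IPS, min_prefixes=MIN_PREFIXES):
    """All three conditions must hold: short TTL, many IPs, many /16 ranges."""
    return (s.ttl_min <= max_ttl
            and len(s.ips) >= min_ips
            and len(s.prefixes) >= min_prefixes)


def find_fast_flux(text):
    """Return the sorted list of query names that look like fast-flux domains."""
    return sorted(name for name, s in parse_records(text).items() if is_fast_flux(s))


if __name__ == "__main__":
    for name, s in sorted(parse_records(SAMPLE_RECORDS).items()):
        verdict = "FLUX" if is_fast_flux(s) else "ok"
        print(f"{name:24} ttl_min={s.ttl_min:<5} ips={len(s.ips)} "
              f"prefixes={len(s.prefixes)} {verdict}")
```

Running the block on the constructed records flags only update-stats.example; cdn.example has the same short TTL but stays in one /16, which is why a TTL check alone is too noisy.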
June was also the month that we recorded a 21% surge in application
exploits. The leader was Internet Explorer followed by Adobe Flash, and
Adobe Reader. June recorded a peak in Exploit Kits (EK), including the
hugely popular and versatile Angler.
Exploit Kits for June 2015:
EXPLOIT-KIT Angler
EXPLOIT-KIT Astrum
EXPLOIT-KIT CritX
EXPLOIT-KIT Fiesta
EXPLOIT-KIT Magnitude
EXPLOIT-KIT Nuclear
EXPLOIT-KIT Styx
We determined that the leading cause is still the window of opportunity
handed over to hackers by organizations that leave their critical systems
unpatched for extended periods of time. In many cases those systems go
unpatched for months or even years. It is always a goal of ours to get
clients on regular cyber hygiene programs where their inventories are kept
up to date, systems are hardened to a standard, and vulnerabilities are
patched as soon as the testing and approval process allows.
We also experienced a record breaking number of email bounce attacks,
in part due to the misconfiguration of email servers, with a peak of 2,499
attempts within 48 hours. Finally, security analysts defended the networks
against multiple banking Trojans that were delivered via phishing
campaigns.
July: 188,929 Threat Actors
Throughout July we monitored 188,929 threat actors, including spamming,
malware domains, and scanning hosts. A total of 474 Command &
Control servers were closely monitored in order to block any potential
botnet attacks. The majority of the C&C Servers were located in the
Netherlands, Germany, and France. Our SOC analysts also blocked
206,504 web-based attacks against our clients’ networks.
Our success story of the month was an active malvertising campaign that
we disrupted. During this event, we closely monitored and blocked
multiple drive-by-downloads carrying the Angler EK which was attempting
to exploit Adobe Flash Player Zero-day (CVE-2015-0311).
Figure 3. Malvertising Campaign Delivering Ransomware
The Zero-day vulnerability was impacting Windows OS, OS X, and Linux
platforms, while the EK was delivering the infamous CryptoWALL 3.0.
Throughout 2015, CryptoWALL made multiple appearances, and in the
majority of cases we saw, where there was CryptoWALL, there was Angler.
During this month we also witnessed a surge in Linux/UNIX malware,
including backdoors, worms, downloaders, and Trojans. We also blocked two
major banking Trojan campaigns delivering the credential-stealing ZeuS and
Dridex. Finally, we blocked an ongoing SeaDuke APT operation and
blacklisted multiple domains and subdomains responsible for delivery.
August: 3,000 SPAM Botnets
In August there was a 52% increase in attack sources, with over 286,133
threat actors, including spamming, malware domains, brute-force, and
scanning hosts. No less than 585 Command & Control
(C&C) servers were closely monitored in order to block any potential
botnet attacks. Most C&C Servers were located in the U.S., China, the
Netherlands, France, Bulgaria, Ukraine, Turkey, Russia, and Vietnam. We
also monitored and blocked over 3,000 SPAM botnets that were
attempting to overwhelm our clients’ mailing systems.
While the U.S. led as the source of the most web-based attacks (over
60%), the most malicious sources were hosted by China (34,535), followed
by the U.S. (21,981), Turkey (10,034), France (7,628), and the Netherlands
(4,051). Our SOC analysts, supported by multiple integrated threat
intelligence platforms, determined that the financial industry continued to
represent the most targeted vertical, followed by the legal industry.
August was the month we unveiled that two major U.S. universities were
compromised by cybercriminals. One of them, the University of Michigan’s
School of Electrical & Computer Engineering, was also the most malicious
source of the month. Our threat intelligence revealed that dynamically
assigned IP 78.176.131.113 residing in Turkey was responsible for using the
school’s open network as a platform to launch massive scans.
We closed the month of August with a cyber-espionage operation,
ransomware, and multiple banking Trojans.
September: Record Number of Exploit Kits
The Top 20 attacker countries were responsible for 141,290 exploit
attempts against our clients. While U.S.-based attacks saw a significant
reduction from 54% to less than 44%, China jumped from 12% to 17%. Even
more worrisome, the Russian Federation, which in August ranked fourth
with just over 3%, almost tripled its attacks in September.
During this month, we fought a Botnet using the Namospu Trojan which
had C&C servers located on the tiny island of Tokelau, the Netherlands,
and Spain. We also reconnected with an old friend: the infamous DGA17
botnet’s known IP range, resolving to anbtr[.]com. This was also the first
time we discovered and released the mastermind’s name, Matthew
Pynhas, who has more than 2,350 other known domains registered under
his email.
Figure 4. Chrome Browser Malware Warning
In September, we had the largest number of exploit kits, including Angler,
Fiesta, Goon, Infinity, and Nuclear. These EKs were mostly targeting a
record number of vulnerabilities in Adobe Flash and Adobe Player,
accounting for about 70% of all weaknesses. We also encountered a
backdoor on Cisco routers which allowed the attacker to load different
functional modules over the Internet. The modular backdoor would then
let the attackers maintain a persistent presence within the networks once
they had successfully infiltrated the routers.
October: DNS-based Reflected DDoS Attack
In October we witnessed 70% of all web-based attacks originating from
the U.S. rather than from other countries. The main reason behind this was
the significant drop in China-sourced attacks, from 23,340 in September to
only 3,394 in October. The 7-fold reduction in attacks was most likely due
to the September agreement between the U.S. and China, in which both
countries mutually agreed not to engage in activities such as intellectual
property theft and cyber-espionage.
Also during this month, we stopped a major phishing campaign that was
targeting one of our financial clients on the West Coast. We determined
the origin of the attack was a compromised email account belonging to
a state authority ending in .gov. After the initial assessment we notified
those authorities and the account was scrubbed.
Another large event was a DRDoS (distributed reflected denial of service)
attack against one of our clients in the legal industry. After the attack
was successfully diverted, we learned that the attacker was using a
misconfigured DNS server capable of an amplification factor of 100.
Next, we blocked an Android malware called Kemoge, which targeted all
recent platforms and was responsible for infecting a large number of
devices in 20 countries. The cybercrime ring responsible for Kemoge
uploaded fake “popular” apps to third-party app stores and promoted
the download links via websites and in-app ads.
We also experienced a record number of Adobe Flash Player instances
(78%) exploited by Angler EK. Lastly, we observed ActiveX plugin being
exploited by Neutrino EK.
November: Three DDoS Attacks Blocked
November saw China-based attacks return to “normal”, in other words
once again leading in terms of malware domains with 82,344. Attacks
from the U.S. fell to second place with 35,834 domains generating
malware. Other notable countries responsible for malicious activities were
Germany, France, the Netherlands, and Russia. In the U.S., we pinpointed
that the biggest cybercrime hubs are located in California, Michigan,
Kansas, and Washington State.
November was the month of DDoS attacks. The first two assaults were
made against Retail clients on 12th and 18th of November and were most
likely initiated by group[s] specialized in cyber extortion, probably a
copycat of the infamous criminal group DD4BC (DDoS for Bitcoins). The
third DDoS attack was against the Education industry and was meant to
obfuscate a malware intrusion.
Figure 5. DDoS Attacks
Next we dealt with the Sefnit Trojan, which attacks Windows platforms
from XP to 10. The campaign against the financial industry originated
from multiple domains with the .su suffix, which once belonged to the
Soviet Union and is currently used by Eastern European criminal groups.
Another major attack vector blocked was the first-ever OS X ransomware,
Mabouia. This particular ransomware escalated from proof-of-concept
to attacks in a matter of weeks.
December: Juniper ScreenOS Attempt
In December, we defended our clients against 233,400 web-based
attacks generated by the top 20 attacker countries. We were surprised
by new entries in our Top 20 most malicious countries. Among the Top 20
Attackers we noticed for the first time Costa Rica (3,803), Bulgaria
(1,451), and Italy (1,426).
We continued to see domain shadowing as one of the most common
techniques. Domain shadowing is when hackers create sub-domains of
popular shopping and entertainment sites which ultimately land users on
infected websites. As predicted, we saw spikes in malicious traffic, mainly
due to the holiday season, which ultimately led to a flurry of malware,
including multiple Point-of-Sale Trojans capable of scraping credit card
information, ransomware, and banking Trojans. We also experienced
two cyber-espionage operations attributed to APT groups.
Last but equally dangerous was the Juniper ScreenOS backdoor
incident. The backdoor found in ScreenOS (CVE-2015-7755 and
CVE-2015-7756) impacted multiple firewalls and routers by allowing
remote attackers to gain privileged access. The exploitation attempt was
blocked and the risk removed.
Threat Dissection
The Dark Web, Ransomware, Banking Trojans,
and PoS Malware
Dark Web
We continuously monitor and scrutinize the Dark Web. A decade ago
multiple projects were developed to promote anonymous browsing on
the Internet and ensure the privacy of users. Although the initial goal of
anonymous browsing was to protect users’ identities and even free
political speech, Dark Web (Tor) traffic has lately led to flourishing black
markets for cybercrime, cyber-espionage and terrorism, and a whole set
of other illegal activities (see the case of the drug marketplace Silk Road).
This is what is called the Dark Web, which should not be confused with
the Deep Web, the parts of the World Wide Web that are not searchable
by common engines such as Google or Bing. It is worth noting that
common search engines/crawlers index roughly 16% of the internet,
while the rest sits beyond reach.
To access the Dark Web one needs a special browser called Tor. Tor
stands for “The Onion Router” and represents a complex network of
public and private relays, VPNs, and proxies which allow the end-user to
hide their identity. By using a special version of the Mozilla Firefox browser
the user can access the regular Internet anonymously and, at the same
time, the Dark Web.
Figure 6. Malicious Activity Hosted on Tor
The Dark Web in general, and Tor in particular, offer a secure platform
for cybercriminals to support a vast amount of illegal activities — from
anonymous marketplaces and secure means of communication, to an
untraceable and difficult to shut down infrastructure for deploying
malware and botnets. More and more cybercriminals are hosting their
C&C servers on Tor to avoid detection, identification, and prosecution.
The digital currency Bitcoin also plays a significant part in funding these
operations by avoiding the normal scrutiny allocated to physical
currencies such as USD and EURO.
Ransomware
At TruShield we were able to map the months with most malicious traffic
to the highest amount of attempted Tor connections. In fact, we
pinpointed multiple Ransomware and Banking Trojan campaigns
originating from Tor or calling back home to the anonymous network. We
mapped Dyre, Upatre, and many custom Banking Trojans beaconing to
C&C servers hiding in Tor. In addition, we unveiled several ransomware
operations using CryptoWALL 2.0 and 3.0, Crypto Fortress, and
TorrentLocker as vectors.
Point-of-Sale (PoS) Malware
We defended our clients against multiple PoS malware campaigns during
2015. In June, we stopped the largest of them, an operation against one of
our financial clients that was potentially infected with PoSeidon malware.
We learned that the attacks stopped in 2015.
Global Operation Black Atlas was the most likely origin for specialized PoS
malware such as Center PoS, NewPoS, and Alina. As with similar
campaigns, the criminals were after credit card information scraped from
the RAM of the PoS. Of special interest is NewPoS, which is capable of
RAM scraping, keylogging, keep-alive reporting, and data transfer
sequencing.
Trend Micro discovered several healthcare providers and insurance
companies among the victims of Black Atlas. However, our SOC analysts
determined that the campaign also targeted SMBs in the retail and
financial industries. With the majority of victims located in U.S., the origins
of Black Atlas were traced to cybercriminal rings from the Russian
Federation, Romania, France, Latvia, and India.
Advanced Persistent Threats &
Cyber-Espionage Operations
While the beginning of 2015 was rather quiet, from May through
December we saw 10 separate instances of APT and cyber-espionage
operations that impacted our clients’ networks. However, it is important
to note that TruShield’s partners and clients were not directly targeted.
Stuxnet is the perfect example: it was initially conceived to take down
Iranian nuclear centrifuges, but once released in the wild it was used
against SCADA/ICS organizations across the world.
We have observed a major design flaw in Stuxnet and in other
weaponized malware such as Duqu and Flame. All of these pieces of
malware, designed for cyber-espionage and SCADA sabotage, lacked a
kill switch to destroy them. Because of this, the malware was reverse-
engineered and reused by cybercrime rings. Nevertheless, all attacks
against TruShield clients were diverted or blocked.
Major APT Groups
• APT Aurora – China
• APT1 – China
• APT3 – China
• APT12/IXESHE – China
• APT17 – China
• APT18/Wekby – China
• APT28/Sofacy – Russia
• APT30 – China
• APT “The Dukes” – Russia
• APT Poseidon – Brazil
Figure 7. APT and Cyber-Espionage Timeline
Desert Falcon
A group of cyber mercenaries believed to be located in the Middle East used a Trojan to launch successful operations against military and government organizations in Egypt, Palestine, Israel and Jordan. In total, more than 50 nations were impacted, and more than 1 million files were stolen from over 3,000 victims.
The Desert Falcon group used sophisticated social engineering and Spear Phishing schemes to lure their victims into downloading the payload. The criminals obfuscated the malicious files with the right-to-left override (RLO) technique, which reverses how the end of a file name is displayed so that .exe or .scr files appear to carry a harmless extension and go undetected by endpoint security solutions. Once the initial payload is delivered, the second stage begins by establishing backdoor communication and data exfiltration.
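The file-name trick described above can be checked for on the defender's side. The following Python script is an added example written for this report, not TruShield's tooling or code from any of the groups discussed: it looks for Unicode bidirectional control characters in a file name, reports the extension the operating system will really use, and approximates the name a naive renderer would display. The sample file names are constructed, and the list of executable extensions is an assumed policy choice.

```python
"""Detect right-to-left override (RLO) tricks in file names.

Added example for this report, not TruShield's tooling. A file named
"invoice<U+202E>fdp.exe" is rendered as "invoiceexe.pdf" by most file
browsers and mail clients, while the operating system still runs it as .exe.
"""
import os
import unicodedata

# Unicode bidirectional control characters that can reorder how a file name
# is displayed. U+202E (RLO) is the classic one used in the attacks above;
# the others are included because they can be abused the same way.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # embeddings / overrides
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates
    "\u200e", "\u200f",                                # directional marks
}

# Assumed policy list of extensions that should never hide behind a bidi trick.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control character in name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def true_extension(name):
    """Extension the operating system will actually use: strip the controls,
    then take whatever follows the last dot."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lower()


def displayed_name(name):
    """Approximate what a naive renderer shows: everything after the first
    U+202E is drawn right-to-left, i.e. reversed."""
    rlo = name.find("\u202e")
    if rlo == -1:
        return name
    return name[:rlo] + name[rlo + 1:][::-1]


def assess(name):
    """Classify a file name: clean, suspicious (bidi control present) or block
    (bidi control present and the real extension is executable)."""
    controls = find_bidi_controls(name)
    ext = true_extension(name)
    verdict = "clean"
    if controls:
        verdict = "block" if ext in EXECUTABLE_EXTENSIONS else "suspicious"
    return {
        "name": name,
        "displayed_as": displayed_name(name),
        "true_extension": ext,
        "bidi_controls": controls,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample attachment names, not real indicators.
    for sample in ("quarterly-report.pdf", "invoice\u202efdp.exe", "notes\u202etxt.docx"):
        print(assess(sample))
```

Run it over attachment names at a mail gateway or in an endpoint file-creation event stream: a name containing any bidi control that resolves to an executable extension is a straightforward block rule, while a bidi control on a non-executable name deserves a closer look rather than an automatic block.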
Wekby
This group is thought to be part of, or related to, the TG-0416, APT18, and Dynamite Panda hacking groups. The Wekby group is suspected of being responsible for multiple attacks against the healthcare industry and other
verticals over the last 3 years. What sets Wekby apart is that instead of using HTTP calls like other APTs, it communicates with its C&C servers via rogue DNS queries.
While in the past the group exploited Adobe Flash zero-days, the campaign launched in July used Spear Phishing as the method of malware delivery. The attackers impersonated a member of the organization’s IT support and helpdesk team. The malicious email then directed the victims to upgrade their Citrix agent or VPN client on the targeted system, which ultimately led to a system compromise.
CozyBear
CozyBear, also known as CozyDuke or CozyCar, is an Advanced Persistent Threat responsible for multiple cyber-espionage campaigns. This APT was found responsible for hacks against the Department of State and the White House towards the end of 2014 and the beginning of 2015. The malware is delivered via short media files which depict an “Office Monkeys” movie. It is considered part of “The Dukes” family.
Once the victim opens and runs the “very funny movie”, the executable launches a dropper responsible for evading the anti-virus solutions installed on the infected host. Next, the dropper harvests local system data and sends it to a compromised website. The malware’s configuration files are encrypted with RC4 keys, and the executables it releases are signed with fake certificates. Finally, communication with C&C servers is established and data exfiltration begins.
SeaDuke
This is a recent member of a family of weaponized malware that includes CozyDuke, MiniDuke, OnionDuke, and CosmicDuke. “The Dukes” group behind multiple cyber-espionage operations was found responsible for earlier campaigns against the U.S. and foreign governments using the CozyBear and CozyCar APTs. In contrast with CozyDuke, which aggressively targeted multiple industries, SeaDuke is apparently reserved for handpicked high-profile governmental and military organizations.
This APT uses HTTP/HTTPS calls for communication with C&C servers, which can mislead many network defense tools. Moreover, because there is no
database present on the C&C server, the Dukes’ operators instead opt for uploading specific tasks to each compromised network. This is another evasion tactic, reducing the APT’s overall footprint on the compromised systems.
Sofacy
The Sofacy group, which shares its name with the APT, has been active since 2008. It mostly targets military and foreign governments in the NATO arena and lately has been active against the Ukrainian Government. The Sofacy group, also known as APT28, is believed to be located in the Russian Federation and is possibly connected with, or sponsored by, its government. The Sofacy APT targets Windows, Linux, and iOS platforms.
In July/August, the group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows. We’ve seen exploitation of the Java zero-day CVE-2015-2590 against Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33. The group’s signature is the use of multiple backdoors within the same malware to avoid detection and removal while maintaining uninterrupted communication with C&C servers.
Black Coffee
This malware targets Windows platforms and can accept commands from a control server that allow it to execute shell commands, read/write files, obtain disk information, search files, enumerate and terminate processes, and more. The malware can also steal credentials from the infected computer. The Trojan is used by the Chinese group APT17, which used the TechNet (Microsoft Support) forum to disguise its C&C server.
The APT17 group created fake user profiles; the malware carried one or more URLs that linked to the biography sections of those attacker-created profiles, as well as to forum threads containing comments from the same profiles, where the encoded IP address of the C&C server was hidden. The malware then communicated directly with that IP address to receive commands and send stolen information. If the C&C server is discovered or shut down, the attackers can switch the encoded IP address on TechNet
to retain control of the victims’ machines. Microsoft has since disrupted the malicious activity.
Wild Neutron
This economic espionage operation, first seen in 2013 in attacks against Apple, Facebook, Twitter, and Microsoft, made a big comeback in 2015 by attacking legal firms, investment firms, and mergers & acquisitions conglomerates. The infection vector exploits unknown Flash Player vulnerabilities, and the malware has the ability to switch backdoor communication to alternate C&Cs in case the primary is taken down.
The malware is composed of a main backdoor module that first initiates communication with the C&C server; several information-gathering modules; exploitation tools; SSH-based exfiltration tools; and intermediate loaders and droppers that decrypt and run the payloads. Wild Neutron’s main backdoor module contains a number of evasion techniques designed to detect or time out sandboxes and emulation engines. This APT targets Windows and OS X platforms.
Hodoor
This is a Trojan capable of infecting Windows systems; multiple versions of the Windows operating system were found compromised by this APT, which establishes backdoor communication with remote attackers via C&C servers.
We have reported and blacklisted the following malware domains responsible for delivering Hodoor:
chamus.gmailboxes.com
chq.newsonet.net
cib.businessconsults.net
cibuc.blackcake.net
citrix.globalowa.com
climate.newsonet.net
clin.earthsolution.org
cman.blackcake.net
cook.globalowa.com
cool.newsonet.net
copierexpert.com
corp.purpledaily.com
count.blackcake.net
cov.arrowservice.net
covclient.arrowservice.net
coco.purpledaily.com
cok.purpledaily.com
comfile.softsolutionbox.net
contact.arrowservice.net
contact.ignorelist.com
contact.purpledaily.com
control.arrowservice.net
control.blackberrycluter.net
cow.arrowservice.net
cowboy.bigish.net
crab.arrowservice.net
crazycow.homenet.org
csba.bigdepression.net
csc.businessconsults.net
business.chileexe77.com
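Two points in this section translate directly into DNS log triage: Wekby’s use of rogue DNS queries as a C&C channel, and the Hodoor delivery domains blacklisted in the list just above. The following Python script is an added example written for this report, not TruShield’s monitoring platform: it parses an assumed four-column DNS query log (timestamp, client IP, query name, query type), matches each query against a blocklist containing a subset of the Hodoor domains (a query beneath a listed domain counts as a match), and flags client/domain pairs that issue many distinct long leftmost labels, the query shape typical of data tunnelled through DNS. The log lines, the c2-example.test domain and the thresholds are constructed assumptions.

```python
"""DNS query-log triage: blocklist matching plus a DNS-tunnelling heuristic.

Added example for this report, not TruShield's monitoring platform. The log
format, the c2-example.test domain and the thresholds are assumptions.
"""
import re
from collections import defaultdict

# Subset of the Hodoor delivery domains blacklisted above. A query matches if
# it equals a blocklisted name or sits anywhere beneath it.
BLOCKLIST = {
    "chamus.gmailboxes.com",
    "chq.newsonet.net",
    "cib.businessconsults.net",
    "citrix.globalowa.com",
    "control.arrowservice.net",
    "crazycow.homenet.org",
    "business.chileexe77.com",
}

# Constructed sample log. Assumed format: "<timestamp> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
2015-11-03T08:12:01Z 10.0.5.21 www.example.org A
2015-11-03T08:12:04Z 10.0.5.21 citrix.globalowa.com A
2015-11-03T08:12:09Z 10.0.5.44 update.control.arrowservice.net. A
2015-11-03T08:13:10Z 10.0.7.9 a1b2c3d4e5f60718.c2-example.test TXT
2015-11-03T08:13:11Z 10.0.7.9 9f8e7d6c5b4a3928.c2-example.test TXT
2015-11-03T08:13:12Z 10.0.7.9 0011223344556677.c2-example.test TXT
2015-11-03T08:13:13Z 10.0.7.9 8899aabbccddeeff.c2-example.test TXT
2015-11-03T08:13:14Z 10.0.7.9 ffeeddccbbaa9988.c2-example.test TXT
2015-11-03T08:13:15Z 10.0.7.9 1234567890abcdef.c2-example.test TXT
2015-11-03T08:14:00Z 10.0.5.21 mail.example.org MX
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into dicts; query names are lower-cased and the trailing
    dot of a fully qualified name is removed so that matching is uniform."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines rather than failing
        ts, client, qname, qtype = match.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def matches_blocklist(qname, blocklist=BLOCKLIST):
    """Return the blocklisted domain that qname equals or is a subdomain of,
    or None. Walking the labels from the left catches names beneath a listed
    domain without enumerating every possible subdomain in the list."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def registered_domain(qname):
    """Crude last-two-labels approximation; production code would use a
    public-suffix list."""
    return ".".join(qname.split(".")[-2:])


def find_tunnelling_candidates(records, min_unique=5, min_label_len=12):
    """Flag (client, domain) pairs that sent at least min_unique queries with
    distinct long leftmost labels: data encoded into hostnames is the usual
    shape of DNS-based C&C. Thresholds are assumptions to tune per environment."""
    seen = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) > 2 and len(labels[0]) >= min_label_len:
            seen[(r["client"], registered_domain(r["qname"]))].add(labels[0])
    return sorted((client, domain, len(subs))
                  for (client, domain), subs in seen.items() if len(subs) >= min_unique)


def triage(text):
    """Run both checks over a log and return the findings."""
    records = parse_log(text)
    ioc_hits = []
    for r in records:
        hit = matches_blocklist(r["qname"])
        if hit:
            ioc_hits.append((r["client"], r["qname"], hit))
    return {"ioc_hits": ioc_hits, "tunnelling": find_tunnelling_candidates(records)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The blocklist match is the high-confidence finding and can feed a block rule directly; the tunnelling heuristic only surfaces candidates, since CDNs, anti-spam checks and some telemetry agents produce similar query shapes, so its thresholds should be tuned against a baseline of the monitored network before it raises alerts.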
Arid Viper
This malware has been observed in the Middle East as part of Operation Arid Viper, also known as Desert Falcons. The cyber-espionage operation was first seen in 2011 and became increasingly active in targeting the government, financial, transportation, and education industries, especially in Palestine, Egypt, and Israel. The sophisticated malware includes various modules such as spyware, a keylogger, and backdoor communication. Arid Viper targets Windows and Android platforms.
The attack uses a Spear Phishing campaign that lures the victims into watching a video that depicts a violent car crash. Instead of embedded URLs, the malicious email leads the victim to download a RAR file. As soon as the RAR is downloaded it self-extracts the video file titled ‘this.morning’, which actually contains the malicious payload. Once the infection takes hold on the system, a backdoor communication channel is established to the C&C server and data exfiltration begins.
GlassRAT
This malware was only recently discovered but has in fact been around since at least September 2012. The RAT’s modules include reverse shell functionality that gives attackers access to the infected device. GlassRAT achieved zero antivirus detections by using forged code-signing certificates that appear to belong to a popular Chinese software developer.
Security researchers determined that the malicious domains used by GlassRAT as C&C servers overlapped with those of other known malware such as PlugX, MagicFire, and MirageFox. What makes GlassRAT unique is its use of the Adobe Flash Player icon to mask its dropper and ultimately stay stealthy for an extended period of time. Major vendors present on VirusTotal developed signatures only in late December, which means the ring could operate undetected for 3 years.
Gh0stRAT
This is a well-known remote access Trojan (RAT) commonly used in targeted attacks and widely available to both threat actors and cybercriminals alike. The RAT has been observed in the wild since 2001 and continues to pose a serious threat by adding new features such as:
• Taking full control of the remote screen on the infected bot.
• Providing real-time, as well as offline, keystroke logging.
• Providing a live feed of the webcam and/or microphone of the infected host.
• Downloading remote binaries onto the infected host.
• Taking control of the remote shutdown and reboot of the host.
• Disabling the infected computer’s pointer and keyboard input.
• Entering the infected host remotely via SSH.
• Providing a list of all active processes.
At the end of this section it’s important to highlight that while we’ve listed APTs and cyber-espionage campaigns separately, the lines between the two are most often blurry. Many cyber-espionage operations use one or multiple APTs to compromise the adversary’s systems. Likewise, so-called APT groups can be involved in cybercrime and espionage at the same time. In fact, for decades nation-state-sponsored intelligence communities have used cybercrime (e.g. stolen trade secrets and intellectual property) to fund their espionage operations.
Global Distribution of Malicious Traffic
We witnessed over 3 million attacks against our clients’ networks in 2015. The top 8 source countries alone accounted for almost 900,000 web-based attacks between June and December. The US continues to lead in the most malicious categories, including SPAM, Malware Domains, Phishing, DDoS, and Hacktivism.
Figure 8. Distribution Of Attacks June - December
Attacks originating in China and the Russian Federation continue to pose the biggest threat to our clients across all industries. Both countries generate a large volume of cybercrime and cyber-espionage activity. Russia currently has an estimated 20,000-plus individuals engaged in cybercrime, due in part to a subpar job market that does not offer career opportunities to its IT workforce. Another factor in the ever-increasing cybercrime market is that while exploit kits, ransomware, and banking Trojans used to sell for hundreds or even thousands of USD on the local underground market, their prices have now dropped three- to fourfold. As a result, hackers are more aggressive in pursuing new income avenues, especially Cybercrime-as-a-Service, where clients can hire them for Ransomware, DDoS, and other attacks. The hackers’ cut varies from 25 to 50 percent of the revenue.
While Chinese hackers still lead in scanning and brute-force attempts, the real issue is the nation-state cyber-espionage and APT groups. In fact, a recent survey of more than 17,000 IT specialists - more than half of whom hold management and executive positions - revealed that the majority are fearful of Chinese-backed cyber-attacks (89%), followed by Iran (67%), the Russian Federation (65%), North Korea (58%), and Syria (50%). To further support our statement, The Rise of Nation State Attacks survey listed among the most important objectives of nation-state attacks business disruption (73%), i.e. DDoS attacks, followed by cyber-espionage (56%), i.e. APT groups, and data exfiltration (44%), i.e. theft of intellectual property and trade secrets.
China: A State-Sponsored Campaign of Persistent Attacks
Timeline of China’s attacks:
• 2008 – Obama and McCain presidential campaign breach.
• 2010 – First reported APT: Operation Aurora against Google and 30 other companies, including major US defense contractors.
• 2011 – U.S. Chamber of Commerce is breached.
• 2012 – Jet Propulsion Laboratory is compromised.
• 2013 – Relatively unknown threat intelligence pioneer at the time (Mandiant) unveils China’s APT1, which marked the very first public exposure of their cyber warfare.
• 2014 – USPS attack exposes more than 800,000 government employees’ records.
• 2015 – Second OPM breach impacts 20+ million US citizens, including their clearance statuses.
• 2015 – Breaches at Anthem and Premera Blue Cross result in more than 100 million healthcare records compromised.
While China leads in terms of APT groups, Russia dominates Point-of-Sale malware. China also hosts the most malware domains and the most brute-force sources. Korean hosts rank second in web application (WEBAPP) and DDoS attacks, which is due to weak legislation.
On a special note, Brazil distinguishes itself as a leader in banking Trojans and in the underground market for malware. Brazil’s case is tied to expansive cheap Internet access, and it is also one of the countries with the highest levels of corruption among the G-20 largest economies. Moreover, Brazil has failed to implement sound legislation to enforce breach reporting. Finally, as recently reported, one of the longest-lasting APT groups – Poseidon – is believed to have roots in Brazil.
Figure 9. Most Malicious Actors by Month
As for the European countries, we have reported time and again that bulletproof hosting allows cybercrime rings to run a significant number of C&C servers in Germany, the Netherlands, and France. However, we noted in November that the Dutch authorities, in collaboration with the FBI and major companies, took significant steps to reduce cybercrime. The proof is in the numbers, which show a significant decrease in Dutch-based malicious activity, from 4,611 attacks in June to only 692 in December.
2016 Cybercrime Forecast
Costs of Cybercrime and Cybersecurity
In our hyper-connected world, the threats we see on a daily basis have evolved from hacktivists and script kiddies to new, sophisticated attacks by organized cybercrime groups. In fact, we witness an unprecedented level of sophisticated attacks on an ever-increasing scale. Financial and reputational losses have reached an almost unbearable cost for many small and medium-sized organizations.
The total cost in USD of cybercrime damages varies greatly between reputable sources due to differing methodologies and sample sizes. However, all of the reports seem to agree that the numbers are staggering and continue to rise.
Figure 10. Cybercrime Global Economic Impact
According to the Ponemon Institute, the average cost of cybercrime in 2015 for large organizations is:
• U.S. – $15.4 Million
• Germany – $7.5M
• Japan – $6.8M
• UK – $6.3M
• Brazil – $3.8M
• Australia – $3.5M
• The Russian Federation – $2.4M
Allianz Global reports that in 2015 the 10 largest economies suffered more
than $250 Billion in losses, while overall the world economy suffered an
estimate of $445 Billion.
Figure 11. Cybercrime Financial Cost Comparison Worldwide
The 10 largest economies in the world have all been impacted financially
by cybercrime. The U.S. is shouldering the financial burden with close to
50% of the total costs worldwide.
Figure 12. Cyber-Attack Payout by Industry
It is important to note that only 252 companies in 7 countries participated
in the survey. The study shows that costs continue to rise from 2014 to 2015.
Russia leads with a 29% increase, the U.S. 19%, the UK and Japan 14%,
Australia 13%, and Germany 8%.
However, Germany has the highest ratio of cybercrime cost to GDP, approximately 2.5 times that of the U.S. It is also important to note that globally, attacks recorded a 38% increase from 2014 to 2015, and a similar increase is expected for 2016.
The business disruption caused by DDoS attacks costs an average of over $400,000 and requires 19 days to fully restore operations. Those costs are associated with containment and eradication, loss of revenue, legal fees, and reputational damage. Likewise, the cost of Ransomware to enterprises is on the rise, averaging more than $15,000 but reaching as high as $125,000 per incident, while the total damage reported in 2015 for CryptoWall 3.0 is estimated at $325 Million.
On the bright side (if there is one), according to a recent survey, the majority of attacks are abandoned after 60 hours if no breach has been achieved. The total number of (reported) breaches reached 781 for the U.S., with more than 169 Million records exposed in 2015.
Another worrisome cost is associated with Spear Phishing, which represents 38% of all cyber-attacks, with an average cost of $1.6 Million per incident. Other reports show as much as $3.7 Million per Phishing incident, with half of that cost due to productivity loss.
Cyber Insurance
Insurance claims in 2015 are an additional aspect of breach-related costs. As pointed out before, enterprises cannot entirely transfer the risk to insurance companies. Instead, the organization must prove that it was exercising due care and due diligence. Although many companies strive to enhance their security posture by following regulations and industry best practices such as NIST, PCI-DSS, and ISO, they also purchase cyber insurance. It’s important to note that cyber insurers will not cover the entire extent of the damage, as in the case of Home Depot, which had a cyber insurance policy for $100 Million, yet total losses were more than double that amount.
While the cost of breaches in the U.S. continues to rise, from $1.6 Million in 2012 to $6.5 Million in 2015, cyber insurance is covering less – from $3.6 Million in 2012 to only $670,000 in 2015.
Records Compromised = 169,068,506
In 2015, we also observed the largest number of records compromised in any one year in the last 10 years. Healthcare not only dominates the landscape with 112,832,082 records compromised (67%) but also holds the second largest financial damages, as shown in the preceding section. Government breaches accounted for 20% of the total in 2015 with 34,222,763 records, followed by Business with 10%, or 16,191,017 records compromised.
Figure 13. Total Number of Records Compromised in the U.S. in 2015
All of this is perhaps even more staggering when viewed against the PwC
global study showing that organizations continue to increase their
spending in information security. In fact, in the US alone InfoSec budgets
have grown at almost double the rate of IT budgets between 2013 and
2015. Also, cybersecurity insurance is the fastest growing area for IT
security budgets. However, it is important to highlight the fine print of these
policies, since no insurance company will cover losses due to negligence.
Another worrisome aspect is that just over half of the companies are hiring
CSOs or CISOs while only 45% of organizations have their Board of
Directors involved in Information Security.
Moreover, the actual budget allocated to cybersecurity in 2015 was about $75 Billion globally, with an expected increase of less than 5% for 2016. Compared with the reports that estimate cyber-attacks will increase by 15 to 40 percent in 2016, that net increase in cybersecurity spending makes for an uphill battle.
In 2016 we’ll continue to witness the same slogan in many Boards of
Directors – “We are not a target” - when in fact every single organization
has its own trade secrets, Intellectual Property (IP), and financial data that
is attractive to hackers. The correct approach should be, “A security
incident is inevitable, we need to prepare to detect and eradicate as
quickly as possible.”
Even with the significant increase in IT security spending we saw a similar approach across the board. Organizations in different verticals, especially government and legal, are increasing their budgets for IT security appliances, with SIEM solutions in the lead. At the same time, they fail to clearly identify the level of effort required to correctly deploy, integrate, configure, maintain, and respond to alerts. Factoring the severe shortage of cybersecurity professionals into the equation makes the situation even worse.
Furthermore, one of our internal studies revealed that SIEM solutions are becoming more affordable, but organizations fail to take into consideration all of the costs required to get the right people and build a Security Operations Center (SOC) from scratch. Our estimates are that for every $100,000 spent on security technologies another $800,000 to $1,000,000 is needed to fully operationalize the SOC and begin to return value on the investment. And these are not one-time costs. Operating and maintaining a basic SOC requires annual costs upward of $1 million to $1.5 million. In fact, the majority of organizations are not even considering SIEM, IPS/IDS, DLP and other advanced technologies as part of Continuous Security Monitoring; instead they acquire them mainly for compliance.
The same report reveals that more than 80% of small to medium-sized businesses (SMBs) do not factor in the costs of a 24/7/365 security operation. Likewise, many organizations that purchase SIEM solutions are unpleasantly surprised by the amount of data those solutions produce. Their in-house resources are often overwhelmed by the number of security events, making it impossible to identify actual security incidents among the millions of false positives. As a result, the majority of SMBs end up shelving those platforms while their security posture remains highly vulnerable.
Cybercrime-as-a-service
In 2016, we expect cybercrime-for-hire services to flourish. In fact, not only is the scale of the underground market on the Dark Web worrisome, but the diversification of those services is a major cause for concern. We predict that criminal groups will expand their services across multiple attack vectors, especially DDoS, Spear Phishing, and Ransomware. It is crucial to highlight that 2016 will be dominated by identity theft and banking fraud. While stolen credit cards are worth only $4 apiece on the underground market, an individual’s date of birth (DOB) sells for about $11. Moreover, a combination of credit card number, SSN, and DOB belonging to the same individual commands $30.
DDoS Attacks
More and more attacks will be launched by professional hackers that are
hired to execute them. While in 2015 we continued to observe
disgruntled employees and customers reaching out to the underground
market to retaliate, this year we expect companies to hire “professionals”
to take down competitors’ websites and e-commerce portals. ‘DDoS for
Bitcoin’ aka DD4BC group is the most notable example that uses DDoS
attacks for extortion. Luckily Europol, in collaboration with authorities in
Bosnia and Herzegovina, Germany, France, Japan, Romania,
Switzerland, the UK and the US dismantled the group in a recent
operation. We expect more groups to launch similar for-hire DDoS
campaigns.
Forecast: Reflective DDoS (DRDoS) using common Internet protocols such as RPC, NTP, and DNS will be widely employed by cyber crooks. The length of those attacks will increase from an average of half a day in 2015 to 3-4 days in 2016.
In addition, DDoS attacks are expected to employ a “multi-vector”
technique which simultaneously targets infrastructure, applications, and
services that could lead to catastrophic losses. The size of attacks will also
grow to an average of 150-400 Gbps, and by 2018 is expected to reach
1Tbps. Another trend is to use smaller scale DDoS to cover other attack
vectors such as APT and banking Trojans.
Ransomware
The last 5 years have shown an upward trend in the use of Ransomware as part of cyber-extortion. 2016 will mark new heights in the development of Ransomware. Windows will continue to be the most targeted platform, followed by Android, due to their extensive market penetration. Mabouia marked the first serious threat against Apple OS X. An increasing trend will be the use of Ransomware against IoT, especially against smart TVs, which have become more widespread. We also expect to see the first waves of Ransomware targeting networked medical devices such as insulin dispensers, pacemakers and more.
While Ransomware targets both individual home users and corporations, 2016 will mark an explosion in the use of this vector against corporations. As noted in a recent report, the damages due to CryptoWall 3.0 surpassed $300 million in 2015, with enterprise-specific Ransomware constituting a very attractive target. Even though best practices across all industries advise keeping updated backups as assurance against Ransomware, this is not an effective method of preventing this type of attack.
Forecast: Development of the next generation of crypto-lockers capable of stealthily encrypting the last 30 days of files, and then only encrypting the ongoing files. In many cases backups are useless since very few enterprises actually test them periodically.
Spear Phishing
Underground cybercrime markets will utilize customized campaigns against potential victims. Enterprises are largely exposed to this attack vector. Sophisticated Spear Phishing schemes can also lead to the largest cost in financial and reputational damages.
In contrast with the Financial industry, which has additional mechanisms in place to prevent this (e.g. Separation of Duties, security awareness training), Retail and other industries are more vulnerable due to the lack of effective countermeasures.
This attack vector remains a top favorite among criminals due to the relatively low level of technical effort required. It is also one of the most effective ways of tricking victims. In fact, there are many ways of compromising computers via Spear Phishing. The most common are embedding malicious URLs within the body of the message and attaching files containing malware. A novel strategy is embedding malicious URL links within the attachment, which easily bypasses endpoint security and anti-malware engines. Spear Phishing continues to be the tool of choice during tax season in the US and is expected to play a major role in the 2016 Presidential Election.
Two notable Spear Phishing attacks have already been reported in 2016. The first delivered the infamous BlackEnergy malware, which took down the energy grid in Ukraine, by threat actors believed to be connected with Russian cyber warfare (aka Sandworm Team). The second was launched against the financial department of the European aerospace manufacturer FACC. The result of the attack was the siphoning off of €50 million in cash by unknown actors.
Forecast: 2016 will be a record year for successful Spear Phishing campaigns. Cybercrime, nation-state sponsored operations, APT groups and terrorist organizations will employ this highly effective strategy.
Industries Targeted
2016 will obviously still be a year of major breaches. Many will go undetected due to the lack of continuous monitoring, a defense-in-depth strategy, and executive team support. Healthcare, Financial, and Retail will be hit by Spear Phishing, banking Trojans, and PoS malware. E-commerce will be targeted by DDoS and DRDoS attacks, as well as web application attacks. Insider attacks due to negligence, lack of awareness, and disgruntled employees will contribute to significant reputational, legal, and financial losses.
Legal
The American Bar Association (ABA) has stated that law firms are major targets for cybercrime. The fact that lawyers hold immensely valuable data such as Intellectual Property (IP), Mergers and Acquisitions (M&A) insider information, and Personally Identifiable Information (PII) makes them targets.
Due to the lack of minimum cyber hygiene, lawyers, paralegals, and other related personnel are extremely vulnerable to Cybercrime-as-a-Service. Each and every computer compromised by one or more of the tools reviewed in this report will yield a goldmine to cybercrime rings. While a substantial percentage of law firms have taken some measures to safeguard this sensitive information, more needs to be done. The lack of direct regulation will also hinder improvements in security for law firms. In fact, most of those organizations that have started an information security program were actually pushed by their major clients. Legal departments of large banks acted on their worries by requiring their law firms to enhance security and even come into compliance with NIST and ISO standards.
One of the most vulnerable facets of law firms’ security is email. Lawyers and support staff transmit an enormous volume of sensitive information, many times through their personal email accounts. As has happened so many times before, email accounts provided free of charge have little or no security at all. To counter cyber threats against email, each law firm should implement a sound information security policy and at the same time enforce the use of a corporate email system. In addition, emails containing sensitive information should be encrypted. Lastly, archived emails should be encrypted to prevent any potential leakage.
Forecast: Mid-sized law firms that employ 50 to 150 attorneys will be primary targets for cyber attacks aimed at gaining unauthorized access to Intellectual Property and trade secrets.
Critical Infrastructure
There are multiple types of organizations that fall under this category, but the ones facing the most significant threats include utilities, especially the energy sector, the oil and gas industry, and water and wastewater treatment. Although breaches against these sectors don’t get the same high profile in the media, kinetic cyber-attacks can have a catastrophic impact, not only by interrupting delivery but also through physical destruction and human casualties.
ICS-CERT periodically publishes the number of incidents against SCADA/ICS organizations, and starting with 2010 we’ve seen an upward trend in attacks against industrial facilities. It is no coincidence that Stuxnet (2010) was the first malware designed to attack an ICS. It was launched against Iranian nuclear centrifuges and resulted in physical destruction.
While 2010 saw fewer than 50 attacks, the next year surpassed 200, and the number has stayed in the mid to upper 200s. It is crucial to note that many incidents go undetected due to the lack of continuous monitoring, or are simply not reported. While drills such as GridEx, organized every two years by the Department of Energy, are definitely helpful, many energy providers opt out.
In contrast with Internet-based traffic, where a plethora of vendors compete to sell their security appliances, very few venture into designing firewalls and other countermeasures capable of protecting ICS/SCADA systems. To make the situation worse, just a handful of managed security providers have the ability to monitor and respond to incidents related to industrial controls. Moreover, weaponized malware such as Stuxnet, Duqu, Flame, Gauss, and most recently BlackEnergy is capable of evading signature-based endpoint security.
Small and Medium Sized Businesses (SMBs)
Many reports show an increasing trend of attacks on large organizations and also against mergers and acquisitions (M&A). While big breaches will continue to make the news headlines, especially in the Retail and Financial industries, SMB intrusions will go largely unreported. Criminals take advantage of M&As between large organizations, especially while the two network architectures are being integrated. As expected, the goal is financial fraud and intellectual property theft. By contrast, we label many SMBs providing third-party services as “low-hanging fruit”, since many high-profile security breaches, such as in the case of Target, were carried out by infiltrating third-party vendors.
Forecast: We will see 200-300 attacks against Industrial Control Systems, including Denial of Service via weaponized malware, including strains capable of erasing SCADA systems, with the potential for casualties.
Forecast: Cyber-attacks against small and mid-sized businesses will increase 30% in 2016.
Moreover, SMBs receive less attention. Cyber criminals are expected to target giant retailers and banks, and few small and medium-sized enterprises consider themselves a target. However, in 2016 threat actors will focus their efforts more and more on SMBs because of the lower priority these businesses assign to cyber security. More often than large organizations, SMBs fail to determine the cyber risk to their business. Not only do SMBs lack a formal information security policy and proper IT security budgeting and staffing, they also lack a basic cyber awareness training program.
We believe that SMBs in the Legal, Financial, and Retail industries will be the most targeted by cyber-attacks in 2016. For this year we estimate that organizations with approximately 150 to 1,200 employees are the most vulnerable to ransomware, banking Trojans, phishing, and DDoS attacks. Despite the fact that Managed Security Services Providers (MSSPs) have made training SMB personnel against spear phishing a relatively inexpensive proposition, few companies actually hire outside experts.
Additionally, MSSPs of various sizes are competing to offer a much more attractive security posture than one developed in-house. Still, SMBs are hesitant to outsource their defense. Sadly, many enterprises in this category don’t perceive the extent of the damage they would suffer in the case of a breach. In contrast with larger organizations, which have a safety net in cyber insurance and significant contingency funds, SMBs could easily face extinction after an APT attack that exfiltrates their intellectual property and trade secrets, or a DDoS that leaves their clients without access to services.
Conclusions
Most of today’s organizations handle a massive amount of PII, financial information, and intellectual property. If these companies were to rely solely on the traditional approach to security based on anti-virus solutions and perimeter firewalls, their data could quickly be exfiltrated. Moreover, threats such as APTs, zero-day vulnerabilities, and polymorphic malware (or any malware without an available signature) cannot be stopped by a static network defense.
Contrary to what other names in the industry claim, continuous monitoring services are not just a collection of security platforms and technologies. At TruShield we believe it requires a holistic approach. Our team emphasizes its human capabilities in delivering our unique CSM services, including IDS/IPS Management, Next-gen Firewall Management, Endpoint Security Management, Mail Gateway and Internet Gateway Management, Managed Multi-Factor Authentication, Patch Management, Vulnerability Management, and many other managed security services.
TruShield’s concierge approach is unique in mitigating cyber threats. We go beyond the majority of Managed Security Service Providers. Our organization combines state-of-the-art Cyber Threat Intelligence and Continuous Security Monitoring with Defense-in-Depth and Zero-Trust network architecture. Offered as a complete or a tailored solution, TruShield’s adaptive security offering is one of the most effective approaches, allowing our clients to block and deter botnets, APTs, DDoS, zero-days, fileless malware, and malicious insider threats.
We rely on a mixture of cutting-edge technologies, the most up-to-date cyber threat intelligence (CTI), and expert human analysis when determining the criticality of each and every event. We ensure that the most recent Common Vulnerabilities and Exposures (CVE) entries reported by the National Vulnerability Database (NVD) are integrated within our tier-2 and tier-3 investigations, so we can identify an imminent cyber-attack before data exfiltration occurs.
Another key element in mitigating and managing cyber risk is TruShield’s extensive expertise in vulnerability management and disaster recovery solutions, which allows security architects and incident responders to apply real-world solutions in preventing, securing and, when the case requires it, restoring our clients’ critical systems.
Additionally, TruShield not only strives to implement security measures that ensure compliance, but also to exceed regulatory requirements and industry standards including FISMA, HIPAA, SOX, GLBA, PCI-DSS, and ISO.
TruShield is more than just a Managed Security Services Provider. We are an MSSP that provides the white-glove service your organization needs and deserves.
Acknowledgement
A special thank you to Alex Deac as the author, and Andrew Beach and Paul Caiazzo for contributing to the development of this report.
References
https://www.symantec.com/security_response/writeup.jsp?docid=2015-010823-3741-99&tabid=2
https://www.akamai.com/us/en/about/news/press/2015-press/xor-ddos-botnet-attacking-linux-machines.jsp
https://www.f-secure.com/v-descs/backdoor_w32_havex.shtml
http://www.securityweek.com/magento-flaw-exploited-wild-within-24-hours-after-disclosure
http://www.eset.com/int/about/press/articles/malware/article/linux-and-bsd-web-servers-at-risk-of-sophisticated-mumblehard-infection-says-eset/
http://www.interpol.int/en/News-and-media/News/2015/N2015-038
http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-in-taiwan-uses-infamous-gh0st-rat/
https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/
http://www.volexity.com/blog/?p=158
https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf
https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/
https://www2.fireeye.com/WEB-2015RPTAPT17.html
https://apt.securelist.com/#firstPage
http://www.securityweek.com/glassrat-malware-stayed-under-radar-years-rsa
http://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf
http://www.telegraph.co.uk/finance/newsbysector/industry/12122323/Mapped-The-worlds-most-corrupt-countries.html
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-north-american-underground.pdf
http://www.coindesk.com/individuals-tied-to-bitcoin-ddos-group-dd4bc-captured-in-europe/
http://cybersecurityventures.com/cybersecurity-market-report/
http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
http://www.agcs.allianz.com/assets/PDFs/risk%20bulletins/CyberRiskGuide.pdf
http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report/
https://ics-cert.us-cert.gov/sites/default/files/documents/ICS-CERT%20Incident%20Response%20Summary%20Report%20(2009-2011)_S508C.pdf
http://digitalforensicsmagazine.com/blogs/?p=1005&utm_source=hs_email&utm_medium
http://info.surfwatchlabs.com/law-firms-hunted-by-cybercriminals
http://info.wombatsecurity.com/hubfs/Ponemon_Institute_Cost_of_Phishing.pdf
http://www.facc.com/en/News/News-Press/EANS-Adhoc-FACC-AG-UPDATE-FACC-AG-Cyber-Fraud
https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/
https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/
http://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-part-2-tools-and-malware-used-and-how-to-detect-them/
http://www.threatgeek.com/2015/10/cyber-crime-eastern-europe-and-russia-continue-to-refine-operations.html
http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf
http://www.threatgeek.com/2015/09/taming-the-tiger-domestic-and-foreign-policy-complexities-in-curbing-chinas-cyber-espionage-campaign.html
http://www.countertack.com/ponemon-rise-of-nation-state-attacks-report
http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
http://www.csoonline.com/article/3028787/cyber-attacks-espionage/survey-average-successful-hack-nets-less-than-15-000.html
http://blog.cloudmark.com/2016/01/13/survey-spear-phishing-a-top-security-concern-to-enterprises/
http://www.netdiligence.com/downloads/NetDiligence_2015_Cyber_Claims_Study_093015.pdf
http://cybercampaigns.net/
Did you like our 2015 Annual CTI Report?
Visit our website at
www.trushieldinc.com
Check out our other great free resources including:
Monthly Cyber Intelligence Reports
Advisory Alerts to keep you in the know
Webinars, chock full of information