cyber threat intelligence · 2017. 10. 23. · global distribution of malicious traffic 28 i....

Cyber Threat Intelligence 2015 Annual Report www.Trushieldinc.com [email protected]



2015 ANNUAL CTI REPORT


Foreword

“You don’t have to look further than the headlines. Organizations across all industries, small and large, in the public and private sector, lack the ability to detect the inevitable system compromise which rapidly expands to a data breach.

But does a simple drive-by-download or successful phishing attack have to result in a serious data breach? I don't think so. The key differentiator is how quickly the initial incident can be detected, contained, and eradicated.

Modern attacks focus more upon the endpoint devices and the user sitting at the keyboard than they do upon finding the holes in the perimeter defenses. It should be keeping us up at night that just one risky click is all that stands between us and a massive data breach.

If we know we can’t be perfect 100% of the time, and the bad guys only have to get it right once, what hope do we really have? Constant, 24/7/365 vigilance can help tip the scales back in our favor.

I believe we must adopt a mindset wherein we accept that a compromise may happen at any time, through any number of channels and, fully cognizant of that eventuality, focus on immediately detecting, containing, and eradicating that compromise when it does happen.”

- Paul Caiazzo, Principal

TruShield Security Solutions, Inc.


Introduction

TruShield’s real-time security monitoring platform, Continuous Security Monitoring (CSM), was born in 2011 after years of experience performing hundreds of risk assessments and incident response engagements.

Our background in compromise assessments, security program development, risk assessments, and compliance allows us to focus our investigation and remediation efforts not just on fixing individual vulnerabilities, but also on identifying and addressing their root causes. The root causes we see most often are the lack of a secure network architecture (including the connections to third-party service providers), incomplete or non-existent secure configuration baselines and device hardening, and an inability to identify, test, and deploy patches as they become available.

We saw time and again that, regardless of spend, organizations lacked real-time threat intelligence about their own environments. Our CSM solutions are designed to solve this problem.

Our solution brings together data from a variety of client-environment sources such as security appliances, servers, endpoints, Active Directory, and more. We leverage a broad threat intelligence base to provide a threat-awareness platform that keeps pace with current attacker Tactics, Techniques, and Procedures (TTPs). Our threat intelligence spans many sources, including paid and open-source data feeds as well as our own custom intelligence collected from honeypots deployed worldwide.

The 2015 Cyber Threat Intelligence Report represents a year’s worth of problem-solving for clients across a wide range of industries. We investigated 428 confirmed incidents caused by spear phishing, banking Trojans, ransomware, exploit kits, malvertising, web application exploits, and DDoS attacks.

43% of the incidents we investigated were in the financial industry, partly because of our client profile and partly because of the sheer volume of threat traffic aimed at that industry. We also saw significant threat traffic bound for our government and critical infrastructure clients, the legal industry, retail and e-commerce, and education.

The bottom line: regardless of industry or market position, you are probably on someone’s target list. If your security program isn’t prepared to withstand the onslaught, there is a good chance your organization will experience a data breach, if it hasn’t already.


Contents

Foreword
Introduction
A Year in Numbers
Monthly Security Events
January: DGA17 Botnet Disrupted
February: New Dyre Trojan Campaign
March: Upatre Downloader Phishing Campaign
April: Linux XOR DDoS Botnet
May: Mumblehard Attacks on Linux Mail Servers
June: PoSeidon Operation Dismantled
July: 188,929 Threat Actors
August: 3,000 SPAM Botnets
September: Record Number of Exploit Kits
October: DNS-based Reflected DDoS Attacks
November: Three DDoS Attacks Blocked
December: Juniper ScreenOS Attempt
Threat Dissection
i. Dark Web
ii. Ransomware
iii. Point-of-Sale (PoS) Malware
iv. Advanced Persistent Threats & Cyber-Espionage Operations
Global Distribution of Malicious Traffic
i. China: A State-Sponsored Campaign of Persistent Attacks
2016 Cybercrime Forecast
i. Costs of Cybercrime and Cybersecurity
ii. Records Compromised = 169,068,506
iii. Cybercrime-as-a-service
a. DDoS Attacks
b. Ransomware


Figures

Figure 1: Attack Vector Monthly Distribution
Figure 2: DGA17/Tempedreve Botnet
Figure 3: Malvertising Campaign Delivering Ransomware
Figure 4: Chrome Browser Malware Warning
Figure 5: DDoS Attacks
Figure 6: Malicious Activity Hosted on Tor
Figure 7: APT and Cyber-Espionage Timeline
Figure 8: Distribution of Attacks: June-December
Figure 9: Most Malicious Countries by Month
Figure 10: Cybercrime Global Economic Impact
Figure 11: Cybercrime Financial Cost Comparison Worldwide
Figure 12: Cyber-Attack Payout by Industry
Figure 13: Total Number of Records Compromised in the U.S. in 2015


Security Events by Month: 2015

Figure 1. Attack Vector Monthly Distribution

January: DGA17 Botnet Disrupted

2015 started with plenty of action. In the first two weeks of the year, a

large botnet operation, called DGA17, was discovered to be attacking

one of our clients. The botnet had already compromised this network by

infecting dozens of endpoints including desktops, laptops, and mobile

devices. The majority of devices were infected by the Tempedreve botnet

malware, which attempted to connect via DNS calls to 195.26.22.248.

This IP address was located in Lisbon, Portugal and resolved to the

malware domain testingalwaysfiresyncpixel.com.



Figure 2. DGA17/Tempedreve Botnet

Although the domain was sinkholed by botnet researchers at Anubis Networks, the infected hosts continued to call home (a sinkhole takes the operator’s control away, but it does not disinfect the hosts), leaving the client exposed to further attacks. Resolving the incident took a large-scale effort that included the containment and eradication of the malware, overhauling the network security architecture, and deploying our full-fledged CSM+ platform.

Since then, we have used the information gathered from this client to identify Indicators of Compromise (IoCs) related to DGA17 across multiple clients, especially in the financial, retail, legal, and utilities industries. Every further IoC we discovered was successfully mitigated.

February: New Dyre Trojan Campaign

In February, we exposed a new strain of Dyre, the infamous banking Trojan. After being alerted by two leading threat intelligence providers, we learned that government and financial organizations were being targeted by Dyre, which rivals ZeuS and its successors in capability.

The new attack vector used for delivering the payload was a sophisticated phishing campaign. The two verticals were targeted with emails whose subject line read “Document Important” or “Account Report.” Each email carried a .zip attachment that delivered the malicious payload when opened.

Dyre is known for stealing credentials and establishing backdoor communication with remote attackers. At the time of the attacks, only a handful of endpoint security vendors had signatures for the new Dyre variant.


One of the key components of defending against Dyre, or any malware without a signature, is a sound security awareness training program in which users learn never to open files from unknown sources, in particular .zip or .exe attachments. Moreover, because awareness alone cannot be relied on to stop every click, organizations should as part of a defense-in-depth strategy deploy a managed secure email gateway capable of screening and blocking suspicious attachments before they reach the user.

Cleanup from Dyre was a long process, due in large part to problems with this client’s containment strategy, a problem we helped them resolve over the following months.
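The attachment screening a secure email gateway performs can be sketched in a few dozen lines. The following Python is an added example, not TruShield’s or any vendor’s gateway code: it inspects an attachment by name and by magic bytes, opens zip archives in memory, and refuses anything it cannot inspect (encrypted members, suspicious compression ratios, deep nesting). The lure zip it builds is constructed for the example; only the “Account Report” lure name echoes the campaign above, and the blocked-extension list is illustrative rather than exhaustive.

```python
"""Attachment screening of the kind a secure email gateway performs (added example)."""
import io
import zipfile

# Extensions Windows will execute on double-click; a gateway blocks these
# outright, inside archives included. List is illustrative, not exhaustive.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
               ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".msi", ".jar")
MAX_NESTING = 2          # zip inside zip inside zip is itself a red flag
MAX_RATIO = 100          # decompression-bomb guard (file_size / compress_size)
MAX_MEMBER_BYTES = 8 * 1024 * 1024


def _member_findings(name, head):
    """Findings for one file given its name and its first bytes."""
    findings = []
    lower = name.lower()
    for ext in BLOCKED_EXT:
        if lower.endswith(ext):
            findings.append(f"blocked extension {ext}: {name}")
            break
    # Magic-byte check catches renamed executables ("invoice.pdf" that is a PE).
    if head.startswith(b"MZ"):
        findings.append(f"PE executable header regardless of name: {name}")
    return findings


def _scan_zip(data, depth):
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["claims to be a zip but is not parseable"]
    for info in archive.infolist():
        if info.is_dir():
            continue
        if info.flag_bits & 0x1:
            # Encrypted member: cannot be inspected, so it must not pass.
            findings.append(f"encrypted member, uninspectable: {info.filename}")
            continue
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            findings.append(f"compression ratio > {MAX_RATIO}: {info.filename}")
            continue
        with archive.open(info) as fh:
            content = fh.read(MAX_MEMBER_BYTES)
        findings += _member_findings(info.filename, content[:4])
        if content[:4] == b"PK\x03\x04":          # nested archive
            if depth + 1 > MAX_NESTING:
                findings.append(f"archive nested deeper than {MAX_NESTING}: {info.filename}")
            else:
                findings += _scan_zip(content, depth + 1)
    return findings


def screen_attachment(filename, data):
    """Return (allowed, findings) for one attachment as received by the gateway."""
    findings = _member_findings(filename, data[:4])
    if data[:4] == b"PK\x03\x04":
        findings += _scan_zip(data, depth=1)
    return (not findings, findings)


def build_sample_zip(malicious=True):
    """Constructed attachment: a zip like the "Account Report" lure, holding a
    double-extension file with a PE header, or only a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            zf.writestr("Account Report.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"Please find the report attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_sample_zip()), ("benign", build_sample_zip(False))):
        allowed, findings = screen_attachment("Account Report.zip", data)
        print(label, "ALLOW" if allowed else "BLOCK", findings)
```

The point of the magic-byte check is that a blocked-extension list alone is bypassed by renaming; the point of refusing encrypted members is that password-protected zips (password in the email body) were a standard way to get past gateways that only blocked what they could open.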

March: Upatre Downloader Phishing Campaign

In March we encountered a vast phishing operation that delivered Upatre. Upatre is only a downloader: it has a very small footprint and countless variants, most of which evade signature-based detection when first released. Upatre is known to deliver secondary payloads such as banking Trojans and ransomware like CryptoWall. A great deal of ransomware was present over 2015, and much of it arrived as a secondary payload delivered by Upatre and similar downloaders.

During this campaign, we identified 129 malware domains responsible for delivering Upatre, and helped all of our clients block additional payload delivery via these channels.

Upatre secondary payloads:

GameOver Zeus (GOZ): banking malware responsible for tens of millions of dollars in losses.

Dyre (Dyreza): banking malware that targeted Bank of America, Citibank, NatWest (United Kingdom), Royal Bank of Scotland, and Ulster Bank (Ireland).

CryptoLocker: ransomware Trojan whose Command & Control (C&C) servers were reachable through the Dark Web (Tor).

Vawtrak (aka Snifula and Neverquest): banking malware that targeted Bank of America, Capital One, Wells Fargo, Citibank, U.S. Bank, Fifth Third Bank, and Commerce Bank.

Rovnix: a bootkit that modifies the Windows Volume Boot Record (VBR) so that the machine downloads and runs other malware each time it starts.


April: Linux XOR DDoS Botnet

April brought more malware families than any other month of the year. Our SOC analysts fought 4 different worm varieties, 3 exploit kits, 3 ransomware families, 2 Linux Trojan families, and countless Windows Trojans.

The Tempedreve botnet (aka DGA17) reactivated and beaconed back to its C&C server. Forensic analysis determined that the infected hosts were on a schedule to call back every 75 days, which accounts for the gap between the January discovery and this reactivation. Fortunately, the C&C domain had previously been sinkholed, and our incident responders restored the affected systems without further damage.

In April we also detected an instance of the feared Linux XOR DDoS Trojan, which combined a rootkit with backdoor communication to 103.25.9.228, located in China. The malware infects Linux servers and directs them to launch Distributed Denial of Service (DDoS) attacks against pre-determined targets. The botnet behind this malware is responsible for an average of 20 DDoS attacks a day, the strongest in excess of 150 Gbps.

Linux XOR DDoS spreads via Secure Shell (SSH) services on systems susceptible to brute-force attacks because of weak passwords, and is capable of downloading and executing files, removing services, installing modules, and updating itself. Disabling password logins in favor of keys and locking out repeated failed logins remove the entry point it relies on.
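The brute-force entry that XOR DDoS relies on is visible in sshd’s own log before the backdoor ever appears. The following Python is an added example (not TruShield’s tooling) that counts failed logins per source inside a sliding window and, more importantly, flags a successful login from a source that was just brute-forcing, which is the moment of compromise. The log excerpt is constructed (RFC 5737 addresses, invented hostnames and PIDs); the regular expressions follow OpenSSH’s usual syslog wording, which varies a little between versions.

```python
"""SSH brute-force detection over sshd auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH syslog lines; exact wording varies slightly by version/distribution.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

# Constructed log excerpt. 198.51.100.7 sprays common account names and
# finally guesses a weak root password; 192.0.2.10 is a legitimate user who
# mistyped once.
SAMPLE_AUTH_LOG = """\
Apr 14 03:12:01 mail01 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Apr 14 03:12:03 mail01 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Apr 14 03:12:04 mail01 sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 40141 ssh2
Apr 14 03:12:06 mail01 sshd[2207]: Failed password for root from 198.51.100.7 port 40150 ssh2
Apr 14 03:12:07 mail01 sshd[2209]: Failed password for invalid user test from 198.51.100.7 port 40162 ssh2
Apr 14 03:12:09 mail01 sshd[2211]: Failed password for root from 198.51.100.7 port 40170 ssh2
Apr 14 03:12:11 mail01 sshd[2213]: Accepted password for root from 198.51.100.7 port 40181 ssh2
Apr 14 07:45:10 mail01 sshd[3390]: Failed password for alice from 192.0.2.10 port 51002 ssh2
Apr 14 07:45:15 mail01 sshd[3390]: Accepted password for alice from 192.0.2.10 port 51002 ssh2
"""


def _parse_ts(text, year=2015):
    """syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: {"failures", "users", "success_after_failures"}} for sources
    with >= threshold failed logins inside any window_seconds window.

    success_after_failures is the finding to page on: it is the moment an
    SSH-spread implant such as XOR DDoS gets in.
    """
    recent = defaultdict(deque)        # ip -> (timestamp, user) of recent failures
    alerts = {}
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts, ip, user = _parse_ts(m["ts"]), m["ip"], m["user"]
            q = recent[ip]
            q.append((ts, user))
            while q and (ts - q[0][0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(),
                                           "success_after_failures": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
            continue
        m = ACCEPTED.match(line)
        if m and m["ip"] in alerts:
            alerts[m["ip"]]["success_after_failures"] = True
    return alerts


if __name__ == "__main__":
    for ip, finding in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, finding)
```

Detection is the second line; the first is sshd_config with PasswordAuthentication no and PermitRootLogin no, which turns the whole campaign into log noise.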

Finally in April, we disrupted a Havex RAT operation. This malware targets Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) environments. The attackers trojanized legitimate software installers offered for download on ICS/SCADA vendor websites, so that the computers on which the software was installed became infected.


Furthermore, the cybercriminals use Havex to gain control of critical infrastructure and launch further attacks against other victims. F-Secure reported more than 88 different versions of this Trojan, which can be used in cyber-espionage operations and kinetic cyber-attacks. Havex has been seen connecting to 13 malicious domains and continues to be a serious threat to ICS/SCADA systems.

May: Mumblehard Attacks on Linux Mail Servers

In May, we saw a dramatic increase in application exploitation. Adobe products dominated the landscape, with 60% of the observed exploits targeting them. We also saw Internet Explorer and OpenSSL exploitation attempts. Moreover, a set of vulnerabilities in the Magento e-commerce platform took center stage in one of our clients’ networks: three security bulletins (CVE-2015-1397, CVE-2015-1398, and CVE-2015-1399) were exploited within 24 hours of disclosure. Together these critical weaknesses allow an attacker to perform SQL injection, bypass authentication, and carry out remote file inclusion, which is why the patch window for Internet-facing e-commerce software has to be measured in hours rather than weeks.

TruShield security analysts also saw Mumblehard active in the wild. This Linux-specific malware infected Linux and BSD systems running as email servers and used them to launch large spam campaigns. The malware, composed of a downloader and a Trojan, was very effective, reaching 9,000 infected host IPs within a few months. We traced the origin of the attack to YELLSOFT, a company that sells the DirectMailer bulk-mailing software and is believed to be based in Russia.

We also detected and removed evidence of the Simda botnet, for which US-CERT issued Alert TA15-105A. Industry analysis indicated that Simda had enrolled more than 770,000 computers, but our own estimate surpassed 1.5 million systems worldwide. Its attack vectors included SQL injection, the BlackHole exploit kit, and various application vulnerabilities; in our cases we observed a combination of an Adobe Flash vulnerability and the Styx exploit kit.


June: PoSeidon Operation Dismantled

The first month of summer was very busy, with over 200,000 web-based attacks. For the first time, the majority of attacks originated from the Russian Federation, and a significant share of them were conducted by groups based in that country.

The centerpiece was a large operation directed against clients in the banking and retail industries whose attack vector was the infamous PoSeidon point-of-sale malware. The cybercrime ring used a newer technique called fast-flux DNS, rotating the addresses behind its domains with 60-second DNS TTLs to obscure its origins. In response, we blacklisted more than 50 malware domains responsible for spreading PoSeidon.
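Fast flux is a DNS-side behaviour, so it can be scored from resolver logs or passive DNS without touching the malware. The following Python is an added example (not TruShield’s tooling) of the usual heuristic: a short TTL combined with many distinct answers spread across unrelated address blocks inside one observation window. The observations are constructed (invented names, RFC 5737 addresses); the 60-second TTL is the figure the report gives. The CDN entry is there because a short TTL alone is not evidence: CDNs use them too, but answer from their own blocks.

```python
"""Fast-flux DNS heuristics over resolution observations (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS style observations: (seen_at, name, ttl_seconds, ip).
OBSERVATIONS = [
    ("2015-06-03T10:00:00", "update-pos.example", 60, "192.0.2.15"),
    ("2015-06-03T10:01:00", "update-pos.example", 60, "198.51.100.77"),
    ("2015-06-03T10:02:00", "update-pos.example", 60, "203.0.113.9"),
    ("2015-06-03T10:03:00", "update-pos.example", 60, "192.0.2.200"),
    ("2015-06-03T10:04:00", "update-pos.example", 60, "198.51.100.140"),
    ("2015-06-03T10:05:00", "update-pos.example", 60, "203.0.113.250"),
    # A CDN also uses short TTLs, but its addresses stay inside one block.
    ("2015-06-03T10:00:00", "static.cdn-example.net", 60, "203.0.113.10"),
    ("2015-06-03T10:01:00", "static.cdn-example.net", 60, "203.0.113.11"),
    ("2015-06-03T10:02:00", "static.cdn-example.net", 60, "203.0.113.12"),
    ("2015-06-03T10:03:00", "static.cdn-example.net", 60, "203.0.113.13"),
    ("2015-06-03T10:04:00", "static.cdn-example.net", 60, "203.0.113.14"),
    ("2015-06-03T10:05:00", "static.cdn-example.net", 60, "203.0.113.15"),
    # An ordinary site with a normal TTL and a stable answer.
    ("2015-06-03T10:00:00", "www.example.org", 3600, "192.0.2.1"),
    ("2015-06-03T11:00:00", "www.example.org", 3600, "192.0.2.1"),
]


def flux_report(observations, window=timedelta(hours=1), ttl_limit=300,
                min_ips=5, min_prefixes=3):
    """Per name: the largest set of distinct addresses seen inside any one
    window, how many /16 prefixes they span, the largest TTL, and whether the
    name is flagged. The prefix spread (a cheap stand-in for ASN diversity)
    is what separates flux from a CDN."""
    by_name = defaultdict(list)
    for seen, name, ttl, ip in observations:
        by_name[name.lower()].append((datetime.fromisoformat(seen), ttl, ip))
    report = {}
    for name, rows in by_name.items():
        rows.sort()
        best = {"ips": 0, "prefixes": 0, "max_ttl": 0, "flagged": False}
        for end, _, _ in rows:
            inside = [r for r in rows if end - window <= r[0] <= end]
            ips = {r[2] for r in inside}
            prefixes = {ipaddress.ip_network(f"{r[2]}/16", strict=False) for r in inside}
            max_ttl = max(r[1] for r in inside)
            if len(ips) > best["ips"]:
                best.update(ips=len(ips), prefixes=len(prefixes), max_ttl=max_ttl)
            if max_ttl <= ttl_limit and len(ips) >= min_ips and len(prefixes) >= min_prefixes:
                best["flagged"] = True
        report[name] = best
    return report


if __name__ == "__main__":
    for name, verdict in flux_report(OBSERVATIONS).items():
        print(name, verdict)
```

On real data the /16 proxy should be replaced by ASN lookups, and the thresholds tuned per environment; the structure of the score stays the same.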

June was also the month in which we recorded a 21% surge in application exploits. The leading target was Internet Explorer, followed by Adobe Flash and Adobe Reader. June recorded a peak in exploit kits (EKs), including the hugely popular and versatile Angler.

Exploit Kits for June 2015:

EXPLOIT-KIT Angler

EXPLOIT-KIT Astrum

EXPLOIT-KIT CritX

EXPLOIT-KIT Fiesta

EXPLOIT-KIT Magnitude

EXPLOIT-KIT Nuclear

EXPLOIT-KIT Styx

We determined that the leading cause is still the window of opportunity handed to attackers by organizations that leave critical systems unpatched for extended periods, in many cases for months or even years. It is always a goal of ours to get clients onto regular cyber-hygiene programs in which inventories are kept up to date, systems are hardened to a standard, and vulnerabilities are patched as soon as the testing and approval process allows.


We also experienced a record-breaking number of email bounce (backscatter) attacks, in part due to misconfigured email servers that accept mail for non-existent recipients and bounce it afterwards, with a peak of 2,499 attempts within 48 hours. Finally, security analysts defended the networks against multiple banking Trojans delivered via phishing campaigns.

July: 188,929 Threat Actors

Throughout July we monitored 188,929 threat actors, including spamming hosts, malware domains, and scanning hosts. A total of 474 Command & Control servers were closely monitored in order to block any potential botnet attacks; the majority were located in the Netherlands, Germany, and France. Our SOC analysts also blocked 206,504 web-based attacks against our clients’ networks.

Our success story of the month was an active malvertising campaign that we disrupted. During this event, we closely monitored and blocked multiple drive-by downloads carrying the Angler EK, which was attempting to exploit the Adobe Flash Player vulnerability CVE-2015-0311 (a zero-day when Angler first began using it earlier in the year).

Figure 3. Malvertising Campaign Delivering Ransomware

The vulnerability affected Flash Player on Windows, OS X, and Linux, while the EK was delivering the infamous CryptoWall 3.0. Throughout 2015, CryptoWall made multiple appearances, and in the majority of cases we saw, where there was CryptoWall, there was Angler.


During this month we also witnessed a surge in Linux/UNIX malware, including backdoors, worms, downloaders, and Trojans. We also blocked two major banking Trojan campaigns delivering the credential-stealing ZeuS and Dridex. Finally, we blocked an ongoing SeaDuke APT operation and blacklisted multiple domains and subdomains responsible for delivery.

August: 3,000 SPAM Botnets

In August there was a 52% increase in attack sources, with over 286,133 threat actors, including spamming hosts, malware domains, brute-force sources, and scanning hosts. No fewer than 585 Command & Control (C&C) servers were closely monitored in order to block any potential botnet attacks. Most C&C servers were located in the U.S., China, the Netherlands, France, Bulgaria, Ukraine, Turkey, Russia, and Vietnam. We also monitored and blocked over 3,000 spam botnets that were attempting to overwhelm our clients’ mail systems.

While the U.S. led as the source of most web-based attacks (over 60%), the most malicious sources were hosted in China (34,535), followed by the U.S. (21,981), Turkey (10,034), France (7,628), and the Netherlands (4,051). Our SOC analysts, working with multiple integrated threat intelligence platforms, determined that the financial industry continued to be the most targeted vertical, followed by the legal industry.

August was the month in which we found that two major U.S. universities had been compromised by cybercriminals. One of them, the University of Michigan’s School of Electrical & Computer Engineering, was also the most malicious source of the month. Our threat intelligence revealed that the dynamically assigned IP 78.176.131.113, residing in Turkey, was using the school’s open network as a platform to launch massive scans.

We closed the month of August with a cyber-espionage operation, ransomware, and multiple banking Trojans.


September: Record Number of Exploit Kits

The top 20 attacker countries were responsible for 141,290 exploit attempts against our clients. While U.S.-based attacks saw a significant reduction, from 54% to less than 44%, China jumped from 12% to 17%. Even more worrisome, the Russian Federation, which in August ranked fourth with just over 3%, almost tripled its attacks in September.

During this month, we fought a botnet using the Namospu Trojan, with C&C servers located on the tiny island of Tokelau, in the Netherlands, and in Spain. We also reconnected with an old friend: the infamous DGA17 botnet’s known IP range, now served from anbtr[.]com. This was also the first time we discovered and released the mastermind’s name, Matthew Pynhas, who has more than 2,350 other known domains registered under his email address.

Figure 4. Chrome Browser Malware Warning

In September, we saw the largest number of exploit kits, including Angler, Fiesta, Goon, Infinity, and Nuclear. These EKs mostly targeted a record number of vulnerabilities in Adobe Flash Player, which accounted for about 70% of all exploited weaknesses. We also encountered a backdoor on Cisco routers that allowed the attacker to load different functional modules over the Internet. The modular backdoor let the attackers maintain a persistent presence within the networks once they had successfully infiltrated the routers.


October: DNS-based Reflected DDoS Attack

In October, 70% of all web-based attacks originated from the U.S. The main reason was not a rise in U.S. activity but a significant drop in attacks sourced from China, from 23,340 in September to only 3,394 in October. This roughly seven-fold reduction was most likely due to the September agreement between the U.S. and China, in which both countries agreed not to engage in activities such as intellectual property theft and cyber-espionage.

Also during this month, we stopped a major phishing campaign targeting one of our financial clients on the West Coast. We determined that the origin of the attack was a compromised email account belonging to a state authority with a .gov domain. After the initial assessment we notified those authorities and the account was scrubbed.

Another large event was a DRDoS (Distributed Reflected Denial of Service) attack against one of our clients in the legal industry. After the attack was successfully diverted, we learned that the attacker was bouncing spoofed queries off a misconfigured DNS server that yielded an amplification factor of about 100: each byte of query sent with the victim’s forged source address produced roughly 100 bytes of response aimed at the victim.
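Seen from the resolver that is being abused, a reflection attack is two misconfigurations at once: recursion offered to the whole Internet, and large answers returned without any rate limit. The following Python is an added example (not TruShield’s tooling) that triages resolver response records for both: external clients being served recursively, and responses whose size multiplier makes them useful for reflection. The records and the allowed-recursion networks are constructed (RFC 5737 and RFC 1918 addresses); the ANY query with a 100x multiplier mirrors the factor quoted above.

```python
"""DNS reflection/amplification triage over resolver response records (added example)."""
import ipaddress

# Constructed resolver log: one dict per answered query. Sizes are bytes on
# the wire; rd is the query's recursion-desired flag.
RESPONSES = [
    {"src": "10.20.0.15", "qname": "mail.example.com", "qtype": "MX", "rd": True,
     "query_len": 46, "response_len": 310},
    {"src": "198.51.100.9", "qname": "example.net", "qtype": "ANY", "rd": True,
     "query_len": 45, "response_len": 4500},
    {"src": "198.51.100.9", "qname": "example.net", "qtype": "ANY", "rd": True,
     "query_len": 45, "response_len": 4500},
    {"src": "203.0.113.40", "qname": "www.example.net", "qtype": "A", "rd": True,
     "query_len": 49, "response_len": 110},
    {"src": "203.0.113.41", "qname": "example.net", "qtype": "TXT", "rd": False,
     "query_len": 47, "response_len": 1800},
]

# Networks this resolver is meant to recurse for (assumed for the example).
# Anything else asking with RD=1 is being served as an open resolver, the
# misconfiguration that lets an attacker reflect spoofed queries at a victim.
ALLOWED_RECURSION = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]


def amplification_factor(query_len, response_len):
    """Bytes of response produced per byte of query: the attacker's multiplier."""
    return response_len / query_len


def triage(responses, allowed=ALLOWED_RECURSION, factor_threshold=10.0):
    """Return (open_recursion_sources, amplified).

    open_recursion_sources: external clients that were served recursively.
    amplified: (src, qname, qtype, factor, external) for responses at or above
    factor_threshold. Note the authoritative TXT answer (rd=False) still shows
    up: an authoritative server reflects too, which is what response rate
    limiting is for.
    """
    open_sources = set()
    amplified = []
    for r in responses:
        src = ipaddress.ip_address(r["src"])
        external = not any(src in net for net in allowed)
        if r["rd"] and external:
            open_sources.add(r["src"])
        factor = amplification_factor(r["query_len"], r["response_len"])
        if factor >= factor_threshold:
            amplified.append((r["src"], r["qname"], r["qtype"], round(factor, 1), external))
    return sorted(open_sources), amplified


if __name__ == "__main__":
    open_src, amp = triage(RESPONSES)
    print("served recursion to external clients:", open_src)
    for row in amp:
        print("amplifying response:", row)
```

The fixes map directly onto the two findings: in BIND, allow-recursion restricted to the networks you serve, and rate-limit for authoritative answers; upstream of both, source-address validation at the network edge (BCP 38) is what stops the spoofed queries from being sent in the first place.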

Next, we blocked an Android malware called Kemoge, which targeted all recent Android versions and was responsible for infecting a large number of devices in 20 countries. The cybercrime ring responsible for Kemoge uploaded fake “popular” apps to third-party app stores and promoted the download links via websites and in-app ads.

We also experienced a record share of Adobe Flash Player exploitations (78%) by the Angler EK. Lastly, we observed an ActiveX plugin being exploited by the Neutrino EK.

November: Three DDoS Attacks Blocked

November saw China-based attacks coming back to “normal”, in other words leading in terms of malware domains, with 82,344. Attacks from the U.S. fell to second place with 35,834 domains serving malware. Other notable countries responsible for malicious activity were Germany, France, the Netherlands, and Russia. Within the U.S., we pinpointed the biggest cybercrime hubs in California, Michigan, Kansas, and Washington State.


November was the month of DDoS attacks. The first two assaults were made against retail clients on the 12th and 18th of November and were most likely initiated by a group or groups specializing in cyber extortion, probably a copycat of the infamous criminal group DD4BC (DDoS for Bitcoins). The third DDoS attack was against the education industry and was meant to mask a malware intrusion.

Figure 5. DDoS Attacks

Next we dealt with the Sefnit Trojan, which attacks Windows platforms from XP to 10. The campaign against the financial industry originated from multiple domains under the .su suffix, which once belonged to the Soviet Union and is now frequently abused by Eastern European cybercrime. Another major attack vector blocked was the first-ever OS X ransomware, Mabouia. This particular ransomware escalated from proof-of-concept to attacks in a matter of weeks.

December: Juniper ScreenOS Attempt

In December, we defended our clients against 233,400 web-based attacks generated by the top 20 attacker countries. We were surprised by new entries in our top 20 most malicious countries: for the first time we noticed Costa Rica (3,803), Bulgaria (1,451), and Italy (1,426).


We continued to see domain shadowing as one of the most common techniques. Domain shadowing is when attackers use stolen registrar credentials to create sub-domains under legitimate, popular shopping and entertainment sites, pointing them at attacker-controlled servers so that users ultimately land on infected websites; the parent domain’s reputation is what gets the sub-domain past reputation-based filters. As predicted, we saw spikes in malicious traffic, mainly due to the holiday season, which led to a flurry of malware, including multiple point-of-sale Trojans capable of scraping credit card information, ransomware, and banking Trojans. We also experienced two operations attributable to cyber-espionage and APT groups.
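Because a shadowed sub-domain is new, machine-named, and points somewhere the parent domain never has, it stands out in first-seen (passive DNS) data even though the parent domain is reputable. The following Python is an added example (not TruShield’s tooling) of that heuristic. The records are constructed (invented domains, RFC 5737 addresses); the registered-domain split assumes no country-code second-level domains, which production code would handle with the Public Suffix List.

```python
"""Domain-shadowing detection over passive-DNS first-seen records (added example)."""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed first-seen records: (first_seen, fqdn, ip). "shop.example" is a
# legitimate site on 192.0.2.10; five never-before-seen labels appear under it
# within hours, all resolving into a different network.
FIRST_SEEN = [
    ("2015-12-01T08:00:00", "shop.example", "192.0.2.10"),
    ("2015-12-01T08:00:00", "www.shop.example", "192.0.2.10"),
    ("2015-12-14T02:10:00", "x7k2pq9rm.shop.example", "203.0.113.21"),
    ("2015-12-14T02:11:00", "a3f9zlt0w.shop.example", "203.0.113.21"),
    ("2015-12-14T03:40:00", "qv81nd5ke.shop.example", "203.0.113.22"),
    ("2015-12-14T05:02:00", "h2b7mz4cy.shop.example", "203.0.113.22"),
    ("2015-12-14T06:15:00", "p9s3kx6rn.shop.example", "203.0.113.23"),
    # A normal new sub-domain: a real word, on the same address as its parent.
    ("2015-12-10T09:00:00", "tickets.example", "198.51.100.30"),
    ("2015-12-14T09:00:00", "blog.tickets.example", "198.51.100.30"),
]


def label_entropy(label):
    """Shannon entropy (bits/char) of a hostname label; machine-generated labels
    score higher than words like 'www' or 'blog'."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(fqdn):
    """Last two labels. Assumption for this example: no ccSLDs such as co.uk."""
    return ".".join(fqdn.lower().split(".")[-2:])


def find_shadowed(records, window=timedelta(hours=24), min_new=3, min_entropy=2.5):
    """Flag registered domains under which >= min_new new, high-entropy
    sub-domains appeared inside one window, resolving to addresses the apex
    (or its www) never used. Returns {domain: [suspicious fqdns]}."""
    rows = [(datetime.fromisoformat(t), fqdn.lower(), ip) for t, fqdn, ip in records]
    apex_ips = defaultdict(set)
    for _, fqdn, ip in rows:
        apex = registered_domain(fqdn)
        if fqdn in (apex, "www." + apex):
            apex_ips[apex].add(ip)
    candidates = defaultdict(list)
    for when, fqdn, ip in rows:
        apex = registered_domain(fqdn)
        if fqdn in (apex, "www." + apex) or ip in apex_ips[apex]:
            continue
        label = fqdn[: -len(apex) - 1].split(".")[0]      # leftmost label
        if label_entropy(label) >= min_entropy:
            candidates[apex].append((when, fqdn))
    flagged = {}
    for apex, items in candidates.items():
        items.sort()
        for start, _ in items:
            inside = [f for t, f in items if start <= t <= start + window]
            if len(inside) >= min_new:
                flagged[apex] = inside
                break
    return flagged


if __name__ == "__main__":
    for apex, names in find_shadowed(FIRST_SEEN).items():
        print(apex, "->", names)
```

The entropy threshold is a coarse filter and will miss dictionary-word labels; the stronger signal is the address test, since a legitimate new host almost always lands in the same hosting range as its parent.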

Last, but equally dangerous, was the Juniper ScreenOS backdoor incident. The unauthorized code found in ScreenOS (CVE-2015-7755, which lets a remote attacker gain administrative access over SSH or telnet with a hard-coded password, and CVE-2015-7756, which lets an attacker who knows the planted parameters decrypt VPN traffic) affected multiple firewalls and routers. The exploitation attempt against our client was blocked and the risk removed.

Threat Dissection

The Dark Web, Ransomware, Banking Trojans, and PoS Malware

Dark Web

We continuously monitor and scrutinize the Dark Web. A decade ago multiple projects were developed to promote anonymous browsing on the Internet and ensure the privacy of users. Although the initial goal of anonymous browsing was to protect users’ identity and even free political speech, Dark Web (Tor) traffic has lately fed flourishing black markets for cybercrime, cyber-espionage, terrorism, and a whole set of other illegal activities (see the case of the drug marketplace Silk Road).

This is what is called the Dark Web, which should not be confused with the Deep Web: the parts of the World Wide Web not indexed by common search engines such as Google or Bing. It is worth noting that common search engines and crawlers index roughly 16% of the Internet, while the rest sits beyond their reach.


To access the Dark Web one needs the Tor Browser. Tor stands for “The Onion Router” and is an overlay network of volunteer-run relays: traffic is encrypted in layers and passed through several relays so that no single relay knows both the user and the destination, which hides the user’s identity. The Tor Browser, a modified version of Mozilla Firefox, lets the user reach the regular Internet anonymously and, at the same time, reach the Dark Web’s hidden services.

Figure 6. Malicious Activity Hosted on Tor

The Dark Web in general, and Tor in particular, offer a secure platform for cybercriminals to support a vast amount of illegal activity: anonymous marketplaces, secure means of communication, and untraceable, difficult-to-shut-down infrastructure for deploying malware and botnets. More and more cybercriminals are hosting their C&C servers on Tor to avoid detection, identification, and prosecution. The digital currency Bitcoin also plays a significant part in funding these operations by avoiding the scrutiny applied to conventional currencies such as the USD and the EUR.



Ransomware

At TruShield we were able to map the months with the most malicious traffic to those with the highest number of attempted Tor connections. In fact, we pinpointed multiple Ransomware and Banking Trojan campaigns originating from Tor or calling back home to the anonymous network. We mapped Dyre, Upatre, and many custom Banking Trojans beaconing to C&C servers hiding in Tor. In addition, we unveiled several ransomware operations using CryptoWALL 2.0 and 3.0, Crypto Fortress, and TorrentLocker as vectors.

Point-of-Sale (PoS) Malware

We defended our clients against multiple PoS malware campaigns during 2015. In June, we stopped the largest operation against one of our financial clients, potentially infected with PoSeidon malware. We learned that the attacks stopped in 2015.

Global Operation Black Atlas was the most likely origin for specialized PoS malware such as Center PoS, NewPoS, and Alina. As with similar campaigns, the criminals were after credit card information scraped from the RAM of the PoS. Of special interest is NewPoS, which is capable of RAM scraping, keylogging, keep-alive reporting, and data transfer sequencing.

Trend Micro discovered several healthcare providers and insurance companies among the victims of Black Atlas. However, our SOC analysts determined that the campaign also targeted SMBs in the retail and financial industries. With the majority of victims located in the U.S., the origins of Black Atlas were traced to cybercriminal rings from the Russian Federation, Romania, France, Latvia, and India.



Advanced Persistent Threats & Cyber-Espionage Operations

While the beginning of 2015 was rather quiet, from May through December we saw 10 separate instances of APTs and Cyber-Espionage operations that impacted our clients’ networks. However, it is important to note that TruShield’s partners and clients were not directly targeted. A perfect example: the Stuxnet Trojan was initially conceived to take down Iranian nuclear centrifuges, but once released in the wild it was used against SCADA/ICS organizations across the world.

We have observed a major design flaw in the case of Stuxnet and other weaponized malware such as Duqu and Flame. All of these pieces of malware designed for cyber-espionage and SCADA sabotage were missing a kill switch to destroy them. Because of this, the malware was reverse-engineered and reused by cybercrime rings. Nevertheless, all attacks against TruShield clients were diverted or blocked.

Major APT Groups

• APT Aurora – China
• APT1 – China
• APT3 – China
• APT12/IXESHE – China
• APT17 – China
• APT18/Wekby – China
• APT28/Sofacy – Russia
• APT30 – China
• APT “The Dukes” – Russia
• APT Poseidon – Brazil



Figure 7. APT and Cyber-Espionage Timeline

Desert Falcon

A group of cyber mercenaries believed to be located in the Middle East used the Trojan of the same name to launch successful operations against the military and foreign governments of Egypt, Palestine, Israel and Jordan. A total of more than 50 nations were impacted, with a total of more than 1 million files stolen from over 3,000 victims.

The Desert Falcon group used sophisticated social engineering and Spear Phishing schemes to lure their victims into downloading the payload. The criminals were able to obfuscate the malicious files by using the right-to-left extension override technique, which allows .exe or .scr files to go undetected by endpoint security solutions. Once the initial payload is delivered, the second stage begins by establishing backdoor communication and data exfiltration.
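The right-to-left override trick described above relies on the Unicode RLO control character (U+202E): everything after it is rendered reversed, so a name stored as "report[RLO]fdp.exe" is displayed as "reportexe.pdf" while the operating system still sees and executes a .exe. The following check is an added example written for this page, not TruShield's tooling or the report's own code; the sample attachment names are constructed, and the set of executable extensions is an assumption to be tuned per environment. It compares the extension the OS will act on with the extension a user sees and flags the mismatch.

```python
"""Flag filenames that hide an executable extension behind a Unicode
right-to-left override (RLO) character.

Added example (not from the TruShield report). Runs offline on the
constructed sample names below; standard library only.
"""

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it is rendered reversed
# Bidirectional control characters that have no business in a filename.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}
# Extensions Windows executes on double-click (assumed list; extend as needed).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}


def strip_bidi(name):
    """Remove bidi control characters; this is the string the OS actually uses."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def extension(name):
    """Lower-cased extension of a name, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def displayed_name(name):
    """Approximate what a file manager renders: the run after an RLO is reversed.

    Only the first RLO is modelled, which covers the classic 'report<RLO>fdp.exe'
    trick; nested bidi embeddings are out of scope for this check.
    """
    if RLO not in name:
        return strip_bidi(name)
    head, _, tail = name.partition(RLO)
    return strip_bidi(head) + strip_bidi(tail)[::-1]


def analyze_filename(name):
    """Return actual vs. displayed extension and a verdict for one filename."""
    actual = strip_bidi(name)
    shown = displayed_name(name)
    actual_ext = extension(actual)
    shown_ext = extension(shown)
    has_bidi = actual != name
    return {
        "actual_name": actual,
        "displayed_name": shown,
        "actual_extension": actual_ext,
        "displayed_extension": shown_ext,
        "has_bidi_control": has_bidi,
        # Verdict: bidi trickery that makes an executable look like a document.
        "suspicious": (has_bidi and actual_ext in EXECUTABLE_EXTENSIONS
                       and actual_ext != shown_ext),
    }


def find_suspicious(names):
    """Return the names from an attachment list that trip the check."""
    return [n for n in names if analyze_filename(n)["suspicious"]]


# Constructed sample attachment names (not real indicators).
SAMPLE_NAMES = [
    "quarterly_report.pdf",      # benign, no control characters
    "report" + RLO + "fdp.exe",  # shown as 'reportexe.pdf', executes as .exe
    "photo" + RLO + "gpj.scr",   # shown as 'photorcs.jpg', executes as .scr
    "notes" + RLO + "txt.docx",  # has RLO but is not executable: warn, not flag
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = analyze_filename(n)
        print(f"{r['displayed_name']!r:24} real={r['actual_extension']:6} "
              f"bidi={r['has_bidi_control']!s:5} suspicious={r['suspicious']}")
```

Any bidi control character in an attachment name is worth a warning on its own (the fourth sample), but the hard alert is reserved for the case the report describes: a name whose real extension is executable and differs from the one the user sees.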

Wekby

This group is thought to be part of, or related to, the TG-0416, APT-18, and Dynamite Panda hacking groups. The Wekby group is suspected to be responsible for multiple attacks against the healthcare industry and other verticals over the last 3 years. What sets Wekby apart is that instead of using HTTP calls like other APTs, it communicates with its C&C servers via rogue DNS calls.

While in the past the group exploited Adobe Flash Zero-days, the campaign launched in July used Spear Phishing as a method of malware delivery. The attackers impersonated a member of the IT support and helpdesk team of the organization. Next, the malicious email directed the victims to upgrade their Citrix agent or VPN client on the targeted system, which ultimately led to a system compromise.
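C&C over DNS, as attributed to Wekby above, has to smuggle commands and stolen data inside query names, so the queries look different from normal lookups: many queries to one domain, each with a long subdomain label that never repeats and is close to random. The script below is an added example for this page (not TruShield's SOC logic or anything from the actor's tooling). It profiles a constructed DNS query log per registered domain and applies a simple scoring rule; the log format, thresholds, and the "last two labels" definition of a registered domain are all assumptions made for the example.

```python
"""Heuristic detection of DNS-based command-and-control beaconing.

Added example (not from the TruShield report). Scores each registered domain
in a DNS query log on the volume, uniqueness, length and character entropy of
its subdomain labels: tunnelled C&C encodes data in many long, never-repeating,
high-entropy labels, whereas ordinary lookups reuse a few short names.
"""
import math
from collections import defaultdict

# Thresholds are assumptions for the example; tune them on your own baseline.
MIN_QUERIES = 5          # ignore domains seen only a handful of times
MIN_UNIQUE_RATIO = 0.8   # share of queries that carry a never-seen subdomain
MIN_MEAN_LABEL_LEN = 16  # average subdomain length in characters
MIN_ENTROPY = 3.0        # bits per character over all subdomain text

# Constructed sample log, "timestamp client qtype qname" per line (not real data).
SAMPLE_LOG = """\
2015-07-14T09:00:01Z 10.0.0.5 A www.example.com
2015-07-14T09:00:02Z 10.0.0.5 A mail.example.com
2015-07-14T09:00:03Z 10.0.0.7 A www.example.com
2015-07-14T09:00:04Z 10.0.0.7 A static-assets.cdn-provider.test
2015-07-14T09:00:05Z 10.0.0.7 A static-assets.cdn-provider.test
2015-07-14T09:00:06Z 10.0.0.9 A static-assets.cdn-provider.test
2015-07-14T09:00:07Z 10.0.0.9 A static-assets.cdn-provider.test
2015-07-14T09:00:08Z 10.0.0.9 A static-assets.cdn-provider.test
2015-07-14T09:01:00Z 10.0.0.42 TXT 3f9a1c7e0b5d28460123.cdn-status.test
2015-07-14T09:01:30Z 10.0.0.42 TXT d04b8e2f6a1c95374567.cdn-status.test
2015-07-14T09:02:00Z 10.0.0.42 TXT 7c2e5a90f1b3d86489ab.cdn-status.test
2015-07-14T09:02:30Z 10.0.0.42 TXT a61f4d0c3b7e9258cdef.cdn-status.test
2015-07-14T09:03:00Z 10.0.0.42 TXT e83b6f1d9a0c24750123.cdn-status.test
2015-07-14T09:03:30Z 10.0.0.42 TXT 2a7d0e4b8c1f96354567.cdn-status.test
2015-07-14T09:04:00Z 10.0.0.42 TXT 5b0c3a8e7f2d194689ab.cdn-status.test
2015-07-14T09:04:30Z 10.0.0.42 TXT f14e9c6b0a3d7582cdef.cdn-status.test
"""


def shannon_entropy(text):
    """Bits per character of the text; 0.0 for empty input."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered_domain). The registered domain is taken as
    the last two labels, a simplification of what the Public Suffix List does."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, qtype, qname) from 'timestamp client qtype qname' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]


def analyze_dns_log(text):
    """Return {registered_domain: feature dict with a 'suspicious' verdict}."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                      "label_chars": 0, "text": []})
    for _client, _qtype, qname in parse_log(text):
        sub, domain = split_name(qname)
        d = per_domain[domain]
        stripped = sub.replace(".", "")      # entropy over label characters only
        d["queries"] += 1
        d["subdomains"].add(sub)
        d["label_chars"] += len(stripped)
        d["text"].append(stripped)

    report = {}
    for domain, d in per_domain.items():
        queries = d["queries"]
        unique_ratio = len(d["subdomains"]) / queries
        mean_len = d["label_chars"] / queries
        entropy = shannon_entropy("".join(d["text"]))
        report[domain] = {
            "queries": queries,
            "unique_subdomains": len(d["subdomains"]),
            "unique_ratio": unique_ratio,
            "mean_label_len": mean_len,
            "entropy": entropy,
            "suspicious": (queries >= MIN_QUERIES and unique_ratio >= MIN_UNIQUE_RATIO
                           and mean_len >= MIN_MEAN_LABEL_LEN and entropy >= MIN_ENTROPY),
        }
    return report


if __name__ == "__main__":
    for domain, f in sorted(analyze_dns_log(SAMPLE_LOG).items()):
        print(f"{domain:20} q={f['queries']:2} uniq={f['unique_ratio']:.2f} "
              f"len={f['mean_label_len']:5.1f} H={f['entropy']:.2f} "
              f"{'SUSPICIOUS' if f['suspicious'] else 'ok'}")
```

The CDN-style domain in the sample is queried just as often as the beaconing one but reuses a single short label, so only the second domain trips all four conditions. In production the same features produce false positives from content delivery networks, antivirus cloud lookups and DNS-based blocklists that legitimately encode hashes in labels, which is why the rule belongs behind an allow list rather than directly in front of a blocking action.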

CozyBear

CozyBear, also known as CozyDuke or CozyCar, is an Advanced Persistent Threat which is responsible for multiple cyber-espionage campaigns. This APT was found responsible for hacks against the Department of State and the White House towards the end of 2014 and the beginning of 2015. The malware is delivered via short media files which depict an “Office Monkeys” movie. It is considered part of “The Dukes” family.

Once the victim opens and runs the “very funny movie”, the executable launches a dropper which is responsible for evading the anti-virus solutions installed on the infected host. Next, the dropper harvests the local system data and sends it to a compromised website. The malware’s configuration files are encrypted with RC4 keys, and it also drops executables that are signed with fake certificates. Finally, communication with the C&C servers is established and data exfiltration begins.

SeaDuke

This is a recent member of a family of weaponized malware including CozyDuke, MiniDuke, OnionDuke, and CosmicDuke. “The Duke” group behind multiple cyber-espionage operations was found responsible for earlier campaigns against the U.S. and foreign governments by using the CozyBear APT and CozyCar APT. In contrast with CozyDuke, which was aggressively targeting multiple industries, SeaDuke is apparently reserved for handpicked high-profile governmental and military organizations.

This APT uses HTTP/HTTPS calls for communication with C&C servers, which can mislead many network defense tools. Moreover, because there is no database present on the C&C server, the Duke’s members instead opt for uploading specific tasks to each compromised network. This is another evasion tactic, reducing the overall footprint of the APT on the compromised systems.

Sofacy

The group with the same name as the APT has been active since 2008. It mostly targets military and foreign governments in the NATO arena and lately it’s been active against the Ukrainian Government. The Sofacy group, also known as APT28, is believed to be located in the Russian Federation and possibly is in connection with, or sponsored by, its government. Sofacy APT targets Windows, Linux, and iOS platforms.

In July/August, the group launched several waves of attacks relying on Zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows OS. We’ve seen exploitation of the Java Zero-day CVE-2015-2590 for Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33. The group’s signature is the use of multiple backdoors in the same malware to avoid detection and removal, while maintaining uninterrupted communication with C&C servers.

Black Coffee

This malware targets Windows platforms, and can accept commands from a control server that allow it to execute shell commands, read/write files, obtain disk information, search files, enumerate and terminate processes, and more. The malware can also steal credentials from the infected computer. The Trojan is used by the Chinese group APT17, and it used the TechNet (Microsoft Support) forum to disguise its C&C server.

The APT17 group created fake user profiles on TechNet; the malware contained one or more URLs that linked to the biography sections of these attacker-created profiles, as well as to forum threads that contained comments from those same profiles, where the encoded IP address of the C&C server was placed. The malware then communicated directly with that IP address to receive commands and send stolen information. If the C&C server is discovered or shut down, the attackers can switch the encoded IP address on TechNet to retain control of the victims’ machines. Microsoft has since disrupted the malicious activity.

Wild Neutron

The economic espionage operation first seen in 2013 in attacks against Apple, Facebook, Twitter, and Microsoft made a big comeback in 2015 by attacking legal firms, investment firms, and mergers & acquisitions conglomerates. The vector exploits unknown Flash Player vulnerabilities and has the ability to switch backdoor communication to alternate C&Cs in case the primary is taken down.

The malware is composed of a main backdoor module that first initiates communication with the C&C server; several information gathering modules; exploitation tools; SSH-based exfiltration tools; and intermediate loaders and droppers that decrypt and run the payloads. Wild Neutron’s main backdoor module contains a number of evasion techniques designed to detect or time out sandboxes and emulation engines. This APT targets Windows and OS X platforms.

Hodoor

This is a Trojan capable of infecting Windows systems. In fact, multiple Windows Operating Systems were found to be exploited by this APT, which establishes backdoor communication with remote attackers via C&C servers.

We have reported and blacklisted the following malware domains responsible for delivering Hodoor:

• chamus.gmailboxes.com
• chq.newsonet.net
• cib.businessconsults.net
• cibuc.blackcake.net
• citrix.globalowa.com
• climate.newsonet.net
• clin.earthsolution.org
• cman.blackcake.net
• cook.globalowa.com
• cool.newsonet.net
• copierexpert.com
• corp.purpledaily.com
• count.blackcake.net
• cov.arrowservice.net
• covclient.arrowservice.net
• coco.purpledaily.com
• cok.purpledaily.com
• comfile.softsolutionbox.net
• contact.arrowservice.net
• contact.ignorelist.com
• contact.purpledaily.com
• control.arrowservice.net
• control.blackberrycluter.net
• cow.arrowservice.net
• cowboy.bigish.net
• crab.arrowservice.net
• crazycow.homenet.org
• csba.bigdepression.net
• csc.businessconsults.net
• business.chileexe77.com

Arid Viper

This malware has been observed in the Middle East as part of Operation Arid Viper, also known as Desert Falcons. The cyber-espionage operation was first seen in 2011 and became increasingly active in targeting the government, financial, transportation, and education industries, especially in Palestine, Egypt, and Israel. The sophisticated malware includes various modules such as spyware, keylogger, and backdoor communication. Arid Viper targets Windows and Android platforms.

The attack uses a Spear Phishing campaign that lures the victims to watch a video that depicts a violent car crash. Instead of embedded URLs, the malicious email leads the victim to download a RAR file. As soon as the RAR is downloaded it self-extracts the video file titled ‘this.morning’, which actually contains the malicious video payload. Once the infection propagates to the system, a backdoor communication channel is established to the C&C server and data exfiltration begins.

GlassRAT

This malware was only recently discovered, but has in fact been around since at least September 2012. The RAT’s modules include reverse shell functionality that gives attackers access to the infected device. GlassRAT achieved zero detections by using forged security certificates that appear to belong to a popular Chinese software developer.

Security researchers determined that malicious domains used by GlassRAT as C&C servers overlapped with other known malware such as PlugX, MagicFire, and MirageFox. What makes GlassRAT unique is its ability to use the Adobe Flash Player icon to mask its dropper and ultimately stay stealthy for an extended period of time. Major vendors present in the VirusTotal engine developed signatures only in late December, which means the ring could operate undetected for 3 years.


Gh0stRAT

This is a well-known remote access Trojan (RAT) commonly used in targeted attacks and widely available to both threat actors and cybercriminals alike. The RAT has been observed in the wild since 2001 and continues to pose a serious threat by adding new features such as:

• Taking full control of the remote screen on the infected bot.
• Providing real time, as well as offline, keystroke logging.
• Providing a live feed of the webcam and/or microphone of the infected host.
• Downloading remote binaries on the infected remote host.
• Taking control of the remote shutdown and reboot of the host.
• Disabling the infected computer’s remote pointer and keyboard input.
• Entering into the remote infected host via SSH.
• Providing a list of all the active processes.

At the end of this section it’s important to highlight that while we’ve separately listed APTs and cyber-espionage campaigns, most often there are blurry lines between the two. Many cyber-espionage operations use one or multiple APTs to compromise the adversary’s systems. Likewise, so-called APT groups can be involved in cybercrime and espionage at the same time. In fact, it’s been the case for decades that nation- and state-sponsored intelligence communities have used cybercrime (e.g. stolen trade secrets and intellectual property) to fund their espionage operations.


Global Distribution of Malicious Traffic

We witnessed over 3 Million attacks against our clients’ networks in 2015. The top 8 countries alone accounted for almost 900,000 web-based attacks between June and December. The US continues to lead in the most malicious categories, including SPAM, Malware Domains, Phishing, DDoS, and Hacktivism.

Figure 8. Distribution Of Attacks June - December

Attacks originating in China and the Russian Federation continue to pose the biggest threat to our clients from all industries. Both countries generate a large volume of cybercrime and cyber-espionage activity. Russia currently has an estimated 20,000+ individuals engaged in cybercrime, due in part to the subpar job market that does not offer career opportunities to its IT workforce. Another factor in the ever-increasing cybercrime market is that while the local underground market prices for exploit kits, ransomware, and banking Trojans used to be in the hundreds or even thousands of USD, nowadays the values have dropped 3 to 4 times. As a result, hackers are more aggressive in gaining new income avenues, especially Cybercrime-as-a-Service, where clients can hire them for Ransomware, DDoS, and other attacks. The hackers’ cut varies from 25 to 50 percent of the revenue.


While Chinese hackers are still leading in scanning and Brute-force attempts, the real issue is the nation-state cyber-espionage and APT groups. In fact, a recent survey among more than 17,000 IT specialists - of which more than half were in management and executive positions - revealed that the majority are fearful of Chinese-backed cyber-attacks (89%), followed by Iran (67%), the Russian Federation (65%), North Korea (58%), and Syria (50%). To further support our statement, The Rise of Nation State Attacks survey listed among the most important objectives of nation-state attacks business disruption (73%), aka DDoS attacks, followed by cyber-espionage (56%), aka APT groups, and data exfiltration (44%), as in intellectual property and trade secrets theft.

China: A State-Sponsored Campaign of Persistent Attacks

Timeline of China’s attacks:

• 2008 – Obama and McCain presidential campaign breach.
• 2010 – First reported APT: Operation Aurora against Google and 30 other companies, including major US defense contractors.
• 2011 – U.S. Chamber of Commerce is breached.
• 2012 – Jet Propulsion Laboratory is compromised.
• 2013 – A relatively unknown threat intelligence pioneer at the time (Mandiant) unveils China’s APT1, which marked the very first public exposure of their cyber warfare.
• 2014 – USPS attack exposes more than 800,000 government employees’ records.
• 2015 – Second OPM breach impacts 20+ million US citizens, including their clearance statuses.
• 2015 – Breaches at Anthem and Premera Blue Cross result in more than 100 million healthcare records compromised.

While China leads in terms of APT groups, Russia dominates Point-of-Sale malware. China also hosts the most malware domains and leads in Brute Force. Korean hosts rank second in WEBAPP and DDoS attacks, which is due to weak legislation.


On a special note, Brazil distinguishes itself as a leader in banking Trojans and the underground market for malware. Brazil’s case is tied to expansive cheap Internet access, and it is also one of the countries with the highest levels of corruption within the G-20 largest economies. Moreover, Brazil has failed to implement sound legislation to enforce breach reporting. Finally, as recently reported, one of the longest lasting APT groups – Poseidon – is believed to have roots in Brazil.

Figure 9. Most Malicious Actors by Month

As for the European countries, we have reported time and again that bulletproof hosting allows cybercrime rings to run a significant number of C&C servers in Germany, the Netherlands, and France. However, we noted in November that the Netherlands’ authorities, in collaboration with the FBI and major companies, took significant steps in reducing cybercrime. The proof is in the numbers, which show a significant decrease in Dutch-based malicious activity, from 4,611 attacks in June to only 692 in December.


2016 Cybercrime Forecast

Costs of Cybercrime and Cybersecurity

In our hyper-connected world, the threats we see on a daily basis have evolved from hacktivists and script-kiddies to new, sophisticated means of attack by organized cybercrime groups. In fact, we witness an unprecedented level of sophisticated attacks on an ever increasing scale. Financial and reputational losses have reached an almost unbearable cost for many small and medium-sized organizations.

The total cost in USD of cybercrime damages seems to vary greatly between different reputable sources due to differing methodologies and sample sizes. However, all of the reports seem to agree that the numbers are staggering and continue to rise.

Figure 10. Cybercrime Global Economic Impact


According to the Ponemon Institute, the average cost of cybercrime in 2015 for large organizations is:

• U.S. – $15.4 Million
• Germany – $7.5M
• Japan – $6.8M
• UK – $6.3M
• Brazil – $3.8M
• Australia – $3.5M
• The Russian Federation – $2.4M

Allianz Global reports that in 2015 the 10 largest economies suffered more than $250 Billion in losses, while overall the world economy suffered an estimated $445 Billion.

Figure 11. Cybercrime Financial Cost Comparison Worldwide


The 10 largest economies in the world have all been impacted financially by cybercrime. The U.S. is shouldering the financial burden with close to 50% of the total costs worldwide.

Figure 12. Cyber-Attack Payout by Industry

It is important to note that only 252 companies in 7 countries participated in the survey. The study shows that costs continue to rise from 2014 to 2015. Russia leads with a 29% increase, the U.S. 19%, the UK and Japan 14%, Australia 13%, and Germany 8%.


However, Germany has the highest percentage of cybercrime cost relative to its GDP, approximately 2.5 times larger than the U.S. It is also important to note that globally, attacks recorded a hike of 38% from 2014 to 2015, and a similar increase is expected for 2016.

The business disruption caused by DDoS attacks costs an average of over $400,000 and requires 19 days to fully restore operations. Those costs are associated with containment and eradication, loss of revenue, legal fees, and reputational damage. Likewise, the costs of Ransomware on enterprises are on the rise, with an average of more than $15,000 but going as high as $125,000 per incident, while the total reported in 2015 for CryptoWALL 3.0 is estimated to be $325 Million in damages.

On the bright side (if there is one), according to a recent survey, the majority of attacks are dropped after 60 hours if there is no breach. The number of total (reported) breaches reached 781 for the U.S., with more than 169 Million records exposed in 2015.

Another worrisome cost is associated with Spear Phishing, which represents 38% of all cyber-attacks with an average cost of $1.6 Million per incident. Other reports show as much as $3.7 Million per Phishing incident, with half of that cost due to productivity loss.

Cyber Insurance

Insurance claims for 2015 reveal an additional aspect of breach-related costs. As pointed out before, enterprises cannot entirely transfer the risk to insurance companies. Instead, the organization must prove that it was taking due care and due diligence. Although many companies strive to enhance their security posture by following regulations and industry best practices such as NIST, PCI-DSS, and ISO, they also purchase cyber insurance. It’s important to note that cyber insurers will not cover the entire extent of the damage, as in the case of Home Depot, where they had a cyber insurance policy for $100 Million, yet total losses were more than double that amount.

While the cost of breaches in the U.S. continues to rise, from $1.6 Million in 2012 to $6.5 Million in 2015, cyber insurance is covering less – from $3.6 Million in 2012 to only $670,000 in 2015.


Records Compromised = 169,068,506

In 2015, we also observed the largest number of records compromised for any one year in the last 10 years. Healthcare is not only dominating the landscape with 112,832,082 records compromised (67%) but also holds the second largest financial damages, as shown in the preceding section. Government breaches also accounted for 20% of the total in 2015 with 34,222,763 records, followed by Business with 10%, 16,191,017 records compromised.

Figure 13. Total Number of Records Compromised in the U.S. in 2015

All of this is perhaps even more staggering when viewed against the PwC global study showing that organizations continue to increase their spending in information security. In fact, in the US alone InfoSec budgets have grown at almost double the rate of IT budgets between 2013 and 2015. Also, cybersecurity insurance is the fastest growing area for IT security budgets. However, it is important to highlight the fine print of these policies, since no insurance company will cover losses due to negligence. Another worrisome aspect is that just over half of the companies are hiring CSOs or CISOs, while only 45% of organizations have their Board of Directors involved in Information Security.


Moreover, the actual budget allocated to cybersecurity in 2015 was about $75 Billion globally, with an expected increase of less than 5% for 2016. Comparing this with all the reports that estimate cyber-attacks will increase by 15 to 40 percent in 2016, the net increase of cybersecurity spending proves to be an uphill battle.

In 2016 we’ll continue to witness the same slogan in many Boards of Directors – “We are not a target” - when in fact every single organization has its own trade secrets, Intellectual Property (IP), and financial data that is attractive to hackers. The correct approach should be, “A security incident is inevitable; we need to prepare to detect and eradicate it as quickly as possible.”

Even with the significant increase in IT security spending we saw a similar approach across the board. Organizations belonging to different verticals, especially government and legal, are increasing their budget toward IT security appliances, with SIEM solutions in the lead. At the same time, they fail to clearly identify the level of effort required to correctly deploy, integrate, configure, maintain, and respond to alerts. Factoring into the equation the severe shortage of cybersecurity professionals makes the situation even worse.

Furthermore, one of our internal studies revealed that SIEM solutions are becoming more affordable, but organizations fail to take into consideration all of the costs required to get the right people and build a Security Operations Center (SOC) from scratch. Our estimates are that for every $100,000 spent on security technologies another $800,000 to $1,000,000 is needed to fully operationalize the SOC and begin to return value for the investment. And these are not one-time costs. Operating and maintaining a basic SOC requires annual costs upward of $1 million to $1.5 million. In fact, the majority of organizations are not even considering SIEM, IPS/IDS, DLP and other advanced technologies as part of Continuous Security Monitoring; instead they acquire them mainly for compliance.


The same report reveals that more than 80% of small to medium-sized businesses (SMBs) do not factor in the costs for a 24/7/365 security operation. Alternately, many organizations that purchase SIEM solutions are unpleasantly surprised by the amount of data that SIEM solutions produce. Their in-house resources are often overwhelmed by the number of security events, making it impossible to identify actual security incidents among the millions of false positives. As a result, the majority of SMBs end up shelving those platforms while their security posture remains highly vulnerable.

Cybercrime-as-a-service

In 2016, we expect cybercrime-for-hire services to flourish. In fact, not only is the scale of the underground market on the Dark Web worrisome, its diversification is a major cause of concern. We predict that criminal groups will expand their services into multiple types of attack vectors, especially DDoS, Spear Phishing, and Ransomware. It is crucial to highlight that 2016 will be dominated by identity theft and banking fraud. While stolen credit cards are valued at only $4 per piece on the underground market, an individual’s date of birth (DOB) is sold for about $11. Moreover, a combination of credit card number, SSN, and DOB belonging to the same individual commands $30.

DDoS Attacks

More and more attacks will be launched by professional hackers that are hired to execute them. While in 2015 we continued to observe disgruntled employees and customers reaching out to the underground market to retaliate, this year we expect companies to hire “professionals” to take down competitors’ websites and e-commerce portals. The ‘DDoS for Bitcoin’ aka DD4BC group is the most notable example that uses DDoS attacks for extortion. Luckily Europol, in collaboration with authorities in Bosnia and Herzegovina, Germany, France, Japan, Romania, Switzerland, the UK and the US, dismantled the group in a recent operation. We expect more groups to launch similar for-hire DDoS campaigns.

Forecast: Reflective DDoS (DRDoS) abusing common Internet protocols such as RPC (portmap), NTP, and DNS will be widely employed by cyber crooks. The duration of those attacks will increase from an average of half a day in 2015 to 3-4 days in 2016.


In addition, DDoS attacks are expected to employ a "multi-vector" technique that simultaneously targets infrastructure, applications, and services and could lead to catastrophic losses. The size of attacks will also grow to an average of 150-400 Gbps and is expected to reach 1 Tbps by 2018. Another trend is the use of smaller-scale DDoS as cover for other attack vectors such as APT intrusions and banking Trojans. Reflection attacks depend on two preconditions that defenders can remove: spoofed source addresses, which source-address validation (BCP 38) at the network edge prevents, and publicly reachable services that answer with more bytes than they receive, such as open DNS resolvers, NTP servers with monlist enabled, and portmap exposed to the Internet.
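The reflection pattern the forecast above describes has a recognisable shape in flow telemetry: many distinct hosts, all answering from the same well-known UDP service port, send large packets to one destination that never queried them. The following Python block is an added example written for this report, not TruShield code; it runs over constructed NetFlow-style records (the tuple layout, the addresses and the thresholds are assumptions for illustration) and flags destinations that receive amplified responses from several reflectors at once.

```python
"""Flag DRDoS (reflection/amplification) victims in flow records.

Added example for this report, not TruShield code. The records are
constructed NetFlow-style tuples; the layout and thresholds are assumptions.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by their service port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 111: "portmap/RPC"}

# Constructed sample flows (not real telemetry):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    # Three NTP servers answering one host that never asked them: ~480 B/pkt,
    # the size of a monlist reply rather than a 48-byte time response.
    ("198.51.100.10", 123, "203.0.113.5", 40000, "udp", 48200, 100),
    ("198.51.100.11", 123, "203.0.113.5", 40000, "udp", 47100, 98),
    ("198.51.100.12", 123, "203.0.113.5", 40000, "udp", 49800, 103),
    # Four open resolvers returning ~3 KB answers (e.g. ANY) to the same host.
    ("198.51.100.20", 53, "203.0.113.5", 40000, "udp", 310000, 100),
    ("198.51.100.21", 53, "203.0.113.5", 40000, "udp", 305000, 99),
    ("198.51.100.22", 53, "203.0.113.5", 40000, "udp", 298000, 97),
    ("198.51.100.23", 53, "203.0.113.5", 40000, "udp", 312000, 101),
    # A normal NTP exchange: one small query, one small reply.
    ("203.0.113.7", 51234, "198.51.100.10", 123, "udp", 76, 1),
    ("198.51.100.10", 123, "203.0.113.7", 51234, "udp", 76, 1),
    # TCP from port 53 (zone transfer) cannot be spoofed reflection; ignored.
    ("198.51.100.30", 53, "203.0.113.9", 44444, "tcp", 90000, 80),
]


def find_reflection_victims(flows, min_reflectors=3, min_avg_pkt_bytes=400):
    """Group UDP flows whose *source* port is a reflector service by
    (destination, service). A destination that receives large packets from
    many distinct reflectors is being hit with spoofed-source amplification;
    answers to its own queries come from few servers and are small."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes, npkts in flows:
        if proto != "udp" or src_port not in REFLECTOR_PORTS:
            continue
        agg = per_victim[(dst_ip, REFLECTOR_PORTS[src_port])]
        agg["reflectors"].add(src_ip)
        agg["bytes"] += nbytes
        agg["packets"] += npkts

    findings = {}
    for key, agg in per_victim.items():
        avg = agg["bytes"] / agg["packets"] if agg["packets"] else 0.0
        if len(agg["reflectors"]) >= min_reflectors and avg >= min_avg_pkt_bytes:
            findings[key] = {
                "reflectors": len(agg["reflectors"]),
                "bytes": agg["bytes"],
                "avg_pkt_bytes": round(avg, 1),
            }
    return findings


if __name__ == "__main__":
    for (victim, service), f in sorted(find_reflection_victims(SAMPLE_FLOWS).items()):
        print(f"{victim}: {service} reflection from {f['reflectors']} hosts, "
              f"{f['bytes']} bytes at {f['avg_pkt_bytes']} B/pkt")
```

On the constructed data, 203.0.113.5 is reported twice, once for NTP and once for DNS, while the host doing ordinary time synchronisation and the TCP zone transfer are not. Both thresholds are assumptions to tune per site: a genuine NTP reply carries a 48-byte payload, so an average of several hundred bytes per packet from port 123 is not time synchronisation, and `min_reflectors` should sit above the number of resolvers and time sources your hosts legitimately talk to.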

Ransomware

The last 5 years have shown a rising trend in the use of Ransomware for cyber-extortion, and 2016 will mark new heights in its development. Windows will continue to be the most targeted platform, followed by Android, due to their extensive market penetration. Mabouia, a proof-of-concept demonstrated in late 2015, marked the first serious ransomware threat against Apple OS X. An increasing trend will be the use of Ransomware against IoT, especially against smart TVs, which have become more widespread. We also expect to see the first waves of Ransomware targeting networked medical devices such as insulin pumps, pacemakers and more.

While Ransomware targets both individual home users and corporations, 2016 will mark an explosion of its use against corporations. As noted in a recent report, damages due to CryptoWall 3.0 surpassed $300 million in 2015, with enterprise-specific Ransomware constituting a very attractive target. Best practices across all industries advise keeping updated backups as assurance against Ransomware, but backups are a recovery control, not a preventive one: they do nothing to stop the encryption event, and they only help if they are kept out of reach of the compromised host and have actually been restored successfully in a test.
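The ransomware section and its forecast make two points a practitioner has to act on: a stealthy encryptor can poison the backups taken while it is dormant, and few enterprises test their backups. One concrete check before trusting a backup set is to look for files that should be plain text but whose bytes are statistically random, which is what encryption leaves behind. The Python block below is an added example, not code from the report; the directory tree it builds, the file names, the extension list and the entropy threshold are constructed for illustration.

```python
"""Look for already-encrypted files inside a backup set.

Added example for this report, not TruShield code. The sample tree, the
extension list and the entropy threshold are assumptions for illustration.
"""
import math
import os
import tempfile
import time
from collections import Counter

# Types whose content should be far from random. Compressed or encrypted
# formats (zip, docx, jpg, ...) are skipped: their legitimate entropy is
# close to ciphertext and would only produce false alarms.
LOW_ENTROPY_EXT = {".txt", ".csv", ".log", ".xml", ".html", ".json", ".sql"}
ENTROPY_THRESHOLD = 7.2   # bits/byte: text sits near 4-5, ciphertext near 8
SAMPLE_BYTES = 64 * 1024  # enough of the file to get a stable estimate


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root, max_age_days=None, now=None):
    """Return sorted [(relative_path, entropy)] for plain-text-typed files whose
    bytes look like ciphertext. max_age_days limits the scan to recently
    modified files (the 30-day window the forecast describes). mtime is under
    the attacker's control, so treat the window as triage, not as a guarantee."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in LOW_ENTROPY_EXT:
                continue
            if max_age_days is not None:
                if (now - os.path.getmtime(path)) / 86400 > max_age_days:
                    continue
            with open(path, "rb") as fh:
                entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
            if entropy >= ENTROPY_THRESHOLD:
                hits.append((os.path.relpath(path, root), round(entropy, 2)))
    return sorted(hits)


def build_sample_backup():
    """Constructed backup tree (not real data): a clean ledger, a freshly
    encrypted contract, an encrypted file older than the window, and an
    archive that is legitimately high-entropy."""
    root = tempfile.mkdtemp(prefix="backup-")
    now = time.time()
    with open(os.path.join(root, "ledger.csv"), "w") as fh:
        for i in range(2000):
            fh.write(f"2015-11-{i % 28 + 1:02d},ACME Corp,{i * 17 % 997}.00\n")
    with open(os.path.join(root, "contract.txt"), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))  # stands in for ciphertext
    old = os.path.join(root, "archive-2014.txt")
    with open(old, "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))
    os.utime(old, (now - 60 * 86400, now - 60 * 86400))  # 60 days old
    with open(os.path.join(root, "photos.zip"), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))  # skipped: archive format
    return root


if __name__ == "__main__":
    root = build_sample_backup()
    print("modified in last 30 days:", suspicious_files(root, max_age_days=30))
    print("whole backup set:        ", suspicious_files(root))
```

Run against the constructed tree, the 30-day pass reports only contract.txt, and the unrestricted pass adds archive-2014.txt; the zip archive is never reported because compressed formats are excluded by type rather than by entropy. A scan like this is a complement to, not a substitute for, an actual restore test: it catches encrypted content that a size or checksum comparison would happily accept as a valid backup.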

Forecast: Development of the next generation of crypto-lockers capable of stealthily encrypting the files modified in the last 30 days and then encrypting new files as they are created, with the effect that backups taken while the malware is dormant already contain encrypted copies. In many cases backups are useless, since very few enterprises actually test them periodically.

Spear Phishing

Underground cybercrime markets will run customized campaigns against potential victims. Enterprises are heavily exposed to this attack vector, and sophisticated Spear Phishing schemes can lead to the largest financial and reputational damages.

In contrast with the Financial industry, which has additional mechanisms in place to limit the impact (e.g. separation of duties, security awareness training), Retail and other industries are more vulnerable due to the lack of effective countermeasures.


This attack vector remains a top favorite among criminals due to the relatively low level of technical effort required, and it is one of the most effective ways to trick victims. There are many ways of compromising computers via Spear Phishing; the most common are embedding malicious URLs in the body of the message and attaching files that contain malware. A newer strategy is embedding malicious URLs inside the attachment itself, where they escape the URL inspection and rewriting that mail gateways apply to the message body and are often missed by endpoint anti-malware engines, which look for malicious code rather than links. Spear Phishing continues to be the tool of choice during tax season in the US and is expected to play a major role in the 2016 Presidential Election.

Two notable Spear Phishing attacks had already been reported by early 2016. The first delivered the infamous BlackEnergy malware that took down part of the power grid in western Ukraine in December 2015; the threat actors are believed to be connected with Russian cyber warfare (aka Sandworm Team). The second was launched against the finance department of the European aerospace manufacturer FACC and resulted in the siphoning off of roughly €50 million in cash by unknown actors.
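The point above about URLs hidden inside attachments has a practical consequence for anyone writing mail-gateway or sandbox checks: a Word document stores its clickable links not in the visible text but in relationship parts inside the .docx ZIP container, so a scanner that only greps the message body, or only the document text, never sees them. The following Python block is an added example, not code from the report or from any product it mentions. It builds a constructed .docx and a constructed HTML attachment in memory, extracts every URL from both, and applies two triage rules (IP-literal host, executable file name in the path) that are assumptions chosen for illustration rather than a complete detection policy.

```python
"""Extract and triage URLs carried inside e-mail attachments.

Added example for this report, not TruShield code. The sample attachments
are constructed in memory; the triage rules are illustrative assumptions.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/hyperlink")
# Triage rules (assumptions for illustration, not a complete policy)
EXEC_EXT = (".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".jar", ".bat", ".cmd", ".ps1")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def urls_from_ooxml(blob: bytes) -> set:
    """URLs inside an Office Open XML container (docx/xlsx/pptx)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.endswith(".rels"):
                # Clickable hyperlinks are stored as external relationships,
                # not in the visible text of the document part.
                for rel in ET.fromstring(data).iter(f"{{{RELS_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Type") == HYPERLINK_TYPE:
                        found.add(rel.get("Target"))
            elif name.endswith(".xml"):
                # URLs typed as plain text; itertext() yields text nodes only,
                # so namespace URIs in attributes are not picked up.
                text = "".join(ET.fromstring(data).itertext())
                found.update(URL_RE.findall(text))
    return found


def urls_in_attachment(filename: str, blob: bytes) -> set:
    """Return the set of URLs carried inside one attachment."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        return urls_from_ooxml(blob)
    # HTML, text, RTF and similar: a plain scan of the decoded bytes suffices.
    return set(URL_RE.findall(blob.decode("utf-8", errors="ignore")))


def assess_url(url: str) -> list:
    """Reasons a URL deserves analyst attention; empty list if none fire."""
    parts = urlparse(url)
    reasons = []
    if parts.hostname and IPV4_RE.match(parts.hostname):
        reasons.append("ip-literal host")
    if parts.path.lower().endswith(EXEC_EXT):
        reasons.append("executable payload path")
    return reasons


def scan_attachments(attachments: dict) -> list:
    """attachments: {filename: bytes}. Returns [(filename, url, reasons)]."""
    findings = []
    for name, blob in attachments.items():
        for url in sorted(urls_in_attachment(name, blob)):
            findings.append((name, url, assess_url(url)))
    return findings


def build_sample_docx() -> bytes:
    """Constructed .docx (a ZIP of XML parts) for the demo; not a real sample."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:p><w:hyperlink r:id="rId1"><w:r><w:t>View invoice</w:t></w:r></w:hyperlink>'
        '<w:r><w:t> or visit https://www.example.com/ for help</w:t></w:r>'
        '</w:p></w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" '
        'Target="http://203.0.113.45/invoice/update.exe" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{HYPERLINK_TYPE}" '
        'Target="https://www.example.com/" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed HTML attachment (not a real sample).
SAMPLE_HTML = (b'<html><body><p>Your mailbox is full.</p>'
               b'<a href="http://198.51.100.7/login.hta">Sign in</a> '
               b'<a href="https://www.example.com/help">Help</a></body></html>')
SAMPLE_ATTACHMENTS = {"invoice.docx": build_sample_docx(), "notice.html": SAMPLE_HTML}

if __name__ == "__main__":
    for name, url, reasons in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name}: {url} -> {', '.join(reasons) or 'no rule fired'}")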

Forecast: 2016 will be a record year for successful Spear Phishing campaigns. Cybercrime, nation-state sponsored operations, APT groups and terrorist organizations will employ this highly effective strategy.

Industries Targeted

2016 will clearly be another year of major breaches. Many will go undetected due to the lack of continuous monitoring, of a defense-in-depth strategy, and of executive support. Healthcare, Financial, and Retail will be hit by Spear Phishing, Banking Trojans, and PoS malware. E-commerce will be targeted by DDoS and DRDoS attacks as well as web application attacks. Insider incidents due to negligence, lack of awareness, and disgruntled employees will contribute to significant reputational, legal, and financial losses.

Legal

The American Bar Association (ABA) has stated that law firms are major targets for cybercrime. The fact that lawyers hold immensely valuable data such as Intellectual Property (IP), Mergers and Acquisitions (M&A) insider information, and Personally Identifiable Information (PII) turns them into targets.


Due to a lack of minimum cyber hygiene, lawyers, paralegals, and related personnel are extremely vulnerable to Cybercrime-as-a-Service. Each computer compromised by one or more of the tools reviewed in this report will yield a goldmine to cybercrime rings. While a substantial percentage of law firms have taken some measures to safeguard this sensitive information, more needs to be done. The lack of direct regulation will also hinder improvement in law firm security. In fact, most of those organizations that have started an information security program were pushed into it by their major clients: the legal departments of large banks have acted on their concerns by requiring outside counsel to improve security and, in some cases, to comply with NIST and ISO standards.

One of the most vulnerable facets of law firm security is email. Lawyers and support staff transmit an enormous volume of sensitive information, often through their personal email accounts. Consumer email accounts fall outside the firm's security controls: the firm cannot enforce multi-factor authentication, retention, logging, or data-loss prevention on them. To counter threats against email, each law firm should implement a sound information security policy and enforce the use of a corporate email system. In addition, emails containing sensitive information should be encrypted in transit and at rest, and archived email should be encrypted to prevent leakage.

Forecast: Mid-sized law firms employing 50 to 150 attorneys will be primary targets for cyber attacks aimed at gaining unauthorized access to Intellectual Property and trade secrets.

Critical Infrastructure

Multiple types of organizations fall under this category, but the ones facing significant threats include utilities, especially the energy sector, the oil and gas industry, and water and wastewater treatment. Although breaches against these sectors do not get the same high profile in the media, kinetic cyber-attacks can have a catastrophic impact, not only by interrupting delivery but also through physical destruction and human casualties.


ICS-CERT periodically publishes the number of incidents reported by SCADA/ICS organizations, and since 2010 we have seen a rising trend of attacks against industrial facilities. It is no coincidence that Stuxnet (2010) was the first malware designed to attack an ICS: it was launched against Iranian nuclear centrifuges and resulted in physical destruction.

While 2010 saw fewer than 50 reported attacks, the next year surpassed 200, and the number has since stayed in the mid to upper 200s. It is crucial to note that many incidents go undetected due to the lack of continuous monitoring, or are simply not reported. While drills such as GridEx, organized every two years by NERC, are definitely helpful, many energy providers opt out.

In contrast with Internet-facing traffic, where a plethora of vendors compete to sell security appliances, very few venture into designing firewalls and other countermeasures capable of protecting ICS/SCADA systems. To make matters worse, just a handful of managed security providers have the ability to monitor and respond to incidents involving industrial controls. Moreover, weaponized malware such as Stuxnet, Duqu, Flame, Gauss, and most recently BlackEnergy is capable of evading signature-based endpoint security.

Forecast: We will see 200-300 attacks against Industrial Control Systems, including denial of service via weaponized malware, some of it capable of wiping SCADA hosts, with the potential for casualties.

Small and Medium Sized Businesses (SMBs)

Many reports show an increasing trend of attacks on large organizations, including during mergers and acquisitions (M&A). While big breaches will continue to make the news headlines, especially in the Retail and Financial industries, SMB intrusions will go largely unreported.

Criminals take advantage of M&As between large organizations, especially while the two network architectures are being integrated; as expected, the goal is financial fraud and Intellectual Property theft. By contrast, we label many SMBs that provide third-party services "low-hanging fruit", since many high-profile breaches, as in the case of Target, started with the compromise of a third-party vendor.

Forecast: Cyber-attacks against small and mid-sized businesses will increase 30% in 2016.


Moreover, SMBs receive less attention. Cyber criminals are expected to target giant retailers and banks, and few small and medium-sized enterprises consider themselves a target. However, threat actors will focus their efforts in 2016 more and more on SMBs because of the lower priority they assign to cyber security. More often than large organizations, SMBs fail to assess the cyber risk to their business. Not only do SMBs lack a formal information security policy and proper IT security budgeting and staffing, they also lack a basic cyber awareness training program.

We believe that SMBs in the Legal, Financial, and Retail industries will be the most targeted by cyber-attacks in 2016. For this year we estimate that organizations with approximately 150 to 1,200 employees are the most vulnerable to Ransomware, Banking Trojans, Phishing, and DDoS attacks. Even though Managed Security Services Providers (MSSPs) have made training SMB personnel against Spear Phishing a relatively inexpensive proposition, few companies actually hire outside experts.

Additionally, MSSPs of various sizes are competing to offer a much stronger security posture than the one developed in-house. Still, SMBs are hesitant to outsource their defense. Sadly, many enterprises in this category do not perceive the extent of the damage a breach would cause. In contrast with larger organizations, which have a failsafe in cyber insurance and significant contingency funds, SMBs could easily face extinction after an APT attack that exfiltrates their intellectual property and trade secrets, or a DDoS that leaves their clients without access to services.


Conclusions

Most of today's organizations handle a massive amount of PII, financial information, and intellectual property. If these companies relied solely on the traditional approach to security, based on anti-virus solutions and perimeter firewalls, their data could quickly be exfiltrated. Moreover, APTs, zero-day vulnerabilities, and polymorphic malware (or any malware without an available signature) cannot be stopped by a static network defense.

Contrary to what other names in the industry claim, continuous monitoring services are not just a collection of security platforms and technologies. At TruShield we believe it requires a holistic approach. Our team emphasizes its human capabilities in delivering our CSM services, including IDS/IPS Management, Next-gen Firewall Management, Endpoint Security Management, Mail Gateway and Internet Gateway Management, Managed Multi-Factor Authentication, Patch Management, Vulnerability Management, and many other managed security services.

TruShield's concierge approach is unique in mitigating cyber threats. We go beyond the majority of Managed Security Service Providers. Our organization combines state-of-the-art Cyber Threat Intelligence and Continuous Security Monitoring with Defense-in-Depth and a Zero-Trust network architecture. Offered as a complete or tailored solution, TruShield's adaptive security offering is one of the most effective approaches for allowing our clients to block and deter botnets, APTs, DDoS, zero-days, fileless malware, and malicious insider threats.

We rely on a mixture of cutting-edge technologies, the most up-to-date cyber threat intelligence (CTI), and expert human analysis when determining the criticality of each and every event. We ensure that the most recent Common Vulnerabilities and Exposures (CVE) entries published in the National Vulnerability Database (NVD) are integrated into our tier-2 and tier-3 investigations so we can identify an imminent cyber-attack before data exfiltration occurs.


Another key element in mitigating and managing cyber risk is TruShield's extensive expertise in vulnerability management and disaster recovery solutions, which allows our security architects and incident responders to apply real-world solutions in preventing, securing and, when the case requires, restoring clients' critical systems.

Additionally, TruShield not only strives to implement security measures that ensure compliance, but to exceed regulatory requirements and industry standards including FISMA, HIPAA, SOX, GLBA, PCI-DSS, and ISO.

TruShield is more than just a Managed Security Services Provider. We are an MSSP that provides the white-glove service your organization needs and deserves.


References

https://www.symantec.com/security_response/writeup.jsp?docid=2015-010823-3741-99&tabid=2
https://www.akamai.com/us/en/about/news/press/2015-press/xor-ddos-botnet-attacking-linux-machines.jsp
https://www.f-secure.com/v-descs/backdoor_w32_havex.shtml
http://www.securityweek.com/magento-flaw-exploited-wild-within-24-hours-after-disclosure
http://www.eset.com/int/about/press/articles/malware/article/linux-and-bsd-web-servers-at-risk-of-sophisticated-mumblehard-infection-says-eset/
http://www.interpol.int/en/News-and-media/News/2015/N2015-038
http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-in-taiwan-uses-infamous-gh0st-rat/
https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/
http://www.volexity.com/blog/?p=158
https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf
https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/
https://www2.fireeye.com/WEB-2015RPTAPT17.html
https://apt.securelist.com/#firstPage
http://www.securityweek.com/glassrat-malware-stayed-under-radar-years-rsa
http://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf
http://www.telegraph.co.uk/finance/newsbysector/industry/12122323/Mapped-The-worlds-most-corrupt-countries.html
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-north-american-underground.pdf
http://www.coindesk.com/individuals-tied-to-bitcoin-ddos-group-dd4bc-captured-in-europe/
http://cybersecurityventures.com/cybersecurity-market-report/
http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
http://www.agcs.allianz.com/assets/PDFs/risk%20bulletins/CyberRiskGuide.pdf
http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report/
https://ics-cert.us-cert.gov/sites/default/files/documents/ICS-CERT%20Incident%20Response%20Summary%20Report%20(2009-2011)_S508C.pdf
http://digitalforensicsmagazine.com/blogs/?p=1005&utm_source=hs_email&utm_medium
http://info.surfwatchlabs.com/law-firms-hunted-by-cybercriminals
http://info.wombatsecurity.com/hubfs/Ponemon_Institute_Cost_of_Phishing.pdf
http://www.facc.com/en/News/News-Press/EANS-Adhoc-FACC-AG-UPDATE-FACC-AG-Cyber-Fraud
https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/
https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/
http://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-part-2-tools-and-malware-used-and-how-to-detect-them/
http://www.threatgeek.com/2015/10/cyber-crime-eastern-europe-and-russia-continue-to-refine-operations.html
http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf
http://www.threatgeek.com/2015/09/taming-the-tiger-domestic-and-foreign-policy-complexities-in-curbing-chinas-cyber-espionage-campaign.html
http://www.countertack.com/ponemon-rise-of-nation-state-attacks-report
http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
http://www.csoonline.com/article/3028787/cyber-attacks-espionage/survey-average-successful-hack-nets-less-than-15-000.html
http://blog.cloudmark.com/2016/01/13/survey-spear-phishing-a-top-security-concern-to-enterprises/
http://www.netdiligence.com/downloads/NetDiligence_2015_Cyber_Claims_Study_093015.pdf
http://cybercampaigns.net/