TRANSCRIPT
2015 Taiwan National Computer Emergency Response Team
Cyber Threat Trends in Taiwan
Henry Yu
TWNCERT
Outline
● Introduction of NICST
● Even More Aggressive E-Mail Info Collections
● Even Wilder Contractor Invasions
● Mobile Scam
● Conclusion
Introduction of NICST
● The National Information & Communication Security Taskforce
(NICST), established in January 2001, is a Cabinet-level
taskforce
– Convened by the Vice Premier, Executive Yuan
– Steering Committee comprised of central government CISOs, municipality
CISOs, the Deputy Director of the NSB, and experts
– Secretariat provided by the Office of Information and Communication Security (OICS),
Executive Yuan
– 8 major working groups for executing cyber security related tasks and
coordinating among agencies
– One service center (Information and Communication Security Technology
Center, ICST) plays the role of National CSIRT (TWNCERT)
Even More Aggressive E-Mail Info Collection
● Hackers use various methods to collect e-mail addresses and
steal accounts and passwords, then use the stolen e-mail
accounts to collect even more e-mail addresses, steal more
accounts and passwords, and ……
– Hackers collect e-mail addresses from government agencies, academic units,
government contractors, the private sector and many individuals…
– Over time, hackers have collected an enormous number of e-mail
accounts.
Case – Social Engineering
[Diagram: Case – Social Engineering attack flow, recovered from the slide]
● Hacker → Victim #1: brute-force password attack (remote access over port 1024/6666, RDP); Victim #1 becomes the stepping stone
● Stepping stone → Victims: social engineering (phishing e-mail, malicious attachment)
● Victim #2 → phishing website (fake GOOGLE login page) → logs in to GOOGLE account
● Hacker steals GOOGLE accounts & passwords
● Over 20 victims; roughly 118 phishing e-mails
● The hacker sent 118 phishing e-mails via the stepping stone, mainly
impersonating famous politicians to lure people into clicking the malicious
link, and stole their Gmail accounts and passwords
Stepping stone investigation
Subject | Count
馬瑋國 invited you to join his circle "Administrative Seminar" and wants to be your Google+ friend. Accept his request? | 19
馬瑋國 mentioned you on Google+. | 11
馬瑋國 invited you to join his circle "Internal Reference Material Update" and wants to be your Google+ friend. Accept his request? | 6
金溥聰 mentioned you on Google+. | 4
Once a victim clicks the link to the phishing website, the hacker can
obtain the victim's Gmail account and password
● 60 recipients in total, mostly government officials'
business and private e-mail accounts
Victims mostly are government officials
Domain | Amount | Agencies
gov.tw | 24 | …
org.tw | 2 | …
gmail.com | 27 | Including government officials' private e-mail accounts…
yahoo.com.tw | 7 | Including government officials' private e-mail accounts…
● The hacker used the phishing website to steal victims' e-mail accounts
and passwords, read through the contents of each account, then used the
account to send malicious mails to the victims' contact lists
Use stolen account to send malicious mails again
[Screenshots: the original mail beside the fake mail]
Phishing e-mails
● A government agency's secretary received the social
engineering e-mail and reported it to us; we analyzed the
header of the mail and tried to find the source
● The header showed that the sender IP is 122.x.x.x,
registered in Hong Kong; the hacker used PHPMailer to
send a fake Google website link, trying to lure the victims into clicking
the link
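The header triage described on this slide, as an added example that is not part of the original presentation: it parses a constructed sample message (the relay names, IP addresses, X-Mailer version string and link target are all made up and are not the real case data), walks the Received chain to find the hop closest to the sender, reports the mailer header, and flags anchors whose visible text shows one host while the href points to another, which is how a fake Google login lure looks in the mail body.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message modelled on the phishing mail described in the
# slides. Every specific value here (relay names, IP addresses, the X-Mailer
# version string, the link target) is made up and is not the real case data.
SAMPLE_MAIL = b"""\
Received: from mail.example.gov.tw (mail.example.gov.tw [198.51.100.7])
\tby mx.example.gov.tw with ESMTP id q1w2e3; Mon, 3 Mar 2014 09:12:44 +0800
Received: from webhost.example (webhost.example [203.0.113.45])
\tby mail.example.gov.tw with SMTP; Mon, 3 Mar 2014 09:12:40 +0800
From: "Google+" <noreply@plus.google.com>
To: secretary@example.gov.tw
Subject: Someone mentioned you on Google+
X-Mailer: PHPMailer 5.2.4
Content-Type: text/html; charset=utf-8

<html><body>
<p>View the post: <a href="http://accounts-google.example/login">https://plus.google.com/</a></p>
</body></html>
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def parse(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage (header-folding aware)."""
    return email.message_from_bytes(raw, policy=policy.default)


def received_ips(msg):
    """Bracketed IPv4 literals from the Received chain, newest hop first.

    Each MTA prepends its own Received header, so the last entry in this list
    is the hop closest to the sender: the best clue to where the mail came from.
    """
    ips = []
    for hop in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(str(hop))
        if m:
            ips.append(m.group(1))
    return ips


def origin_ip(msg):
    """IP of the earliest recorded hop, or None when there is no Received header."""
    ips = received_ips(msg)
    return ips[-1] if ips else None


def mismatched_links(html: str):
    """Anchors whose visible text is a URL on a different host than the href.

    A link that displays a google.com URL but points elsewhere is the classic
    sign of a fake login page lure.
    """
    found = []
    for href, inner in ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if not shown.lower().startswith(("http://", "https://")):
            continue
        if urlparse(shown).hostname != urlparse(href).hostname:
            found.append((shown, href))
    return found


def triage(raw: bytes):
    """Summarise the indicators an analyst would pull from a reported mail."""
    msg = parse(raw)
    html = msg.get_content() if msg.get_content_type() == "text/html" else ""
    links = mismatched_links(html)
    return {
        "origin_ip": origin_ip(msg),
        "mailer": str(msg.get("X-Mailer", "")),
        "from": str(msg.get("From", "")),
        "mismatched_links": links,
        "verdict": "suspicious" if links else "no link mismatch found",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MAIL).items():
        print(f"{key}: {value}")
```

The mailer header is reported but not used for the verdict: PHPMailer is a legitimate library, so it is context for the analyst rather than evidence by itself, whereas the origin IP and the displayed-versus-actual link mismatch are what justify escalating the report.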
Fake…
● The link took victims to the fake Google Cloud screen…
More Fake…
● Fake Google Cloud login screen…
Real Fake…
● Entering any combination of account and password takes the victim to a
download page that serves a real file
● Testing at different times results in different files being downloaded, which means the
page is still active: the hacker keeps updating the page to trick different
victims
● As more and more government agencies have done a great
job on cyber security defenses, hackers are starting to
focus their efforts on government contractors
● Compared to government agencies, government contractors
usually have weaker defenses, lower restrictions, and less
security awareness
● Contractor security is becoming a critical issue in
Taiwan as well as the whole world
Even Wilder Contractor Invasions
● The hacker invaded an information system development
company and stole many files and documents from its
storage servers
● Information belonging to 43 government agencies, 12 academic
organizations and 16 private sector companies was stolen
– Including clients' Notice of Invitation to Bid related information,
case documentation and all the source code being developed in
these cases
Case #1 – Contractor invasion
● A government agency was hacked, and many sensitive
documents were leaked
– 20 government project plans and 27 budget plan documents
were stolen
● After investigation, we found out the invasion came through its
information contractor
– The agency had given its information service contractor remote access
privileges so that it could perform maintenance services
remotely
Case #2 – Invasion via contractors (1/2)
● The hacker compromised the contractor first, then used the contractor's remote
access to get into the agency's servers (Web Server, AD
Server, Official Document Exchange System, and Mail
Server), then got into all the personal computers to steal
information
Case #2 – Invasion via contractors (2/2)
[Diagram: the Hacker → the Contractor (remote access) → Agency Intranet: Web Server, AD Server, ODES (Official Document Exchange System), Mail Server, PCs]
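One detection control for the path described in this case, as an added example that is not part of the original presentation: a contractor's remote-maintenance account should only ever reach the hosts it is contracted for, and only during the agreed maintenance window, so any logon outside that allow-list is worth an alert. The policy, account names, host names and logon records below are all constructed for the example (the pattern follows the slide: web server first, then AD and mail servers, then an end-user PC).

```python
from datetime import datetime, time

# Hypothetical access policy for a contractor's remote-maintenance account:
# which hosts it may reach and during which local maintenance window.
# This is a constructed example, not the agency's real configuration.
CONTRACTOR_POLICY = {
    "vendor-svc": {
        "hosts": {"web01"},                    # the one server under maintenance contract
        "window": (time(18, 0), time(22, 0)),  # agreed maintenance hours
    },
}

# Constructed logon records: timestamp, account, source IP, target host, protocol.
# Modelled on the case in the slides: the contractor account first reaches the
# web server, then the AD and mail servers, then an end-user PC.
LOGON_EVENTS = """\
2014-03-03T19:05:12 vendor-svc 203.0.113.45 web01 rdp
2014-03-03T19:20:40 vendor-svc 203.0.113.45 ad01 rdp
2014-03-04T02:14:03 vendor-svc 203.0.113.45 mail01 smb
2014-03-04T02:30:55 vendor-svc 203.0.113.45 pc-117 smb
2014-03-04T09:00:00 alice 10.1.1.20 pc-117 interactive
"""


def parse_events(text: str):
    """Turn the whitespace-separated records into dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, proto = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "proto": proto})
    return events


def in_window(ts: datetime, window) -> bool:
    """True when the event's local time falls inside the (start, end) window."""
    start, end = window
    return start <= ts.time() <= end


def audit_contractor_access(events, policy):
    """Flag every contractor logon that leaves its allow-list or its time window.

    Returns (timestamp, account, host, [reasons]) tuples, one per offending event.
    Accounts that are not in the policy are out of scope for this check.
    """
    alerts = []
    for ev in events:
        rule = policy.get(ev["user"])
        if rule is None:
            continue
        reasons = []
        if ev["dst"] not in rule["hosts"]:
            reasons.append(f"host {ev['dst']} not in maintenance allow-list")
        if not in_window(ev["ts"], rule["window"]):
            reasons.append("outside maintenance window")
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["user"], ev["dst"], reasons))
    return alerts


def hosts_reached(events, user: str):
    """Distinct hosts a given account touched: a quick lateral-movement measure."""
    return sorted({ev["dst"] for ev in events if ev["user"] == user})


if __name__ == "__main__":
    events = parse_events(LOGON_EVENTS)
    for alert in audit_contractor_access(events, CONTRACTOR_POLICY):
        print(alert)
    print("vendor-svc reached:", hosts_reached(events, "vendor-svc"))
```

The first alert already fires on the second record (the AD server), before the attacker reaches the mail server or any PC; in practice the same allow-list is also the input to the firewall or jump-host rule that should stop the connection rather than just log it.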
Mobile Scam Background
● Since 2004 the Taiwan National Police
Agency has operated an Anti-Fraud
Hotline (165) and Web Portal
for awareness raising,
reporting of suspicious activity
and case reports of all kinds of
fraud
– 165 observed that fraud cases via
SMS on mobile devices have increased
rapidly since Oct. 2013
– And fraud cases via messaging
apps have surged since Feb. 2014
● From February to May 2014, mobile scams through
messaging APPs quickly reached a peak in Taiwan
● The most common messaging APP used in Taiwan is
LINE; scammers are using various methods to social
engineer victims and gain profits
Mobile Scam through Messaging APP
Various LINE Scam Methods
[Diagram: various LINE scam methods, recovered from the slide]
– Account invasion: the LINE account & password are obtained via e-mail, Facebook, Google+, etc., or other means; scam messages are then sent out to the victim's LINE friends
– Malicious APP links: the device is hacked, personal info is stolen, and the info is used for micro payment scam
– Messages asking for personal info, or asking the victim to receive an auth. code: micro payment scam
– Messages asking the victim to buy game points: victims provide the game point info, and the scammer exchanges the game points for cash
– Messages asking the victim to dial 0809031088: used to establish and activate a Ruten seller account
Source: Criminal Investigation Bureau, National Police Agency, Ministry of the Interior
Countermeasures
● TWNCERT has cooperated with the National Communications
Commission and the National Police Agency through G-ISAC:
– We announced all known scam methods to all members; asked anti-virus companies to
analyze all malicious APPs; and blocked, reported and handled all malicious IP traffic
through the appropriate authorities
– We asked mobile users not to install any APP that is not from the official Apple or Google
stores, and to set the security option that disallows installation from unknown sources
– We also asked mobile users to harden LINE's security options: block messages that are
not from known friends; don't allow people to add you as a friend automatically; don't
make your LINE ID public; if you only use LINE on one device, don't allow logins from a PC or
other devices
– We asked people to cancel the ISP micro payment option, and made ISPs change the
micro payment policy from enabled by default to disabled by default, requiring citizens to go to
an ISP counter and apply for the micro payment option in person
Conclusions
● Social engineering has been a problem for a long time… as more and more people
get onto the Internet, the situation has become even worse
– TWNCERT continues to promote social engineering awareness among government
agencies
Government cyber security seminars twice a year
Provide a social engineering drill platform for agencies to perform self-drills
● The security threat from contractors keeps on rising
– Currently the Taiwan government is developing a Government Contractor Cyber Security
Requirement Standard, and now also requires contractors to monitor their own cyber events
and report when an incident occurs
● Mobile scams are getting popular
– TWNCERT has cooperated with the National Communications Commission and law
enforcement agencies through G-ISAC to exchange all scam information quickly
– We successfully quieted down all mobile scams in Taiwan within four months