Overview
Targeted attacks and malware campaigns
More wipers
The aim of most targeted attack campaigns is to steal sensitive data. However, this isn’t always the goal. Sometimes attackers erase data instead of – or as well as – trying to gain access to confidential information. We’ve seen several wiper attacks in recent years. They include Shamoon (also known as ‘Disttrack’), believed to have been used to erase data on more than 30,000 computers at Saudi Aramco in 2012, and Dark Seoul, used in the attack on Sony Pictures in 2013.
Shamoon re-appeared in November 2016, targeting organizations in various critical and economic sectors in Saudi Arabia. So far we have observed three waves of attacks using the Shamoon 2.0 malware – activated on 17 November 2016, 29 November 2016 and 23 January 2017.
While the attacks share many similarities with the earlier wave of attacks, they now feature new tools and techniques. The attackers start by obtaining administrator credentials for the target network. Then they build a custom wiper (Shamoon 2.0) which uses the stolen credentials for lateral movement across the organization. Finally, the wiper activates on a predefined date, leaving the infected computers unusable. The final stage of the attack is completely automated and doesn’t rely on communication with the attackers’ C2 (Command-and-Control) centre.
Shamoon 2.0 also includes a ransomware component. This has yet to be used in the wild, so it’s unknown whether the attackers would use this part of the platform for financial gain or for idealistic purposes.
While investigating the Shamoon attacks, we discovered a previously unknown wiper. This malware, which we’ve named StoneDrill, also appears to target organizations in Saudi Arabia. There are similarities in style to Shamoon, with additional features designed to help it evade detection. One of the victims of StoneDrill, seen via the Kaspersky Security Network (KSN), is located in Europe (and operates in the petrochemicals sector), suggesting that the attackers might be expanding their wiping operations beyond the Middle East.
The most significant difference between the two relates to the wiping process. Shamoon uses a disk driver for direct access to the disk, whereas StoneDrill injects the wiper directly into the victim’s preferred browser.
StoneDrill also shares similarities with an APT group known as NewsBeef (also known as ‘Charming Kitten’), so-called because of its use of the Browser Exploitation Framework (BeEF). These similarities include familiar WinMain and OS signatures, update commands and C2 server names. It isn’t known whether the groups behind Shamoon and StoneDrill are the same, or are simply aligned in terms of interests and the regions they target – the latter seems most likely to us.
In addition to the wiping module, StoneDrill also includes a backdoor that has been used to run espionage operations against a number of targets.
You can find the full report on Shamoon 2.0 and StoneDrill here. By subscribing to our APT intelligence reports, you can get access to our investigations and discoveries as they happen, including full technical data.
EyePyramid
As we’ve seen before, targeted attacks don’t need to be technically advanced in order to be successful. In January 2016, the arrest of two suspects by Italian police brought to light a series of cyber-attacks that targeted prominent politicians, bankers, freemasons and members of law enforcement agencies.
The malware used in the attacks, dubbed ‘EyePyramid’, was unsophisticated, but nevertheless successful enough to enable the attackers to gain access to all the resources on their victims’ computers. The police investigation revealed 100 active victims in the server used to host the malware, but there were indications that the attackers had targeted around 1,600 victims in the last few years. Their victims – located mainly in Italy – included law firms, consultancy services, universities and Vatican cardinals.
The Italian police report didn’t include technical details about how the malware was spread – other than revealing that spear-phishing was used. However, it did identify a number of C2 servers and e-mail addresses used by the attackers to exfiltrate stolen data. Using this information, we created a YARA rule, based on custom e-mail addresses, C2 servers, licences for the custom mailing library used by the attackers and specific IP addresses used in the attack. Then we ran it through our systems to see if it matched any known samples. Our initial YARA rule highlighted two samples, which enabled us to create a more specific YARA rule that identified a further 42 samples in our collection. Further searching revealed more information about EyePyramid. The attacks relied on social engineering to trick victims into opening and running infected files attached to the spear-phishing e-mails. The attachments used were ZIP and 7ZIP archives which contained the malware. The attackers used multiple spaces to try to mask the extension of the file – underlining the low level of sophistication of the attacks.
Based on the compilation time-stamps of the samples, which appear to be legitimate, most samples used in the attacks were compiled in 2014-15.
It’s clear that cybercriminals can achieve success even where the malware they use is neither sophisticated nor hard to detect. From the poor OPSEC (operational security) employed in the campaign (for example, using IP addresses associated with their own company and discussing victims in regular phone calls and over WhatsApp), it’s clear that the attackers were amateurs. Nevertheless, they were able to operate for many years and managed to steal gigabytes of data from their victims.
You can read our full report on EyePyramid here.
Breaking the weakest link of the strongest chain
During 2016 more than 100 Israeli servicemen were targeted by a cunning threat actor. The attack compromised their devices and exfiltrated data to the attackers’ C2 server.
The IDF (Israel Defense Forces) C4I and the IDF Information Security Department unit, together with Kaspersky Lab researchers, obtained a list of the victims – all IDF servicemen serving around the Gaza Strip.
This campaign, which experts believe is still in its early stages, targets Android OS devices. Once the device has been compromised, a process of sophisticated intelligence gathering begins, exploiting the phone’s video and audio capabilities, SMS functions and location.
The attacks are unsophisticated, relying heavily on social engineering techniques. The attackers lure their victims into installing a malicious application, while continuously attempting to obtain confidential information using social networks: the group seems particularly active on Facebook Messenger. Most of the avatars used by the attackers (virtual participants in the social engineering stage of the attack) lure the victims using sexual themes: for example, asking the victim to send explicit photos and, in return, sending fake photos of teenage girls. The avatars pretend to be from different countries such as Canada, Germany, Switzerland and others.
The victim is tricked into downloading an app from a malicious URL. The app collects data from the victim’s phone, including general information (network operator, GPS location, IMEI, etc.), contacts, browsing history, SMS messages and pictures. The app is also able to record video and audio.
The IDF, which led the research along with Kaspersky Lab researchers, believes that this is just the opening shot of a wider campaign that is designed to capture data on how ground forces are distributed, the tactics and equipment the IDF uses and real-time intelligence.
You can read our full report on this campaign here.
The non-persistence of memory
During an incident response, security specialists hunt for any artefacts that attackers have left behind in the victim’s network. This includes inspecting log files, looking for files on the hard drive, looking at the registry and checking memory.
However, each of these has a different ‘shelf-life’: in other words, the clues will be available to an analyst for a shorter or longer time, depending on where they’re located. Data stored on a hard drive will probably be available to a forensic analyst for a long time: although, as we saw with Duqu 2.0, sophisticated malware may deliberately remove all traces from the hard drive after installation, leaving itself in memory only. This is why memory forensics is critical to the analysis of malware and its functions.
Another important aspect of an attack is the tunnels that are installed in the network by an attacker. Cybercriminals (such as Carbanak and GCMAN) may use PLINK for this purpose; Duqu 2.0 used a special driver.
In our predictions for 2017 we forecast an increase in ephemeral infections – memory-resident malware intended for general reconnaissance, with no interest in persistence. In highly sensitive environments, where stealth is essential, attackers may well be content to operate until the malware is cleared from memory during a reboot, since this reduces the likelihood of the malware being detected and their operation being compromised.
During a recent incident response our experts found that both memory-based malware and tunnelling had been implemented in a bank attack using standard Windows utilities such as SC and NETSH. The threat was originally discovered by the bank’s security team after they detected Meterpreter code inside the physical memory of a domain controller. We participated in the forensic analysis following this detection and discovered the use of PowerShell scripts within the Windows registry. We also discovered that the NETSH utility had been used for tunnelling traffic from the victim’s host to the attackers’ C2.
You can read the details of our investigation here.
Using the Kaspersky Security Network we found more than 100 enterprise networks infected with malicious PowerShell scripts in the registry.
We don’t know if they were all infected by the same attacker. During our analysis of the affected bank we learned that the attackers had used several third-level domains and domains in the .GA, .ML and .CF ccTLDs. The advantage, for the attackers, of using such domains is that they are free and don’t include WHOIS information after the domain expires. The fact that the attackers used the Metasploit framework, standard Windows utilities and unknown domains without any WHOIS information makes attribution almost impossible. The closest groups with the same TTPs are Carbanak and GCMAN.
Techniques like this are becoming more popular, especially in attacks against financial institutions. Exfiltration of data can be done using standard utilities and a few tricks, without the need for malware. Such ephemeral attacks highlight the need for sophisticated, proactive technology in anti-malware solutions, such as Kaspersky Lab’s System Watcher.
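The two host artefacts described above (PowerShell persisted in registry Run keys and NETSH port-forwarding rules) can be triaged offline from exported text. The script below is an added example, not Kaspersky Lab’s code or anything from the investigation: it parses constructed ‘reg query’ and ‘netsh interface portproxy show all’ output, flags autorun entries that launch PowerShell with evasive switches, decodes an -EncodedCommand blob, and marks port forwards that point outside RFC 1918 space; the switch list, sample addresses and encoded sample are all assumptions made for the example.

```python
"""Offline triage of Run-key PowerShell persistence and NETSH portproxy tunnels.
Added example (not the report's code); inputs below are constructed text."""
import base64
import binascii
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed: base64 of a harmless UTF-16LE command, standing in for the
# encoded payload an attacker's Run-key entry would carry.
_SAMPLE_ENCODED = base64.b64encode(
    "Write-Host constructed-sample".encode("utf-16le")).decode("ascii")

# Constructed 'reg query HKLM\...\CurrentVersion\Run' style export.
REG_RUN_EXPORT = rf"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive          REG_SZ           "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater           REG_SZ           powershell.exe -NoP -W Hidden -Exec Bypass -Enc {_SAMPLE_ENCODED}
"""

# Constructed output of 'netsh interface portproxy show all'.
NETSH_PORTPROXY = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         4444        203.0.113.10    443
10.0.0.5        8080        10.0.0.20       80
"""

# Illustrative heuristic: PowerShell switches that deserve a look in an autorun.
SUSPICIOUS_SWITCHES = {
    r"-nop(rofile)?\b": "profile skipped",
    r"-w(indowstyle)?\s+hidden": "hidden window",
    r"-e(xec|xecutionpolicy|p)\s+bypass": "execution policy bypass",
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}": "encoded command",
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_run_keys(text: str) -> List[Dict[str, str]]:
    """Return {name, type, data} for each value line of a 'reg query' export."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(REG_\w+)\s+(.*\S)\s*$", line)
        if m:
            rows.append({"name": m.group(1), "type": m.group(2), "data": m.group(3)})
    return rows


def decode_encoded_command(data: str) -> Optional[str]:
    """Decode an -EncodedCommand blob (base64 of UTF-16LE); None if absent."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", data, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return "(undecodable)"


def analyse_autorun(row: Dict[str, str]) -> Optional[Dict]:
    """Flag a Run-key value that launches PowerShell with evasive switches."""
    data = row["data"]
    if not re.search(r"\b(powershell|pwsh)(\.exe)?\b", data, re.I):
        return None
    hits = [label for pattern, label in SUSPICIOUS_SWITCHES.items()
            if re.search(pattern, data, re.I)]
    if not hits:
        return None
    return {"source": "registry", "severity": "high", "name": row["name"],
            "flags": hits, "decoded": decode_encoded_command(data)}


def is_internal(addr: str) -> bool:
    """True for loopback or RFC 1918 addresses; hostnames count as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or any(ip in net for net in RFC1918)


def parse_portproxy(text: str) -> List[Dict[str, str]]:
    """Return {listen, lport, connect, cport} rows; header/separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$", line)
        if m:
            rows.append(dict(zip(("listen", "lport", "connect", "cport"), m.groups())))
    return rows


def analyse_portproxy(rule: Dict[str, str]) -> Dict:
    """A wildcard listener or a forward to a non-internal address looks like a C2 tunnel."""
    suspicious = rule["listen"] in ("0.0.0.0", "::", "*") or not is_internal(rule["connect"])
    return {"source": "netsh", "severity": "high" if suspicious else "review", **rule}


def triage(reg_text: str, netsh_text: str) -> List[Dict]:
    findings = [f for f in (analyse_autorun(r) for r in parse_run_keys(reg_text)) if f]
    findings += [analyse_portproxy(r) for r in parse_portproxy(netsh_text)]
    return findings


if __name__ == "__main__":
    for finding in triage(REG_RUN_EXPORT, NETSH_PORTPROXY):
        print(finding)
```

On a live host the same functions can be fed the output of `reg query` against the Run/RunOnce keys and `netsh interface portproxy show all`; any portproxy rule at all is rare on a workstation, so even the ‘review’ findings merit a look.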
KopiLuwak: a brand new JavaScript payload from Turla
The Russian-speaking APT group Turla (known variously as ‘Snake’, ‘Uroburos’, ‘Venomous Bear’ and ‘KRYPTON’) has been active since at least 2007 (and possibly even longer). Its activities have been traced to many high-profile incidents, including the 2008 attack against the US Central Command (the Buckshot Yankee incident) and, more recently, the attack against the Swiss military contractor, RUAG. We’ve discussed its activities on several occasions (here, here, here and here). The group intensified its activities in 2014, targeting Ukraine, EU-related institutions, governments of EU countries, global foreign affairs ministries, media companies and possibly corruption-related targets in Russia. In 2015 and 2016 the group diversified its activities, switching from the Epic Turla watering-hole framework to the Gloog Turla framework, which is still active. The group also expanded its spear-phishing activities with the Skipper/WhiteAtlas attacks, which made use of new malware. Recently, the group has intensified its satellite-based C2 registrations ten-fold compared with the 2015 average.
In January, John Lambert from Microsoft (@JohnLaTwC) tweeted about a malicious document that dropped a ‘very interesting .JS backdoor’. Since the end of November 2016, Kaspersky Lab has observed Turla using this new JavaScript payload and a specific macro variant. This is a technique we’ve observed before with Turla’s ‘ICEDCOFFEE’ payloads (detailed in a private report from June 2016 which is available to customers of Kaspersky APT Intelligence Services). While the delivery method is somewhat similar to ICEDCOFFEE, the JavaScript differs greatly and appears to have been created mainly to avoid detection.
The targeting of this new malware is consistent with previous campaigns conducted by Turla, focusing on foreign ministries and other governmental organizations throughout Europe. However, the frequency is much lower than ICEDCOFFEE, with victim organizations numbering in the single digits (as of January 2017). We strongly believe that this new JavaScript will be used more heavily in the future as a first-stage delivery mechanism and victim profiler.
The malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands on the victim and also allowing the attackers to run arbitrary commands via Wscript.
Full details on KopiLuwak can be found here.
The document contains a malicious macro that’s very similar to macros used previously by Turla to deliver Wipbot, Skipper and ICEDCOFFEE. The Turla group continues to rely heavily on embedded macros in Office documents. This may seem like an elementary tactic for such a sophisticated attacker, but it has helped them to compromise high-value targets. We would recommend that organizations disable macros and do not allow employees to enable such content unless it’s absolutely necessary.
The lure document above shows an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus. Based on the name of the document, ‘National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc’, we presume it may have been sent from the Qatar Ambassador’s secretary to the Ministry of Foreign Affairs, possibly indicating that the Turla group already had control of at least one system within Qatar’s diplomatic network.
The best defence against targeted attacks is a multi-layered approach that combines traditional anti-virus technologies with patch management, host intrusion detection and a default-deny whitelisting strategy. According to a study by the Australian Signals Directorate, 85 per cent of the targeted attacks analysed could have been stopped by employing four simple mitigation strategies: application whitelisting, updating applications, updating operating systems and restricting administrative privileges.
Malware stories
Stand and deliver: your money or your data!
In eighteenth-century Britain (and elsewhere) travellers could be waylaid by a highwayman – a robber who held up coaches on the public highway and demanded that those on board hand over their money and other valuables. The highwayman would typically issue the challenge – ‘Stand and deliver: your money or your life!’ Ransomware is a version of such highway robbery for the digital age – with the difference that it’s our data that’s held hostage and the ‘highwayman’s’ ransom demand is displayed on the screen.
There were more than 1,445,000 ransomware attacks in 2016, on businesses as well as individuals. The huge growth we’ve seen in recent years is fuelled by the success that cybercriminals have had with this type of malware – ransomware is easily monetised and involves a low investment cost per victim.
Out of the 62 new crypto-ransomware families that we discovered last year, at least 47 were developed by Russian-speaking cybercriminals. In February, we published a report on the Russian ransomware economy. It’s clear that the development of ransomware is underpinned by a flexible and user-friendly underground eco-system that allows criminals to launch attack campaigns with almost any level of computer skills and financial resources. Our researchers identified three levels of criminal involvement in the ransomware business.
The first is the creation and updating of ransomware families. This requires advanced code-writing skills; and those involved are the most privileged members of the ransomware underground, since they’re the key to the whole eco-system. The second is the development and support of affiliate programmes for distributing ransomware. This is done by criminal communities that deliver the ransomware using ancillary tools such as exploit kits and spam. The third is partner participation in such affiliate programmes. Those involved are on the lowest rung of the ladder and their role is to help the owners of affiliate programmes to spread the malware, in return for a cut of the proceeds: the only skills required are a willingness to carry out illegal actions and the money to join the affiliate scheme.
We were able to identify several large groups of Russian-speaking criminals specialising in crypto-ransomware development and distribution. These groups may bring together tens of different partners, each with their own affiliate programme. The list of their targets includes not only individual consumers, but small- and medium-sized businesses and even enterprises. While initially targeting organizations in the Russian Federation, these groups are now shifting their attention to companies in other parts of the world. The daily revenue of an affiliate programme may reach tens, or even hundreds, of thousands of dollars: of this, around 60 per cent stays in the pockets of the criminals as net profit.
In March we reported a new ransomware family used in targeted attacks against organizations, named PetrWrap. Once they’ve gained a foothold in the target company, the attackers use the PsExec tool to install ransomware on all computers. One particularly interesting aspect of this ransomware is that the attackers use the well-known Petya ransomware to encrypt data. Although Petya uses a ‘Ransomware-as-a-Service’ model, the attackers didn’t make use of this facility. Instead, they include a sample of the Petya ransomware in the data section of the malware and use Petya to infect their victims’ computers. A special module patches the original Petya ransomware ‘on the fly’. This allows the attackers to hide the fact that they are using Petya.
Targeted ransomware attacks on organizations are becoming more popular. The groups using ransomware in targeted attacks typically try to find vulnerable servers or servers with unprotected RDP access. After penetrating an organization’s network they use special frameworks such as Mimikatz to obtain the credentials needed to install ransomware throughout the network. To protect against such attacks, organizations need to keep their server software up to date, use strong passwords for remote access systems, install security solutions on their servers and use security solutions with behavioural detection components on all their endpoints.
The Internet of broken things
You might remember that in October 2016, cybercriminals used a botnet of Internet-connected home devices (such as IP-enabled cameras, DVRs, CCTV cameras and printers) to launch a DDoS attack. To do this, the attackers infected vulnerable devices with the Mirai malware. This operation was significant not only because it misused Internet of Things (IoT) devices, but also because the DDoS traffic generated exceeded all previous volumes. The DDoS took down a section of the Internet and was serious enough to prompt investigations by the FBI and the DHS. At the time, they had not ruled out activity by a nation state, because of the overall power of the Mirai botnets. But even the scale of these attacks didn’t require the work of a nation state. Time will tell if nation states choose to hide their destructive activity in plain sight in the IoT – the capabilities are clearly available. It’s possible that we may see a nation state tempted to take down wide swaths of the Internet using this juvenile toolset.
In February, we looked at reports of a cross-platform Win32-based Mirai spreader and botnet in the wild. Some of the public discussion around this suggested that an entirely new IoT bot was spreading to and from Windows devices. But this is not the case: rather, a previously active Windows botnet is now spreading a Mirai bot variant. We hadn’t seen this spreader variant pushing Mirai downloaders until January. But the Windows bot itself isn’t new. The Windows bot’s method for distributing Mirai is very limited as well – it only delivers the Mirai bots to a Linux host from a Windows host if it successfully brute-forces a remote telnet connection.
So we haven’t seen a sensational hop from Linux Mirai to Windows Mirai. But we do have a new threat, and the use of Windows to spread Mirai to previously unavailable resources. In particular, vulnerable SQL servers running Windows can be a problem, because they can be Internet-facing and have access to IP-based cameras, DVRs, media centre software and other internal devices connected to the private network.
It’s unfortunate to see any sort of Mirai crossover between the Linux and Windows platforms. Just as the release of source code for the Zeus banking Trojan brought years of problems for the online community, the release of the Mirai IoT bot source code will also bring major problems to the Internet infrastructure for years to come. This is just the beginning.
In response to the huge problem this poses to the Internet infrastructure, over the last few months our team and CERT have participated in multiple successful C2 take-down efforts that would otherwise have posed problems for partners who were simply providing notifications. While some security researchers may describe these take-downs as ‘whack-a-mole’, these efforts resulted in relief from Gbps DDoS storms for major networks. We’re happy to partner with more network operators to make use of our connections with CERTs, law enforcement agencies and other partners around the world, to build on this success.
You can read our report here.
This attack, like others that involve compromised IoT devices, exploited the fact that many people don’t change the manufacturer’s default credentials when they buy a smart device. This makes it easy for attackers to access the device – they just have to try the known default password. In addition, there are no firmware updates for many devices. IoT devices are also an attractive target for cybercriminals because they often have 24/7 connectivity.
These days we’re surrounded by smart devices. This includes everyday household objects such as telephones, televisions, thermostats, refrigerators, baby monitors, fitness bracelets and children’s toys. But it also includes cars, medical devices, CCTV cameras and parking meters. Some homes are even designed now with the ‘smartness’ built in. Ubiquitous Wi-Fi brings all these devices online, as part of the Internet of Things (IoT). These things are designed to make our lives easier. Since everyday objects are able to collect and transfer data automatically, without human interaction, they can operate more effectively and efficiently. However, a world of connected everyday objects means a bigger attack surface for cybercriminals. Unless IoT devices are secured, the personal data they exchange can be compromised, they can be subject to an attack, or they can be used in an attack.
One of the problems associated with IoT devices is that they’re often everyday objects that have provided useful functions for much longer than the Internet has been around. So we don’t see the computer inside the object. Nowhere is this truer than with children’s toys. In the last two years security and privacy concerns around children’s toys have been raised on several occasions (you can read more here, here and here).
In February, similar concerns were raised regarding the My Friend Cayla doll. The Federal Network Agency, the German telecommunications watchdog, advised parents who had bought the doll to destroy it because of these concerns.
The best advice for anyone using connected/IoT devices at home is to ensure that the default passwords on all devices are changed (using unique, complex passwords) to prevent them being remotely accessed – this includes home routers, which are the gateway to your home network. The temptation may be for people to want to disconnect all devices in light of such news, but in today’s increasingly connected world, that’s not realistic; although it’s always good to review the functionality of a smart device and disable any capabilities that you don’t actually need. However, good password ‘housekeeping’ goes a long way to keeping cybercriminals away from your devices. This kind of large-scale attack also highlights the need for manufacturers to consider security by design, rather than as an afterthought.
Data breaches and data dumps
We’ve become used to seeing a steady stream of security breaches month after month; and this quarter has been no exception, including attacks on Barts Health Trust, Sports Direct, InterContinental Hotels Group and ABTA.
Some breaches result in the theft of sensitive data, highlighting the fact that many companies fail to take adequate steps to defend themselves. Any business that holds personal data has a duty of care to secure it effectively. This includes hashing and salting customer passwords and encrypting other sensitive data.
Consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. One alternative is to use a password manager application to handle all this automatically. It’s also a good idea to use two-factor authentication, where an online provider offers this option – requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings.
The public dumping of sensitive data has been gathering pace in recent years. This is a trend that we predicted in 2015. ‘Hacktivists’, criminals and state-sponsored attackers alike have embraced the strategic dumping of private pictures, information, customer lists and code to shame their targets. While some of these attacks are strategically targeted, some are also the product of opportunism, taking advantage of poor cyber-security.
In February, WikiLeaks published more than 8,000 documents, dubbed ‘Vault 7’, that describe tactics and tools used to break into computing devices from top manufacturers, to bypass installed security solutions and even to lay a trail of false flags. The first batch of documents released (dated between 2013 and 2016) included documentation on how to compromise major browsers, smartphones and computers running Windows, Mac OS and Linux. Subsequent dumps of data focused on the development of malware to compromise firmware running on Mac OS and iOS, specifically EFI and UEFI firmware; and on how to evade detection. You can read more here and here.
We can only expect this practice to continue to grow in the future. Consumers and businesses alike should use encryption to secure sensitive data and must ensure that they apply updates as soon as they become available, to reduce the chances that their data will be stolen and dumped online.
Securelist – Information about Viruses, Hackers and Spam