AST-0128312 The Evolution of Corporate Cyberthreats 2014

Upload: matthewsheeran

Post on 02-Jun-2018


  • 8/10/2019 AST-0128312 the Evolution of Corporate Cyberthreats 2014

    THE EVOLUTION OF CORPORATE CYBERTHREATS

    Protecting Your Organization Today, Tomorrow, and Beyond

    Most established organizations have large IT departments with staff exclusively devoted to IT security. As your business grows, hopefully your IT security team is thriving, too, and getting the intelligence and resources needed to stay abreast of the latest threats to your organization.

    Unfortunately, the bad guys are keeping pace, and in some cases they're taking the lead. To keep your organization safe, it's imperative to stay at least a few steps ahead of the cybercriminals. Education is a key component of this defensive strategy in today's cybercriminal ecosystem. If you don't know it's there, you can't defend against it.

    Threats are increasing in frequency and sophistication. In fact, according to the recently released Verizon Data Breach report, there were 1,367 confirmed data breaches and 63,437 security incidents in 2013.[1] The severity and cause of these incidents vary depending on the goals of the cybercriminals and, sometimes, the size of the potential victim. Although you may be better equipped to fight cybercrime, larger organizations are vulnerable to a wider array of attacks, including Advanced Persistent Threats (APTs), cyberespionage, and more sophisticated malware.

    [1] 2014 Verizon Data Breach Investigations Report

    Advanced Persistent Threats (APTs)

    Every corporation, regardless of its size or industry, is at risk of becoming the victim of a targeted attack by a variety of threat actors including APT groups, politically-driven hacktivists, and more advanced cybercriminals, who offer their services for hire. These adversaries will target any organization that has valuable information or data relevant to their objectives.

    Depending on the adversaries' operational motives and objectives, the information identified as valuable will vary. However, it's important to note that regardless of the motive, attackers are targeting very specific information from a specific set of victims, and they will relentlessly customize and optimize their techniques until they successfully realize their objective.

    All APTs are vehicles for cybercrime, but not all cybercrimes involve APTs. Although both are based on monetary gain, APTs specifically target more sensitive data, including passwords, competitive intelligence, schematics, blueprints, and digital certificates, and are paid for by third-party clients or resold in the underground. General cybercrime operations are direct, for-profit attacks and target customers' personal and financial information, which can be quickly monetized and laundered underground for ID theft and fraud.

    Cybercriminals will either provide the hijacked information to the third party who hired them to steal it, or they will repackage and resell the data underground to interested parties, such as nation-states or competing organizations. Earned through years of hard work and investment, stolen intellectual property enables third parties to accelerate their technological and commercial developments while weakening corporations' intellectual and competitive advantages in the global economy.

    There are many different types of targeted attacks, including:

    Economic Espionage
    Targeted Information: Intellectual property; proprietary information; geopolitical, competitive or strategic intelligence

    Insider Trading Theft
    Targeted Information: Pending M&A deals or contracts; upcoming financial earnings; future IPO dates

    Financial & Identity Theft
    Targeted Information: Employee and customer personally-identifiable information; payment transactions; account numbers; financial credentials

    Technical Espionage
    Targeted Information: Password or account credentials, source code, digital certificates; network and security configurations; cryptographic keys; authentication or access codes

    Reconnaissance and Surveillance
    Targeted Information: System and workstation configurations; keystrokes; audio recordings; emails; IRC communications; screenshots; additional infection vectors; logs; cryptographic keys

    One of the biggest challenges in defending against targeted attacks is being able to correlate data and identify attack patterns amidst the high volume of incidents coming from disparate sources at various times. However, with careful observation, research, and proper analysis, concrete information can show similarities in targeted attack campaigns.

    In 2013, Kaspersky's Global Research & Analysis Team published detailed reports revealing valuable information about several large-scale targeted attack campaigns, which were code-named Red October, Winnti, NetTraveler and Icefog.[2] These reports carry heavy weight because their substantive and exhaustive nature connects the disparate dots and provides corporations with practical information that can be used to improve security procedures and mitigation efforts immediately.

    The reports' findings revealed that the primary method for infecting targeted organizations was sending spear-phishing emails to targets. These emails were rigged to exploit common vulnerabilities found in corporate applications or programs. Using this technique, attackers have successfully compromised organizations across every sector, including government and defense organizations, commercial enterprises, financial institutions, and scientific research facilities. The notorious and sophisticated zero-day vulnerabilities are not being used by attackers because they're not necessary. Organizations are being compromised using rudimentary attack techniques because they are easy and because companies are vulnerable due to the lack of patch management, control policies, and updated security configurations.

    This eBook will delve a little deeper into some of today's most destructive threats, including Icefog and The Mask, as well as the pluses and minuses of Bitcoin and the nefarious use of the Tor network.

    [2] 2014 Verizon Data Breach Investigations Report

    Icefog

    Most APT campaigns are sustained over months or years, continuously stealing data from their victims. By contrast, the attackers behind Icefog, an APT discovered by the Kaspersky Security Network in September 2013, focused on their victims one at a time, in short-lived, precise hit-and-run attacks designed to steal specific data. Operational since at least 2011, Icefog involved the use of a series of different versions of the malware, including one aimed at Mac OS.

    Following Kaspersky Lab's publication of Icefog: Threat Analysis and Defense Strategy, the APT's operations ceased and the attackers closed down all of the known command-and-control servers. However, ongoing monitoring of sinkholing domains and analyzing victim connections has revealed the existence of another generation of Icefog backdoors: this time, a Java version of the malware designated Javafog. Connections to one of the sinkholed domains, lingdona[dot]com, indicated that the client could be a Java application; and subsequent investigation turned up a sample of this application. Detailed analysis can be found on SecureList.[3]

    [3] January 2014, The Icefog APT Hits US Targets With Java Backdoor, http://www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor

    During the sinkholing operation for this domain, security experts observed eight IP addresses for three unique victims of Javabot. Unlike the original form of the Icefog APT, where victims were based in South Korea and Japan, all the targets of Javabot were located in the United States. One was a very large independent oil and gas corporation with operations in multiple countries. It's possible that Javafog was developed for a US-specific operation, one that was designed to be longer than the typical Icefog attacks. One probable reason for developing a Java version of the malware is that it is more stealthy and harder to detect.
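    The sinkhole analysis described above (telling a Java client apart from its connection records and separating real victims from background noise) can be mechanised. The following is an added example, not Kaspersky's tooling: it triages a few constructed sinkhole access-log lines in an assumed format, flags clients whose User-Agent is the JRE's default "Java/<version>" string, and detects regular beaconing intervals.

```python
# Hypothetical sinkhole-log triage helper (added example, not Kaspersky's code).
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in an assumed format: client_ip [time] "Host" "User-Agent"
SAMPLE_LOG = """\
198.51.100.7 [2014-01-10T08:00:00] "lingdona[dot]com" "Java/1.6.0_45"
198.51.100.7 [2014-01-10T08:10:01] "lingdona[dot]com" "Java/1.6.0_45"
198.51.100.7 [2014-01-10T08:20:00] "lingdona[dot]com" "Java/1.6.0_45"
198.51.100.7 [2014-01-10T08:29:59] "lingdona[dot]com" "Java/1.6.0_45"
203.0.113.21 [2014-01-10T09:03:12] "lingdona[dot]com" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.21 [2014-01-10T14:47:51] "lingdona[dot]com" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.44 [2014-01-10T10:00:00] "lingdona[dot]com" "Java/1.7.0_25"
192.0.2.44 [2014-01-10T11:00:00] "lingdona[dot]com" "Java/1.7.0_25"
192.0.2.44 [2014-01-10T12:00:00] "lingdona[dot]com" "Java/1.7.0_25"
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" "([^"]*)"$')

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, host, ua = m.groups()
    return {"ip": ip, "time": datetime.fromisoformat(ts), "host": host, "ua": ua}

def is_java_client(ua):
    # The JRE's default HTTP client identifies itself as "Java/<version>";
    # a browser-less Java process talking to a sinkhole deserves a closer look.
    return ua.startswith("Java/")

def is_beaconing(times, min_hits=3, max_jitter=0.05):
    """True when there are at least min_hits connections whose gaps vary by under 5%."""
    if len(times) < min_hits:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return pstdev(gaps) <= max_jitter * mean(gaps)

def triage(log_text):
    """Summarise each client IP: hit count, Java-only User-Agent, regular beaconing."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        report[ip] = {
            "hits": len(recs),
            "java": all(is_java_client(r["ua"]) for r in recs),
            "beaconing": is_beaconing([r["time"] for r in recs]),
        }
    return report

if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```

    In the constructed sample, the two Java clients check in at fixed intervals and are reported as beaconing, while the browser User-Agent with two irregular visits is not.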

    The Mask

    In February 2013, the Kaspersky Lab security research team published a report on a complex cyberespionage campaign called The Mask or Careto (Spanish slang for ugly face or mask). This campaign was designed to steal sensitive data from various types of targets. The victims, located in 31 countries around the world, included government agencies, embassies, energy companies, research institutions, private equity firms and activists.

    The Mask attacks start with a spear-phishing message containing a link to a malicious website rigged with several exploits. Once victims are infected, they are then redirected to the legitimate site described in the e-mail they received (e.g. a news portal, or video). The Mask includes a sophisticated backdoor Trojan capable of intercepting multiple communication channels and of harvesting all kinds of data from the infected computer. Like Red October and other targeted attacks before it, the code is highly modular, allowing the attackers to add new functionality at will. The Mask also casts its net wide - there are versions of the backdoor for Windows and Mac OS X, and there are references that suggest there may also be versions for Linux, iOS and Android. The Trojan also uses very sophisticated stealth techniques to hide its activities.


    The key motivation of The Mask attackers is to steal data from their victims. The malware collects a range of data from the infected system, including encryption keys, VPN configurations, SSH keys, RDP files and some unknown file types that could be related to bespoke military/government-level encryption tools. Security researchers don't know who's behind the campaign. Some traces suggest the use of the Spanish language, but that fact doesn't help pin it down, since this language is spoken in many parts of the world. It's also possible that this could have been used as a false clue, to divert attention from whoever wrote it. The very high degree of professionalism of the group behind this attack is unusual for cybercriminal groups, one indicator that The Mask could be a state-sponsored campaign.

    This campaign underlines the fact that there are highly-professional attackers who have the resources and the skills to develop complex malware, in this case to steal sensitive information. It also highlights the fact that targeted attacks, because they generate little or no activity beyond their specific victims, can fly under the radar.

    The entry point of The Mask involves tricking individuals into doing something that undermines the security of the organization they work for, in this case by clicking on a link or an attachment. Currently, all known C&C (Command-and-Control) servers used to manage infections are offline. But researchers believe that the danger hasn't been totally eradicated and that it's possible for the attackers to renew the campaign in the future.

    Bitcoin

    Bitcoin is a digital crypto-currency. It operates on a peer-to-peer model, where the money takes the form of a chain of digital signatures that represent portions of a Bitcoin. There is no central controlling authority and there are no international transaction charges, both of which have contributed to making it attractive as a means of payment. You can find an overview of Bitcoin, and how it works, on the Kaspersky Daily website.

    As use of Bitcoin has increased, it has become a more attractive target for cybercriminals. In end-of-year forecasts, security researchers anticipated attacks on Bitcoin: "Attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year. Such attacks will be especially popular with fraudsters as their cost-to-income ratio is very favorable."[5]

    MtGox, one of the biggest Bitcoin exchanges, was taken offline in February 2014.[6] This followed a turbulent month in which the exchange was beset by problems, problems that saw the trading price of Bitcoins on the site fall dramatically. There have been reports that the exchange's insolvency followed a hack that led to the loss of $744,408.

    [5] Kaspersky Security Bulletin 2013.
    [6] February 25, 2014, CNN Money, Mt.Gox site disappears, Bitcoin future in doubt.

    Spammers are also quick to make use of social engineering techniques to draw people into a scam. They took advantage of the climb in the price of Bitcoins in the first part of this quarter (prior to the MtGox collapse) to try to cash in on people's desire to get rich quick. There were several Bitcoin-related topics used by spammers. They included offers to share secrets from a millionaire on how to get rich by investing in Bitcoins, and offers to join a Bitcoin lottery.[7]

    [7] February 2014, SecureList, Virtual bitcoins vs hard cash

    Tor

    Tor (short for The Onion Router) is software designed to allow someone to remain anonymous when accessing the Internet. It has been around for some time, but for many years was used mainly by experts and enthusiasts. However, use of the Tor network has spiked in recent months, largely because of growing concerns about privacy. Tor has become a helpful solution for those who, for any reason, fear surveillance and the leakage of confidential information.

    Tor's hidden services and anonymous browsing enable cybercriminals to cover their operations and provide a hosting platform to sell the stolen information using bitcoins as the currency. Since Bitcoin's architecture is decentralized and more difficult to trace than traditional financial institutions, it provides a more efficient way for cybercriminals to launder their ill-gotten gains.

    In 2013, security experts began to see cybercriminals actively using Tor to host their malware infrastructure, and Kaspersky Lab experts have found various malicious programs that specifically use Tor. Investigation of Tor network resources reveals lots of resources dedicated to malware, including Command-and-Control servers, administration panels and more. By hosting their servers in the Tor network, cybercriminals make them harder to identify, blacklist and eliminate.

    Cybercriminal forums and marketplaces have become familiar on the normal Internet. But recently a Tor-based underground marketplace has also emerged. It all started with the notorious Silk Road market and has evolved into dozens of specialist markets for drugs, arms and, of course, malware. Carding shops are firmly established in the Darknet, where stolen personal information is for sale, with a wide variety of search attributes like country, bank etc. The goods on offer are not limited to credit cards: dumps, skimmers and carding equipment are for sale too.

    A simple registration procedure, trader ratings, guaranteed service, and a user-friendly interface are standard features of a Tor underground marketplace. Some stores require sellers to deposit a pledge, a fixed sum of money, before starting to trade. This is to ensure that a trader is genuine and his services are not a scam or of poor quality.

    The development of Tor has coincided with the emergence of the anonymous crypto-currency, Bitcoin. Nearly everything on the Tor network is bought and sold using Bitcoins. It's almost impossible to link a Bitcoin wallet and a real person, so conducting transactions in the Darknet using Bitcoin means that cybercriminals can remain virtually untraceable. Kaspersky Lab's expert blog, Securelist, discusses bitcoins extensively.

    It seems likely that Tor and other anonymous networks will become a mainstream feature of the Internet as increasing numbers of ordinary people using the Internet seek a way to safeguard their personal information. But it's also an attractive mechanism for cybercriminals, a way for them to conceal the functions of the malware they create, to trade in cybercrime services, and to launder their illegal profits. Researchers believe that use of these networks for cybercrime will only continue.

    Like technology, the specifics of cybercrime are constantly changing. To keep your organization safe today and into the future, partnering with a cybersecurity expert is critical.


    About Kaspersky

    Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. With its holding company registered in the United Kingdom, Kaspersky Lab operates in almost 200 countries and territories worldwide, providing protection for over 300 million users worldwide.

    * The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares (IDC # 242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.

    Call Kaspersky today at 866-563-3099 or email us at [email protected], to learn more about Kaspersky Endpoint Security for Business.

    www.kaspersky.com/business