At the end of last year, I wrote the The Top 10 Security Stories of 2011,
an article that summarized 2011 in one word: "explosive." Back then,
the biggest challenge was how to narrow down all the incidents, stories,
facts, new trends and intriguing actors into just 10 top stories.
Based on the events and the actors who defined the top security stories of 2011, I made a number of predictions regarding 2012:
The continued rise of hacktivist groups.
The growth of Advanced Persistent Threat (APT) incidents
The dawn of cyber-warfare and more powerful nation states jostling for dominance through cyber-espionage campaigns.
Attacks on software and gaming developers such as Adobe, Microsoft, Oracle and Sony.
More aggressive actions from law enforcement agencies against traditional cybercriminals.
An explosion of Android threats.
Attacks on Apple’s Mac OS X platform.
How did these predictions work out? Let’s take a look at the top 10 security incidents that shaped 2012...
1. Flashback hits Mac OS X
Although the Mac OS X Trojan Flashback/Flashfake
appeared in late 2011, it wasn't until April 2012 that it became really
popular. At its peak, Flashback infected more than 700,000 Macs, easily
the biggest known MacOS X infection to date. How was this possible? Two
main factors: a Java vulnerability CVE-2012-0507 and the general sense of apathy among the Mac faithful when it comes to security issues.
Flashback continues to be relevant because it demolished the myth of
invulnerability surrounding the Mac and because it confirmed that
massive outbreaks can indeed affect non-Windows platforms. Back in 2011,
we predicted that we would see more Mac malware attacks. We just never
expected it would be this dramatic.
2. Flame and Gauss: nation-state cyber-espionage campaigns
In mid-April 2012, a series of cyber-attacks destroyed computer
systems at several oil platforms in the Middle East. The malware
responsible for the attacks, named “Wiper”, was never found – although
several pointers indicated a resemblance to Duqu and Stuxnet. During the
investigation, we stumbled upon a huge cyber-espionage campaign now known as Flame.
Flame is arguably one of the most sophisticated pieces of malware
ever created. When fully deployed onto a system, it has more than 20 MB
of modules which perform a wide array of functions such as audio
interception, bluetooth device scanning, document theft and the making
of screenshots from the infected machine. The most impressive part was
the use of a fake Microsoft certificate to perform a man-in-the-middle
attack against Windows Updates, which allowed it to infect fully patched
Windows 7 PCs at the blink of an eye. The complexity of this operation
left no doubt that this was backed by a nation-state. Actually, a strong
connection to Stuxnet was discovered by Kaspersky researchers, which
indicate the Flame developers worked together with Stuxnet developers,
perhaps during the same operation.
Flame is important because it showed that highly complex malware can
exist undetected for many years. It is estimated that the Flame project
could be at least five years old. It also redefined the whole idea of
“zero-days”, through its “God mode” man-in-the-middle propagation
technique.
Of course, when Flame was discovered, people wondered how many other
campaigns like this were being mounted. And it wasn’t long before others
surfaced. The discovery of Gauss, another highly sophisticated Trojan
that was widely deployed in the Middle East, added a new dimension to
nation-state cyber campaigns. Gauss is remarkable for a variety of
things, some of which remain a mystery to this day. The use of a custom
font named “Palida Narrow” or its encrypted payload which targets a
computer disconnected from the Internet are among the many unknowns. It
is also the first government-sponsored banking Trojan with the ability
to hijack online banking credentials from victims, primarily in Lebanon.
With Flame and Gauss, a new dimension was injected into the Middle
East battleground: cyber-war and cyber-warfare. It appears there is a
strong cyber component to the existing geopolitical tensions – perhaps
bigger than anyone expected.
3. The explosion of Android threats
During 2011, we witnessed an explosion in the number of malicious
threats targeting the Android platform. We predicted that the number of
threats for Android will continue to grow at an alarming rate. The chart
below clearly confirms this:
The number of samples continued to grow and peaked in June 2012, when
we identified almost 7,000 malicious Android programs. Overall, in
2012, we identified more than 35,000 malicious Android programs, which
is about six times more than in 2011. That’s also about five times more
than all the malicious Android samples we received since 2005
altogether!
The reason for the huge growth of Android can be explained by two
factors: economic and platform related. First of all, the Android
platform itself has become incredibly popular, becoming the most
widespread OS for new phones, with over 70% market share. Secondly, the
open nature of the operating system, the ease with which apps can be
created and the wide variety of (unofficial) application markets have
combined to shine a negative spotlight on the security posture of the
Android platform.
Looking forward, there is no doubt this trend will continue, just
like it did with Windows malware many years ago. We are therefore
expecting 2013 to be filled with targeted attacks against Android users,
zero-days and data leaks.
4. The LinkedIn, Last.fm, Dropbox and Gamigo password leaks
In June 2012, LinkedIn, one of the world’s biggest social networks for business users was hacked by unknown assailants and the password hashes of more than 6.4 million people leaked onto the Internet.
Through the use of fast GPU cards, security researchers recovered an
amazing 85% of the original passwords. Several factors made this
possible. First of all, LinkedIn stored the passwords as SHA1 hashes.
Although better than the very popular MD5, modern GPU cards can crack
SHA1 hashes at incredible speeds. For instance, a $400 Radeon 7970 can
check close to 2 billion SHA1 password/hashes per second. This, combined
with modern cryptographic attacks such as the usage of Markov chains to
optimize brute force search or mask attacks, taught web developers some
new lessons about storing encrypted passwords.
When DropBox announced that it was hacked and
user account details were leaked, it was yet another confirmation that
hackers were targeting valuable data (especially user credentials) at
popular web services. In 2012, we saw similar attacks at Last.fm and Gamigo, where more than 8 million passwords were leaked to the public.
To get an idea of how big a problem this is, during the InfoSecSouthwest 2012 conference, Korelogic released an archive containing about 146 million password hashes, which was put together from multiple hacking incidents. Of these, 122 million were already cracked.
These attacks show that in the age of the ‘cloud’, when information
about millions of accounts is available in one server, over speedy
internet links, the concept of data leaks takes on new dimensions. We
explored this last year during the Sony Playstation Network hack; there
is perhaps no surprise such huge leaks and hacks continued in 2012.
5. The Adobe certificates theft and the omnipresent APT
During 2011, we saw several high profile attacks against certificate
authorities. In June, DigiNotar, a Dutch company, was hacked out of
business, while a Comodo affiliate was tricked into issuing digital
certificates in March. The discovery of Duqu in September 2011 was also
related to a Certificate Authority hack.
On 27 September 2012, Adobe announced the discovery of two malicious programs that
were signed using a valid Adobe code signing certificate. Adobe’s
certificates were securely stored in an HSM, a special cryptographic
device which makes attacks much more complicated. Nevertheless, the
attackers were able to compromise a server that was able to perform code
signing requests.
This discovery belongs to the same chain of extremely targeted attacks performed by sophisticated threat actors commonly described as APT.
The fact that a high profile company like Adobe was compromised in
this way redefines the boundaries and possibilities that are becoming
available for these high-level attackers.
6. The DNSChanger shutdown
When the culprits behind the DNSChanger malware were arrested in November 2011 during the “Ghost Click” operation, the identity-theft infrastructure was taken over by the FBI.
The FBI agreed to keep the servers online until 9 July 2012, so the
victims could have time to disinfect their systems. Several doomsday
scenarios aside, the date passed without too much trouble. This would
not have been possible without the time and resources invested into the
project by the FBI, as well as other law enforcement agencies, private
companies and governments around the world. It was a large scale action
that showed that success against cybercrime can be achieved through open cooperation and information sharing.
7. The Ma(h)di incident
During late 2011 and the first half of 2012, an ongoing campaign to
infiltrate computer systems throughout the Middle East targeted
individuals across Iran, Israel, Afghanistan and others scattered across
the globe. In partnership with Seculert, Kaspersky Lab investigated this operation and named it “Madi”, based on certain strings and handles used by the attackers.
Although Madi was relatively unsophisticated, it did succeed in
compromising many different victims around the globe through social
engineering and Right-To-Left-Override tactics. The Madi campaign
demonstrated yet another dimension to cyber-espionage operations in the
Middle East and one very important thing: low investment operations, as
opposed to nation-state sponsored malware with an unlimited budget, can
be quite successful.
8. The Java 0-days
In the aftermath of the previously mentioned Mac OS X Flashback
attack, Apple took a bold step and disabled Java across millions of Mac
OS X users. It might be worth pointing out that although a patch was
available for the vulnerability exploited by Flashback since February,
Apple users were exposed for a few months because of Apple’s tardiness
in pushing the patch to Mac OS X users. The situation was different on
Mac OS X, because while for Windows, the patches came from Oracle, on
Mac OS X, the patches were delivered by Apple.
If that was not enough, in August 2012, a Java zero-day vulnerability
was found to be massively used in-the-wild (CVE-2012-4681). The exploit
was implemented in the wildly popular BlackHole exploit kit and quickly
become the most effective of the whole set, responsible for millions of
infections worldwide.
During the second quarter of 2012, we performed an analysis of vulnerable software found
on users’ computers and found that more than 30% had an old and
vulnerable version of Java installed. It was easily the most widespread
vulnerable software installed.
9. Shamoon
In the middle of August, details appeared about a piece of highly
destructive malware that was used in an attack against Saudi Aramco, one
of the world’s largest oil conglomerates. According to reports, more
than 30,000 computers were completely destroyed by the malware.
Detailed analysis of the Shamoon malware found
that it contained a built-in switch which would activate the
destructive process on 15 August, 8:08 UTC. Later, reports emerged of
another attack of the same malware against another oil company in the
Middle East.
Shamoon is important because it brought up the idea used in the Wiper
malware, which is a destructive payload with the purpose of massively
compromising a company’s operations. As in the case of Wiper, many
details are unknown, such as how the malware infected the systems in the
first place or who was behind it.
10. The DSL modems, Huawei banning and hardware hacks
In October 2012, researcher Fabio Assolini published the details of an attack which
had been taking place in Brazil since 2011 using a single firmware
vulnerability, two malicious scripts and 40 malicious DNS servers. This
operation affected six hardware manufacturers, resulting in millions of
Brazilian internet users falling victim to a sustained and silent mass
attack on DSL modems.
In March 2012, Brazil’s CERT team confirmed that more than 4.5
million modems were compromised in the attack and were being abused by
cybercriminals for all sorts of fraudulent activity.
At the T2 conference in Finland, security researcher Felix ‘FX’
Lindner of Recurity Labs GmbHdiscussed the security posture and
vulnerabilities discovered in the Huawei family of routers. This came in
the wake of the U.S. government’s decision to investigate Huawei for espionage risks.
The case of Huawei and the DSL routers in Brazil are not random
incidents. They are just indications that hardware routers can pose the
same if not higher security risks as older or obscure software that is
never updated. They indicate that defense has become more complex and
more difficult than ever - in some cases, even impossible.
Conclusions: From Explosive to Revealing and Eye-opening
As we turn the page to 2013, we’re all wondering what’s next. As we
can see from the top 10 stories above, we were very much on the ball
with our predictions.
Despite the arrest of LulzSec’s Xavier Monsegur and many prominent
‘Anonymous’ hackers, the hacktivists continued their activities. The
cyber-warfare/cyber-espionage campaigns grew to new dimensions with the
discovery of Flame and Gauss. APT operations continued to dominate the
news, with zero-days and clever attack methods being employed to hack
high-profile victims. Mac OS X users were dealt a blow by Flashfake, the
biggest Mac OS X epidemic to date while big companies fought against
destructive malware that wrecked tens of thousands of PCs.
The powerful actors from 2011 remained the same: hacktivist groups,
IT security companies, nation states fighting each other through
cyber-espionage, major software and gaming developers such as Adobe,
Microsoft, Oracle or Sony, law enforcement agencies and traditional
cybercriminals, Google, via the Android operating system, and Apple,
thanks to its Mac OS X platform.
Security in 2011 was best described as "explosive" and I believe the
incidents in 2012 raised eyebrows and piqued the imagination. We came to
understand the new dimensions in existing threats while new attacks are
beginning to take shape.
8:24:00 AM
valgeo
0 σχόλια:
Post a Comment