Threat intelligence report for the telecommunications industry

Introduction

The telecommunications industry keeps the world connected.

Telecoms providers build, operate and manage the complex network infrastructures used for voice and data transmission – and they communicate and store vast amounts of sensitive data.

This makes them a top target for cyber-attack. According to PwC’s Global State of Information Security, 2016, IT security incidents in the telecoms sector increased 45% in 2015 compared to the year before.

Telecoms providers need to arm themselves against this growing risk. In this intelligence report, we cover the main IT security threats facing the telecommunications industry and illustrate these with recent examples. Our insight draws on a range of sources.

These include:

- The latest telecoms security research by Kaspersky Lab experts.
- Kaspersky Lab monitoring systems, such as the cloud antivirus platform, Kaspersky Security Network (KSN), our botnet tracking system and multiple other internal systems, including those used to detect and track sophisticated targeted (advanced persistent threat, APT) attacks and the corresponding malware.
- Underground forums and communities.
- Centralized, specialized security monitoring systems (such as Shodan).
- Threat bulletins and attack reports.
- Newsfeed aggregation and analysis tools.

Threat intelligence is now a vital weapon in the fight against cyber-attack. We hope this report will help telecoms providers to better understand the cyber-risk landscape so that they can develop their security strategies accordingly. We can provide more detailed sector and company-specific intelligence on these and other threats.

For more information on our Threat Intelligence Reporting services please email intelligence@kaspersky.com.

Executive summary

Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers.

The top threats currently targeting each of these frontlines feature many classic attack vectors, but with a new twist in terms of complexity or scale that places new demands on telecoms companies. These threats include:

- Distributed Denial of Service (DDoS) attacks. DDoS attacks continue to increase in power and scale and, according to the 2016 Data Breach Investigations Report, the telecommunications sector is hit harder than any other. Kaspersky Lab’s research reveals that in Q2, 2016, the longest DDoS attack lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days), with vulnerable IoT devices increasingly used in botnets. Direct DDoS attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are hit. They can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or large-scale ransomware attack.

- The exploitation of vulnerabilities in network and consumer devices. Our intelligence shows that vulnerabilities in network devices, consumer or business femtocells, USBs and routers, as well as root exploits for Android phones, all provide new channels for attacks – involving malware and technologies that individuals, organisations and even basic antivirus solutions cannot always easily remove.

- Compromising subscribers with social engineering, phishing or malware. These classic techniques remain popular and can easily be mastered by entry-level cybercriminals, although 2016 sees changes in how more sophisticated attackers conduct their campaigns. Growing numbers of cyber-attackers now combine data sets from different sources, including open sources, to build up detailed pictures of potential targets for blackmail and social engineering purposes.

- Insider threat is growing. Detailed profiles of targets are also used to recruit insiders to help perpetrate cybercrime. Some insiders help voluntarily, others are coerced through blackmail. Insiders from cellular service providers are recruited mainly to provide access to data, while staff working for Internet service providers are chosen to support network mapping and man-in-the-middle attacks.

Other threats facing telecommunications companies include targeted attacks; poorly configured access controls, particularly where interfaces are publicly available to any Internet user; inadequate security for 2G/3G communications; and the risk of telecoms providers being drawn into unrelated attacks that exploit telecoms resources, and suffering collateral damage as a result.

Typical threats targeting telecoms

Overview

We can divide the main threats facing the telecommunications industry into two, interrelated, categories:

- Threats targeting telecommunication companies directly. These include DDoS attacks, targeted attacks (APT campaigns), network device vulnerabilities and human-related threats like insider access, social engineering and the risk of allowing third parties to access information.

- Threats targeting subscribers of telecoms services – particularly the customers of cellular service providers (CSPs) and Internet service providers (ISPs). These include malware for mobile devices, subscriber data harvesting, end-user device vulnerabilities, and more.

Threats directed at telecoms companies

DDoS

DDoS (distributed denial of service) attacks remain a serious threat to telecoms providers around the world as attackers discover ever more ways of boosting the power and scale of attacks. Kaspersky Lab’s DDoS intelligence report for Q2, 2016 notes that websites in 70 countries were targeted with attacks.

By far the most affected country was China, with South Korea and the US also among the leaders. 70.2% of all detected attacks were launched from Linux botnets, with cybercriminals paying close attention to financial institutions working with cryptocurrency.

Another trend observed in Q2 was the use of vulnerable IoT devices in botnets to launch DDoS attacks. The telecommunications sector is particularly vulnerable to DDoS attacks.

According to the 2016 Data Breach Investigations Report, the telecommunications sector was hit around twice as hard as the second-placed sector (financial exchanges), with a median DDoS packet count of 4.61 million packets per second (compared to 2.4 Mpps for exchanges).

The impact of a DDoS attack should not be underestimated.

Direct attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are affected. With a growing number of connected devices and systems supporting mission-critical applications in areas such as healthcare and transport, unexpected downtime could be life threatening. Further, DDoS attacks can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or large-scale ransomware attack. A good example of the first is the 2015 cyber-attack on the UK telecoms company, TalkTalk.

The hack, allegedly perpetrated by a couple of teenagers, resulted in the loss of around 1.2 million customers’ email addresses, names and phone numbers, as well as many thousands of customer dates of birth and financial information – all ideal for use in financially-motivated social engineering campaigns.

The forensic investigation revealed that the hackers had used a smokescreen DDoS attack to conceal their main activities.

DDoS attacks are also evolving. 2015 saw attackers amplify the power of DDoS attacks by turning them into DrDoS (Distributed reflection Denial of Service) attacks through the use of standard network protocols like NTP, RIPv1, NetBIOS (Network Basic Input/Output System) and BGP (Border Gateway Protocol).

Another approach that is becoming more commonplace is the compromise of end-user routers via network-scanning malware and firmware vulnerabilities.
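As an added illustration of how an operator might spot the reflected (DrDoS) traffic described above in its own flow telemetry, the following Python is not Kaspersky Lab's code. The flow records, the reflector port list and the alert thresholds are constructed for this example and would need tuning for a real link; the heuristic looks for many distinct sources replying from a well-known UDP service port to one destination at a high packet rate with large packets.

```python
"""Flag DrDoS-style reflected UDP traffic in NetFlow-like records.

Added example (not Kaspersky Lab code). All flow records, the reflector
port list and the alert thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors. The amplified reply leaves the
# reflector *from* this port, so at the victim it appears as the source port.
REFLECTOR_PORTS = {123: "NTP", 520: "RIPv1", 137: "NetBIOS"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "udp" or "tcp"
    packets: int
    octets: int


def detect_reflection(flows, window_s, min_reflectors=20, min_pps=50_000, min_avg_bytes=400):
    """Return {victim: summary} for destinations that look like DrDoS targets.

    Heuristic: many distinct sources replying from a reflector port to a single
    destination, at a high aggregate packet rate, with large packets (the
    amplified replies are far bigger than the spoofed requests that caused them).
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "octets": 0, "services": set()})
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        agg = per_dst[f.dst]
        agg["reflectors"].add(f.src)
        agg["packets"] += f.packets
        agg["octets"] += f.octets
        agg["services"].add(REFLECTOR_PORTS[f.sport])

    alerts = {}
    for dst, agg in per_dst.items():
        pps = agg["packets"] / window_s
        avg_bytes = agg["octets"] / agg["packets"]
        if (len(agg["reflectors"]) >= min_reflectors
                and pps >= min_pps and avg_bytes >= min_avg_bytes):
            alerts[dst] = {
                "reflectors": len(agg["reflectors"]),
                "pps": round(pps),
                "avg_bytes": round(avg_bytes),
                "services": sorted(agg["services"]),
            }
    return alerts


def sample_flows():
    """Constructed 10-second window (documentation address ranges only):
    40 NTP and 10 NetBIOS reflectors hit 198.51.100.7, alongside one
    legitimate NTP reply and a handful of DNS replies."""
    flows = []
    for i in range(40):   # 450-byte amplified NTP replies
        flows.append(Flow(f"203.0.113.{i + 1}", 123, "198.51.100.7", 55555, "udp", 20_000, 9_000_000))
    for i in range(10):   # 300-byte NetBIOS name-service replies
        flows.append(Flow(f"192.0.2.{i + 1}", 137, "198.51.100.7", 55555, "udp", 5_000, 1_500_000))
    flows.append(Flow("203.0.113.200", 123, "198.51.100.20", 40000, "udp", 3, 270))     # normal NTP
    flows.append(Flow("192.0.2.53", 53, "198.51.100.21", 41000, "udp", 500, 60_000))    # DNS replies
    return flows


if __name__ == "__main__":
    for victim, info in detect_reflection(sample_flows(), window_s=10).items():
        print(f"possible DrDoS against {victim}: {info}")
```

The single legitimate NTP exchange fails both the distinct-reflector and the rate tests, which is what keeps the heuristic from paging on every time-server reply; in production the thresholds would be set from a per-destination baseline of normal traffic rather than fixed constants.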

Today’s faster mobile data transfer speeds and the growing adoption of 4G are also making smartphone-based botnets more useful for implementing DDoS attacks. The worrying thing is that even inexperienced attackers can organize quite an effective DDoS campaign using such techniques.

Targeted attacks

The core infrastructure of a telecommunications company is a highly desirable target for cybercriminals, but gaining access is extremely difficult.

Breaking into the core requires a deep knowledge of GSM architecture, rarely seen except among the most skilled and resourced cybercriminals.
Such individuals can generally be found working for advanced, international APT groups and nation-state attackers, entities that have a powerful interest in obtaining access to the inner networks of telecommunication companies.

This is because compromised network devices are harder for security systems to detect, and they offer more ways to control internal operations than can be achieved through simple server/workstation infiltration. Once inside the core infrastructure, attackers can easily intercept calls and data, and control, track and impersonate subscribers.

Other APTs with telecommunications on their radar

The Regin APT campaign, discovered in 2014, remains one of the most sophisticated ever seen and has the ability to infiltrate GSM networks, while the Turla group has developed the ability to hijack satellite-based Internet links as part of its Command & Control process, successfully obscuring its actual location. Others, such as Dark Hotel and a new cyber-espionage threat actor likely to be of Chinese origin, exploit telecoms networks in their targeted campaigns. In these cases, the telecoms providers often suffer collateral damage even though they are not directly related to the attack.

Further details on these can be found on Kaspersky Lab’s expert Securelist blog or through a subscription to the Kaspersky APT Threat Intelligence Reporting service.

Unaddressed software vulnerabilities

Despite all the high profile hacks and embarrassing data leaks of the last 12 months, attackers are still breaching telecoms defenses and making off with vast quantities of valuable, personal data. In many cases, attackers are exploiting new or under-protected vulnerabilities.

For example, in 2015, two members of the hacker group Linker Squad gained access to Orange Spain through a company website vulnerable to a simple SQL injection, and stole 10 million items of customer and employee data.

Figure: SQL injection vulnerability on Orange Spain web site

The impact of service misconfiguration

In many cases, the hardware used by the telecommunications industry carries configuration interfaces that can be accessed openly via HTTP, SSH, FTP or telnet.

This means that if the firewall is not configured correctly, the hardware in question becomes an easy target for unauthorized access. The risk presented by publicly exposed GTP/GRX (GPRS Tunneling Protocol/GPRS Roaming Exchange) ports on devices provides a good example of this. As CSPs encrypt the GPRS traffic between the devices and the Serving GPRS Support Node (SGSN), it is difficult to intercept and decrypt the transferred data. However, an attacker can bypass this restriction by searching on Shodan.io for devices with open GTP ports, connecting to them and then encapsulating GTP control packets into the created tunnel.

Table 1. Top 10 countries with GTP/GRX ports exposed to Internet access
The Border Gateway Protocol (BGP) is the routing protocol used to make decisions on routing between autonomous systems.

Acceptance and propagation of routing information coming from other peers can allow an attacker to implement man-in-the-middle (MITM) attacks or cause denial of service.

Any route that is advertised by a neighboring BGP speaker is merged into the routing database and propagated to all the other BGP peers.

Table 2. Top five countries with BGP protocol exposed to Internet access
An example of such an attack took place in March 2015, when Internet traffic for 167 important British Telecom customers, including a UK defense contractor that helps to deliver the country’s nuclear warhead program, was illegally diverted to servers in Ukraine before being passed along to its final destinations.

To reduce the risk of attacks against BGP from unauthorized remote parties, we recommend that companies apply network filtering, allowing only a limited number of authorized peers to connect to BGP services.
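As an added example of the peer-filtering recommendation above, together with the kind of origin-AS and more-specific-prefix check that would expose a diversion like the March 2015 one, the following Python is not Kaspersky Lab's code. The peer addresses, prefixes and AS numbers are constructed from documentation ranges and private-use ASNs, and the Update record is a simplified stand-in for a parsed BGP UPDATE message.

```python
"""Check parsed BGP UPDATEs against a peer allowlist and expected origins.

Added example (not Kaspersky Lab code). Peers, prefixes and ASNs are
constructed: RFC 5737 documentation addresses and private-use ASNs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    peer_ip: str
    prefix: str
    as_path: tuple  # leftmost = neighbour that sent it, rightmost = origin AS


# Only these neighbours may open a BGP session with us, and the AS each must present.
AUTHORIZED_PEERS = {"192.0.2.1": 64501, "192.0.2.2": 64502}

# Prefixes we care about (our own and key customers') and who should originate them.
EXPECTED_ORIGIN = {"198.51.100.0/24": 64500, "203.0.113.0/24": 64500}


def check_update(upd):
    """Return a list of anomaly descriptions for one UPDATE (empty = looks normal)."""
    findings = []
    if upd.peer_ip not in AUTHORIZED_PEERS:
        # The packet filter should have dropped this session; nothing in it is trusted.
        findings.append(f"unauthorized peer {upd.peer_ip}")
        return findings
    if not upd.as_path:
        findings.append("empty AS_PATH")
        return findings
    if upd.as_path[0] != AUTHORIZED_PEERS[upd.peer_ip]:
        findings.append(f"first-hop AS {upd.as_path[0]} does not match peer {upd.peer_ip}")

    origin = upd.as_path[-1]
    net = ipaddress.ip_network(upd.prefix)
    for monitored, expected in EXPECTED_ORIGIN.items():
        mnet = ipaddress.ip_network(monitored)
        if net == mnet and origin != expected:
            # Classic hijack: another AS claims to originate a prefix we monitor.
            findings.append(f"{upd.prefix} originated by AS{origin}, expected AS{expected}")
        elif net != mnet and net.version == mnet.version and net.subnet_of(mnet):
            # A more-specific wins longest-prefix matching even while we still
            # announce the covering prefix, so traffic is silently diverted.
            findings.append(f"more-specific {upd.prefix} of monitored {monitored} announced from AS{origin}")
    return findings


def audit(updates):
    """Run check_update over a batch; return [(prefix, findings)] for anomalous updates."""
    anomalies = []
    for upd in updates:
        findings = check_update(upd)
        if findings:
            anomalies.append((upd.prefix, findings))
    return anomalies


def sample_updates():
    """Constructed batch: one normal announcement and four anomalies."""
    return [
        Update("192.0.2.1", "198.51.100.0/24", (64501, 64500)),          # normal
        Update("192.0.2.1", "198.51.100.0/24", (64501, 64999)),          # wrong origin
        Update("192.0.2.2", "198.51.100.128/25", (64502, 65000, 64999)), # more-specific
        Update("198.51.100.250", "10.0.0.0/8", (65010,)),                # unknown peer
        Update("192.0.2.2", "203.0.113.0/24", (64555, 64500)),           # first-hop mismatch
    ]


if __name__ == "__main__":
    for prefix, findings in audit(sample_updates()):
        print(prefix, "->", "; ".join(findings))
```

The allowlist check is the same decision a router's neighbour filter makes, so an UPDATE from an unlisted address reaching this code means the filter is missing or misconfigured; the origin and more-specific checks are the "anomaly monitoring" part and are where a real deployment would feed in BGP collector data rather than a constructed batch.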

To protect against malicious re-routing and hijacking initiated through authorized autonomous systems, we recommend that they monitor anomalies in BGP communications (this can be done through specialized software solutions or by subscribing to alerts from vendors providing this kind of monitoring).

Vulnerabilities in network devices

Routers and other network devices are also primary targets for attacks against telecommunications companies. In September 2015, FireEye researchers revealed the router malware “SYNful knock”, a combination of leaked privileged (root) credentials and a way of replacing device firmware that targets Cisco 1841, 2811 and 3825 routers (see Cisco advisory here). Put simply, SYNful knock is a modified device firmware image with backdoor access that can replace the original operating system if the attacker has managed to obtain privileged access to the device or can physically connect to it. SYNful knock is therefore not a pure software vulnerability but a combination of leaked privileged credentials and a particular way of replacing device firmware. Still, it is a dangerous way of compromising an organization’s IT infrastructure.

Figure: SYNful knock backdoor sign-in credentials request

Figure: Worldwide distribution of devices with the SYNful knock backdoor

The latest information on the number of potentially compromised devices is available at https://synfulscan.shadowserver.org/stats/. A second Cisco vulnerability, CVE-2015-6389, enables attackers to access some sensitive data, such as the password file, system logs and Cisco PCA database information, and to modify data, run internal executables and potentially make the system unstable or inaccessible.

Cisco Prime Collaboration Assurance Software releases prior to 11.0 are vulnerable.

Follow this Cisco bulletin for remediation actions. For further information on Cisco fixes for its devices see https://threatpost.com/cisco-warning-of-vulnerabilities-in-routers-data-center-platforms/115609. Juniper, another network device manufacturer, has been found to carry vulnerabilities in the operating system for its NetScreen VPN appliances, enabling third-party access to network traffic.

The issue was reported by the vendor in security advisory JSA10713 on December 18th, 2015, along with the release of the patch. It appears that the additional code with a hardcoded password was planted in the source code in late 2013.

The backdoor allows any user to log in with administrator privileges using the hard-coded password “<<< %s(un=’%s’) = %u”. This vulnerability has been identified as CVE-2015-7755 and is considered highly critical. Top countries where ScreenOS devices are used are the Netherlands, the United States, China, Italy and Mexico.

Figure: Juniper ScreenOS-powered devices worldwide

Another Juniper backdoor, CVE-2015-7756, affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 and allows a third party to monitor traffic inside VPN connections due to security flaws in the Dual_EC PRNG algorithm for random number generation.

To protect the organization from misconfiguration and network device vulnerabilities, Kaspersky Lab recommends that companies pay close attention to vulnerabilities in the network services of telecommunication equipment, establish effective vulnerability and configuration management processes, and regularly perform security assessments, including penetration testing for different types of attackers (a remote intruder, a subscriber, a contractor, etc.).

Malicious insiders

Even if you consider your critical systems and devices protected and safe, it is difficult to fully control some attack vectors. People rank at the very top of this list.

Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness. While insider-assisted attacks are uncommon, the impact of such attacks can be devastating as they provide a direct route to the most valuable information. Examples of insider attacks in recent years include:

- A rogue telecoms employee leaking 70 million prison inmate calls, many breaching client-attorney privilege.
- An SMS center support engineer who had intercepted messages containing OTP (One-Time Passwords) for the two-step authentication required to log in to customer accounts at a popular fintech company. The engineer was found to be freely offering his services on a popular DarkNet forum.

For attackers, infiltrating the networks of ISPs and CSPs requires a certain level of experience – and it is often cheaper and easier to stroll across the perimeter with the help of a hired or blackmailed insider.

Cybercriminals generally recruit insiders through two approaches: enticing or coercing individual employees with relevant skills, or trawling around underground message boards looking for an appropriate employee or former employee. Employees of cellular service providers are in demand for fast-track access to subscriber and company data or SIM card duplication/illegal reissuing, while staff working for Internet service providers are needed for network mapping and man-in-the-middle attacks. A particularly promising and successful attack vector for recruiting an insider for malicious intrusion is blackmail. Data breaches, such as the 2015 Ashley Madison leak, reveal information that attackers can compare with other publicly available information to track down where people work and compromise them accordingly. Very often, these leaked databases contain corporate email addresses, including those of telecommunication companies. Further information on the emerging attack vectors based on the harvesting of Open Source Intelligence (OSINT) can be obtained using Kaspersky Lab’s customer-specific Intelligence Reporting services.

Threats targeting CSP/ISP subscribers

Overview

Attacks targeting the customers of cloud and Internet service providers remain a key area of interest for cybercriminals. We’ve revealed a number of malware activities and attack techniques based on internal information and incidents that were caught in our scope.

As a result of analyzing this data the following main threats were identified:

- Obtaining subscribers’ credentials. This is growing in appeal as consumers and businesses undertake ever more activity online and particularly on mobile. Further, security levels are often intentionally lowered on mobile devices in favor of usability, making mobile attacks even more attractive to criminals.

- Compromising subscribers’ devices. The number of mobile malware infections is on the rise, as is the sophistication and functionality of the malware. Experienced and skilled programmers are now focusing much of their attention on mobile – looking to exploit payment services as well as low-valued assets like compromised Instagram or Uber accounts, collecting every piece of data from the infected devices.

- Compromising small-scale telecoms cells used by consumers and businesses. Vulnerabilities in CSP-provided femtocells allow criminals to compromise the cells and even gain access to the entire cloud provider’s network.

- Successful Proof-Of-Concept attacks on USIM cards. Recent research shows that the cryptography of 3G/4G USIM cards is no longer unbreakable. Successful attacks allow SIM card cloning, call spoofing and the interception of SMS.

Social engineering, phishing and other ways in

Social engineering and phishing remain popular activities and they continue to evolve and improve, targeting unaware or poorly aware subscribers and telecoms employees. The attackers exploit trust and naivety.
In 2015, the TeamHans hacker group penetrated one of Canada’s biggest communications groups, Rogers, simply by repeatedly contacting IT support and impersonating mid-ranking employees, in order to build up enough personal information to gain access to the employee’s desktop.

The attack provided hackers with access to contracts with corporate customers, sensitive corporate e-mails, corporate employee IDs, documents, and more. Both social engineering and phishing approaches are worryingly successful.

The Data Breach Investigations Report 2016 found that 30% of phishing emails were opened, and that 12% clicked on the malicious attachment – with the entire process taking, on average, just 1 minute and 40 seconds. Social engineers and phishers also use multiple ways to increase the apparent authenticity of their attacks, enriching their data with leaked profiles, or successfully impersonating employees or contractors. Recently criminals have successfully stolen tens of thousands of euros from dozens of people across Germany after finding a way around systems that text a code to confirm transactions to online banking users.

After infecting their victims with banking malware and obtaining their phone numbers, they called the CSP’s support and, impersonating a retail shop, asked for a new SIM card to be activated, thus gaining access to the OTPs (One-Time Passwords) or “mTANs” used for two-factor authentication in online banking. Kaspersky Lab recommends that telecommunications providers implement notification services for financial organizations that alert them when a subscriber’s SIM card has been changed or when personal data is modified. Some CSPs have also implemented a threat exchange service to inform financial industry members when a subscriber’s phone is likely to have been infected with malware.

Vulnerable kit

USBs, modems and portable Wi-Fi routers remain high-risk assets for subscribers, and we continue to discover multiple vulnerabilities in their firmware and user interfaces.

These include:

- Vulnerabilities in web interfaces designed to help consumers configure their devices. These can be modified to trick a user into visiting a specially crafted page.

- Vulnerabilities that result from insufficient authentication. These can allow for the modification of device settings (like DNS server addresses), and the interception, sending and receiving of SMS messages, or USSD requests, by exploiting different XSS and CSRF vulnerabilities.

- RCE (Remote Code Execution) vulnerabilities based on different variants of embedded Linux that can enable firmware modification and even a complete remote compromise.

- Built-in “service” backdoors allowing no-authentication access to device settings.

Examples of these kinds of vulnerabilities were demonstrated in research by Timur Yunusov from the SCADAStrangeLove team. The author assessed a number of 3G/4G routers from ZTE, Huawei, Gemtek and Quanta. He reported a number of serious vulnerabilities:

- Remote Code Execution from web scripts.
- Arbitrary device firmware modification due to insufficient consistency checks.
- Cross Site Request Forgery and Cross Site Scripting attacks.

All these vectors can be used by an external attacker for the following scenarios:

- Infecting a subscriber’s computer via PowerShell code or a badUSB attack.
- Traffic modification and interception.
- Subscriber account access and device settings modification.
- Revealing subscriber location.
- Using device firmware modification for APT attack persistence.

Most of these issues exist due to web interface vulnerabilities (like insufficient input validation or CSRF) or modifications made by the vendor during the process of branding its devices for a specific telecommunications company.

The risk of local cells

Femtocells, which are essentially a personal NodeB with an IP network connection, are growing in popularity as an easy way to improve signal coverage inside buildings.
Small business customers often receive them from their CSPs. However, unlike core systems, they are not always submitted to suitably thorough security audits.

Figure: Femtocell connection map

Over the last year, our researchers have found a number of serious vulnerabilities in such devices that could allow an attacker to gain complete control over them.

Compromising a femtocell can lead to call interception, service abuse and even illegal access to the CSP’s internal network. At the moment, a successful attack on a femtocell requires a certain level of engineering experience, so risks remain low – but this is likely to change in the future.

USIM card vulnerabilities

Research presented at BlackHat USA in 2015 revealed successful attacks on USIM card security. USIMs had previously been considered unbreakable thanks to the AES-based MILENAGE algorithm used for authentication.

The researchers conducted differential power analysis for encryption key and secret extraction, which allowed them to clone the new generation of 3G/4G SIM cards from different manufacturers.

Figure: Right byte guess peak on differential power analysis graph

Conclusion

Telecommunications is a critical infrastructure and needs to be protected accordingly.

The threat landscape shows that vulnerabilities exist on many levels: hardware, software and human, and that attacks can come from many directions.

Telecoms providers need to start regarding security as a process – one that encompasses threat prediction, prevention, detection, response and investigation. A comprehensive, multi-layered security solution is a key component of this, but it is not enough on its own.
It needs to be complemented by collaboration, employee education and shared intelligence. Many telecommunications companies already have agreements in place to share network capability and capacity in the case of disruption, and now is the time to start reaping the benefit of shared intelligence. Our Threat Intelligence Reporting services can provide customer-specific insight into the threats facing your organization.
If you’ve ever wondered what your business looks like to an attacker, now’s the time to find out.

Contact us at intelligence@kaspersky.com

How Machine Learning For Behavior Analytics & Anomaly Detection Speeds Mitigation

By relying on artificial intelligence to identify suspicious network activity or behavior, machine learning can adapt to both business needs and new threats. Businesses and organizations are under heavier fire than usual from cyberattacks, with 57% of CIOs and CISOs reporting at least one significant cybersecurity incident at their companies. Whether the attacks resulted from unaware employees (55%), unauthorized access (54%), or malware (52%), security decision-makers have opted to increase their security budgets to adopt new technologies and cybersecurity defenses. Business-centric machine learning for behavior analytics and anomaly detection should be adopted by any organization focused on faster detection and mitigation to prevent advanced persistent threats (APTs) from significantly impacting their business.

Bitdefender has been developing and using patented machine-learning algorithms since 2009, constantly tweaking and improving them to proactively detect new and never-before-seen malware.

Your Enterprise Network Is Predictable

Starting from the premise that your enterprise network is predictable, deploying behavior analytics technologies requires first observing and learning your organization’s network behavior.

Afterward, anything new or out of the ordinary that doesn’t respect the learned behavior will be reported to IT managers. However, it’s important to note that you can use these technologies for either spotting new processes that are suspicious for that network, or spotting behavior that’s abnormal.

For example, after training, machine learning can create a prediction database that will contain all known applications currently deployed in your organization. What happens to the prediction database when a company’s deployed application is updated, after the training process is completed? That’s when adaptation to variation from the baseline kicks in and machine learning flexes its muscles. When the updated application runs for the first time, the machine-learning detection module checks if the prediction database contains the launched application. If a perfect match isn’t found, it will apply a similarity factor that statistically estimates the chances for the unknown application to be similar to something the database already has. If that similarity percentage passes a specific threshold, the application is considered trusted and the prediction database is updated. If the similarity score is below the threshold, the application is quarantined and the IT administrator is notified.

Application Profiling with Machine Learning

Profiling applications with machine learning requires the use of various algorithms such as binary decision trees, neural networks, and genetic algorithms, but it all starts with building a model that can be used for accurate detection.

Because a model is actually an automatically generated mathematical equation that satisfies a set of conditions known to be associated with a malicious file, its purpose is to statistically estimate the chances that an unknown or never-before-seen file is malicious. Neural networks are among the most commonly used types of machine-learning algorithms, as they can extract file characteristics into features -- file form, emulator information, and compiler type, among others -- and normalize those features into numbers. Of course, not all features are used to train a model, but just a subset of them can actually yield highly accurate results.

All these features are placed in N-dimensional matrixes, where N represents the number of features, and then they generate highly complex equations (or models) that accurately identify unknown samples as malicious or not, based on whether the equation is met. Put another way, if an unknown file reaches an organization’s perimeter and ends up being fed into a machine-learning algorithm that uses such models, the file is tested on whether it resolves a series of mathematical equations known to be resolved only by malicious files or applications. Is Machine Learning Reliable in Business Environments?If the average user displays an unpredictable behavior in his or her online and PC activities, the business environment -- from network traffic to endpoint activity -- is pretty much predictable, and therefore a baseline can be performed. Machine learning can sniff through large amounts of data and make an “educated” -- or statistically accurate -- guess on whether something abnormal is going on. While training the machine model may take some time, the resulted expression (or equation, as previously referred to) is usually just a couple of kilobytes in size, meaning that it’s really fast to compute and has a very low memory footprint. Naturally, having more models specifically trained to analyze specific behaviors is always recommended, as they can cover a wide array of potential attack vectors, warning security teams of impending and potential security threats. The merging of human and machine learning is vital in training accurate machine-learning models, and organizations have a lot more to gain by working with technology security companies that have been actively involved in machine-learning development for years. Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. 
Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ...

Where Cybercriminals Go To Buy Your Stolen Data

What malicious sites provide both free and paid access to stolen credit cards, company databases, malware and more?

With nothing more than a standard Web browser, cybercriminals can find personal, private information all over the public Internet.
It isn't just legitimate services - from genealogy sites to public records and social media - that can be mined and exploited for nefarious purposes. Openly malicious criminal activities are also happening on the public Internet.  True, much of the cybercrime underground consists of private and established communities that don't appear in a normal search engine and are not accessible by regular users without special authorization. However, according to the team at identity protection and fraud detection provider CSID, there are different levels of cybercriminal resources - and not all are so tightly protected.

The quality and quantity of the more easily accessible forums are still high, say the CSID team, and anyone can access content such as stolen credit cards, cyberattack tools, and even advanced malware, which can be leveraged with minimal technical know-how required. Adam Tyler, chief innovation officer at CSID, describes how black-market organizations are becoming more like traditional online businesses we visit and buy from every day. “For example," he says, "many sites now have their own Facebook, Twitter and even YouTube pages to advise their member base on new attacks and tools that are available.” Data sold on criminal marketplaces “age quickly, meaning that once the information is stolen, it has to be used for fraudulent purposes quickly,” says Christopher Doman, consulting analyst at Vectra Networks. “The more times the information is abused for fraud, the more the information will be devalued.” “Companies should have these marketplaces monitored, looking for trends in data breaches and attacks as well as to see if any of their data has been compromised,” says Carefree Solutions’s CEO Paul San Soucie. “One point that I’m not sure is evident is that there is more public and Dark Web research than any one IT person can handle. Researching and absorbing this information requires significant training and experience.

Even large US banks that have dedicated security staff are not able to do some of the research and analysis that specialized reconnaissance teams can perform.” San Soucie nevertheless suggests treading carefully when doing this research. "While you can get to most of these sites using standard https, I still consider them dark and strongly recommend accessing them via a VPN as both criminal and government sources track access in some cases.” Read on for a collection of some of the popular sites where private data, credentials, and attack tools are up for sale, or even for free download. Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with articles published globally covering security management, cloud computing, enterprise mobility, governance, risk, and compliance—with a focus on specialized industries such as ...

Malware-Ridden Word Docs Lead To Microsoft Alert Blurt

Microsoft has taken the trouble to warn Windows users about an attack that takes what trust people have left in the software and throws it out of the window. The firm explained that the problem involves macros and the use of social engineering. People are tricked into downloading and then enabling malicious content that ultimately leads to trouble when they innocently use Word.

"Attackers have been using social engineering to avoid the increasing costs of exploitation due to the significant hardening and exploit mitigation investments in Windows," said the firm in a Microsoft TechNet blog post suggesting that this is a cheap shot by hackers. "Tricking a user into running a malicious file or malware can be cheaper for an attacker than building an exploit which works on Windows 10. We recently came across a threat that uses the same social engineering trick but delivers a different payload."

Microsoft explained that the payload's primary purpose is to change a user's browser Proxy Server setting, which could result in the theft of authentication credentials or other sensitive information. "We detect this JScript malware as Trojan:JS/Certor.A. What's not unique is that the malware gets into the victim's computer when the victim clicks the email attachment from a spam campaign," the post said. Microsoft added that people really ought not to click on links from people or outfits that they do not know or trust.

This is good, if perhaps hoary and often ignored, advice. "To avoid attacks like we have just detailed, it is recommended that you only open and interact with messages from senders and websites that you recognise and trust," explained the firm. "For added defence-in-depth, you can reduce the risk from this threat by following [our] guidance to adjust the registry settings to help prevent OLE Embedded Objects executing altogether or running without your explicit permission." Just don't click untrusted links, people.

Wildfire, the ransomware threat that takes Holland and Belgium hostage

While ransomware is a global threat, every now and then we see a variant that targets one specific region.

For example, the Coinvault malware had many infections in the Netherlands, because the authors posted malicious software on Usenet and Dutch people are particularly fond of downloading things over Usenet.

Another example is the recent Shade campaign, which mostly targets Russia and the CIS. Today we can add a new one to the list: Wildfire.

Infection vector

Wildfire spreads through well-crafted spam e-mails.

A typical spam e-mail mentions that a transport company failed to deliver a package.
To schedule a new delivery, the recipient is asked to make a new appointment by filling in a form, which has to be downloaded from the transport company’s website. Three things stand out here.

First, the attackers registered a Dutch domain name, something we do not see very often.
Second, the e-mail is written in flawless Dutch.

And third, they actually put the address of the targeted company in the e-mail.

This is something we do not see very often, and it makes it difficult for the average user to see that this is not a benign e-mail. However, when we look at who registered the domain name, we immediately see that something is suspicious: the registration date (a few days before the spam campaign started), as well as the administrative contact person, look very suspicious.

The Word document

After the user has downloaded and opened the Word document, the following screen is shown: Apparently the document has some macros containing pieces of English text which clearly show the intent of the attackers (actually it is the lyrics of the famous Pink Floyd song Money), but it also has several variables in the Polish language.

The ransomware itself

The macros download and execute the actual Wildfire ransomware, which in the case we analyzed consists of the following three files: Usiyykssl.exe; Ymkwhrrxoeo.png; Iesvxamvenagxehdoj.xml. The exe file is an obfuscated .NET executable that depends on the other two files.

This is very similar to the Zyklon ransomware, which also consists of three files.

Another similarity is that, according to some sources (http://www.bleepingcomputer.com/forums/t/611342/zyklon-locker-gnl-help-topic-locked-and-unlock-files-instructionshtml/, http://www.bleepingcomputer.com/forums/t/618641/wildfire-locker-help-topic-how-to-unlock-files-readme-6de99ef7c7-wflx/), Wildfire, GNLocker and Zyklon mainly target the Netherlands.
In addition, the ransom notes of Wildfire and Zyklon look quite similar.

Also note that Wildfire and Zyklon increase the amount you have to pay three-fold if you don’t pay within the specified amount of time. Anyway, back to Wildfire.

The binary is obfuscated, meaning that, when no deobfuscator is available, reversing and analyzing it can take a lot of time.

Therefore we decided to run it and see what happens. Just as we hoped, this made things a bit easier, because after a while Usiyykssl.exe launched Regasm.exe, and when we looked into the memory of Regasm.exe, we clearly saw that some malicious code had been injected into it. Dumping it gave us the binary of the actual Wildfire malware. Unfortunately for us, this binary is also obfuscated, this time with Confuserex 0.6.0.

Even though it is possible to deobfuscate binaries obfuscated with Confuserex, we decided to skip that for now. Why? Well, it takes a bit of time, and because we were working together with the police on this case, we had something much better in our hands: the botnetpanel code!

Inside the botnetpanel code

When you are infected with Wildfire, the malware calls home to the C2 server, where information such as the IP, username, rid and country is stored.

The botnetpanel then checks whether the country is one of the blacklisted countries (Russia, Ukraine, Belarus, Latvia, Estonia and Moldova).
It also checks whether the “rid” exists within a statically defined array (we therefore expect the rid to be an affiliate ID). If the rid is not found, or you live in one of the blacklisted countries, the malware terminates and you won’t get infected. Each time the malware calls home, a new key is generated and added to the existing list of keys.

The same victim can thus have multiple keys.

Finally the botnetpanel returns the bitcoin address to which the victim should pay, and the cryptographic key with which the files on the victim’s computer are encrypted. We don’t quite understand why a victim can have multiple keys, especially since the victim only has one bitcoin address. Also interesting is the encryption scheme.
It uses AES in CBC mode but the key and the IV are both derived from the same key.
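To show concretely what a key-derived IV gives away, here is an added example written for this report; it is not Wildfire’s code and not from the original write-up. It uses a small Feistel block cipher as a stand-in for AES (the mode, not the cipher, is what matters here), so it runs with the Python standard library only. The IV derivation (SHA-256 of the key, truncated to one block) is an assumption, since the write-up does not say how Wildfire derives its IV; the key and the two “files” are constructed sample data. With an IV that is a function of the key alone, every file encrypted under a victim’s key starts from the same chaining value, so files that share a header produce identical first ciphertext blocks and encrypting the same file twice gives the same ciphertext; a fresh random IV per file removes both leaks.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, the same as AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed hash of (round number, half block), truncated to one 8-byte half.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel network over one 16-byte block.

    Teaching stand-in for AES (assumption: the CBC mode, not the block cipher,
    is what the IV weakness is about). CBC behaves the same on top of either."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: run the rounds backwards."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_function(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C_i = E_k(P_i XOR C_{i-1}) with C_0 = IV."""
    prev, out = iv, bytearray()
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(toy_decrypt_block(key, block), prev)
        prev = block
    return pkcs7_unpad(bytes(out))


# --- Two IV policies -------------------------------------------------------

def derived_iv(key: bytes) -> bytes:
    # The weak policy the write-up describes: the IV is a function of the key alone.
    # Wildfire's real derivation is not given; SHA-256 truncation is an assumption.
    return hashlib.sha256(key).digest()[:BLOCK]


def random_iv(key: bytes) -> bytes:
    # The correct policy: a fresh unpredictable IV per file, independent of the key.
    return os.urandom(BLOCK)


def encrypt_file(key: bytes, plaintext: bytes, iv_policy) -> tuple:
    """Encrypt one file under the chosen IV policy; returns (iv, ciphertext)."""
    iv = iv_policy(key)
    return iv, cbc_encrypt(key, iv, plaintext)


def first_blocks_equal(key: bytes, doc_a: bytes, doc_b: bytes, iv_policy) -> bool:
    """Would an observer see identical first ciphertext blocks for two files that
    share a 16-byte prefix? With a key-derived IV the answer is always yes."""
    _, ct_a = encrypt_file(key, doc_a, iv_policy)
    _, ct_b = encrypt_file(key, doc_b, iv_policy)
    return ct_a[:BLOCK] == ct_b[:BLOCK]


# Constructed sample data: one per-victim key and two "files" sharing a header.
VICTIM_KEY = b"constructed-key!"            # 16 bytes, stand-in for a panel-issued key
HEADER = b"%PDF-1.7 header "                # exactly one block, common to both files
DOC_A = HEADER + b"invoice for the third quarter"
DOC_B = HEADER + b"payroll export, do not distribute"

if __name__ == "__main__":
    for name, policy in (("key-derived IV", derived_iv), ("random IV", random_iv)):
        same = first_blocks_equal(VICTIM_KEY, DOC_A, DOC_B, policy)
        print(f"{name:15s}: first ciphertext blocks equal = {same}")
    iv, ct = encrypt_file(VICTIM_KEY, DOC_A, derived_iv)
    print("round trip ok:", cbc_decrypt(VICTIM_KEY, iv, ct) == DOC_A)
```

Run it and the key-derived policy reports identical first blocks while the random-IV policy does not; the decryption round trip shows that the random IV costs nothing in correctness, since it is simply stored next to the ciphertext. The same check is a quick way to audit any CBC implementation: encrypt two messages with a shared prefix under one key and compare the first blocks.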

This doesn’t add much security and defeats the sole purpose of having an IV in the first place.

Conclusion

Even though Wildfire is a local threat, it still shows that ransomware is effective and evolving.
In less than a month we observed more than 5700 infections, and 236 users paid a total of almost 70,000 euros.

This is also because the spam e-mails are getting better and better. We therefore advise users to: be very suspicious when opening e-mails; not enable Word macros; always keep their software up to date; turn on Windows file extensions; create offline backups (or online backups with unlimited revisions); turn on the behavioral analyzer of their AV. A decryption tool for Wildfire can be downloaded from the nomoreransom.org website. P.S. The attackers agree with us on some points:

How Trojans manipulate Google Play

For malware writers, Google Play is the promised land of sorts. Once there, a malicious application gains access to a wide audience, gains the trust of that audience and experiences a degree of leniency from the security systems built into operating systems. On mobile devices, users typically cannot install applications coming from sources other than the official store, meaning this is a serious barrier for an app with malicious intent. However, it is far from easy for the app to get into Google Play: one of the main conditions for it is to pass a rigorous check for unwanted behavior by different analysis systems, both automatic and manual. Some malware writers have given up on their efforts to push their malicious creations past security checks, and instead learned how to use the store’s client app for their unscrupulous gains. Lately, we have seen many Trojans use the Google Play app during promotion campaigns to download, install and launch apps on smartphones without the owners’ knowledge, as well as leave comments and rate apps.

The apps installed by the Trojan do not typically cause direct damage to the user, but the victim may have to pay for the created excessive traffic.
In addition, the Trojans may download and install paid apps as if they were free ones, further adding to the users’ bills. Let us look at how such manipulations of Google Play happen.

Level 1. N00b

The first method is to make the official Google Play app store client undertake the actions the cybercriminal wants.

The idea is to use the Trojan to launch the client, open the page of the required app in it, and then use special code to find and interact with the interface elements (buttons) that trigger the download, installation and launch of the application.

The misused interface elements are outlined with red boxes in the screenshots below: The exact methods of interaction with the interface vary.
In general, the following techniques may be identified: use of the Accessibility services of the operating system (used by modules in Trojan.AndroidOS.Ztorg); imitation of user input (used by Trojan-Clicker.AndroidOS.Gopl.c); code injection into the process of the Google Play client to modify its operation (used by Trojan.AndroidOS.Iop). To see how such Trojans operate, let us look at the example of Trojan.AndroidOS.Ztorg.n.

This malicious program uses Accessibility services originally intended to create applications to help people with disabilities, such as GUI voice control apps.

The Trojan receives a job from the command and control server (C&C) which contains a link to the required application, opens it in Google Play, and then launches the following code: This code is needed to detect when the required interface element appears on the screen, and to emulate the click on it.

This way, the following buttons are clicked in a sequence: “BUY” (the price is shown in the button), “ACCEPT” and “CONTINUE”.

This is sufficient to purchase the app, if the user has a credit card with a sufficient balance connected to his/her Google account.

Level 2. Pro

Some malware writers take roads less traveled.
Instead of using the easy and reliable way described above, they create their own client for the app store using its HTTPS API. The difficult part about this approach is that the operation of the self-made client requires information (e.g. user credentials and authentication tokens) which is not available to a regular app. However, the cybercriminals are very fortunate that all the required data are stored on the device in clear text, in the convenient SQLite format.

Access to the data is restricted by the Android security model; however, apps may circumvent it, e.g. by rooting the device and thus gaining unlimited access. For example, some versions of Trojan.AndroidOS.Guerrilla.a have their own client for Google Play, which is distributed with the help of the rooter Leech.

This client successfully fulfils the task of downloading and installing free and paid apps, and is capable of rating apps and leaving comments in the Google store. After launch, Guerrilla starts to collect the following required information: The credentials to the user’s Google Play account. Activities in Google Play require special tokens that are generated when the user logs in. When the user is already logged in to Google Play, the Trojan can use the locally cached tokens.

They can be located with a simple search of the database at /data/system/users/0/accounts.db: With the help of the code below, the Trojan checks whether there are ready tokens on the infected device, i.e. whether the user has logged in and can perform activities in Google Play: If no such tokens are available, the Trojan obtains the user’s username and hashed password, and authenticates via OAuth: Android_id is the device’s unique ID. Google Service Framework ID is the device’s identifier across Google services. First, the Trojan attempts to obtain this ID using regular methods.
If these fail for whatever reason, it executes the following code: Google Advertising ID is the unique advertising ID provided by Google Play services. Guerrilla obtains it as follows: In a similar way, the Trojan obtains hashed data about the device from the file “/data/data/com.google.android.gms/shared_prefs/Checkin.xml”. When the Trojan has collected the above data, it begins to receive tasks to download and install apps.

Below is the structure of one such task: The Trojan downloads the application by sending POST requests using the links below: https://android.clients.google.com/fdfe/search: a search is undertaken for the request sent by the cybercriminals.

This request is needed to simulate the user’s interaction with the Google Play client (the main scenario of installing apps from the official client presupposes that the user first performs a search request and only then visits the app’s page).
https://android.clients.google.com/fdfe/details: with this request, additional information needed to download the app is collected.
https://android.clients.google.com/fdfe/purchase: the token and purchase details are downloaded, to be used in the next request.
https://android.clients.google.com/fdfe/delivery: the Trojan receives the URL and the cookies required to download the Android application package (APK) file.
https://android.clients.google.com/fdfe/log: the download is confirmed (so that the download counter is incremented).
https://android.clients.google.com/fdfe/addReview: the app is rated and a comment is added.
When creating the requests, the cybercriminals attempted to simulate as accurately as possible the equivalent requests sent by the official client.

For example, the set of HTTP headers below is used in each request: After the request is executed, the app may (optionally) be downloaded, installed (using the command ‘pm install -r’, which allows applications to be installed without the user’s consent) and launched.

Conclusion

The Trojans that use the Google Play app to download, install and launch apps from the store to a smartphone without the device owner’s consent are typically distributed by rooters, i.e. malicious programs which have already gained the highest possible privileges on the device.
It is this particular fact that allows them to launch such attacks on the Google Play client app. This type of malicious program poses a serious threat: in Q2 2016, different rooters occupied more than half of the Top 20 of mobile malware.

Moreover, rooters can download not only malicious programs that compromise the Android ecosystem and spend the user’s money on purchasing unnecessary paid apps, but other malware as well.

Machine Learning In Cybersecurity Warrants A Silver Shotgun Shell Approach

When protecting physical or virtual endpoints, it's vital to have more than one layer of defense against malware.

Cybersecurity is arguably the most rapidly evolving industry, driven by the digitalization of services, our dependency on Internet-connected devices, and the proliferation of malware and hacking attempts in search of data and financial gain. More than 600 million malware samples currently stalk the Internet, and that’s just the tip of the iceberg in terms of cyber threats. Advanced persistent threats, zero-day vulnerabilities and cyber espionage cannot be identified and stopped by traditional signature-based detection mechanisms.

Behavior-based detection and machine learning are just a few technologies in the arsenal of some security companies, with the latter considered by some as the best line of defense.

What is Machine Learning?

The simplest definition is that it’s a set of algorithms that can learn by themselves.

Although we’re far from achieving anything remotely similar to human-level capabilities – or even consciousness – these algorithms are pretty handy when properly trained to perform a specific repetitive task. Unlike humans, who tire easily, a machine learning algorithm doesn’t complain and can go through far more data in a short amount of time. The concept has been around for decades, starting with Arthur Samuel in 1959, and at its core is the drive to overcome static programming instructions by enabling an algorithm to make predictions and decisions based on input data.

Consequently, the training data used by the machine learning algorithm to create a model is what makes the algorithm output statistically correct.

The expression “garbage in, garbage out” is widely used to express that poor-quality input produces incorrect or faulty output in machine learning algorithms.

Is There a Single Machine Learning Algorithm?

While the term is loosely used across all fields, machine learning is not an algorithm per se, but a field of study.

The various types of algorithms take different approaches towards solving some really specific problems, but it’s all just statistics-based math and probabilities.

Decision trees, neural networks, deep learning, genetic algorithms and Bayesian networks are just a few approaches to developing machine learning algorithms that can solve specific problems. Machine learning is commonly broken down by the types of problems and tasks the algorithms try to solve, and by the methods used to solve them.
Supervised learning is one such method: the algorithm is trained to learn a general rule from examples of inputs and desired outputs. Unsupervised learning and reinforcement learning are also commonly used in cybersecurity, enabling the algorithm to discover hidden patterns in data for itself, or to dynamically interact with malware samples to achieve a goal (e.g. malware detection) based on feedback in the form of penalties and rewards.

Is Machine Learning Enough for Cybersecurity?

Some security companies argue that machine learning technologies are enough to identify and detect all types of attacks on companies and organizations. Regardless of how well trained an algorithm is, though, there is a chance it will “miss” some malware samples or behaviors.

Even among a large set of machine learning algorithms, each trained to identify a specific malware strain or a specific behavior, chances are that one of them could miss something. This silver shotgun shell approach to security-centric machine learning algorithms is definitely the best implementation, as more task-oriented algorithms are not only more accurate and reliable, but also more efficient.
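As an added example, not from the article or from Bitdefender, the following Python sketch puts both ideas into working code: the feature matrix and the fitted “equation” from the earlier section (each model is a logistic regression whose weight vector is learned by gradient descent, and an unknown file is flagged when its features satisfy that equation), and the silver shotgun shell of several task-specific models from this section. The feature set, the sample values and the two behaviours (a packed-dropper profile and a suspicious-import profile) are constructed for illustration and are not real measurements.

```python
import math

# Constructed sample set (not from the article). Each row is one file's feature
# vector plus the family it belongs to. With N = 4 features the rows form the
# N-dimensional matrix the article describes. Features, scaled to roughly 0..1:
#   f0: mean section entropy / 8   (packed or encrypted payloads score high)
#   f1: writable+executable section present (1) or not (0)
#   f2: number of imported functions / 200
#   f3: share of imports that are process-injection or networking related
SAMPLES = [
    # (f0,   f1,  f2,   f3),   family
    ((0.55, 0.0, 0.60, 0.05), "benign"),
    ((0.60, 0.0, 0.45, 0.10), "benign"),
    ((0.50, 0.0, 0.80, 0.00), "benign"),
    ((0.65, 0.0, 0.30, 0.15), "benign"),
    ((0.58, 0.0, 0.70, 0.08), "benign"),
    ((0.62, 0.0, 0.55, 0.12), "benign"),
    ((0.95, 1.0, 0.05, 0.20), "packed"),   # packed dropper: few visible imports
    ((0.92, 1.0, 0.10, 0.30), "packed"),
    ((0.97, 1.0, 0.02, 0.10), "packed"),
    ((0.60, 0.0, 0.40, 0.85), "rat"),      # unpacked RAT: ordinary entropy, bad imports
    ((0.57, 0.0, 0.50, 0.92), "rat"),
    ((0.63, 0.0, 0.35, 0.80), "rat"),
    ((0.59, 0.0, 0.55, 0.82), "rat"),
]


class LogisticModel:
    """One 'equation': p = sigmoid(w . x + b), fitted by gradient descent on the
    logistic loss. Only the columns in feature_idx are used, so each model can
    specialise on the features that matter for one behaviour."""

    def __init__(self, feature_idx):
        self.feature_idx = tuple(feature_idx)
        self.w = [0.0] * len(self.feature_idx)
        self.b = 0.0

    def _view(self, x):
        return [x[i] for i in self.feature_idx]

    def score(self, x):
        """Probability that x is malicious according to this model's equation."""
        z = self.b + sum(wi * xi for wi, xi in zip(self.w, self._view(x)))
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, rows, lr=1.0, epochs=3000):
        n = len(rows)
        for _ in range(epochs):
            grad_w = [0.0] * len(self.w)
            grad_b = 0.0
            for x, y in rows:
                err = self.score(x) - y          # d(loss)/dz for the logistic loss
                for j, xj in enumerate(self._view(x)):
                    grad_w[j] += err * xj
                grad_b += err
            self.w = [wj - lr * gj / n for wj, gj in zip(self.w, grad_w)]
            self.b -= lr * grad_b / n
        return self


def train_behaviour_models():
    """Supervised learning: each model sees the benign examples plus the examples
    of the one behaviour it is meant to recognise, and learns its own rule."""
    benign = [(x, 0) for x, fam in SAMPLES if fam == "benign"]
    packed = [(x, 1) for x, fam in SAMPLES if fam == "packed"]
    rat = [(x, 1) for x, fam in SAMPLES if fam == "rat"]
    return {
        "packed": LogisticModel((0, 1)).fit(benign + packed),           # entropy, W+X
        "suspicious_imports": LogisticModel((2, 3)).fit(benign + rat),  # import profile
    }


def classify(models, x, threshold=0.5):
    """Silver shotgun shell: every specialised model fires at the unknown sample;
    the names of the models that hit are returned (empty list = no alert)."""
    return [name for name, m in models.items() if m.score(x) >= threshold]


if __name__ == "__main__":
    models = train_behaviour_models()
    unseen = {  # constructed files the models have not been trained on
        "packed_dropper": (0.96, 1.0, 0.03, 0.15),
        "unpacked_rat":   (0.59, 0.0, 0.45, 0.86),
        "clean_tool":     (0.57, 0.0, 0.55, 0.08),
    }
    for name, x in unseen.items():
        print(f"{name:15s} -> {classify(models, x) or ['clean']}")
```

Running it trains the two specialists and classifies three unseen files: the packed dropper is caught by the packing model, the unpacked RAT slips past that model (its entropy and section layout look like the benign samples) but is caught by the import-profile model, and the clean tool is flagged by neither. That is the point of the ensemble: each model’s equation describes one region of feature space, and a sample only has to fall into one of them to raise an alert.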

But the idea that that’s all cybersecurity should be about is a misconception. When protecting physical or virtual endpoints, it’s vital to have more layers of defense against malware.

Behavior-based detection that monitors processes and applications throughout their entire execution lifetime, web filtering and application control are vital in covering all possible attack vectors that could compromise a system.

Liviu Arsene is a senior e-threat analyst for Bitdefender.

Introducing Deep Learning: Boosting Cybersecurity With An Artificial Brain

With nearly the same speed and precision with which the human eye can identify a water bottle, the technology of deep learning is enabling the detection of malicious activity at the point of entry in real time.

Editor’s Note: Last month, Dark Reading editors named Deep Instinct the most innovative startup in its first annual Best of Black Hat Innovation Awards program at Black Hat 2016 in Las Vegas.

For more details on the competition and other results, read Best Of Black Hat Innovation Awards: And The Winners Are.

It’s hot outside and you’re thirsty.

As you reach for a water bottle, you don’t pause to analyze its material, size or shape in order to determine whether it’s a water bottle.
Instead, you immediately reach for it, with complete confidence in its identification. If I show the same water bottle to any traditional computer vision module, it will easily recognize it.
If I partially obstruct the image with my fingers, then traditional computer vision modules will have difficulty recognizing it.

But, if I apply an advanced form of artificial intelligence that is called deep learning, which is resistant to small changes and can generalize from partial data, it would be very easy for the computer vision module to correctly recognize the water bottle, even when most of the image is obstructed. Deep learning, also known as neural networks, is “inspired” by the brain’s ability to learn to identify objects.

Take vision as an example. Our brain can process raw data derived from our sensory inputs and learn the high-level features all on its own.
Similarly, in deep learning, raw data is fed through the deep neural network, which learns to identify the object on which it is trained. Machine learning, on the other hand, requires manual intervention in selecting which features to process through the machine learning modules.

As a result, the process is slower and accuracy can be affected by human error.

Deep learning's more sophisticated, self-learning capability results in higher accuracy and faster processing. Similar to image recognition, in cybersecurity, more than 99% of new threats and malware are actually very small mutations of previously existing ones.

Even the remaining 1% of supposedly brand-new malware consists of rather substantial mutations of existing malicious threats and concepts.

But, despite this fact, cybersecurity solutions -- even the most advanced ones that use dynamic analysis and traditional machine learning -- have great difficulty in detecting a large portion of this new malware.

The result is vulnerabilities that leave organizations exposed to data breaches, data theft, seizure by ransomware, data corruption, and destruction. We can solve this problem by applying deep learning to cybersecurity.

The history of malware detection in a nutshell

Signature-based solutions are the oldest form of malware detection, which is why they are also called legacy solutions.

To detect malware, the antivirus engine compares the contents of an unidentified piece of code to its database of known malware signatures.
If the malware hasn’t been seen before, these methods rely on manually tuned heuristics to generate a handcrafted signature, which is then released as an update to clients.

This process is time-consuming, and sometimes signatures are released months after the initial detection.

As a result, this detection method can’t keep up with the million new malware variants that are created daily.

This leaves organizations vulnerable to the new threats as well as threats that have already been detected but have yet to have a signature released.

Heuristic techniques identify malware based on the behavioral characteristics in the code, which has led to behavioral-based solutions.

This malware detection technique analyzes the malware’s behavior at runtime, instead of considering the characteristics hardcoded in the malware code itself.

The main limitation of this malware detection method is that it is able to discover malware only once the malicious actions have begun.

As a result, prevention is delayed, sometimes available only once it’s too late.

Sandbox solutions are a development of the behavioral-based detection method.

These solutions execute the malware in a virtual (sandbox) environment to determine whether the file is malicious or not, instead of detecting the behavioral fingerprint at runtime.

Although this technique has been shown to be quite effective in its detection accuracy, this is achieved at the cost of real-time protection because of the time-consuming process involved.

Additionally, newer types of malicious code that can evade sandbox detection by stalling their execution in a sandbox environment are posing new challenges to this type of malware detection and, consequently, to prevention capabilities.

Malware detection using AI: machine learning & deep learning

Incorporating AI capabilities to enable more sophisticated detection is the latest step in the evolution of cybersecurity solutions. Malware detection methods that are based on machine learning AI apply elaborate algorithms to classify a file’s behavior as malicious or legitimate according to feature engineering that is conducted manually. However, this process is time-consuming and requires massive human resources to tell the technology which parameters, variables or features to focus on during the file classification process.

Additionally, the rate of malware detection is still far from 100%.

Deep learning AI is an advanced branch of machine learning, also known as “neural networks” because it is "inspired" by the way the human brain works.
In our neocortex, the outer layer of our brain where high-level cognitive tasks are performed, we have several tens of billions of neurons.

These neurons, which are largely general purpose and domain-agnostic, can learn from any type of data.

This is the great revolution of deep learning because deep neural networks are the first family of algorithms within machine learning that do not require manual feature engineering.
Instead, they learn on their own to identify the object on which they are trained by processing and learning the high-level features from raw data -- very much like the way our brain learns on its own from raw data derived from our sensory inputs. When applied to cybersecurity, the deep learning core engine is trained to learn without any human intervention whether a file is malicious or legitimate.

Deep learning exhibits potentially groundbreaking results in detecting first-seen malware, compared with classical machine learning.
In real-environment tests on publicly known databases of endpoint, mobile and APT malware, for example, a deep learning solution detected over 99.9% of both substantially and slightly modified malicious code.

These results are consistent with improvements achieved by deep learning in other fields, such as computer vision, speech recognition and text understanding. In the same way that humans can immediately identify a water bottle in the real world, the technological advances of deep learning -- applied to cybersecurity -- can enable the precise detection of new malware threats and fill in the critical gaps that leave organizations exposed to attacks.

Guy Caspi is a leading mathematician and a global expert in data science. He has 15 years of extensive experience in applying mathematics and machine learning in an elite technology unit of the Israel Defense Forces (IDF), financial institutions and intelligence organizations ...