About these ads

Archive

Archive for October, 2012

BotClouds Still Hard to Detect (And Mitigate)

October 31, 2012 1 comment

This morning, during my usual virtual promenade through my feeds, I came across a really interesting post from Stratsec, a subsidiary of Bae Systems.

The post unveils the details of an unprecedented experiment aimed to verify how easy and cheap is to setup a botCloud and how hard is for the Cloud providers to detect them (and consequently advise the victims).

As the name suggests, a botCloud is defined as a group of Cloud instances that are commanded and controlled by malicious entity to initiate cyber-attacks.

The research was carried on by subscribing to five common Cloud providers and setting up to 10 Cloud instances targeting a victim host, protected by traditional technologies such as IDS, and flooded with several common attack techniques (malformed traffic, non-RFC compliant packets, port scanning, malware traffic, denial of service, brute force, shellcode and web application attacks) in 4 scenarios:

  1. Victim host placed in a typical network scenario with a public IP, firewall and IDS;
  2. Victim host setup as a cloud instance inside the same cloud service provider then the attackers;
  3. Victim host setup as a cloud instance inside a different cloud service provider then the attackers;
  4. Same scenario as test 1 with a major duration (48 hours) to verify the impact of duration on the experiment;

 The findings are not so encouraging, and confirm that the security posture of the cloud providers needs to be improved:

  • No connection reset or connection termination on the outbound or inbound network traffic was observed;
  • No connection reset or termination against the internal malicious traffic was observed;
  • No traffic was throttled or rate limited;
  • No warning emails, alerts, or phone calls were generated by the Cloud providers, with no temporary or permanent account suspensions;
  • Only one Cloud provider blocked inbound and outbound traffic on SSH, FTP and SMTP, however these limitation was bypassed by running the above service on non-default port.

The other face of the coin is represented by the moderate easiness needed to setup an army of cloud-hidden zombie machined which can leverage the advantages of a Cloud infrastructure. In fact a botCloud

  • Is relatively easy to setup and use;
  • Needs significantly less time to build;
  • Is Highly reliable and scalable;
  • Is More effective;
  • Has a Low cost.

Cloud Service Providers (and their customers), are advised…

About these ads

DDoS and SQLi are the Most… Discussed Attack Techniques

October 30, 2012 Leave a comment

Imperva has just published the results of its annual analysis on one of the largest-known hacker forums counting approximately 250,000 members.

The research (also made on other smaller forums) used the forum’s search engine capabilities to analyze conversations by topic using specific keywords. Unfortunately no details have been provided about the methodology used to collect the data, however the results show that SQL Injection and DDoS are the most discussed topic, both of them with the 19% of discussion volume (I am glad to see that the results are coherent with the findings of my Cyber Attack Statistics).

Of course the data must be taken with the needed caution since the analyzed sample could not be entirely consistent. As Imperva admits: “The site we examined is not a hardcore crime site, but it’s not entirely softcore. New hackers come to this site to learn and,on the other hand, more experienced hackers teach to gain “street cred” and recognition […]. Typically, once hackers have gained enough of a reputation, they go to a more hardcore, invitation-only forum.” This probably means that the incidence of the two attack techniques is overrated since one should expect a beginner hacker to approach the easiest and most common attack methods for which there are many tools available.

Anyway the events of the last months show that an attack does not deserve less attention only because it is carried on by a beginner, nor a beginner worries too much if he uses automated tools without full knowledge and awareness. A look to the infosec chronicles of the last period is sufficient to verify that DDoS and SQLi attacks are always in the first pages.

Sadly, Imperva estimates that only the 5% of the security budget is spent on thwarting SQL Injection attacks.

Other interesting findings of the research are: the fact that social networks pose a major interest for hackers since they are becoming a prominent source of information and potential monetary gain (Facebook was the most discussed social media platform, with 39%, immediately followed by Twitter at 37%), and also the fact that E-whoring is becoming one of the most common methods for beginner cyber criminals to gain easy money (more than 13,000 threads observed).

Anonymous leaks 3500 Private Docs From Italian Police

October 25, 2012 Leave a comment

On the wake of similar operations carried on by Hacktivists against Law Enforcement Agencies all over the World, the Italian Cell of the infamous collective Anonymous has decided to cross the line targeting the Italian Police with a clamorous Cyber Attack under the label of #Antisec movement.

On October, the 23rd, the Hactkivists have leaked more than 3500 private documents, claiming to own an additional huge amount of sensitive information such as lawful interception schemes, private files and e-mail accounts.

The Italian Police has indirectly confirmed the attack, downplaying its effects with a scant statement (in Italian) that (easily predictable) has raised a furious reaction by the Hacktivists. According to the above mentioned statement, no server was compromised, but the leaked data were just the consequence of several “illegitimate accesses” to private emails belonging to police officers (as to say that several compromised accounts are less severe than a hacked server).

Strictly speaking, this latest attack is not a surprise since in the past months, mainly after the infamous 50 days of Lulz of the LulzSec collective, Governments and Law Enforcement Agencies all over the world have become the preferred targets for Hacktivists under the Antisec shield. From a broader perspective this trend was apparently decreasing during 2012 because of several factors: the discovery of the double identity of Sabu (an hacktivist during the day and an FBI informant during the night), the arrest of W0rmer and ItsKahuna (two members of the CabinCr3w collective who left behind them a long trail of cyber-attacks against law enforcement agencies, and, last but not least, the arrest of the members of the Team Poison Collective.

Unfortunately This cyber-attack changes the rules and brings the things back in time to Summer 2011. It looks similar to LulzSec’s Operation Chinga La Migra, targeting Arizona Border Patrol, and to another (nearly contemporary) cyber attack that allowed LulzSecBrasil (??) to leak 8 Gb of data from the Brazilian Police.

Hopefully this cyber-attack will change the rules in Italy, it has dramatically demonstrated the real risk for public institutions and the need for a greater level of security. As a consequence it cannot be absolutely underestimated.

1-15 October 2012 Cyber Attack Statistics

October 22, 2012 Leave a comment

Here’s the partial snapshot for the Cyber Landscape in October. I have deliberately decided not to include in the statistics the massive Cyber Attack against the Universities executed by Team Ghost Shell, since, in my opinion, it would not have been formally correct include into the sample, this wave of cyber attacks which have been distributed in several months, and disclosed all at once.

In any case, looking at the sample including all the other attacks collected in October, according to the Daily Trend they were mainly concentrated at the beginning of the month:

For what concerns the Motivations Behind Attacks chart, Cyber Crime ranks at number one, with nearly the 58%, approximately at the same level of September (when it was at 55%). Interesting to notice, for the first half of October, the rise of events related to Cyber Warfare, mainly related to what is happening in the Middle East, and in particular in Iran, that suffered a couple of noticeable cyber attacks. In this landscape, the events related to hacktivism appear in decrease with the 35% of the events.

Even if the events related to hacktivism seem to be decreasing, the Distribution Of Attack Techniques shows a revamp of DDoS (the favourite weapon of hacktivists), mainly due to the wave of DDoS Cyber Attacks against the U.S. banks. Even if approximately one-fourth of the attacks has an unknown origin, SQL is stable at rank number three with the 22.5% of occurrences. It also worth to mention the 5% gained by Targeted Attacks.

Last but not least, the Distribution Of Targets chart, that confirms the weakness of the targets belonging to Government, ranking at number one with nearly one-third of the occurrences. It does not matter if the reason is hacktivism or cyber crime, Governments keep on to be the preferred victims of cybercrooks, at least for this first half of October.

Again, I will never get tired of repeating that data must be taken very carefully since they do refer only to discovered attacks (the so-called tip of the iceberg), and hence do not pretend to be exhaustive but only aim to provide an high level overview of the “cyber landscape” of the considered period.

In any case, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

A 0-Day Attack Lasts On Average 10 Months

October 19, 2012 Leave a comment

(But in some cases may remain unknown for up to 2.5 years). A couple of days ago, two Symantec Researchers have published an interesting article (“Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World”) reporting the study of 0-Day Attacks between 2008 and 2001. They have analyzed 300 million files collected by 11 million hosts (a representative subset of the hosts running Symantec products) between March 2008 and February 2011.

These files were extracted from the the WINE environment (Worldwide Intelligence Network Environment, a platform for repeatable data intensive experiments aimed to share comprehensive field data among the research community) and correlated with three additional sources: the Open Source Vulnerability Database (OSVDB), Symantec’s Threat Explorer (the company database for the known malware samples) and an additional Symantec data set with dynamic analysis results for malware samples.

The purpose of the research was to execute a sort of automatic forensic analysis aimed to go back in time to look for 0-day attacks carried on during the analyzed period. The results are disarming.

The researchers were able to find 18 vulnerabilities exploited before disclosure, among which 11 were not previously known to have been deployed in 0-day attacks. Based on the data, a typical zero-day attack lasts on average 312 days, but in some cases may remain unknown for up to 2.5 years (think to what it means to have the enemy inside the gates for such a long time).

Just to confirm that 0-days are the cradle of targeted attacks, the data show that most zero-day attacks affect few hosts, with the exception of a few high-profile attacks (Do you remember Stuxnet?). Moreover, after vulnerabilities are disclosed, the volume of attacks exploiting them increases by up to 5 orders of magnitude (the number of variants increases “only” by up to 2 orders).

And this is not a mere coincidence since apparently the cyber criminals watch closely the vulnerability landscape, as exploits for 42% of all vulnerabilities employed are detected in field data within 30 days after the disclosure date.

A terribly worrying landscape, even considering a theoretical point of weakness of the research, that is the fact that the sample could be considered self-consistent referring only to malware strains collected by Symantec customers.

1-15 October 2012 Cyber Attacks Timeline

October 17, 2012 Leave a comment

Apparently October has shown a decrease in the number of Cyber Attacks. At least from a mere numerical perspective. It is not a coincidence that I used the term “Apparently” since if we consider the most important event of the month: the massive leak from Worldwide universities executed by Team GhostShell inside their ProjectWestWind operation, things are well different.

The one carried on by Team Ghost Shell (approximately 120k accounts leaked) is for sure the most important operation of the current month which has also shown the first virtual hacking operation (at least as far as I remember): the massive death of avatars inside World of Warcraft.

Other remarkable events in the first half of October concern the attack to Playspan (possibly millions of users affected), the new waves of DDoS cyber attacks against US banks, and an alleged hijacking to the Irish domains of Google and Yahoo!.

It worth to mention also the breach of University of Georgia (8,500 users affected) and  the 400,000 bucks stolen by unknown hackers to the City of Burlington.

If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

Read more…

The Middle East Flame is Far from Being Extinguished

October 15, 2012 Leave a comment

Flame

Another day, another revelation inside the (in)visible Cyber War going on Middle East. Today Kaspersky Lab has announced the discovery of another strain of malware derived from the infamous Tilded-Platform family: the little brother of Flame, the so-called miniFlame (or “John”, as named by the corresponding Gauss configuration).

The malware has been discovered while looking closer at the protocol handlers of the Flame C2 Infrastructure. An analysis that had previously revealed four different types of malware clients codenamed SP, SPE, FL and IP, and hence the fragmented evidence of a new family of cyber weapons, where one only element were known at the time the FL client corresponding to Flame.

Exactly one month later, another member of the family has been given a proper name: the SPE element corresponding to miniFlame.

Unlike its elder brother Flame (and its cousin Gauss) miniFlame does not appear to be the element of a massive spy operation, infecting thousands of users, but rather resembles more a small, fully functional espionage module designed for data theft and direct access to infected systems. In few words: a high precision, surgical attack tool created to complement its most devastating relatives for high-profile targeted campaigns. The main purpose of miniFlame is to act as a backdoor on infected systems, allowing direct control by the attackers.

Researchers discovered that miniFlame is based on the Flame platform but is implemented as an independent module. This means that it can operate either independently, without the main modules of Flame in the system, or as a component controlled by Flame.

Furthermore, miniFlame can be used in conjunction Gauss. It has been assumed that Flame and Gauss were parallel projects without any modules or C&C servers in common. The discovery of miniFlame, and the evidence that it can works with both cyber espionage tools, proves that were products of the same ‘cyber-weapon factory’: miniFlame can work as a stand-alone program, or as a Flame or event Gauss plugin.

Although researchers believe that miniFlame is on the wild since 2007, it has infected a significantly smaller number of hosts (~50-60 vs. more than 10,000 systems affected by the Flame/Gauss couple). The distribution of the infections depends on the SPE variant, and spans a heterogeneous sample of countries: from Lebanon and Palestine, to Iran, Kuwait and Qatar; with Lebanon and Iran that appear to concentrate the bigger number of infected hosts.

Another evidence of the ongoing (since 2007) silent Cyber War in Middle East.

Who is Afraid of State-Sponsored Attacks?

October 10, 2012 Leave a comment

Last week, for the second time since June, Google warned his Gmail users of possible state-sponsored attacks. According to Mike Wiacek, a manager on Google’s information security team, Google started to alert users to state-sponsored attacks three months ago. Meanwhile the security team has gathered new intelligence about attack methods and the groups deploying them, and that information was used to warn “tens of thousands of new users”, possible targets of the attack.

Apparently this increase in state-sponsored activity comes from the Middle East, although no particular countries have been explicitly quoted.

This is not the first time that Gmail is the target of alleged state-sponsored attacks, unfortunately the secrets hidden inside the mailboxes have proven to be a too tempting target for states without scruples.

June 5, 2012: Eric Grosse, Google VP Security Engineering issues a Security warnings for suspected state-sponsored attacks.The warning seems more a preventive measure than the result of a true campaign.

September 8, 2011: As consequence of the infamous Diginotar Breach by the so-called Comodo Hacker, Google advises its users in Iran to change their Gmail passwords, and check that their Google accounts have not been compromised. Several Iranian users who may have been hit by a man-in-the-middle attack are contacted directly.

June 1, 2011: In an unusual blog post, Google declares to have discovered and alerted hundreds of people victims of a targeted “phishing” scam originating from Jinan, the capital of Shandong province. Hackers aimed to get complete control of the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists. Google does not rule out the possibility of the attack being state-sponsored, although China firmly denies Gmail hacking accusations.

January 13, 2010: In a blog post, Google discloses the details of the infamous Operation Aurora. A highly sophisticated and targeted attack on its corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. At least twenty other large companies from a wide range of businesses have been targeted, but the primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists (only two Gmail accounts appear to have been accessed with limited damage). As part of the investigation (but independent of the attack on Google), it turns out that the accounts of dozens of U.S.-, China- and Europe-based Gmail users, advocates of human rights in China, appear to have been routinely accessed via phishing scams or malware placed on the users’ computers.

State-Sponsored attacks or not, setting a complex password and enabling 2-step verification are two effective countermeasures to mitigate the risk.

An Advanced Anti-Malware solution can be really effecive as well, such as Lastline. It is not a coincidence that Wepawet, based on our technology, was the first to detect the Internet Explorer “Aurora” Memory Corruption exploit behind the state-sponsored Operation Aurora.

New Waves of Cyber Attacks in Middle East

October 9, 2012 Leave a comment

The infosec chronicle has offered many interesting events in this first part of October. Upon all, the massive leak against top 100 universities by the infamous Team GhostShell, the Skype worm, and, last but not least, the U.S. congressional report accusing China’s leading telecom equipment makers, Huawei and ZTE, of being a potential security risk.

Inevitably these events are obfuscating what’s going on in Middle East where Iran, on one hand, is facing the latest wave of Cyber Attacks against its internal assets, and on the other hand, claims to have infiltrated the “most sensitive enemy cyber data”.

This hot autumn for the Middle East has begun on September 30 (approximately one week after Iran connected all its government agencies to its secure autarchic domestic internet service). In that circumstance Iranian Rear Admiral Ali Fadavi announced a clamorous cyber strike of his navy’s cyber corps, being able to “infiltrate the enemy’s most sensitive information” and successfully promote “cyberwar code,” i.e. decrypt highly classified data.

Ali Fadavi did not specify the name of any particular enemy, but simply referred to “imperialistic domination,” a clear reference to Iran’s “enmity with America.”

Maybe is a coincidence, or maybe not, but on October 3 Iran has suffered a massive outage of its Internet infrastructure, at least according to what Mehdi Akhavan Behabadi, secretary of the High Council of Cyberspace, has declared to the Iranian Labour News Agency. An outage that the Iranian official has attributed to a heavy organized attack against the country’s nuclear, oil, and information networks, which forced to limit the usage of the Internet.

The latest (?) episode a couple of days ago, on October 8, when Mohammad Reza Golshani, head of information technology for the Iranian Offshore Oil Company, told Iran’s Mehr news agency that an unsuccessful (i.e. repelled by Iranian Experts) cyber attack had targeted the company platforms’ information networks in the past few weeks. I wonder if we are in front of a new Flame. In any case, according to Mr. Golshani there were few doubts about the authors of the attack.

“This attack was planned by the regime occupying Jerusalem (Israel) and a few other countries”.

Few hours later Iran has officially blamed Israel and China for planning and operating the attack.

It is not a mystery that the Stuxnet attack forced Iran to tighten its cyber security, a strategy culminating on the creation of a domestic Internet separated from the outer world (a way to control the access to the Web according to many observers).

For sure it is not a coincidence that the same network separation is the main reason why Iran was able to repel the latest attacks.

My sixth sense (and half) tells me that other occasions to test the cyber security of the Iranian domestic Internet will come soon!

Follow

Get every new post delivered to your Inbox.

Join 2,898 other followers