A few days ago, a Trend Micro research paper on the Russian Underground painted a scary picture of the underground black market, showing that every hacking tool and service can be found at dramatically cheap prices, in a sort of democratization of cyber crime.
Today the news of the discovery of a previously unknown 0-day vulnerability targeting Adobe Reader X and XI confirms that the underground market follows the same rules as the real economy: premium products (read: 0-day vulnerabilities) are not for every wallet, and if you want a brand new 0-day you must be able to pay up to $50,000.
This is the price at which the previously unidentified Adobe vulnerability is being sold, according to the malware analysts at Moscow-based forensics firm Group-IB who discovered it. The price is justified, since this is really a “premium exploit”: beginning with Reader X (June 2011), Adobe introduced a sandbox feature, further enhanced in Reader XI (only three weeks ago). The sandbox is aimed at blocking the exploitation of previously unidentified security flaws and has proven to be particularly robust: Adobe claimed that since its introduction in Adobe Reader and Acrobat X, they had not seen any exploit in the wild capable of breaking out of it. At least until yesterday.
This makes this 0-day particularly significant, and expensive, even if it has some limitations (for example, it cannot be fully executed until the user closes the Web browser, or Reader).
Of course cyber criminals did not waste time: Group-IB says the vulnerability is already included in a new, custom version of the Blackhole Exploit Kit (apparently it has not yet been included in the official version).
And Adobe? So far they have not received any details: “We saw the announcement from Group IB, but we haven’t seen or received any details. Adobe has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately—beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”
Let us begin with the Daily Trend chart, which shows a resurgence of cyber attacks in the second half of the month, followed by a marked decrease towards the end of the month (maybe in preparation for the massive wave of cyber attacks we are experiencing in conjunction with the 5th of November, the so-called #5Nov or #OpVendetta).
The Motivations Behind Attacks chart confirms the predominance of Cyber Crime, with nearly 59% of occurrences, followed by Hacktivism with 37.3%. October has apparently confirmed September's trend, with similar percentages.
The Distribution of Attack Techniques chart confirms the predominance of SQL Injection over Distributed Denial of Service, but the two are now only 5 points apart, in clear contrast with the findings of the previous month, when the percentages were respectively 42.1% and 18.2%. It is interesting to notice that, on average, approximately one attack in five has no useful details to identify the techniques used; this is probably a side effect of the very heterogeneous sample.
Nothing new in the Distribution of Targets chart, which confirms the preference of cyber crooks for Government targets, ranking first with 31.4% of occurrences, nearly 8 points more than in September. Industry targets rank second with nearly 17% of occurrences, hence substantially stable (the previous month the value was 14.6%). Education targets made a great jump, ranking third with 12.7% of occurrences, while Finance confirms its fourth place (shared with Online Services) with 7.8% of occurrences.
As usual, please treat the sample with great care, since it refers only to discovered attacks (the so-called tip of the iceberg) and hence does not pretend to be exhaustive, but only aims to provide a high-level overview of the “cyber landscape”.
If you want to have an idea of how fragile our data are in cyberspace, have a look at the timelines of the main cyber attacks in 2011 and 2012 (regularly updated) and at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
- September 2012 Cyber Attacks Statistics (hackmageddon.com)
After ProjectDragonFly (100,000 accounts leaked from Chinese sites), Project Hellfire (one million accounts belonging to governments, law enforcement agencies, etc.) and ProjectWestWind (120,000 accounts from the top 100 universities all over the world), Team GhostShell has unveiled a new act of its cyber campaign against governments and organizations all over the world.
GhostShell (@TeamGhostShell) November 02, 2012
The latest operation is called ProjectBlackStar. In a clamorous protest against the Russian Government and the current situation (the still present communism feeling […] fused with today's capitalism and bred together a level of corruption and lack of decency of which we’ve never seen before), the collective has leaked 2.5 million accounts belonging to different sectors directly or indirectly related to the government. Quoting literally: We’ll start off with a nice greeting of 2.5 million accounts/records leaked, from governmental, educational, academical, political, law enforcement, telecom, research institutes, medical facilities, large corporations (both national and international branches) in such fields as energy, petroleum, banks, dealerships and many more.
The massive leak has been split into different files. The list of targets is long and heterogeneous, and includes several high-profile targets (such as the JINR, Joint Institute for Nuclear Research).
This summer, when unveiling the leak of Project Hellfire, the collective announced two more projects scheduled for this fall and winter. Apparently they are running ahead of schedule: this fall alone, two projects have already been “delivered” (much earlier than expected). Will their fury stop here?