Here is the summary of the Cyber Attacks Timeline for February, a month that will probably be remembered for the “sophisticated” cyber attacks against the two main social networks: Facebook and Twitter.
But the attacks against the two major social networks were not the only remarkable events of this period. Other governmental and industrial high-profile targets have fallen under the blows of (state-sponsored) cyber criminals: the list of governmental targets is led by the U.S. Department of Energy and the Japan Ministry of Foreign Affairs, while Bit9, a primary security firm, was also targeted, leading the chart of industrial targets.
Hacktivists have raised the bar and breached the Federal Reserve, leaking the details of 4,000 U.S. bank executives. Similarly, the Bush family was also targeted, suffering the leak of private emails.
Even if the list is not as long as January’s, it includes other important targets, so scroll down to get an idea of how fragile our data are in cyberspace. Also have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). To do so, you can use this form.
A couple of weeks after similar revelations made by Twitter, Facebook has joined the unwelcome list of Social Networks hit by targeted attacks.
This news has shaken this quiet weekend of February, as Facebook officials told Ars Technica that in January they discovered several computers belonging to mobile application developers hacked using a zero-day Java attack. Following a by now well-established attack pattern, the exploit installed a collection of previously unseen malware.
The attack occurred within the same timeframe as the hack that hit Twitter and exposed the cryptographically hashed passwords of 250,000 users, and apparently targeted other companies that were completely unaware of the attack until they were notified by Facebook.
According to the information available the attack showed several interesting (and nowadays common) patterns:
- The attackers used a “watering hole” attack, compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors. The attack was injected into the site’s HTML, affecting any visitor who had Java enabled in their browser, regardless of how well patched the machine was.
- The exploit was used to download malware to victims’ computers, affecting both Windows and Apple machines.
- As usual, I would say, antivirus software was unable to detect the malware, nor was the malware slowed down by the fact that the machines were patched.
Facebook said it is working with the FBI to investigate the attack. This is only the latest example of a class of sophisticated targeted threats that are increasingly common and aggressive against high-profile targets, including tech companies, media, and now social networks. As a matter of fact, (state sponsored?) cyber criminals are actively exploiting 0-day vulnerabilities targeting Java (and Adobe Flash) in a 2013 that, in only two months, is proving to be dramatic for the infosec landscape.
They are among us! ISACA has just released its Advanced Persistent Threat Awareness Report. The study presents the results of a survey undertaken by ISACA in the fourth quarter of 2012 with a sample of information security professionals including information security managers in different industries and organizations throughout the world (1,551 individuals globally, representing more than 20 industries).
The results of the survey are interesting to measure the level of awareness, but not so encouraging (and in several circumstances also contradictory) for other aspects:
- The survey results reveal that 25.1% of respondents are very familiar with APTs, although (somehow in contradiction with the previous statement), 53.4% of respondents indicated that they do not believe APTs differ from traditional threats.
- 89.7% of respondents believe that the use of social networking sites increases the likelihood of a successful APT attack.
- 87.3% think that BYOD, combined with rooting or jailbreaking makes a successful APT attack more likely.
- The biggest risk for the enterprise is the Loss of Intellectual Property (25.5%) and the Loss of Personal Information (23.6%). Reputational damage is the third biggest risk (20.5%).
- Only 21.6% of respondents reported having been subject to an APT attack, but 63% of them believe that it is only a matter of time before their enterprise is targeted.
- In any case, nearly 60% of respondents believe that they are ready to respond to APT attacks. Of those, 14% responded that they are “very prepared,” meaning that they have a documented and tested plan in place for APTs. Another 49.6% responded that they have an incident management plan, although it does not specifically cover APTs.
But in my opinion, the most surprising finding is that, from a technological point of view, a very high percentage (above 90%) of those surveyed responded that they are using antivirus and anti-malware and/or traditional network perimeter technologies to thwart APTs. Other kinds of technologies (sandboxing, event correlation, mobile or traditional endpoint control, remote access) have a much lower uptake (below 60%).
These are contradictory results, showing a high awareness of Advanced Persistent Threats that may come more from a marketing point of view than from a substantial perspective. As a matter of fact, more than half of the sample does not consider APTs different from other threats, which explains the high share of respondents who rely on traditional technologies to (believe they) thwart this class of threats.
Here are the statistics related to the Cyber Attacks included inside the January 2013 Cyber Attacks Timelines. A terrible month that has seen an unprecedented number of Cyber Attacks.
The Daily Trend of Attacks emphasizes the peak in the second half of January; in particular, the 24th saw a surprisingly high rate due to the massive (and, at least so far, last) wave of DDoS attacks against U.S. banks.
The Motivations Behind Attacks chart confirms the influence of hacktivism in this early 2013. More than half of the attacks (56%, to be precise) were motivated by this reason. From this point of view the new year begins in a completely different way than 2012 when, despite the peak of attacks in the wake of the Megaupload shutdown, cyber crime led the chart with 54% (against the 40% motivated by hacktivism).
As was easily predictable, the abundance of attacks against U.S. banks has pushed DDoS to the top of the Distribution of Attack Techniques chart with almost 40% of occurrences. SQLi follows closely with 33%. It is interesting to notice the relatively high share of targeted attacks (3.8%), mainly due to the sudden disclosure of (purported) Chinese cyber attacks against U.S. media.
Again, the attacks against U.S. banks push finance targets to the top of the Distribution of Targets chart, ten points ahead of governmental targets which, at least this time, rank second with 21% of occurrences. Targets belonging to industry rank third with 13%.
Even in this promising 2013, there is no need to remind readers that the sample must be taken very carefully, since it refers only to discovered attacks included in the January 2013 Cyber Attacks Timeline (the so-called tip of the iceberg), and hence it does not pretend to be exhaustive but only aims to provide a high-level overview of the “cyber landscape”.
If you want to get an idea of how fragile our data are in cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012 and now 2013 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Another high-profile security company has been breached. Bit9, a leading provider of application whitelisting technology, has admitted to having been attacked by a malicious external third party who was able to illegally gain access to one of its digital code-signing certificates. The attackers did not waste time: according to the company’s investigation, the compromised certificate was immediately used to sign malware that infiltrated the networks of three customers.
The news was initially revealed by Brian Krebs in a blog post, and later confirmed by the security vendor, which also gave additional (scant) details, including the fact that the attackers were able to infiltrate a portion of its internal network not protected by its own product.
“We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9.”
At first glance the attack has many points in common with the infamous RSA breach of 2011, including the fact that the real target of the attack was perhaps not the company itself, but the protected networks of its customers. On the other hand, if it is true, as the company claims, that Bit9 was the only security company capable of stopping both the Flame malware and the RSA breach attack, then to achieve their goal the attackers had no option but to attack the source of that technology.
This is the latest demonstration, if one were needed, that attacks are becoming more and more aggressive and sophisticated, and that protection is not only a matter of technology but also of good procedures and best practices, and not only for the potential victims…
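As an added illustration (not Bit9’s code, and only a simplified model of how a whitelisting agent might evaluate a binary), the following Python sketch shows why a compromised publisher certificate matters: anything signed with it passes a publisher-trust rule until the certificate is explicitly revoked, while binaries pinned by hash are unaffected either way. The certificate thumbprint is a constructed placeholder.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class SignedBinary:
    """A binary as seen by a whitelisting agent: its bytes and the
    thumbprint of the certificate that signed it (None if unsigned)."""
    name: str
    content: bytes
    signer_thumbprint: Optional[str]

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class WhitelistPolicy:
    trusted_hashes: Set[str] = field(default_factory=set)   # pinned file hashes
    trusted_signers: Set[str] = field(default_factory=set)  # trusted publisher certs
    revoked_signers: Set[str] = field(default_factory=set)  # compromised certs

    def decide(self, binary: SignedBinary) -> str:
        """Evaluate rules in order: explicit hash pin, then revocation deny-list,
        then publisher trust; anything else is blocked (default deny)."""
        if binary.sha256 in self.trusted_hashes:
            return "allow:hash"
        if binary.signer_thumbprint in self.revoked_signers:
            return "block:revoked-signer"
        if binary.signer_thumbprint in self.trusted_signers:
            return "allow:signer"
        return "block:unknown"


VENDOR_CERT = "THUMBPRINT-OF-VENDOR-SIGNING-CERT"  # constructed placeholder


def scenario():
    """Decisions before and after the vendor certificate is revoked."""
    policy = WhitelistPolicy(trusted_signers={VENDOR_CERT})
    agent = SignedBinary("agent.exe", b"legitimate agent build", VENDOR_CERT)
    policy.trusted_hashes.add(agent.sha256)  # known-good build pinned by hash
    malware = SignedBinary("update.exe", b"malicious payload", VENDOR_CERT)
    before = (policy.decide(agent), policy.decide(malware))
    policy.revoked_signers.add(VENDOR_CERT)  # response: revoke the stolen cert
    after = (policy.decide(agent), policy.decide(malware))
    return before, after
```

The hash pin keeps the legitimate build running after revocation, which is the practical argument for pinning critical components rather than trusting a publisher certificate alone.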
WTF! This month I am terribly late with the Cyber Attack Timeline. I can anticipate that, as you will have probably guessed, this month we have seen an unprecedented rate of attacks.
I have already compiled the timeline of January; I still need a little bit of time to check it and to write the comments as usual. I still do not know if I will be able to publish it today or tomorrow (I am quite busy this afternoon) but it will be here by 12:00 CET tomorrow at the latest.
Thanks for your patience, and please continue to support my work with your visits!