About these ads

Archive

Posts Tagged ‘Advanced Persistent Threat’

Advanced Persistent Threats Are Among Us, Survey Reveals

February 14, 2013 2 comments

They LiveThey are among us! ISACA has just released its Advanced Persistent Threat Awareness Report. The study presents the results of a survey undertaken by ISACA in the fourth quarter of 2012 with a sample of information security professionals including information security managers in different industries and organizations throughout the world (1,551 individuals globally, representing more than 20 industries).

The results of the survey are interesting to measure the level of awareness, but not so encouraging (and in several circumstances also contradictory) for other aspects:

  • The survey results reveal that 25.1% of respondents are very familiar with APTs, although (somehow in contradiction with the previous statement), 53.4% of respondents indicated that they do not believe APTs differ from traditional threats.
  • 89.7% of respondents believe that the use of social networking sites increases the likelihood of a successful APT attack.
  • 87.3% think that BYOD, combined with rooting or jailbreaking makes a successful APT attack more likely.
  • The biggest risk for the enterprise is the Loss of Intellectual Property (25.5%) and the Loss of Personal Information (23.6%). Reputational damage is the third biggest risk (20.5%).
  • Only 21.6% of respondents reported having been subject to an APT attack, but 63% of them believes that it is only a matter of time before their enterprise is targeted.
  • In any case, nearly 60% of respondents believe that they are ready to respond to APT attacks. Of those: 14% responded that they are “very prepared,” which indicated that they have a documented and tested plan in place for APT. Another 49.6% responded that they have an incident management plan although it does not specifically cover APT.

But in my opinion, the most surprising finding is the fact that, from a technological point of view, a very high percentage (above 90%) of surveyed responded that they are using antivirus and anti-malware and/or traditional network perimeter technologies to thwart APTs. Other kinds of technologies (Sandboxing, Event Correlation, Mobile or Traditional Endpoint Control, Remote access), have a much lower impact (below 60%).

Contradictory results that show a high awareness about Advanced Persistent Threats, but maybe more from a marketing point of view than from a substantial perspective. As a matter of fact more than one half of the sample does not consider APTs different from the other threats. This explains the high value of respondents who leverage traditional technologies to (believe to) thwart this class of threats.

About these ads

Certificates From Leading Security Vendor Bit9 Used to Sign Malware

February 10, 2013 Leave a comment

Bit9Another high-profile security company has been breached. Bit9, a leading provider of application whitelisting technology, has admitted to have been attacked by a malicious external third party who was able to illegally gain access to one of their digital code-signing certificates. The attackers did not waste time and the compromised certificate has immediately been used to sign malware infiltrating, according to the company’s investigation, the network of three customers.

The news was initially revealed by Brian Krebs in a blog post, and later confirmed by the security vendor, which also gave additional (scant) details, including the fact that the malicious attackers were able to infiltrate a portion of their internal network not protected by their product.

We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9.

At first glance the attack has many points in common with the infamous RSA Breach of 2011, including the fact that maybe the real target of the attack was not the company itself, but the protected network of its customers. On the other hand, if it is true, as the company claims, that Bit9 was the only security company capable to stop both the Flame malware and the RSA breach attack, to achieve their target, the attackers had no other chance than attacking the source of their technology.

The latest demonstration, if necessary, that attacks are becoming more and more aggressive and sophisticated, and the protection is not only a matter of technology but even of good procedures and best practice, and not only for the possible victims…

Adobe Persistent Threat

September 28, 2012 Leave a comment

Adobe is the latest victim of a targeted attack. The news has been reported in a blog post by Brad Arkin, Director of product security and privacy at Adobe.

According to Mr. Arking the company has recently received two malware strains in disguise of malicious utilities that appeared to be digitally signed using a valid Adobe code signing certificate and has identified the possible reason for the illegitimate code signing in a compromised build server with access to the Adobe code signing infrastructure as part of the build server.

The first malicious utility is called pwdump7 v7.1 and extracts password hashes from the Windows OS as a single file that statically links the OpenSSL library libeay32.dll.  The second malicious utility, dubbed myGeeksmail.dll, is a malicious ISAPI filter.

Of course the forensic investigation is ongoing. To date Adobe has identified the presence of malware on the build server (although the details of the machine’s configuration were not to Adobe corporate standards for a build server, this was not caught during the normal provisioning process”) and the likely mechanism used to first gain access. Although the forensic investigation has found evidence linking the build server to the signing of the malicious utilities, it appears that the private key required for generating valid digital signatures was not extracted from the HSM, which is kept in physically secure facilities. Even, so far there is no evidence that the source code was compromised or stolen.

As a natural consequence the company has changed the signing process and has deployed an interim solution including an offline human verification to ensure that all files scheduled for signature are valid Adobe software. Furthermore the company is also designing and deploying a new, permanent signing solution.

All the certificates signed with the impacted key since July 10, 2012 will be revoked on Thursday October 4, 2012 (does this means that the build server has been compromised, undetected, for more than two months?). Potentially there could be 5127 applications signed with the compromised key.

According to the available information, we are in front of a typical targeted attack:

We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software.

Moreover “Targeted Attacks generate Targeted Attacks” since the malware samples discovered (most of all in case of the pwdump7 “utility”) show the typical features used by Advanced Persistent Threats: compromise one machine, extract information to escalate privileges (see password) and use the initial entry point as a bridgehead to harvest the target network.

So at the end Adobe is the latest high-profile target to join the group of the companies hit by targeted attack: “Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate. We plan to share our lessons learned as well as foster a conversation within the industry about the best way to protect users and minimize the impact on users in cases where the revocation of a certificate becomes necessary (as in this example).”

“Please stay tuned for more details in the coming weeks.”

July 2012 Cyber Attacks Timeline (Part II)

August 3, 2012 1 comment

Click here for Part I.

The Dog Days are nearly here. Weather forecast are announcing for Italy one of the hottest summers since 2003, and the same can be said for the Infosec temperature, although, July 2012 has been very different from the same month of 2011, which was deeply characterized by hacktvism.

Instead looks like that hacktivists have partially left the scene in favor of cyber criminals who executed several high profile breaches also in the second part of the month: Maplesoft, Gamigo, KT Corporation and Dropbox are the most remarkable victims of cyber-attacks, but also other important firms, even if with different scales, have been hit by (improvised) Cyber Criminals. One example for all? Nike who suffered a loss of $80,000 by a 25-year improvised hacker, who decided that exploiting a web vulnerability was the best way to acquire professional merchandise.

But probably the prize for the most “peculiar” cyber-criminal is completely deserved by Catherine Venusto, who successfully changed her sons’ grade for 110 times between 2011 and 2012.

As far as the Hacktivism is concerned, although we were not in the same condition of one year ago (a leak every day kept security away), this month has offered the massive leak of the Australian Provider AAPT, with 40 gb of data allegedly stolen by the Anonymous.

Last but not least, a special mention for the cyber espionage campaigns, that had an unprecedented growth in this month: Israel, Iran, Japan, the European Union and Canada, are only few of the victims. Iran gained also an unwelcome record, the first nation to be hit by a malware capable of blasting PC speakers with an AC/DC song…

If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

Read more…

Israel Blamed for Fueling the Flame Cyber Weapon in Middle East

The day after its discovery, there are few doubts that the infamous malware dubbed Flame (or sKyWIper) has been developed by a government with significant budget and effort. The complexity of the malware suggests that it has been used for a huge cyber-espionage campaign and, easily predictable, Israel is listed as the main culprit, even if in good company if it is true, as argued by some bloggers, that the malware was created by a strict cooperation coproduction between  CIA and Mossad.

Israeli vice Premier Moshe Ya’alon has contributed to fuel the Flame: speaking in an interview with Army Radio, Ya’alon has hinted that Jerusalem could be behind the cyber attack, saying “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.” In light of this statement, it does not appear a simple coincidence the fact that the main victims of the cyber weapon, as reported by Kaspersky Lab, are nations who may not be just considered in good neighborhood relations with Israel.

Consequantly it is not that surprise the fact that the same interview has been readily reported by the Iranian News Agency Fars (which has interpreted it as a sign of liability and has hence blamed Israel for waging cyber war in Iran) as well as it is not that surprise the tone of several comments to an article posted on the Haaretz newspaper’s Web site (“Nice One Israel, Proud of You!!!!”).

Of course it is too soon to jump to conclusion,in any case, whether Israel (and U.S.) is behind Flame or not, I could not help but wonder how it is possible that a malware has been able to go undetected for at least 5 years. Are endpoint protection technologies really dead, leaving us at the mercy of a (cyber)world ruled by APTs?

If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.

The Unbearable Lightness of Being an APT

April 25, 2012 2 comments

Or better “The Unbearable Lightness of (Human) Beings and APTs”. Immediately after my post on Cyber Weapons, I was pointed out that APTs are not Cyber Weapons. On a more general perspective, APTs are not things but (groups of) human beings who have the capability and the intent to target specific entries with multi-factor attacks. Said in few words an APT is not a “what” but is a “who”. On the other hand, how many could afford to hire (and pay) a double agent capable of implanting a malware inside a nuclear complex through an infected USB thumb?

An Oxford dictionary for Information Security has not already been published, hence this term is commonly used to refer to cyber threats or long-term sophisticated hacking attacks. The latter is the interpretation closer to what I meant in compiling the chart.

What Security Vendors Said One Year Ago…

January 10, 2012 2 comments

I did not resist, so after publishing the summary of Security Predictions for 2012, I checked out what security vendors predicted one year ago for 2011. Exactly as I did in my previous post, at the beginning of 2011 I collected the security predictions in a similar post (in Italian). I also published in May an update (in English) since, during the Check Point Experience in Barcelona held in May 2011, the Israeli security firm published its predictions. Even if the latters have been published nearly at the half of 2011, for the sake of completeness, I decided to insert them as well in this year-to-year comparison.

Then, I included Symantec (for which this year I did not find any prediction), McAfee, Trend Micro, Kaspersky, Sophos and Cisco. I included Check Point in a second time and I did not include Fortinet, At that time I missed their five security predictions, which I only discovered later so I decided to provide an addendum for this post including Fortinet as well in order to provide a deeper perspective.

The security predictions for 2011 are summarized in the following chart, which reports what the vendors (with the partial above described exception of Checkpoint) expected for the past year in terms of Information Security trends.

But a strict side-by-side comparison with the 2012 information security predictions (extracted by my previous post) is more helpful and meaningful:

As you may notice mobile threats were on top even among the predictions for 2011. This prediction came easily true most of all for Android which suffered (and keeps on suffering) a huge increase in malware detection samples (even if the overall security risk remains contained). Social Media were on top as well: they have been crucial for the Wind of the Changes blown by the Arab Spring but in the same time Social Media have raised many security concerns for reputation, the so called Social Network Poisoning (who remembers Primoris Era?). Although 2011 was the year of the Anonymous, hacktvism ranked “only” at number 4, behind Advanced Persistent Threats, which however played a crucial role for information security (an APT was deployed for the infamous RSA Breach, but it was not an isolated case).

Also botnets, web threats and application vulnerabilities ranked at the top of Security predictions for last year (and came true). As far as botnets are concerned, fortunately 2011 was a very important year for their shutdown (for instance Hlux/Kelihos, Coreflood, Rustock). In several cases the botnets were taken down thanks to joint operations between private sectors and law enforcement agencies (another prediction came true). On the application side, this prediction came true most of all thanks to the Sony breach, the Liza Moon infection and the huge rate of SQLi based attacks and ASP.NET vulnerabilities. We have also assisted to an hard blow to SSL/TLS and XML Encryption.

But what is more surprising (and amusing) in my opinion is not to emphasize which predictions were correct, but rather to notice  which predictions were dramatically wrong: it looks like that, against the predictions, virtualization threats were snubbed by cybercrookers in 2011 (and nearly do not appear in 2012). But the most amusing fact is that no security vendor (among the ones analyzed) was able to predict the collapse of the Certification Authority model thanks most of all to the Comodo and Diginotar Breaches.

December 2011 Cyber Attacks Timeline (Part II)

December 30, 2011 2 comments

This infamous 2011 is nearly gone and here it is the last post for this year concerning the 2011 Cyber Attacks Timeline. As you will soon see from an infosec perspective this month has been characterized by two main events: the LulzXmas with its terrible Stratfor hack (whose effects are still ongoing with the recent release of 860,000 accounts), and an unprecented wave of breaches in China which led to the dump of nearly 88 million of users for a theoretical cost of nearly $19 million (yes the Sony brech is close). For the rest an endless cyberwar between India and Pakistan, some hactivism and (unfortunately) the usual amounts of “minor” breaches and defacement. After the page break you find all the references.

Last but not least… This post is my very personal way to wish you a happy new infosec year.

Read more…

One Year Of Lulz (Part II)

December 26, 2011 1 comment

Christmas has just gone and here it is my personal way to wish you a Happy New Year: the second part of my personal chart (first part here) of Main 2011 Cyber Attacks covering the time window from August to November 2011 (December is not yet finished, and featuring remarkable events, so expect an update very soon). This memorable year is nearly over and is time, if you feel nostalgic, to scroll down the second part of the list to review the main Cyber Events that contributed, in my opinion, to change the landscape and the rules of the (information security) game. Many events in this period among whom, IMHO, the most noticeable is the one carried on against Diginotar. Since then our trust in conventional authentication models is not (and will not be) the same anymore.

Of course this is my personal selection. Suggestions are well accepted and if you need more details about the cyber events in 2011, feel free to consult my 2011 Cyber Attacks Master Index. As usual after the page break you find all the references…

Read more…

Follow

Get every new post delivered to your Inbox.

Join 2,898 other followers