It is time for the summary of the second half of February, two weeks of remarkable cyber attacks against high-tech giants, massive breaches and Twitter Account Hijackings.
Probably the most resounding events of this period (maybe more for the high profile of the victims than for the actual effects) are the two attacks, allegedly originating from China, (with a common root cause, the compromising of an iPhone developer forum) carried on against Apple and Microsoft.
But not only the two high-tech giants, other illustrious victims have fallen under the blows of hacktivists and cyber criminals. The list is quite long and includes Bank of America, American Express, Casio, ZenDesk, cPanel, Central Hudson Gas & Electric Corporation, etc.).
Last but not least, the unprecedented trail of Cyber attack against Twitter Profile belonging to single individuals (see Donald Trump) or Corporations (Burger King and Jeep). Maybe it is time to change the passwords…
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012 and now 2013 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
A special thanks to Kim Guldberg AKA @bufferzone for continuously advising me about significant cyber events through the Submit Form! Much Appreciated!
Here is the summary of the Cyber Attacks Timeline for February. A month that will probably be remembered for the “sophisticated” cyber attacks to the two main social networks: Facebook and Twitter.
But the attacks against the two major social networks were not the only remarkable events of this period. Other governmental and industrial high-profile targets have fallen under the blows of (state-sponsored) cyber criminals: the list of the governmental targets is led by the U.S. Department of Energy and the Japan Ministry of Foreign Affairs, while Bit9, a primary security firm, was also targeted, leading the chart of Industrial targets.
Hacktivists have raised the bar and breached the Federal Reserve, leaking the details of 4,000 U.S. Banks executives. Similarly, the Bush family was also targeted, suffering the leak of private emails.
Even if the list is not as long as the one of January, it includes other important targets, so, scroll it down to have an idea of how fragile our data are inside the cyberspace. Also have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). To do so, you can use this form.
Update 3/12/2013: I should also mention the Deutsche Telekom Security Tachometer
We live in a World made of Botnets and cyber attacks! While I am typing these few words in my keyboard, other fingers somewhere else in the Globe are moving quickly through the keys, firing stream of bits against their targets.
For thwarting this malicious landscape, trying to understand the evolving trends, more and more security companies and organizations collect data from their security endpoint or network devices spread all over the Globe, and send it to the cloud to be analyzed with big data algorithms. The purpose is to reduce the time between the release of a threat and the availability of an antidote. The same data can also be used to build spectacular maps that show in real time the status of the Internet, a quite impressive and worrisome spectacle! Here a short list of resources:
Probably the most impressive: the HoneyMap shows a real-time visualization of attacks detected by the Honeynet Project‘s sensors deployed around the world. The Map shows “automated scans and attacks originating from infected end-user computers or hijacked server systems”. This also means that an “attack” on the HoneyMap is not necessarily conducted by a single malicious person but rather by a computer worm or other forms of malicious programs. Please Notice that, as the creators of the Project declare, many red dots means there are many machines which are attacking our honeypots but this does not necessarily imply that those countries are “very active in the cyberwar”
Akamai monitors global Internet conditions around the clock. With this real-time data the company identifies the global regions with the greatest attack traffic, measuring attack traffic in real time across the Internet with their diverse network deployments. Data are collected on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses. Values are measured in attacks per 24 hours (attacks/24hrs).
The information collected by Kaspersky Security Network is shown in the Securelist Statistics section. In the corresponding navigable map, the user can select Local Infections, Online Threats, Network Attacks and Vulnerabilities with Map, Diagrams or Ratings format in a time scale of 24 hours, one week or one month.
Trend Micro continuously monitors malicious network activities to identify command-and-control (C&C) servers, making the ability to rapidly identify and correlate bot activity critical. The real-time map indicates the locations of C&C servers and victimized computers that have been discovered in the previous six hours.
The Shadowserver Foundation, managed by volunteer security professionals, gathers intelligence from the Internet via honeyclients, honeypots, and IDS/IPS Systems. The maps are made converting all of the IP addresses of the aggressor, the Command and Control and the target of the DDoS attack in coordinates and placing those points on a map. The maps are updated once a day and are available for DDoS activity and Botnet C&Cs.
Through its relationships with several worldwide service providers and global network operators, Arbor provides insight and on global DDoS attack activity, Internet security and traffic trends. Global Activity Map shows data in terms of scan sources, attack sources, phishing websites, botnet IRC Servers, Fast Flux bots.
Another day, another revelation inside the (in)visible Cyber War going on Middle East. Today Kaspersky Lab has announced the discovery of another strain of malware derived from the infamous Tilded-Platform family: the little brother of Flame, the so-called miniFlame (or “John”, as named by the corresponding Gauss configuration).
The malware has been discovered while looking closer at the protocol handlers of the Flame C2 Infrastructure. An analysis that had previously revealed four different types of malware clients codenamed SP, SPE, FL and IP, and hence the fragmented evidence of a new family of cyber weapons, where one only element were known at the time the FL client corresponding to Flame.
Exactly one month later, another member of the family has been given a proper name: the SPE element corresponding to miniFlame.
Unlike its elder brother Flame (and its cousin Gauss) miniFlame does not appear to be the element of a massive spy operation, infecting thousands of users, but rather resembles more a small, fully functional espionage module designed for data theft and direct access to infected systems. In few words: a high precision, surgical attack tool created to complement its most devastating relatives for high-profile targeted campaigns. The main purpose of miniFlame is to act as a backdoor on infected systems, allowing direct control by the attackers.
Researchers discovered that miniFlame is based on the Flame platform but is implemented as an independent module. This means that it can operate either independently, without the main modules of Flame in the system, or as a component controlled by Flame.
Furthermore, miniFlame can be used in conjunction Gauss. It has been assumed that Flame and Gauss were parallel projects without any modules or C&C servers in common. The discovery of miniFlame, and the evidence that it can works with both cyber espionage tools, proves that were products of the same ‘cyber-weapon factory’: miniFlame can work as a stand-alone program, or as a Flame or event Gauss plugin.
Although researchers believe that miniFlame is on the wild since 2007, it has infected a significantly smaller number of hosts (~50-60 vs. more than 10,000 systems affected by the Flame/Gauss couple). The distribution of the infections depends on the SPE variant, and spans a heterogeneous sample of countries: from Lebanon and Palestine, to Iran, Kuwait and Qatar; with Lebanon and Iran that appear to concentrate the bigger number of infected hosts.
Another evidence of the ongoing (since 2007) silent Cyber War in Middle East.
Apparently the “Psychosis of Targeted Attacks” is plaguing not only the end users but even the security researchers, leading to dangerous collisions and clamorous retractions.
Yesterday the security firm FireEye published a blog post about the well-known Gauss targeted attacks, concluding that there was some sort of relationship between the Gauss and Flame malware actors based on observing C&C communication going to the Flame C&C IP address.
Unfortunately they did not realize they were observing the activities of a sinkhole operated by Kaspersky in which the sinkhole process had been organized to monitor both the Flame and Gauss C&C infrastructure.
Kaspersky Chief Security Expert Alexander Gostev explains the reasons of the misleading conclusions:
After discovering Gauss we started the process of working with several organizations to investigate the C2 servers with sinkholes. Given Flame’s connection with Gauss, the sinkhole process was being organized to monitor both the Flame and Gauss’ C2 infrastructures. It’s important to note that the Gauss C2 infrastructure is completely different than Flame’s. The Gauss C2s were shut down in July by its operators and the servers have been in a dormant state by the operators since then. However, we wanted to monitor any activity on both C2 infrastructures.
During the process of initiating the investigation into Gauss C2s and creating sinkholes we notified trusted members of the security and anti-malware community about the sinkhole IP and operation so that they were aware of any activity. FireEye’s post about the Gauss C2 samples connecting to the same servers as Flame are actually our sinkholes they’re looking at.
With some easy Googling and checking on WhoIs, researchers could have verified all of this.
Since the investigation and sinkhole operation are still in progress we do not have any more information to provide at this time.
So, it looks like that the destructive impacts of the cyber attack targeting Aramco, where definitively true. In the same hours in which the first details about the malware were disclosed, Kasperky Lab, McAfee and Symantec have dedicated respectively three blog posts to describe what appears to be the latest example of a large scale cyber attack targeting Middle East (apparently focused on companies belonging to Energy Sector).
Shamoon (or W32/DistTrack), this is the name of the malware, has some points in common (the name of a module) with the infamous Flame, but according to Kaspersky this is the only similarity:
It is more likely that this is a copycat, the work of a script kiddies inspired by the story.
The malware has the same features seen in other “companions” among which the driver signed by a legitimate company “Eidos Corporation”.
According to Symantec, the malware consists of several components:
- Dropper: the main component and source of the original infection. It drops a number of other modules.
- Wiper: this module is responsible for the destructive functionality of the threat.
- Reporter: this module is responsible for reporting infection information back to the attacker.
According to McAfee, machines infected by the malware are made useless as most of the files, the MBR and the partition tables are overwritten with garbage data. The overwritten data is lost and is not recoverable, so this should confirm the destructive details received yesterday.
While, according to Seculert, the malware is a two-stage attack:
Stage 1: The attacker takes control of an internal machine connected directly to the internet, and uses that as a proxy to the external Command & Control server. Through the proxy, the attacker can infect the other internal machines, probably not connected directly to the internet.
Stage 2: Once the intended action on the internal infected machines is complete, the attacker executes the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines (or also the MBR and the partition table as McAfee Suggested). It then reported back to the external Command & Control Server through the proxy.
So far it is not clear who is behind the attack, although Kaspersky Lab suggests that the term Shamoon:
could be a reference to the Shamoon College of Engineering http://www.sce.ac.il/eng/. Or, it could simply be the name of one of the malware authors. Shamoon is the equivalent of Simon in Arabic.
More details are expected in the next hours.
While the U.S. and Israel keep on mutually claiming the Stuxnet’s paternity, Kaspersky Lab has unveiled further details about Flame that allow to connect it with the infamous malware targeting Iranian Nuclear Plants.
Are the two 21st century Cyber Weapons really correlated? Due to some architectural differences, the first data seemed to exclude any similarities between the two platforms: the so-called Tilded platform which Stuxnet and Duqu are based on, and the brand new platform from which Flame has been developed. In any case never trust appearances, as a small detail dating back to 2012 has unveiled a landscape that seems completely different from what was previously believed, which suggests the hypothesis that the Stuxnet malware had a kind of “proto flame” inside.
The Cyber Spy Story begins in October 2010 when the automated systems by Kaspersky Lab detected a False (Stuxnet) Positive. This sample apparently looked like a new variant (Worm.Win32.Stuxnet.s) but a deeper analysis showed (then) no apparent correlation with Stuxnet so it was subsequently dubbed Tocy.a.
Only two years later, in 2012, after the discovery of Flame, the russian security firm started to compare the brand new malware with previously detected samples to find any similarities. And guess what? The nearly forgotten Tocy.a was nearly identical to Flame. A further check to logs, allowed to discover that the Tocy.a, apparently an early module of Flame, was actually similar to “resource 207” from Stuxnet, and this similarity was the reason why the automatic system had previously classified it as Stuxnet.
Resource 207 is a 520,192 bytes Stuxnet encrypted DLL file that contains another PE file inside (351,768 bytes). It was found in the 2009 version of Stuxnet, despite it was dropped in the 2010 evolution, with its code merged into other modules. The PE file is actually a Flame Plugin, while the purpose of Resource 207 on the 2009 variant of Stuxnet was just to allow the malware propagation to removable USB drives via autorun.inf, as well as to exploit a then-unknown vulnerability (MS09-025) to escalate privileges in the system during the infection from USB drive.
Given the evidences collected, researchers suggests that, although Flame has been discovered a couple of years after Stuxnet, it was already in existence when Stuxnet was created (Jan-Jun 2009), having already a modular structure. The “Resource 207″ module was removed from Stuxnet in 2010 due to the addition of a new method of propagation (vulnerability MS10-046), while the Flame module in Stuxnet exploited a vulnerability which was unknown then, allowing an escalation of privileges, presumably exploiting MS09-025.
Part of the Flame code was used in Stuxnet despite, after 2009, the evolution of the Flame platform continued independently from Stuxnet.
Probably, this is the second important discovery about Flame after the MD5 Collision Attack, which enabled to malware to hide the download of its own modules behind Windows Updates.
Regarding the MD5 Collision Attack, I suggest you to have a look at this very interesting presentation. You will be amazed in discovering that the first successful demonstration of this attack took, in 2008 (the alleged year in which Flame was created), about 2 days on a cluster of 200 PS3s (corresponding to about $20k on Amazon EC2). Together with the complexity of the attack, this aspect is enough to suggest a state-sponsored origin for the malware (i.e. the need of huge resources and know-how). But there’s more: to make the MD5 Collision Attack successful in Flame, the Attackers, had to overcome a huge obstacle corresponding to prediction the Serial Number of the Certificate (which is based on a sequential certificate number and the current time). Nothing strange apparently, except for the fact that they had a 1-millisecond window to get the certificate issued. What does this mean in simple words? A large number of attempts required to get the certificate issued at the right moment, an effort 10-100x more costly that the original MD5 Collision Attack Demonstration.
Now I understand why the Iran Cyber Warfare Budget is estimated to be “only” USD 100 Million…
- Back to Stuxnet: the missing link (securelist.com)
- Researchers Connect Flame to U.S.-Israel Stuxnet Attack (wired.com)
- Discovery of new “zero-day” exploit links developers of Stuxnet, Flame (arstechnica.com)