And here we are we the second part of the October 2013 Cyber Attacks Timeline (first part here).
It’s interesting to notice how sophisticated cyber attacks are characterizing the final part of this 2013. The second timeline of October reports at least three remarkable cases: Belgacom (once again), the Finland’s Foreign Ministry and a wave of spear phishing against several targets belonging to Israeli Industries in the defense and security sector
Other noticeable events include the compromising of some servers belonging to php.net, the breach to the online database MongoHQ, and also a breach involving NeoGaf, a popular video games forum, targeting potentially 114,000 users.
The latter is the only remarkable breach (at least from a numerical perspective) of this second half of October, in the same period in which new revelations indicate that the number of victims of the infamous Adobe breach occurred in the first part of this month appears 12 times greater than initially estimated (38M users).
For the rest, the summary of the month is closed by the usual background of hacktivism, a growing phenomenon that is showing multiple different “flavors” and hence is no more characterized by the only infamous Anonymous collective.
As usual, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012 and now 2013 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Update 3/12/2013: I should also mention the Deutsche Telekom Security Tachometer
We live in a World made of Botnets and cyber attacks! While I am typing these few words in my keyboard, other fingers somewhere else in the Globe are moving quickly through the keys, firing stream of bits against their targets.
For thwarting this malicious landscape, trying to understand the evolving trends, more and more security companies and organizations collect data from their security endpoint or network devices spread all over the Globe, and send it to the cloud to be analyzed with big data algorithms. The purpose is to reduce the time between the release of a threat and the availability of an antidote. The same data can also be used to build spectacular maps that show in real time the status of the Internet, a quite impressive and worrisome spectacle! Here a short list of resources:
Probably the most impressive: the HoneyMap shows a real-time visualization of attacks detected by the Honeynet Project‘s sensors deployed around the world. The Map shows “automated scans and attacks originating from infected end-user computers or hijacked server systems”. This also means that an “attack” on the HoneyMap is not necessarily conducted by a single malicious person but rather by a computer worm or other forms of malicious programs. Please Notice that, as the creators of the Project declare, many red dots means there are many machines which are attacking our honeypots but this does not necessarily imply that those countries are “very active in the cyberwar”
Akamai monitors global Internet conditions around the clock. With this real-time data the company identifies the global regions with the greatest attack traffic, measuring attack traffic in real time across the Internet with their diverse network deployments. Data are collected on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses. Values are measured in attacks per 24 hours (attacks/24hrs).
The information collected by Kaspersky Security Network is shown in the Securelist Statistics section. In the corresponding navigable map, the user can select Local Infections, Online Threats, Network Attacks and Vulnerabilities with Map, Diagrams or Ratings format in a time scale of 24 hours, one week or one month.
Trend Micro continuously monitors malicious network activities to identify command-and-control (C&C) servers, making the ability to rapidly identify and correlate bot activity critical. The real-time map indicates the locations of C&C servers and victimized computers that have been discovered in the previous six hours.
The Shadowserver Foundation, managed by volunteer security professionals, gathers intelligence from the Internet via honeyclients, honeypots, and IDS/IPS Systems. The maps are made converting all of the IP addresses of the aggressor, the Command and Control and the target of the DDoS attack in coordinates and placing those points on a map. The maps are updated once a day and are available for DDoS activity and Botnet C&Cs.
Through its relationships with several worldwide service providers and global network operators, Arbor provides insight and on global DDoS attack activity, Internet security and traffic trends. Global Activity Map shows data in terms of scan sources, attack sources, phishing websites, botnet IRC Servers, Fast Flux bots.
The period between November and December is particularly interesting for the Infosec community, since nearly all the main security vendors use to unveil their predictions for the next year, trying to anticipate the trends and the issues that will trouble the system administrators’ sleeps.
Exactly as I did last year, I analyzed the predictions of 7 vendors, choosing the ones that I consider particularly meaningful for the presence of the vendor in the market and for the coverage of their respective solution portfolio. In comparison with the last year, I was not able to find any prediction from Cisco (at least so far). However I was able to include the ones issued by Symantec, that were missing from my initial version. Hence the list of the vendors taken into consideration is the following:
Nearly all the analyzed vendors went through deep transformations during the past year, reflecting the changing trends in the market. Fortinet is considered a vendor focused on UTM Technologies, although it offers a wide portfolio of solutions ranging from endpoint to WAFs. After the acquisition of Astaro, Sophos is expanding its offering from the endpoints to the UTM segment. McAfee covers a wide area: historically focused on the endpoints, the long trail of acquisitions allows the company to be present in all the segments of the security market. Websense went through its historical flagship, the URL filtering, moving its security model to the endpoint. Symantec and Trend Micro have their foundation on the endpoints, but are more and more concentrated on securing the cloud. Kaspersky is still concentrated on the endpoints, although the company has been very active in the last year in the analysis of the cyberwar events, most of all in Middle East.
Yes, the rise of the malware on mobile platforms seems unstoppable, not only it reached unprecedented levels in 2012, but apparently it will be the protagonist even for 2013, at least for 5 vendors on 7. Indeed the vendors are 6 if one considers also the cross-platform malware which is equally a threat for mobile platforms. Furthermore one vendor (Fortinet), considers the role of mobile threats also as a threat vector for APTs in 2013.
Politically motivated attacks rank at number 2, even if with different connotations: Kaspersky and Websense mention explicitly state-sponsored attacks, while Symantec and Trend Micro include also attacks motivated by hacktivism in this category. It is not a coincidence that Kaspersky and Websense include Hacktivism into an explicit prediction.
It is also interesting to notice the ransomware at number 3 with just 3 preferences. Particularly interesting the indication of Sophos that speaks of “Irreversible” malware, since this class of threats is increasingly using encryption to make the compromised content unrecoverable.
The trend is even more visible from the distribution chart, that also emphasizes the role of the cloud, in the double shape of source and target of the cyber attacks.
Two vendors (McAfee and Trend Micro) include the proliferation of embedded systems (for instance Smart TV equipped with Android) as one of the main security issues for 2013. Honestly speaking I would have expected a major impact for this threat.
Last but not least, two vendors (Kaspersky and McAfee) believe that Targeted Attacks and Signed Malware will experience a major rise in 2013.
Few Days ago, a Trend Micro Research Paper on the Russian Underground gave a scary landscape of the Underground Black Market showing that every hacking tool and service can be found at dramatically cheap prices in a sort of democratization of Cyber Crime.
Today the news related to the discovery of an unknown 0-day vulnerability targeting Adobe Reader X and XI, confirms that the underground market follows the same rules than the real economy: premium products (read 0-day vulnerabilities) are not for every wallet and if you want a brand new 0-day you must be able to pay up to $50.000.
This is the price at which the previously unidentified Adobe vulnerability is sold according to Malware analysts at Moscow-based forensics firm Group-IB, who have discovered it. The price is justified since this is really a “premium exploit”: in fact beginning with Reader X (June 2011), Adobe introduced a sandbox feature further enhanced in Adobe XI (only three weeks ago). The Sandbox is aimed at blocking the exploitation of previously unidentified security flaws and has proven to be particularly robust: Adobe claimed that since its introduction in Adobe Reader and Acrobat X, they have not seen any exploits in the wild capable of breaking out of it. At least until yesterday.
This makes this 0-day particularly meaningful… And expensive, even if it has some limitations (for example, cannot be fully executed until the user closes his Web browser, or Reader).
Of course cyber criminals did not waste time and Group-IB says the vulnerability is included in a new, custom version of the Blackhole Exploit Kit (apparently it has not been still included in the official version).
And Adobe? So far they have not received any details: “We saw the announcement from Group IB, but we haven’t seen or received any details. Adobe has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately—beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”
Update 08/02/2012: July 2012 Cyber Attacks Timeline (Part II)
Although the number of attacks has considerably diminuished, the first half of July has left several high-profile attacks which deserverd huge attention, exposing in theory more than 2,000,000 individuals. Yahoo! Voice, Android Forums, Nvidia, Formspring, Billabong and ASUS are several of the well-known names that were victims of the high-profile breaches in the first two weeks of July.
World Health Organization and PBS (once again) were also illustrious victims of Cyber Attacks.
Besides these remarkable events, it looks like the actions carried on by the Law Enforcement agencies in the last period led to some results since the number of incidents looks undoubtably smaller than the previous months.
For what concerns the cyber attacks driven by hacktivism, it is particularly important to notice #OpPedoChat, still ongoing, which caused many pedophiles to be exposed, in several cases with unpredictable consequences, as in Belgium where a far-right official resigned after Anonymous’ Paedophilia Claims.
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Cross Posted from TheAviationist.
2011 has been an annus horribilis for information security, and aviation has not been an exception to this rule: not only in 2011 the corporate networks of several aviation and aerospace industries have been targeted by digital storms (not a surprise in the so-called hackmageddon) but, above all, last year will be probably remembered for the unwelcome record of two alleged hacking events targeting drones (“alleged” because in the RQ-170 Sentinel downed in Iran episode, several doubts surround the theory according to which GPS hacking could have been the real cause of the crash landing).
But, if Information Security professionals are quite familiar with the idea that military contractors could be primary and preferred targets of the current Cyberwar, as the infographic on the left shows, realizing that malware can be used to target a drone is still considered an isolated episode, and even worse, the idea of a malware targeting, for instance, the multirole Joint Strike Fighter is still something hard to accept.
However, things are about change dramatically. And quickly.
The reason is simple: the latest military and civil airplanes are literally full of electronics, which play a primary role in managing avionics, onboard systems, flight surfaces, communcation equipment and armament.
For instance an F-22 Raptor owns about 1.7 millions od line of codes , an F-35 Joint Strike Fighter about 5.7 millions and a Boeing 787 Dreamliner about 6.5 millions. Everything with some built in code may be exploited, therefore, with plenty of code and much current and future vulnerabilities, one may not rule out a priori that these systems will be targeted with specific tailored or generic malware for Cyberwar, Cybercrime, or even hacktivism purposes.
Unfortunately it looks like the latter hypothesis is closer to reality since too often these systems are managed by standard Windows operating systems, and as a matter of fact a generic malware has proven to be capable to infect the most important U.S. robots flying in Afghanistan, Pakistan, Libya, and Indian Ocean: Predator and Reaper Drones.
As a consequence, it should not be surprising, nor it is a coincidence, that McAfee, Sophos and Trend Micro, three leading players for Endpoint Security, consider the embedded systems as one of the main security concerns for 2012.
Making networks more secure (and personnel more educated) to prevent the leak of mission critical documents and costly project plans (as happened in at least a couple of circumstances) will not be aviation and aerospace industry’s information security challenge; the real challenge will be to embrace the security-by-design paradigm and make secure and malware-proof products ab initio.
While you wait to see if an endpoint security solution becomes available for an F-35, scroll down the image below and enjoy the list of aviation and aerospace related cyber attacks occurred since the very first hack targeting the F-35 Lightning II in 2009.
Of course aviation and aerospace industries are not the only targets for hackers and cybercriminals. So, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow @pausparrows on Twitter for the latest updates.
As usual the references are after the jump…