About these ads

Archive

Posts Tagged ‘Trend Micro’

16-31 June 2014 Cyber Attacks Timeline

I do not know if being happy or not, but it looks like the second half of June (the first timeline covering 1-15 June is here) has seen a sharp inversion of the decreasing trend recorded on the last few months. I have registered an increase of the number of attacks with particular focus on targeted attacks.

The cyber crime front offered several noticeable events, targeting, just to mention the most devastating cases: AT&T, Evernote, the State of Montana (1.3 million single individuals potentially affected), and Butler University.

Moving to hacktivism, the cyber temperature is still high in Brazil, where the hacktivists concentrated their unwelcome attentions. Other points of interest involve Pakistan, and US.

Last but not least, this period recorded an unusual number of targeted attacks spotted in the news. The list includes (but is not limited to): the British Government Secure Intranet, an US Hedge Fund, Vietnamese Ministry of Natural Resources and Environment, ICS vendors in US and Europe and a Government Agency in Taiwan.

As usual, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013 and now 2014 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

16-31 June 2014 Cyber Attacks Timeline rev2

Read more…

About these ads

16-31 October 2013 Cyber Attacks Timeline

November 12, 2013 2 comments

And here we are we the second part of the October 2013 Cyber Attacks Timeline (first part here).

It’s interesting to notice how sophisticated cyber attacks are characterizing the final part of this 2013. The second timeline of October reports at least three remarkable cases: Belgacom (once again), the Finland’s Foreign Ministry and a wave of spear phishing against several targets belonging to Israeli Industries in the defense and security sector

Other noticeable events include the compromising of some servers belonging to php.net, the breach to the online database MongoHQ, and also a breach involving NeoGaf, a popular video games forum, targeting potentially 114,000 users.

The latter is the only remarkable breach (at least from a numerical perspective) of this second half of October, in the same period in which new revelations indicate that the number of victims of the infamous Adobe breach occurred in the first part of this month appears 12 times greater than initially estimated (38M users).

For the rest, the summary of the month is closed by the usual background of hacktivism, a growing phenomenon that is showing multiple different “flavors” and hence is no more characterized by the only infamous Anonymous collective.

As usual, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012 and now 2013 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

16-31 October 2013 Cyber Attacks Timeline Read more…

A (Graphical) World of Botnets and Cyber Attacks

January 26, 2013 7 comments

Update 3/12/2013: I should also mention the Deutsche Telekom Security Tachometer

We live in a World made of Botnets and cyber attacks! While I am typing these few words in my keyboard, other fingers somewhere else in the Globe are moving quickly through the keys, firing stream of bits against their targets.

For thwarting this malicious landscape, trying to understand the evolving trends, more and more security companies and organizations collect data from their security endpoint or network devices spread all over the Globe, and send it to the cloud to be analyzed with big data algorithms. The purpose is to reduce the time between the release of a threat and the availability of an antidote. The same data can also be used to build spectacular maps that show in real time the status of the Internet, a quite impressive and worrisome spectacle! Here a short list of resources:

HoneyMap

Probably the most impressive: the HoneyMap shows a real-time visualization of attacks detected by the Honeynet Project‘s sensors deployed around the world. The Map shows “automated scans and attacks originating from infected end-user computers or hijacked server systems”. This also means that an “attack” on the HoneyMap is not necessarily conducted by a single malicious person but rather by a computer worm or other forms of malicious programs. Please Notice that, as the creators of the Project declare, many red dots means there are many machines which are attacking our honeypots but this does not necessarily imply that those countries are “very active in the cyberwar”

HoneyMap

Akamai Real-Time Web Monitor

Akamai monitors global Internet conditions around the clock. With this real-time data the company identifies the global regions with the greatest attack traffic, measuring attack traffic in real time across the Internet with their diverse network deployments. Data are collected on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses. Values are measured in attacks per 24 hours (attacks/24hrs).

Akamai

Securelist Statistics (Kaspersky Lab)

The information collected by Kaspersky Security Network is shown in the Securelist Statistics section. In the corresponding navigable map, the user can select Local Infections, Online Threats, Network Attacks and Vulnerabilities with Map, Diagrams or Ratings format in a time scale of 24 hours, one week or one month.

SecureList

Trend Micro Global Botnet Map

Trend Micro continuously monitors malicious network activities to identify command-and-control (C&C) servers, making the ability to rapidly identify and correlate bot activity critical. The real-time map indicates the locations of C&C servers and victimized computers that have been discovered in the previous six hours.

Trend Map

Shadowserver

The Shadowserver Foundation, managed by volunteer security professionals, gathers intelligence from the Internet via honeyclients, honeypots, and IDS/IPS Systems. The maps are made converting all of the IP addresses of the aggressor, the Command and Control and the target of the DDoS attack in coordinates and placing those points on a map. The maps are updated once a day and are available for DDoS activity and Botnet C&Cs.

shadowserver

Arbor’s Threat Level Analysis System (ATLAS)

Through its relationships with several worldwide service providers and global network operators, Arbor provides insight and on global DDoS attack activity, Internet security and traffic trends. Global Activity Map shows data in terms of scan sources, attack sources, phishing websites, botnet IRC Servers, Fast Flux bots.

ATLAS

Browsing Security Predictions for 2013

December 26, 2012 5 comments

The period between November and December is particularly interesting for the Infosec community, since nearly all the main security vendors use to unveil their predictions for the next year, trying to anticipate the trends and the issues that will trouble the system administrators’ sleeps.

Exactly as I did last year, I analyzed the predictions of 7 vendors, choosing the ones that I consider particularly meaningful for the presence of the vendor in the market and for the coverage of their respective solution portfolio. In comparison with the last year, I was not able to find any prediction from Cisco (at least so far). However I was able to include the ones issued by Symantec, that were missing from my initial version. Hence the list of the vendors taken into consideration is the following:

Nearly all the analyzed vendors went through deep transformations during the past year, reflecting the changing trends in the market. Fortinet is considered a vendor focused on UTM Technologies, although it offers a wide portfolio of solutions ranging from endpoint to WAFs. After the acquisition of Astaro, Sophos is expanding its offering from the endpoints to the UTM segment. McAfee covers a wide area: historically focused on the endpoints, the long trail of acquisitions allows the company to be present in all the segments of the security market. Websense went through its historical flagship, the URL filtering, moving its security model to the endpoint. Symantec and Trend Micro have their foundation on the endpoints, but are more and more concentrated on securing the cloud. Kaspersky is still concentrated on the endpoints, although the company has been very active in the last year in the analysis of the cyberwar events, most of all in Middle East.Security Predictions 2013

Yes, the rise of the malware on mobile platforms seems unstoppable, not only it reached unprecedented levels in 2012, but apparently it will be the protagonist even for 2013, at least for 5 vendors on 7. Indeed the vendors are 6 if one considers also the cross-platform malware which is equally a threat for mobile platforms. Furthermore one vendor (Fortinet), considers the role of mobile threats also as a threat vector for APTs in 2013.

Politically motivated attacks rank at number 2, even if with different connotations: Kaspersky and Websense mention explicitly state-sponsored attacks, while Symantec and Trend Micro include also attacks motivated by hacktivism in this category. It is not a coincidence that Kaspersky and Websense include Hacktivism into an explicit prediction.

It is also interesting to notice the ransomware at number 3 with just 3 preferences. Particularly interesting the indication of Sophos that speaks of “Irreversible” malware, since this class of threats is increasingly using encryption to make the compromised content unrecoverable.

The trend is even more visible from the distribution chart, that also emphasizes the role of the cloud, in the double shape of source and target of the cyber attacks.

Security Predictions Distributions 2013

Two vendors (McAfee and Trend Micro) include the proliferation of embedded systems (for instance Smart TV equipped with Android) as one of the main security issues for 2013. Honestly speaking I would have expected a major impact for this threat.

Last but not least, two vendors (Kaspersky and McAfee) believe that Targeted Attacks and Signed Malware will experience a major rise in 2013.

First Adobe Reader 0-Day Bypassing Sandbox Protection In The Wild

November 8, 2012 Leave a comment

Few Days ago, a Trend Micro Research Paper on the Russian Underground gave a scary landscape of the Underground Black Market showing that every hacking tool and service can be found at dramatically cheap prices in a sort of democratization of Cyber Crime.

Today the news related to the discovery of an unknown 0-day vulnerability targeting Adobe Reader X and XI, confirms that the underground market follows the same rules than the real economy: premium products (read 0-day vulnerabilities) are not for every wallet and if you want a brand new 0-day you must be able to pay up to $50.000.

This is the price at which the previously unidentified Adobe vulnerability is sold according to Malware analysts at Moscow-based forensics firm Group-IB, who have discovered it. The price is justified since this is really a “premium exploit”: in fact beginning with Reader X (June 2011), Adobe introduced a sandbox feature further enhanced in Adobe XI (only three weeks ago). The Sandbox is aimed at blocking the exploitation of previously unidentified security flaws and has proven to be particularly robust: Adobe claimed that since its introduction in Adobe Reader and Acrobat X, they have not seen any exploits in the wild capable of breaking out of it. At least until yesterday.

This makes this 0-day particularly meaningful… And expensive, even if it has some limitations (for example, cannot be fully executed until the user closes his Web browser, or Reader).

Of course cyber criminals did not waste time and Group-IB says the vulnerability is included in a new, custom version of the Blackhole Exploit Kit (apparently it has not been still included in the official version).

And Adobe? So far they have not received any details: “We saw the announcement from Group IB, but we haven’t seen or received any details. Adobe has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately—beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”

July 2012 Cyber Attacks Timeline (Part I)

July 20, 2012 1 comment

Update 08/02/2012: July 2012 Cyber Attacks Timeline (Part II)

Although the number of attacks has considerably diminuished, the first half of July has left several high-profile attacks which deserverd huge attention, exposing in theory more than 2,000,000 individuals. Yahoo! Voice, Android Forums, Nvidia, Formspring, Billabong and ASUS are several of the well-known names that were victims of the high-profile breaches in the first two weeks of July.

World Health Organization and PBS (once again) were also illustrious victims of Cyber Attacks.

Besides these remarkable events, it looks like the actions carried on by the Law Enforcement agencies in the last period led to some results since the number of incidents looks undoubtably smaller than the previous months.

For what concerns the cyber attacks driven by hacktivism, it is particularly important to notice #OpPedoChat, still ongoing, which caused many pedophiles to be exposed, in several cases with unpredictable consequences, as in Belgium where a far-right official resigned after Anonymous’ Paedophilia Claims.

If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

Read more…

Exclusive Infographic: All Cyber Attacks on Military Aviation and Aerospace Industry

February 22, 2012 2 comments

Cross Posted from TheAviationist.

2011 has been an annus horribilis for information security, and aviation has not been an exception to this rule: not only in 2011 the corporate networks of several aviation and aerospace industries have been targeted by digital storms (not a surprise in the so-called hackmageddon) but, above all, last year will be probably remembered for the unwelcome record of two alleged hacking events targeting drones (“alleged” because in the RQ-170 Sentinel downed in Iran episode, several doubts surround the theory according to which GPS hacking could have been the real cause of the crash landing).

But, if Information Security professionals are quite familiar with the idea that military contractors could be primary and preferred targets of the current Cyberwar, as the infographic on the left shows, realizing that malware can be used to target a drone is still considered an isolated episode, and even worse, the idea of a malware targeting, for instance, the multirole Joint Strike Fighter is still something hard to accept.

However, things are about change dramatically. And quickly.

The reason is simple: the latest military and civil airplanes are literally full of electronics, which play a primary role in managing avionics, onboard systems, flight surfaces, communcation equipment and armament.

For instance an F-22 Raptor owns about 1.7 millions od line of codes , an F-35 Joint Strike Fighter about 5.7 millions and a Boeing 787 Dreamliner about 6.5 millions. Everything with some built in code may be exploited, therefore, with plenty of code and much current and future vulnerabilities, one may not rule out a priori that these systems will be targeted with specific tailored or generic malware for Cyberwar, Cybercrime, or even hacktivism purposes.

Unfortunately it looks like the latter hypothesis is closer to reality since too often these systems are managed by standard Windows operating systems, and as a matter of fact a generic malware has proven to be capable to infect the most important U.S. robots flying in Afghanistan, Pakistan, Libya, and Indian Ocean: Predator and Reaper Drones.

As a consequence, it should not be surprising, nor it is a coincidence, that McAfee, Sophos and Trend Micro, three leading players for Endpoint Security, consider the embedded systems as one of the main security concerns for 2012.

Making networks more secure (and personnel more educated) to prevent the leak of mission critical documents and costly project plans (as happened in at least a couple of circumstances) will not be aviation and aerospace industry’s information security challenge; the real challenge will be to embrace the security-by-design paradigm and make secure and malware-proof products ab initio.

While you wait to see if an endpoint security solution becomes available for an F-35, scroll down the image below and enjoy the list of aviation and aerospace related cyber attacks occurred since the very first hack targeting the F-35 Lightning II in 2009.

Of course aviation and aerospace industries are not the only targets for hackers and cybercriminals. So, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow @pausparrows on Twitter for the latest updates.

As usual the references are after the jump…

Read more…

What Security Vendors Said One Year Ago…

January 10, 2012 2 comments

I did not resist, so after publishing the summary of Security Predictions for 2012, I checked out what security vendors predicted one year ago for 2011. Exactly as I did in my previous post, at the beginning of 2011 I collected the security predictions in a similar post (in Italian). I also published in May an update (in English) since, during the Check Point Experience in Barcelona held in May 2011, the Israeli security firm published its predictions. Even if the latters have been published nearly at the half of 2011, for the sake of completeness, I decided to insert them as well in this year-to-year comparison.

Then, I included Symantec (for which this year I did not find any prediction), McAfee, Trend Micro, Kaspersky, Sophos and Cisco. I included Check Point in a second time and I did not include Fortinet, At that time I missed their five security predictions, which I only discovered later so I decided to provide an addendum for this post including Fortinet as well in order to provide a deeper perspective.

The security predictions for 2011 are summarized in the following chart, which reports what the vendors (with the partial above described exception of Checkpoint) expected for the past year in terms of Information Security trends.

But a strict side-by-side comparison with the 2012 information security predictions (extracted by my previous post) is more helpful and meaningful:

As you may notice mobile threats were on top even among the predictions for 2011. This prediction came easily true most of all for Android which suffered (and keeps on suffering) a huge increase in malware detection samples (even if the overall security risk remains contained). Social Media were on top as well: they have been crucial for the Wind of the Changes blown by the Arab Spring but in the same time Social Media have raised many security concerns for reputation, the so called Social Network Poisoning (who remembers Primoris Era?). Although 2011 was the year of the Anonymous, hacktvism ranked “only” at number 4, behind Advanced Persistent Threats, which however played a crucial role for information security (an APT was deployed for the infamous RSA Breach, but it was not an isolated case).

Also botnets, web threats and application vulnerabilities ranked at the top of Security predictions for last year (and came true). As far as botnets are concerned, fortunately 2011 was a very important year for their shutdown (for instance Hlux/Kelihos, Coreflood, Rustock). In several cases the botnets were taken down thanks to joint operations between private sectors and law enforcement agencies (another prediction came true). On the application side, this prediction came true most of all thanks to the Sony breach, the Liza Moon infection and the huge rate of SQLi based attacks and ASP.NET vulnerabilities. We have also assisted to an hard blow to SSL/TLS and XML Encryption.

But what is more surprising (and amusing) in my opinion is not to emphasize which predictions were correct, but rather to notice  which predictions were dramatically wrong: it looks like that, against the predictions, virtualization threats were snubbed by cybercrookers in 2011 (and nearly do not appear in 2012). But the most amusing fact is that no security vendor (among the ones analyzed) was able to predict the collapse of the Certification Authority model thanks most of all to the Comodo and Diginotar Breaches.

Browsing Security Predictions for 2012

January 8, 2012 4 comments

Update 01/11/2012: Year-to-Tear comparison with 2011 Security Predictions

The new year has just come, vacations are over, and, as usually happens in this period, information security professionals use to wonder what the new year will bring them from an infosec perspective. The last year has been rich of events, whose echo is still resounding, and as a consequence, if RSA and Sony breach were not enough, the main (and somehow obvious) question is: will 2012 stop this trend or rather bring it to unprecedented levels, or, in other words, which threat vectors will disturb the (already troubled) administrators’ sleep?

Unfortunately my divination skills are not so developed (in that case I would not be here), but security firms can give a crucial help since they started to unveil their security predictions for 2012, at least since the half of December, so putting them together, and analyzing them is quite a straightforward and amusing task. Maybe even more amusing will be, in twelve years, to see if they were correct or not.

The security prediction that I take into consideration included, at my sole discretion (and in rigorous alphabetical order):

•    Cisco;
•    Fortinet;
•    Kaspersky;
•    McAfee;
•    Sophos;
•    Trend Micro;
•    Websense;

That is the only leader vendors for which I found predictions issued with original documents (feel free to indicate if I missed someone and I will be very glad to include them in the chart).

In any case, the landscape is quite heterogeneous since it encompasses security vendors covering different areas: one vendor, McAfee, covering all the areas (network, endpoint and content security), two vendors and one half focused on network and content security (Cisco, Fortinet and partially Sophos thanks to the Astaro acquisition), and two vendors focused essentially on endpoint security (Kaspersky and Trend Micro).

The following table summarizes their predictions:

In order to correctly understand the chart a premise is needed: as you will probably have already noticed, in several cases the predictions reflect the specific security focus for the analyzed vendor. For instance, Websense is focused on DLP, and that is the reason why the adoption of DLP is one of its predictions. Analogously McAfee is investing huge resources for Security on Silicon, and this implies that embedded systems and Malware Moving Beyond OS are present among its predictions. Same speech could be applied for Trend Micro and its Cloud Prediction and so on.

Some trends for this year are clearly emphasized: easily predictable Hactivism appears on 6 of the 7 vendors, as mobile (with different connotations) does. Social Media is on the spot as well as are SCADA, Embedded Systems and, quite surprisingly in my opinion, cloud. I would have expected a greater impact for APTs, but for a complete and more accurate analysis one should consider them together with threats targeting embedded systems or ICS. Even because according to several security firms, for instance Kasperky, APT Stuxnet-like will be used for tailored campaigns, whilst more “general purpose malware”, including botnets will be used for massive campaigns (this item is summarized as Mass Targeted Campaigns).

 

Some “old acquaintances” will be with us in 2012: consumerization, at least according to Sophos and Trend Micro (even if consumerization is strictly connected, if not overlapped with mobile) and, if the Comodo and Diginotar affaires were not enough, Rogue Certificates, according to McAfee. Instead some “new entries” are absolutely interesting, such as the threats related to NFC (even if in this case I would have expected a greater impact) or related to Virtual Currency. Besides let us hope that the prediction to adopt DNSSEC be more than a prediction but a consolidated practice.

The most conservative security firm? In my opinion Cisco. The most “visionary”? Maybe Fortinet, I found the “Crime as a Service (CaaS)” absolutely awesome, and most of all not so visionary, since there are already some (even if clumsy) attempts.

In any case with this plenty of Cyber Nightmares is not a surprise the fact the Enterprise security market is going to reach $23 billion worldwide in 2012 with a 8.7% growth year-on-year.

An Industry Wide Attack

September 9, 2011 3 comments

9/9/2011: Globalsign admitted evidence of a breach to the web server hosting the www website:

Today we found evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the http://www.globalsign.com website. At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high threat approach to returning services to normal continues.

Starting from March 2011, one might say that the authentication bastions have been crumbling one after another. In hindsight, one event in particular occurred during March 2011 has been mostly underestimated. Of course I am not referring to the RSA affair, but to the Comodo Hack, whose only blame was to happen too close in time to the RSA Breach, which ended up obfuscating its impact for the Information Security Landscape … At least until August 2011.

As a matter of fact when, immediately after the Comodo Hack, the so called Comodo Hacker published on pastebin his declaration of Cyberwar, no one considered the hypothesis that other Certification Authorities could have been equally compromised. Consequently, although the hack was classified as a serious cyberattack, driven by a political matrix and capable to establish a new (unwelcome) record, it was considered an isolated episode, mainly due to the scarce attention to application security by the targeted Comodo partner. Moreover the final target (Google) and the political reasons behind the attack deserved much more attention than the means used to perpetrate the attack itself: the first-time compromission of a Certification Authority, a completely inedited attack vector.

Nearly four months later, the Diginotar hack (again an attack with alleged political reasons behind although according to Trend Micro it targeted Iranian Internet users) has shown to the world the weaknesses of our authentication model and its chain of trust. Not only the hacker was able to forge more than 500 fake Code Sign and SSL certificates, but he also claimed to have access to other four CAs, quoting explicitly GlobalSign, and indirectly another one StartCom, which was able to avoid the hack since its CEO was sitting in front of the HSM during the attack, although the Comodo Hacker claims to own email, DB Backup and Customer data.

Trust in Diginotar Certificate Authority has been revoked from all browsers and OSes, permanently from all Mozilla Products, but not from Smartphones, with heavy consequences for the Dutch government’s PKIoverheid (PKIgovernment) program. Of course, easily predictable, the assertions from Comodo Hacker triggered panic between cert providers. On September the 6th GlobalSign decided to temporary cease issuance of all certificates as a precautionary measure and appointed Fox-IT to perform an intensive audit (Fox-IT is the same Dutch Cybsersecurity Company which performed the audit on Diginotar); on September the 7th Symantec released a statement to reassure their customers their infrastructure has been audited and it is not compromised. A similar announcement has been published by Thawte after an erroneous report from a Dutch Government agency according to which the Security firm had been breached. Unfortunately the story does not end here and although the Comodo Hacker promises further disclosures.

If I can spend few words on the question, the best way to describe it is to quote a statement from GlobalSign: “these claims (from Comodo Hacker) represent an industry wide attack”. Said in simple words: the aftermaths of the Diginotar hack will force to rethink the current authentication model and chain of trust (even because authentication technologies and vendors are increasingly tied) even if we seriously risk to run out of ammo: in this year we lost tokens and CAs… Now What Else?

Follow

Get every new post delivered to your Inbox.

Join 2,898 other followers