Threat Report Monthly Wrap Up
December 2015

This month's wrap-up covers the most impactful data breaches, malware discoveries, and web and cloud security trends from the previous month.

Breaches

Hello Kitty and VTech Data Breaches 

Two recent breaches highlighted the importance of safeguarding the personal information of minors. VTech, a manufacturer known for the production of toys, experienced a data breach that exposed the personal information of 6.4 million children and 4.9 million adults.

In an unrelated incident, the data of 3.3 million users of the Hello Kitty and Sanrio Town online communities, many of whom are children, was also compromised.

Manufacturers are keen to innovate and create new products that take advantage of the Internet and the Cloud. However, any personal data collected needs to be properly secured. Attackers are constantly searching for weaknesses in systems, which can be exploited in order to gain access to personal information.

Breaches involving children’s personal data are problematic for many reasons. One issue is that fraud detection algorithms partly rely on previous activity in order to detect fraudulent transactions. Children who have yet to participate in economic activity have not built up a history of transactions from which to establish normal activity. Hence, their data may provide criminals with ideal identities to steal in order to conduct fraud.

Organizations that wish to secure personal data need to find and fix vulnerabilities in their systems. Even so, organizations must remain vigilant for the presence of attackers, checking logs and network activity in order to resolve intrusions before they can cause harm.

Reference: Crisis of the Week: VTech Breach Exposes Children’s Info | Database leak exposes 3.3 million Hello Kitty fans

Mitigation Strategies:

  • Monitor Intrusion Detection System (IDS) signatures to detect attempted malware communications seeking instructions or callbacks from command and control infrastructure.
  • Proper log management can detect any suspicious user account activity.
  • Use network traffic analysis to inspect for suspicious or malicious activity and detect the presence of data exfiltration.

Iranian Attackers Access Dam System

This month, it was reported that Iranian hackers accessed the control systems of a dam in Rye, New York during 2013. The incident came to light while U.S. intelligence agencies were monitoring the computers of an Iranian hacking gang believed to be targeting U.S. companies. Although the dam is small, and the attackers apparently did not operate the controls, the possibility that unauthorized individuals can gain access to the controls of physical infrastructure is of great concern.

Many industrial control systems set up to control physical infrastructure were installed with the intention of lasting decades before replacement and before cyber security became the concern that it is today. Consequently, the security of these systems may not be adequate.

Infrastructure such as dams may not be of interest to criminal gangs since it is difficult to monetize attacks against these systems. However, the major consequences of a successful attack could be attractive to nation-state threat actors or malicious individuals holding a grudge.

To date, the industrial control systems attack with the largest environmental consequences took place in Maroochy Shire, Australia in 2000. A disgruntled individual with insider knowledge was able to access control systems to pump 800,000 liters (211,338 gallons) of raw sewage into local parks and rivers, causing widespread environmental damage.

Deploying access protection and suitable security infrastructure should be priorities; in addition, system monitoring by security staff for attacks or unexpected access is vital to ensure long-term security for control systems.

Reference: Iranian Hackers Infiltrated New York Dam in 2013 | Malicious Control System Cyber Security Attack Case Study – Maroochy Water Services, Australia

Mitigation Strategies:

  • Netflow data analysis can show traffic communicating from a non-trusted node to an ICS network.
  • Log management can detect any suspicious user account activity.
  • A Security Operations Center team provides around-the-clock security monitoring, daily log review, web application firewall management and advanced anomaly detection.
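
The Netflow check in the first bullet can be sketched as follows. This is an added example, not part of the original report; the subnets, the CSV column names and the flow records are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed addressing plan (hypothetical, not from the report).
ICS_NETWORKS = [ip_network("10.50.0.0/24")]
TRUSTED_SOURCES = [
    ip_network("10.50.0.0/24"),   # the ICS devices themselves
    ip_network("10.10.5.0/28"),   # engineering workstations
]

# Constructed flow export: time, source, destination, destination port, bytes.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes
2015-12-01T02:14:07Z,10.10.5.3,10.50.0.20,502,1840
2015-12-01T02:15:41Z,10.20.7.44,10.50.0.20,502,96
2015-12-01T02:15:49Z,10.20.7.44,10.50.0.21,23,310
2015-12-01T02:16:02Z,203.0.113.9,10.50.0.20,80,5120
2015-12-01T02:17:30Z,10.20.7.44,10.30.1.8,443,7000
2015-12-01T02:18:00Z,not-an-ip,10.50.0.20,502,10
"""


def in_any(addr, networks):
    """True if addr falls inside at least one of the given networks."""
    return any(addr in net for net in networks)


def untrusted_to_ics(flow_csv):
    """Map each non-trusted source to the sorted (dst, dport) pairs it reached in ICS."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src, dst = ip_address(row["src"]), ip_address(row["dst"])
        except ValueError:
            continue  # malformed record: skip it instead of aborting the run
        if in_any(dst, ICS_NETWORKS) and not in_any(src, TRUSTED_SOURCES):
            hits[str(src)].add((str(dst), int(row["dport"])))
    return {src: sorted(pairs) for src, pairs in hits.items()}


if __name__ == "__main__":
    for src, pairs in untrusted_to_ics(SAMPLE_FLOWS).items():
        print(src, "->", pairs)
```
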

Malware

Vulnerabilities in Juniper Firewalls

Two vulnerabilities have recently been discovered in ScreenOS, the operating system for Juniper’s NetScreen firewalls. One is due to the presence of a password hard coded into the firmware of vulnerable devices, which allows anyone with knowledge of the password to remotely login as an administrator. The other is a weakness in the random number generator used to encrypt VPN traffic with the Dual EC algorithm. This weakness potentially facilitates the decryption of VPN traffic by well-resourced attackers.

The issues were identified during a code review by Juniper, and patches have been released. The VPN vulnerability is exploitable only by attackers with nation-state-like capabilities. However, the hard-coded password has been published and is easily exploitable by anyone.

Attackers have been observed attempting to use the disclosed password to gain access to firewalls. Organizations should apply the released patches to affected firewalls as soon as possible. Additionally, network traffic signatures are available to detect and block attempts to use the password to gain access to systems.

Reference: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755, CVE-2015-7756) | Attackers Attempt to Exploit Juniper Backdoor | Researchers confirm backdoor password in Juniper firewall code

Mitigation Strategies:

Cryptowall 4 Evolution 

Ransomware continues to be a strategy exploited by cyber crime gangs. In these attacks, malware placed on a victim’s device encrypts the contents of the hard disk and holds these to ransom against the victim.

The latest version of Cryptowall includes instructions not to affect any computer using the following local languages: Russian, Kazakh, Ukrainian, Uzbek, Belarusian, Azeri, Armenian, Kyrgyz, or Georgian. This suggests that the software is designed not to infect users in the countries where those are native languages.

So that the ransom demand can still be displayed to the victim, the malware also refuses to encrypt file types, such as .exe files, that are involved with the operating system and starting the computer.

Backing up computers so that unencrypted files can be restored, coupled with the use of antivirus software, are excellent mitigations against the malware. The malware does not begin to encrypt files until it connects to the command and control server and receives the encryption key. Blocking this connection prevents the malware from encrypting files and causing havoc.

Reference: Threat Spotlight: Cryptowall 4 - The Evolution Continues

Mitigation Strategies:

  • Monitor Intrusion Detection System (IDS) signatures to detect attempted malware communications seeking instructions or callbacks from command and control infrastructure.
  • A Security Operations Center (SOC) team can provide around-the-clock security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Log management can detect any new service installed or registry changes on a server if logs are configured correctly.

Cloud Security

Cloud Security Concerns Remain

In a recent poll, 65% of companies were concerned with cyber security as part of cloud migration. 69% were afraid of unauthorized access of their data in the cloud, with 43% concerned about the hijacking of cloud data.

Only companies that are conscious of the various risks associated with cloud environments and how these differ from the on-premise environment will be able to deploy the protection necessary to mitigate these threats.

Organizations that wish to adopt the cloud securely should consider the cloud as a series of technological layers, ranging from a physical layer of hardware and cables to an application layer of software facing the end user.

In almost all cloud systems, access protection and application security will be the responsibility of the customer. A web application firewall can protect the application layer, while network protection and system monitoring can help protect access systems.

Far too often, organizations fail to recognize that they are responsible for the security of key parts of their cloud systems, partly because they are not aware of the consequences of a lack of protection.

Reference: Cloud Security Concerns Persist

Web Security

25th Anniversary of the First Website 

This month marks the 25th anniversary of the first website. The invention of the Internet dates to the late 1960s; however, the invention of HyperText Transfer Protocol (HTTP) and HyperText Markup Language (HTML) was required to describe how web pages could be requested and written before the first website could be created in 1990.

Websites were envisaged as a method for sharing physics research data among researchers. The open, collaborative atmosphere in which the Web was born provided the ideal environment, allowing it to grow and for websites to become primary means for disseminating information. Over time, the Web grew in size and scope to support the many applications that we take for granted today.

The academic origin of websites helps to explain many of the issues that we face today. Security was not a requirement for the first websites since they were created for the open sharing of data. The ability to cryptographically authenticate the identity of websites and their visitors was not a priority before the Web came to be used for e-commerce. As the Web grew, the tools and techniques necessary to protect the transactions and data generated by websites had to be invented and retrofitted.

As we look forward to the next 20 years of website development, security is emerging as one of the most important factors enabling the growth of the Web. Now, any website must consider security as a primary requirement in order to assure the confidentiality of any data collected by the website, the integrity of the website and its contents, as well as the availability of the website to remain online in the face of attack.

Reference: 25 years ago: Sir Tim Berners-Lee builds world's first website | Sir Tim Berners-Lee defends decision not to bake security into www

Honeypot Data - Top 20

IP Addresses

Most Attacked Usernames / Passwords
root/admin
root/123456
admin/admin
root/root
admin/(blank password)
ubnt/ubnt
support/support
admin/password
root/ (blank password)
root/default
root/administrator
root/123456
root/654321
root/zaq1xsw2
root/1234
root/aaaaaa
root/a123456
root/123654
root/qwerty
admin/default

Most Attacked Ports
445 Microsoft Directory Service
23 Telnet
22 Secure Shell (SSH)
25 SMTP
3389 Remote Desktop Protocol
80 HTTP
110 POP3
139 NetBIOS Service Session
3306 MySQL
3128 Squid Proxy
8080 HTTP Alternative (Proxy)
443 HTTPS
1433 Microsoft SQL Server
21 FTP
135 RPC Locator
5000 Universal Plug ‘N Play (UPnP)
1900 Universal Plug ‘N Play (UPnP) Discovery
143 IMAP
445 Microsoft Directory Service
23 Telnet
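
The log-review mitigation recommended throughout this report can be applied directly to the usernames in the honeypot list. The following is an added example, not part of the original report: it scans sshd authentication log lines for sources that repeatedly fail logins against those usernames and records any login accepted afterwards. The log lines, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

TARGETED_USERS = {"root", "admin", "ubnt", "support"}  # from the honeypot list
FAIL_THRESHOLD = 3  # assumed value; tune per environment

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (documentation address ranges, hypothetical host "gw").
SAMPLE_LOG = """\
Dec 14 03:12:01 gw sshd[2211]: Failed password for root from 198.51.100.7 port 40022 ssh2
Dec 14 03:12:03 gw sshd[2213]: Failed password for invalid user ubnt from 198.51.100.7 port 40031 ssh2
Dec 14 03:12:05 gw sshd[2215]: Failed password for invalid user support from 198.51.100.7 port 40040 ssh2
Dec 14 03:12:08 gw sshd[2217]: Accepted password for admin from 198.51.100.7 port 40051 ssh2
Dec 14 08:30:11 gw sshd[3002]: Failed password for alice from 192.0.2.15 port 51812 ssh2
Dec 14 08:30:19 gw sshd[3004]: Accepted password for alice from 192.0.2.15 port 51820 ssh2
Dec 14 09:01:44 gw sshd[3100]: Failed password for root from 203.0.113.80 port 33100 ssh2
"""


def analyze(log_text):
    """Return alerts keyed by source IP for credential guessing against TARGETED_USERS."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a password-authentication event
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(m["user"])
        elif s["failures"] >= FAIL_THRESHOLD:
            # A success right after a run of failures may mean a guessed password.
            s["accepted"].append(m["user"])
    alerts = {}
    for ip, s in stats.items():
        targeted = sorted(s["users"] & TARGETED_USERS)
        if s["failures"] >= FAIL_THRESHOLD and targeted:
            alerts[ip] = {"failures": s["failures"], "targeted_users": targeted,
                          "logins_after_guessing": s["accepted"]}
    return alerts


if __name__ == "__main__":
    for ip, detail in analyze(SAMPLE_LOG).items():
        print(ip, detail)
```
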